Cloud4C Data Privacy
This privacy notice for all PII/ Data Principals (Customers, Suppliers, Vendors, Employees, Visitors, Contractors and Subcontractors or other third party) and other ("Privacy notice") applies to the Cloud4C Services Pvt Ltd. (hereinafter referred to as "Cloud4C"). The Cloud4C company for the purpose of providing a service, Cloud4C is responsible for processing your personal Information and controls its use in accordance with this privacy notice. We at Cloud4C including its subsidiaries and affiliates (collectively referred to as “Cloud4C or “our” or “we”) are strongly committed at to honouring and safeguarding your privacy. Cloud4C, protecting your personal information is a top priority. This privacy notice describes our privacy practices regarding collecting, storing, processing and use of our personal data when you availing / providing a service to/for the company or visit our premises / Website.
-
WHO IS RESPONSIBLE FOR PROCESSING YOUR PERSONAL INFORMATION?
-
Cloud4C and its subsidiaries are responsible for your personal Information. In accordance with applicable information protection laws, the person responsible for processing your personal Information is the Cloud4C subsidiary which communicates with you. Furthermore, other Cloud4C subsidiaries may receive and process your information, either as the information controller or the information processor. Accordingly, this privacy notice applies equally to them. In your case, Cloud4C or the respective company affiliated with Cloud4C, as the "responsible party" applicable laws at the headquarter or Information Center of the country in which of the respective subsidiary, for what and how your personal information will be used in accordance with this privacy notice.
-
WHAT KIND OF PERSONAL INFORMATION DO WE COLLECT AND PROCESS?
-
We collect and use the personal information that we receive from you within the scope or an existing business relationship with you or your company (hereinafter: "you"). We may also process personal information that we receive from you either as a result of your contact request, a specific pre-contractual inquiry or a registration for a specific event via our websites, by email or telephone or at a trade fair or event. In addition, to the extent necessary for the purposes stated in this privacy notice, we process personal information that we can obtain from publicly available sources or that is lawfully transmitted by other third parties in pursuant to Business relations. We process the following categories of your personal information to the extent required for the purposes of processing in accordance with this privacy notice:
- Identifying information and contact details that you provide us with, such as first name, last name, profession / position / title, business email address, postal address, telephone, cell phone and fax numbers, gender, date of birth, vehicle registration number, visit date time and number of a valid identification document as per law.
- Additional information that you provide us with during or in connection with your visit, such as registration details for facilities and sites, visits to an employee, purpose of the visit, records of your visit or information relating to the fulfilment of our contractual obligations and precontractual measures; To a certain extent, this information may also include your interests in our products, marketing preferences and registration information provided at training sessions, events or trade fairs, etc.
- Image and video recordings on which you are depicted ("recordings") and which are produced by our video surveillance systems (CCTV) or by photographers or Cloud4C employees working on our behalf at events organized by us.
- Children Information - The Data Fiduciary / Controller Shall, before processing any personal data of a child or a person with disability who has a lawful guardian obtain verifiable consent of the parent of such child or the lawful guardian, as the case may be, in such manner as may be prescribed - sec 9(1) of DPDP Act 2023.
- Electronic identification information and information collected from communications systems, IT applications and web browsers (provided that the information you have has access to or is affected by such systems or applications and in accordance with applicable laws), such as use of information technology (system access, IT and Internet use), device identification (mobile device ID, PC ID), registration and login information, IP address, access information and log files, analysis ID, time and URL, search queries, website registration records and cookie information, sound recordings (e.g. voice message, meeting recordings).
If you wish to obtain information about a specific information processing activity, this can be requested from DPO at dpo@cloud4c.com .
-
WHY DO WE USE YOUR PERSONAL INFORMATION?
-
We process your personal information primarily to carry out and fulfil our business and contractual relations with you and to ensure security in our offices and premises of the people and items, security of confidential Information located in the company's premises or accessible from the company's premises. This is done to prevent loss, frauds, health safety thefts, injuries, terrorism, and other events of such kind in the company's premises. In the context of this business relationship with you and your visit to our offices and premises, we must process your personal information, which we require in order to fulfil the associated contractual and legal obligations or which we are legally obliged to collect and process (e.g. health and safety laws, statutory insurance requirements). In particular, we process the personal information listed above for the following purposes:
- Visitor management which includes Approval, Visitor Registration and Gate pass processing and access creation if required.
- Health and safety management, including medical emergencies.
- Recording by video surveillance system (CCTV) for the purpose of public and employee safety, theft building security and the prevention and detection of crime.
- Monitoring and auditing of compliance with Cloud4C and Cloud4C's corporate guidelines, contractual obligations and legal requirements.
- Conducting audits, evaluations and regulatory checks to ensure compliance with regulatory obligations.
We only collect the personal information from you that we require for the purposes described above. This means that you can no longer be directly or indirectly identified as an individual using this information.
-
WHAT HAPPENS IF YOU DO NOT PROVIDE US WITH THE PERSONAL INFORMATION WE REQUEST OR IF YOU ASK US TO STOP PROCESSING YOUR INFORMATION?
-
In the case of processing operations in connection with your visit to Cloud4C (as described above), without certain personal information, Cloud4C may not be able to adequately ensure your security and the security of other persons in our offices and premises, monitor the security of the premises and its facilities, or fulfil the related legal obligations or the purposes described above in general. Although we cannot oblige you to provide us with your personal information, please be aware that your refusal could have consequences that could negatively affect your visit to our offices and premises or our business relationship. You will not be permitted, for example, to enter certain or any Cloud4C facility or location for security reasons, nor will we be able to take requested precontractual or contractual measures to conclude or fulfil a contract with you.
-
ON WHAT LEGAL BASIS DO WE PROCESS YOUR PERSONAL INFORMATION?
-
We process your personal information for the purposes described above (WHY DO WE USE YOUR PERSONAL INFORMATION?) in accordance with the provisions of the the Information Technology Act 2000, IT Rules (2011) and DPDP Act 2023 India, especially in accordance with the following applicable legal bases:
- Where required, we process your personal information within the scope of your specific visit to our offices and premises, or your stay on our premises, as well as the existing business relationship with you or your company, in order to safeguard legitimate interests (ours and that of third parties) .
-
WHAT IS THE SECURITY OF DATA PROVIDED BY YOU
-
Cloud4C has implemented technical, physical, contractual, and organizational safeguards with a view to protecting the security of personal data from loss, damage, or unauthorized use, disclosure, alteration, or access, having regard to the nature of the data, and the risks to which they are exposed by virtue of human action or the physical or natural environment.
-
WHAT KIND OF TRANSFERS AND DISCLOSURE OF PERSONAL DATA WITH AFFILIATES HAPPENS
-
The disclosure may be subject to disclosure to the governments, courts or law enforcement or regulatory agencies of such other country, pursuant to the laws of the India.
-
WHAT IS RETENTION OF PERSONAL DATA
-
We will only keep your personal data for as long as is reasonably necessary to fulfill the purposes for which it was collected, taking into consideration our need to respond to your queries or resolve problems, any other purpose outlined above or to comply with legal requirements under applicable law(s). This means that we may retain your personal data for a reasonable period after, for example, the end of the contract with the client you represent, or after your query has been addressed. After this period, your personal data will be deleted from all our system.
-
CHANGES TO OUR PRIVACY NOTICE
-
Our Privacy Notice may be updated from time to time. Any updates will appear on this www.Cloud4C.com.
-
HOW TO CONTACT US
-
You can contact us by writing to: Data Protection Officer, If you have any questions about our privacy notice please contact the Data Protection Officer on data-protection email dpo@cloud4c.com
-
1. INTRODUCTION
-
This Privacy Policy covers the life cycle of data protection and privacy aspects which includes data collection, treating, storing, maintaining, securing and disposing the data including PII (Personally Identifiable Information) which shall be from various channels. The purpose of this policy is to set out the relevant technical and organizational control measures where Cloud4C get complied with Industry best practices, regulatory and legal laws of the land. This policy applies to all the interested parties of the organization's information and privacy systems which includes employees, customers, suppliers, vendors and other third parties who have access to Cloud4C systems. Cloud4C complies with below Standards, Regulatory and Legal Requirements as per law of the land and supervisory authorities Regulatory and legal requirements, including:
- IT Act 2000,IT Amendment 2008, IT Act rules 2011, DPDP Act 2023 of India.
- UK-GDPR, CCPA-USA, PDPL-KSA, GDPR, Contractual agreements, all other applicable laws globally.
The information security and privacy program is reviewed annually or upon significant changes to the information security and privacy environment.
Cloud4C has recognized that our business information and privacy is a critical asset and as such our ability to manage, control, and protect this asset will have a direct and significant impact on our future success. -
2. PII DEFINITIONS
-
The common terms used within this policy are defined by the ISO/IEC 29100 Privacy Framework international standard as follows:
PII principal
“Natural person to whom the personally identifiable information (PII) relates.”
Personally identifiable information (PII)“Any information that
(a) can be used to identify the PII principal to whom such information relates, or
(b) is or might be directly or indirectly linked to a PII principal.”
Processing of PII
“Operation or set of operations performed upon personally identifiable information (PII)
Note 1 to entry: Examples of processing operations of PII include, but are not limited to, the collection, storage, alteration, retrieval, consultation, disclosure, anonymization, pseudonymization, dissemination or otherwise making available, deletion or destruction of PII of ”PII Controller
“Privacy stakeholder(s) that determines the purposes and means for processing PII other than natural persons who use data for personal purposes.”
Joint PII Controller
PII controller that determine the purposes and means of the processing of PII jointly with one or more other PII controllers.
PII Processor
“Privacy stakeholder that processes personally identifiable information (PII) on behalf of and in accordance with the instructions of a PII controller.”
“Customer Configuration” means an information technology system (hardware, software and/or other information technology components) which is the subject of the Services or to which the Services relate.
“Customer Data" means all data which Customer receives, stores, or transmits on or using the Customer Configuration.
Derived Data means data or information, created, generated from use of customer data or configuration.
Direct Data classifies items such as name, address, birthplace, marital status and occupation.
Cloud service provider - party which makes cloud services available according to the cloud model.
Processing of PII Operation or set of operations performed on personally identifiable information (PII).
Sub-processor" means any Data Processor (including any third party) appointed by the Processor to process Controller Personal Data on behalf of the Controller.
Privacy Breach
Situation where personally identifiable information is processed in violation of one or more relevant
privacy safeguarding requirements.
Privacy Controls
Measures that treat privacy risks by reducing their likelihood or their consequences.
Privacy Enhancing Technology -PET
Privacy control, consisting of information and communication technology (ICT) measures, products,
or services that protect privacy by eliminating or reducing personally identifiable information (PII) or
by preventing unnecessary and/or undesired processing of PII, all without losing the functionality of
the ICT system.
Privacy Policy
Overall intention and direction, rules and commitment, as formally expressed by the personally
identifiable information (PII) controller related to the processing of PII in a particular setting.
Privacy Preferences
Specific choices made by a personally identifiable information (PII) principal about how their PII
should be processed for a particular purpose.
Privacy Principles
Set of shared values governing the privacy protection of personally identifiable information (PII) when processed in information and communication technology systems.
Privacy Risk
Effect of uncertainty on privacy.
Privacy Risk Assessment
Overall process of risk identification, risk analysis and risk evaluation with regard to the processing of personally identifiable information (PII).
This process is also known as a privacy impact assessment.
Privacy Safeguarding Requirements
Set of requirements an organization has to take into account when processing personally identifiableinformation (PII) with respect to the privacy protection of PII.
Privacy Stakeholder(s)
Natural or legal person, public authority, agency or any other body that can affect, be affected by, or
perceive themselves to be affected by a decision or activity related to personally identifiable
information (PII) processing.
Pseudonymization
Process applied to personally identifiable information (PII) which replaces identifying information with an alias.
Secondary Use
Processing of personally identifiable information (PII) in conditions which differ from the initial ones.
Sensitive PII
Category of personally identifiable information (PII), either whose nature is sensitive, such as those
that relate to the PII principal's most intimate sphere, or that might have a significant impact on the PII principal.
Third Party
Privacy stakeholder other than the personally identifiable information (PII) principal, the PII controller and the PII processor, and the natural persons who are authorized to process the data under the direct authority of the PII controller or the PII processor.
-
3. CLOUD4C INFORMATION AND PRIVACY SYSTEMS OBJECTIVE
-
The objective of this policy is to make sure that the provisioning of a service is in accordance with the business, security and Privacy requirements with reference to the applicable o laws and regulations.
- protect the Cloud4C information assets through safeguarding its confidentiality, integrity, availability and Privacy.
- establish effective governance arrangements including accountability and responsibility for information security and privacy within Cloud4C.
- maintain an appropriate level of Customer, Vendor, Supplier, Employees and other stakeholders awareness, knowledge and skill to minimize the occurrence and severity of information security and privacy incidents.
- Ensure Cloud4C is able to continue and/or rapidly recover its business operations in the event of a detrimental information security and privacy incident.
- Cloud4C is committed to protect information and privacy. This Policy deals with the security and privacy requirements at the level of design / life cycle which includes, collection, storing, maintaining, disclosing, securing and disposing of personal identifiable information as per privacy policy.
- Clou4C proactively addresses data principal's expectations concerning their privacy and security in order to create and ensure trust and confidence in Cloud4C and its services provided.
- Compliance with relevant privacy and data protection laws is maintained thereby minimizing legal liability, regulatory risk, brand and reputational exposure; and
- A data principal's PII is collected after acquiring consent and processed in fair and transparent manner and in compliance with applicable laws and regulations. Cloud4C is committed to maintaining and improving data protection and privacy within the company and minimizing its exposure to risks.
3.1.THE PERSONAL DATA THAT WE COLLECT FROM THE USER:
Cloud4C collects information during User's interactions with Cloud4C, whether through business related interactions or online (involuntary), including through Cloud4C's websites that is necessary to conduct its business, to provide the services to the customers, as part of business operations and optimization of its service offerings.
Cloud4C may collect, use, store and transfer different kinds of personal data which have been grouped together as follows:- Identity Data: including first name, last name.
- Contact Data: including address, email address, and telephone numbers.
- Marketing and Communications Data: including User's preferences in receiving marketing from Cloud4C (including authorized third parties) and User's communication preferences.
- Public PII is easily accessible from public sources like phonebooks, the Internet, and corporate directories Visiting Cards, Business telephone number and Business mailing or email address.
3.2.HOW IS YOUR PERSONAL DATA COLLECTED AND USED?
Generally, Cloud4C collects personal information related to customers and their representatives when they decide to interact with us, or avail services or express an interest or apply for a position, Employees, Visitors, vendors, contractors, subcontractors and other third party. The kind of data that Cloud4C collects and/or has visibility/access to, depends solely on the context and the nature of User's interaction with Cloud4C and in case of Cloud4C's customers, the nature service offering that such customer avails from Cloud4C. Cloud4C do not solicit and/or collect any sort of personal information that is irrelevant/not necessary for the provision of services to the User. Cloud4C further declare that it does not participate in any sort of data mining activities whatsoever, with any third parties.
Cloud4C uses Customer PII only to the extent such data is required to provide the services agreed upon, and does not mine it for marketing or advertising. In case a Customer decides to suspend the services or terminates the requirement for availing services, Cloud4C shall, in accordance with Customer's requirements, and any applicable laws policies it has, follows strict standards and requisite processes for deleting Customer PII from its servers.
If anyone represents an organization, such as business or individual, that utilizes Enterprise services from Cloud4C, please see Cloud4C privacy statement to learn how we process data.
Customer or Individual have choices when it comes to the technology used and the data shared. When Cloud4C asks to provide personal data, Customer or Individual can decline. Many of our services require personal data to provide with a service. If Customer or Individual choose not to provide data required to provide with a service or feature, Customer or Individual cannot use that service or feature. Likewise, where Cloud4c needs to collect personal data by law or to enter into or carry out a contract with Customer or Individual, and they do not provide the data, Cloud4C will not be able to enter into the contract; or if this relates to an existing service being used, Cloud4C may have to suspend or cancel it. We will notify Customer or Individual if this is the case at the time. Where providing the data is optional, and Customer or Individual choose not to share personal data, features like personalization that use such data will not work for them.
Cloud4C undertakes that Cloud4C uses personal data strictly in compliance with applicable laws.
Purposes for which Cloud4C may collect the personal data belonging to the User and the rationale behind such collection:
Cloud4C uses personal information only where required for specific purposes. The following table serves as an explainer for the purpose for which Cloud4C collects/uses of the personal data belonging to the User and the rationale behind such collection/use:
Purpose/Instance Rationale Managing Cloud4C's contractual and/or employment relationship with the User. - Necessary for the performance of a contract to which User is a party.
- To engage in activity in relation to Cloud4C's member services. This may include sending updates, meeting invite and other information that may be of important.
- Provide our services, products, which includes updating, securing, and troubleshooting, as well as providing support. It also includes sharing data, when it is required to provide the service or carry out the transactions you request.
- Improve and develop our products or services and personalize our products and make recommendations.
- To verify identify and entitlements to Cloud4C's products and services when the User contacts Cloud4C or access its services.
- To provide technical and customer support.
- To obtain feedback on Cloud4C's services.
Facilitating communication with the User (including in case of emergencies, and to provide User with requested information). To ensure proper communication and emergency handling within the organization. This kind of collection includes collection of basic contact information of relevant stakeholders. Operating and managing Cloud4C business operations. To ensure the proper functioning of Coud4C business operations and optimise Cloud4Cservice offerings. Complying with legal requirements. This is a legitimate purpose as Cloud4C is bound by and is subject to all applicable laws and legal mandates. Monitoring User's use of Cloud4C systems (including use of Cloud4C website). To avoid compliance related issues and protecting the standards of Cloud4C service offerings, ensuring that they meet the legal requirements and industry standards. Improving the security and functioning of Cloud4C website, networks and information. To ensure that User receives an excellent user experience and Cloud4C networks and information are secure. Undertaking data analytics, i.e. applying analytics to business operations and data to describe, predict and improve business performance within Cloud4C and/or to provide a better user experience. To ensure the proper functioning of Cloud4C business operations and optimise Cloud4C service offerings. Marketing Cloud4C products and services to User. To ensure the proper functioning and growth of Cloud4C business operations. However, any kind of collection for this purpose will be subject to User's consent and privacy rights. To provide improved website and product experience and communications informed by product subscriptions and/or data collected. Customers billing address, email address, and telephone numbers and prospective clients information - For performance of contract.
- To supply services and manage payments.
- To send statements and invoices, and collect payments.
- To provide commercial quotes.
Employee Name, address, email address, telephone numbers and other personnel information. - where anyone has applied for a position with Cloud4C, to review and process job application
- As an employer, Cloud4C collects User's personal information in order to manage and carry out User's employment with Cloud4C.
- To provide the employment benefits and rewards, perform HR operations and Insurance.
Assess your suitability for employment for the role for which you are applying, as well as future roles that may become available. Justified on the basis of Cloud4C's legitimate interests of ensuring that it recruits the appropriate employees. Manage your application. Justified on the basis of Cloud4C's legitimate interests of ensuring that it recruits the appropriate employees. Perform data analytics, including analysis of our applicant pool in order to better understand who is applying to positions and how to attract and keep top talent. Justified on the basis of Cloud4C's legitimate interests of ensuring that it continually improves its recruitment processes. In some cases, record your online interview for review by additional recruiters and hiring managers. Justified on the basis of Cloud4C's legitimate interests of ensuring that it recruits the appropriate employees. If you register for any position. Justified on the basis of Cloud4C's legitimate interests of ensuring that it recruits the appropriate employees. Transfer your contact information, education data, employment data, application information and the CV, all as supplied by you in our recruitment system, to the Cloud4C Talent acquisition Team. Justified on the basis of Cloud4C's legitimate interests of ensuring that it recruits the appropriate employees. Administration of employee benefits Justified on the basis of Cloud4C's legitimate interests of ensuring that our employees receive the applicable benefits. Perform any legally required reporting and respond to legal process. Compliance with a legal obligation. To share alumni information with other internal Cloud4C systems, specifically our internal sales tool, to contact you with industry relevant information. Justified on the basis of our legitimate interest for ensuring proper communication with, and sending marketing to, our alumni. - Where the above table states that we rely on our legitimate interests for a given purpose, we are of the opinion that our legitimate interests are not overridden by your interests, rights or freedoms, given (i) the transparency we provide on the processing activity.
- In carrying out these purposes, Cloud4C combines data collects from different contexts (from the use of two different services of Cloud4C ) or obtain from third parties to give you a more seamless, consistent, and personalized experience, to make informed business decisions, and for other legitimate purposes.
3.3.DATA MINIMISATION
- Cloud4C shall ensure that personal data are adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
3.4.HOW WE SHARE / DISCLOSE YOUR PERSONAL DATA
Purposes for which Cloud4C may share personal data belonging to the User:
Cloud4C shares / disclose the User's personal data with the User's consent and/or to carry out any transaction and/or provide any service that the User has authorized or requested. Cloud4C also shares/ disclose any such personal data with its wholly owned subsidiaries and affiliates whenever necessary, to optimize Cloud4C's service offerings.
Further, Cloud4C may also share / disclose User's personal data with its vendors/suppliers/third parties when customer or user separately consent to or request such sharing on strict need to know basis, ensuring that such parties are bound by the privacy principles detailed herein and are bound by strict confidentiality obligations.
Lastly, Coud4C shares / disclose the personal data when required by applicable laws/legal mandates and/or in order to respond to any legal process, including but not limited to protection of the rights and property of Cloud4C and its customers.3.5. IN RESPONSE TO THE LAW.
Cloud4C may disclose Customer's information if it required to comply with a law, regulation, or valid legal process. If Cloud4C is going to disclose Customer's information, Cloud4C will provide Customer with a notice unless it is prohibited from doing so under law or under judicial or executive order. Further, Cloud4C may disclose Customer's information without providing customer with a prior notice if it reasonably be required that such disclosure is necessary to prevent imminent and serious harm to a person.
3.6.TO PROVIDE SERVICES AND TO FIX ISSUES.
Cloud4C will provide services as per agreed terms under contract to provide Cloud or other services. This may include applying new product or system versions, patches, updates and upgrades; monitoring and system use and performance; and other issues reported to Cloud4C.
Based on the request raised by the customer, Cloud4C accesses customer setup to resolve particular issue. Cloud4C will use temporary access to fix the issue raised by the Customer within agreed time window.
Cloud4C may share customer personal information with its wholly owned subsidiaries and affiliates whenever necessary, to optimize Cloud4C's service offerings. These includes other companies within the Cloud4C Services Pvt Ltd. such as CtrlS,…etc.
Individual PII We may share personal data with one or all of the following:- Internal Third Parties: these include other companies within the Cloud4C Services Pvt Ltd. such as CtrlS,…etc.
External Third Parties may include:
- Suppliers / Business Partners who we engage to provide services on our behalf, for example payment processors and marketing services companies.
- Authorities who require reporting of processing activities in certain circumstances.
3.7.VENDOR HAVING ACCESS TO PII?
- Service or work involving vendor access to PII include:
A contractor is hired to provide payroll service to assist organization Performance Management system. The potential exists for the contractor to have access to PII of employee such as names, mailing addresses, salary slip, personal telephone numbers, and financial account information. - A vendor or contractor is hired to perform survey on the organization work culture or corporate program to be used by Organization Top Management. Depending on the nature of the survey, the vendor or contractor may have access to PII such as names of the survey respondents, email addresses, etc.
- A contractor is hired to deploy or upgrade physical access control systems (e.g., card swipe entry readers) and Biometric access card. The potential exists for the contractor to have access to any PII collected via the card swipe and thumb impression such as names, Organization ID numbers and finger print.
3.8.STORING YOUR PERSONAL INFORMATION
How long we hold personal information will vary and will depend principally on:
- the purpose for which we are using personal information - we will need to keep the information for as long as is necessary for the relevant purpose, and
- Legal obligations - laws or regulation may set a minimum period for which we have to keep personal information.
- We will ensure that the personal information that we hold is subject to appropriate security measures.
- Access to personal information is limited to personnel who need access and appropriate security should be in place to avoid unauthorized sharing of information.
- When personal data is deleted this should be done safely such that the data is irrecoverable.
- Appropriate back-up and disaster recovery solutions shall be in place.
3.8.1.ARCHIVING / REMOVAL
To ensure that personal data is kept for no longer than necessary as per data classification and applicable law, the Cloud4C implements retention period for each area in which personal data is processed and review this process annually.
The retention period shall consider what data should/must be retained, for how long, and why.3.9.LAWFULNESS OF PROCESSING
Depending on the legislation involved, there may be a number of alternative ways in which the lawfulness of a specific case of processing of PII may be established. It is Cloud4C policy to identify the appropriate basis for processing and to document it, in accordance with the applicable legislation. The main options are described in brief in the following sections.
3.10.CONSENT
Where appropriate, will obtain consent from a PII principal to collect and process their data. In case of children below the age specified in applicable legislation parental consent will be obtained. Transparent information about our usage of their PII will be provided to PII principals at the time that consent is obtained and their rights regarding their data explained, such as the right to withdraw consent. This information will be provided in an accessible form, written in clear language and free of charge.
If the PII is not obtained directly from the PII principal, then this information will be provided to the PII principal within a reasonable period after the data is obtained and definitely within one month.3.11.PERFORMANCE OF A CONTRACT
Where the PII collected and processed is required to fulfil a contract with the PII principal, consent is not required. This will often be the case where the contract cannot be completed without the PII in question, for example, a delivery cannot be made without an address.
3.12.LEGAL OBLIGATION
If the PII is required to be collected and processed in order to comply with applicable law, then consent is not required. This may be the case for some data related to employment and taxation for example, and for many areas addressed by the public sector.
3.13.VITAL INTERESTS OF THE PII PRINCIPAL
In a case where the PII is required to protect the vital interests of the PII principal or of another natural person, then this may be used as the lawful basis of the processing. Cloud4C will retain reasonable, documented evidence that this is the case, whenever this reason is used as the lawful basis of the processing of PII. As an example, this may be used in aspects of social care, particularly in the public sector.
3.14.RIGHTS OF THE PII PRINCIPAL/ INDIVIDUAL/ DATA SUBJECTS
The PII principal also has rights with regard to their PII. These will generally consist of:1.The right to be informed.
2.The right of access.
3.The right to rectification.
4.The right to erasure.
5.The right to restrict processing.
6.The right to data portability.
7.The right to object.
8.Rights in relation to automated decision making and profiling.Each of these rights are supported by appropriate procedures within Cloud4C that allow the required action to be taken within the timescales stated in the applicable privacy legislation.
These rights include:- Obtaining information regarding the processing of personal information and access to the personal information which we hold.
- Please note that there may be circumstances in which we are entitled to refuse requests for access to copies of personal information. In particular, information that is subject to legal professional privilege will not be disclosed other than to our member and as authorized by our member.
- Requesting that we correct personal information if it is inaccurate or incomplete.
- Requesting that we erase personal information in certain circumstances. Please note that there may be circumstances where we erase personal information but we are legally entitled to retain it.
- Objecting to, and requesting that we restrict, our processing of personal information in certain circumstances. Again, there may be circumstances where you object to, or ask us to restrict, our processing of personal information but we are legally entitled to refuse that request.
- Withdrawing your consent, although in certain circumstances it may be lawful for us to continue
processing without your consent if we have another legitimate reason (other than consent) for doing so.
Cloud4C applied appropriate data management data management practice to govern the processing of personnel data. Cloud4C limits the disclosure of personal to authorized persons.
3.15.TASK CARRIED OUT IN THE PUBLIC INTEREST (LAW ENFORCEMENT AGENCIES)
Where Cloud4C needs to perform a task that it believes is in the public interest or as part of an official duty then the PII principal's consent will not be requested. The assessment of the public interest or official duty will be documented and made available as evidence where required.
3.16.LEGITIMATE INTERESTS
If the processing of specific PII is in the legitimate interests of Cloud4C and is judged not to affect the rights and freedoms of the PII principal in a significant way, then this may be defined as the lawful reason for the processing. Again, the reasoning behind this view will be documented.
3.17.PRIVACY BY DESIGN
Cloud4C has adopted the principle of privacy by design and will ensure that the definition and planning of all new or significantly changed systems that collect, or process PII will be subject to due consideration of privacy issues, including the completion of one or more privacy impact assessments.
The privacy impact assessment will include:
- Consideration of how PII will be processed and for what purposes.
- Assessment of whether the proposed processing of PII is both necessary and proportionate to the purpose(s).
- Assessment of the risks to individuals in processing the PII.
- What controls are necessary to address the identified risks and demonstrate compliance with applicable legislation.
Use of techniques such as data minimization and pseudonymisation will be considered where applicable and appropriate, including at the end of processing, and the mechanisms used to achieve them will be documented.
-
4. PII-PERSONAL IDENTIFIABLE INFORMATION- TYPES
-
Personally Identifiable Information (PII) – any information that, by means of use or correlation with other data or information, can be used to uniquely identify an entity. The PII has been categorized by Cloud4C into three types 1. Sensitive PII 2. Highly Sensitive PII 3. Non- Sensitive or Public PII.
4.1.SENSITIVE PII
Sensitive Personal Identifying Information (PII) is defined as information that if lost, compromised, or disclosed could result in substantial harm, inconvenience, or unfairness to an individual.
Sensitive PII include:- Bank account numbers
- Passport information
- Driver's license
- Address
- Employees Dependents Data
4.2.HIGHLY SENSITIVE PII:
- Healthcare related information
- Medical insurance information
- Biometric data: Finger print or voice signatures
- Social security number
- Children's Data (Below 16 Yrs.)
- Government issued IDs
- Social Security Number
- Driver's License Number
- Passport Number
- Personal Banking, Debit, or Credit Card Account Information
Non-sensitive or Public PII is easily accessible from public sources like phonebooks, the Internet, and corporate directories.
4.3.NON-SENSITIVE OR PUBLIC PII:
- Visiting Cards
- Business telephone number
- Business mailing or email address
- The above list contains pieces of information and examples of non-sensitive information that can be released to the public. This type of information cannot be used alone to determine an individual's identity.
However, non-sensitive information, although not delicate, is linkable. This means that non-sensitive data, when used with other personal linkable information, can reveal the identity of an individual.
Cloud4C will ensure that all relationships it enters that involve the processing of PII are subject to a documented contract that includes the specific information and terms required by the applicable legislation, Data Processing Agreement.4.4.INTERNATIONAL TRANSFERS OF PII
Transfers of PII between countries will be carefully reviewed prior to the transfer taking place to ensure that they fall within the limits imposed by the applicable legislation. This depends partly on the relevant authority's judgement (for example in the case of the GDPR, the European Commission) as to the adequacy of the safeguards for PII applicable in the receiving country and this may change over time.
Where an adequacy decision (or similar statement) does not exist for a destination country, an appropriate safeguard such as standard contractual clauses will be used, or a relevant exception identified as permitted under the applicable legislation.4.5.DATA PROTECTION OFFICER
A defined role of Data Protection Officer (DPO) is generally required under privacy legislation if an organization is a public authority, if it performs large scale monitoring or if it processes particularly sensitive types of data on a large scale. The DPO is required to have an appropriate level of knowledge and can either be an in-house resource or outsourced to an appropriate service provider.
Based on these criteria, Cloud4C has appointed the Data Protection Officer.4.6.BREACH NOTIFICATION
It is policy to be fair and proportionate when considering the actions to be taken to inform affected parties regarding breaches of PII. In line with the applicable legislation, where a breach is known to have occurred which is likely to result in a risk to the rights and freedoms of individuals, where required the relevant supervisory authority will be informed within the specified timeframe (for example, for the GDPR within 72 hours, as per new DPDP Act 2023 of India (As it stands today, a data breach is a cyber incident that must be reported to the India Computer Emergency Response Team (CERT-In) within 6 hours of first knowledge about the breach)). This will be managed in accordance with our Information Security and privacy Incident Response Procedure which sets out the overall process of handling information security and privacy incidents.
Under privacy legislation (Law of the land) the relevant authority DP may have the right to impose a range of fines, often based on a percentage of annual worldwide turnover or a specific amount, for infringements of the regulations.4.7.ADDRESSING COMPLIANCE TO APPLICABLE PRIVACY LEGISLATION
The following actions are undertaken to ensure that Cloud4C complies at all times with the accountability principle of privacy legislation within the countries in which it operates:
- The legal basis for processing PII is clear and unambiguous
- A Data Protection Officer is appointed with specific responsibility for data protection in the organization (if required)
- All staff involved in handling PII understand their responsibilities for following good data protection practice
- Training in data protection has been provided to all staff
- Rules regarding consent are followed
- Routes are available to PII principals wishing to exercise their rights regarding PII and such enquiries are handled effectively
- Regular reviews of procedures involving PII are carried out
- Privacy by design is adopted for all new or changed systems and processes
- The following documentation of processing activities is recorded:
- Organization name and relevant details
- Purposes of the PII processing
- Categories of individuals and PII processed
- Categories of PII recipients
- Agreements and mechanisms for transfers of PII to other countries including details of controls in place
- PII retention schedules
- Relevant technical and organizational controls in place
These actions are reviewed on a regular basis as part of the management process concerned with privacy and data protection.
-
5.TECHNICAL & ORGANIZATIONAL MEASURES
-
Organizations that collect, process or use personal data themselves or on behalf of others must take the technical and organizational measures necessary to ensure compliance with the provisions of the data protection laws. The measures must be suitable to adequately protect the personal data according to their nature and category. The measures are only necessary if their effort is in a reasonable relation to the intended protection purpose.
- Organizational management and dedicated staff responsible for the development, implementation, and maintenance of Cloud4C's information security program.
- Audit and risk assessment procedures for the purposes of periodic review and assessment of risks to the Cloud4C organization, monitoring and maintaining compliance with Cloud4C policies and procedures, and reporting the condition of its information security and compliance to senior internal management.
- Maintain Information security policies and make sure that policies and measures are regularly reviewed and where necessary, improve them.
- Communication with Cloud4C applications utilizes cryptographic protocols such as TLS to protect information in transit over public networks. At the network edge, stateful firewalls, web application firewalls, and DDoS protection are used to filter attacks. Within the internal network, applications follow a multi-tiered model which provides the ability to apply security controls between each layer.
- Data security controls which include logical segregation of data, restricted (e.g. role-based) access and monitoring, and where applicable, utilization of commercially available and industry-standard encryption technologies.
- Logical access controls designed to manage electronic access to data and system functionality based on authority levels and job functions, (e.g. granting access on a need-to-know and least privilege basis, use of unique IDs and passwords for all users, periodic review and revoking/changing access promptly when employment terminates or changes in job functions occur).
- Password controls designed to manage and control password strength, and usage including prohibiting users from sharing passwords.
- System audit or event logging and related monitoring procedures to proactively record user access and system activity for routine review.
- Physical and environmental security of data center, server room facilities and other areas containing client confidential information designed to: (i) protect information assets from unauthorized physical access, (ii) manage, monitor and log movement of persons into and out of Cloud4C facilities, and (iii) guard against environmental hazards such as heat, fire and water damage.
- Operational procedures and controls to provide for configuration, monitoring, and maintenance of technology and information systems according to prescribed internal and adopted industry standards, including secure disposal of systems and media to render all information or data contained therein as undecipherable or unrecoverable prior to final disposal or release from Cloud4C possession.
- Change management procedures and tracking mechanisms to designed to test, approve and monitor all changes to Cloud4C technology and information assets.
- Incident / problem management procedures designed to allow to Cloud4C investigate, respond to, mitigate and notify of events related to Cloud4C technology and information assets.
- Network security controls that provide for the use of enterprise firewalls and layered DMZ architectures, and intrusion detection systems and other traffic and event correlation procedures designed to protect systems from intrusion and limit the scope of any successful attack.
- Vulnerability assessment, patch management, and threat protection technologies and scheduled monitoring procedures designed to identify, assess, mitigate and protect against identified security threats, viruses and other malicious code.
- Business resiliency/continuity and disaster recovery procedures, as appropriate, designed to maintain service and/or recovery from foreseeable emergency situations or disasters.
- Formal Vendor Management program, including vendor security reviews for critical vendors to ensure compliance with Cloud4C Information Security Policies.
- A Data Protection Officer (DPO) who is independent, regularly reviews data protection risks and controls.