
Privacy Policy

Thank you for choosing Digital IT Planet. This Privacy Policy outlines how we collect, use, disclose, and safeguard your personal information. We are committed to protecting your privacy and ensuring the security of your personal data.


Purpose

This policy establishes an effective, accountable and transparent framework for ensuring compliance with the requirements of the GDPR (General Data Protection Regulation).


Scope

This policy applies to all IT By Design, Inc. employees and all third parties responsible for the processing of personal data on behalf of Company’s services/entities.


Policy Statement

Company is committed to conducting its business in accordance with all applicable data protection laws and regulations and in line with the highest standards of ethical conduct. This policy sets forth the expected behaviors of Company’s employees and third parties in relation to the collection, use, retention, transfer, disclosure and destruction of any personal data belonging to a Company contact (i.e. the data subject). Personal data is any information (including opinions and intentions) that relates to an identified or identifiable natural person. Personal data is subject to certain legal safeguards and other regulations that impose restrictions on how organizations may process personal data. An organization that handles personal data and makes decisions about its use is known as a Data Controller. Company, as a Data Controller, is responsible for ensuring compliance with the data protection requirements outlined in this policy. Non-compliance may expose Company to complaints, regulatory action, fines and/or reputational damage. Company’s leadership is fully committed to ensuring continued and effective implementation of this policy and expects all Company employees and third parties to share in this commitment. Any breach of this policy will be taken seriously and may result in disciplinary action or business sanction.


Data Protection Officer

To demonstrate our commitment to data protection, and to enhance the effectiveness of our compliance efforts, Company has appointed a Data Protection Officer. The Data Protection Officer operates with independence and is supported by suitably skilled individuals granted all necessary authority. The Data Protection Officer reports to Company’s CEO. The Data Protection Officer’s duties include:

  • Informing and advising Company and its employees who carry out processing pursuant to data protection regulations, national law or European Union-based data protection provisions;
  • Ensuring the alignment of this policy with data protection regulations, national law or European Union-based data protection provisions;
  • Providing guidance with regard to carrying out Data Protection Impact Assessments (DPIAs);
  • Acting as a point of contact for and cooperating with Data Protection Authorities (DPAs);
  • Determining the need for notifications to one or more DPAs because of Company’s current or intended personal data processing activities;
  • Making and keeping current notifications to one or more DPAs because of Company’s current or intended personal data processing activities;
  • The establishment and operation of a system providing prompt and appropriate responses to data subject requests;
  • Informing senior managers, officers, and directors of Company of any potential corporate, civil and criminal penalties that may be levied against Company and/or its employees for violation of applicable data protection

  • Ensuring establishment of procedures and standard contractual provisions for obtaining compliance with this Policy by any third party who:
      • provides personal data to Company or an affiliated entity;
      • receives personal data from Company or an affiliated entity;
      • has access to personal data collected or processed by Company.


Data Protection by Design

To ensure that all data protection requirements are identified and addressed when designing new systems or processes and/or when reviewing or expanding existing systems or processes, each of them must go through an approval process before continuing. Each Company service/entity must ensure that a Data Protection Impact Assessment (DPIA) is conducted, in cooperation with the Data Protection Officer, for all new and/or revised systems or processes for which it has responsibility. The subsequent findings of the DPIA must then be submitted to the CEO for review and approval. Where applicable, the Information Technology (IT) department, as part of its IT system and application design review process, will cooperate with the Data Protection Officer to assess the impact of any new technology uses on the security of personal data.


Compliance Monitoring

To confirm that an adequate level of compliance is being achieved by all Company services/entities in relation to this policy, the Data Protection Officer will carry out an annual data protection compliance audit for all such services/entities. Each audit will, as a minimum, assess:

  • Compliance with policy in relation to the protection of personal data, including: The assignment of
  • The effectiveness of data protection-related operational practices, including: Data subject
  • Raising
  • Personal data
  • Personal data incident
  • Personal data complaints
  • The level of understanding of data protection policies and privacy
  • The currency of data protection policies and privacy
  • The accuracy of personal data being
  • The conformity of data processor
  • The adequacy of procedures for redressing poor compliance and personal data breaches.

The Data Protection Officer, in cooperation with key business stakeholders from each Company service/entity, will devise a plan with a schedule for correcting any identified deficiencies within a defined and reasonable time frame. Any major deficiencies and good practice identified will be reported to, monitored and shared by the Company’s executive team.


Data Protection Principles

Company has adopted the following principles to govern its collection, use, retention, transfer, disclosure and destruction of personal data:

Principle 1: Lawfulness, Fairness and Transparency. Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject. This means that Company must tell the data subject what processing will occur (transparency), the processing must match the description given to the data subject (fairness), and it must be for one of the purposes specified in the applicable data protection regulation (lawfulness).

Principle 2: Purpose Limitation. Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes. This means Company must specify exactly what the personal data collected will be used for and limit the processing of that personal data to only what is necessary to meet the specified purpose.

Principle 3: Data Minimization. Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed. This means Company must not store any personal data beyond what is strictly required.

Principle 4: Accuracy. Personal data shall be accurate and kept up to date. This means Company must have processes in place for identifying and addressing out-of-date, incorrect and redundant personal data.

Principle 5: Storage Limitation. Personal data shall be kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed. This means Company must, wherever possible, store personal data in a way that limits or prevents identification of the data subject.

Principle 6: Integrity & Confidentiality. Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing, and against accidental loss, destruction or damage. Company must use appropriate technical and organizational measures to ensure the integrity and confidentiality of personal data is maintained at all times.

Principle 7: Accountability. The Data Controller shall be responsible for, and be able to demonstrate compliance. This means Company must demonstrate that the six data protection principles (outlined above) are met for all personal data for which it is responsible.


Controlling your personal information

We will not sell, distribute or lease your personal information to third parties unless we have your permission or are required by law to do so. We may use your personal information to send you promotional information about third parties which we think you may find interesting if you tell us that you wish this to happen.


How we use cookies

A cookie is a small file which asks permission to be placed on your computer's hard drive. Once you agree, the file is added and the cookie helps analyse web traffic or lets you know when you visit a particular site. Cookies allow web applications to respond to you as an individual. The web application can tailor its operations to your needs, likes and dislikes by gathering and remembering information about your preferences. We use traffic log cookies to enhance user experience & to identify which pages are being used. This helps us analyse data about webpage traffic and improve our website in order to tailor it to customer needs. We only use this information for statistical analysis purposes. Overall, cookies help us provide you with a better website, by enabling us to monitor which pages you find useful and which you do not. A cookie in no way gives us access to your computer or any information about you, other than the data you choose to share with us. You can choose to accept or decline cookies. Most web browsers automatically accept cookies, but you can usually modify your browser setting to decline cookies if you prefer. This may prevent you from taking full advantage of the website.


Privacy Laws in India

The 2009 amendment to the Information Technology Act introduced basic privacy and data protection provisions. The privacy law in India now requires businesses and websites to apply due care while collecting and dealing with sensitive personal data or information. A civil provision is now available, prescribing damages for an entity that is negligent in using “reasonable security practices and procedures” while handling “sensitive personal data or information”, resulting in wrongful loss or wrongful gain to any person. Further, criminal punishment is also provided for persons who disclose sensitive personal information without the consent of the person or in breach of the relevant contract, with the intention of, or knowing that the disclosure would cause, wrongful loss or gain.


Copyright 2023 Digital IT Planet. All rights reserved.