1. Data Privacy Policy
1.1. Objective
The purpose of this policy is to maintain the privacy and protect the personal information of employees,
contractors, vendors, interns, associates, customers and business partners of Tata Steel Downstream Products
Limited and ensure compliance with laws and regulations applicable to Tata Steel Downstream Products Limited
(hereafter referred to as “TSDPL” or “the organization”).
1.2. Scope
This policy is applicable to all TSDPL employees, contractors, vendors, interns, associates, customers and business
partners who may receive personal information, have access to personal information collected or processed, or
who provide information to TSDPL, regardless of geographic location.
All employees of TSDPL are expected to support the privacy policy and principles when they collect and / or
handle personal information, or are involved in the process of maintaining or disposing of personal information.
This policy sets out the requirements for meeting the organization’s commitment to data privacy.
All partner firms and any Third Party working with or for TSDPL, and who have or may have access to personal
information, are expected to have read, understood and complied with this policy. No Third Party may access
personal information held by the organization without having first entered into a confidentiality agreement.
1.3. Responsibilities
The owner of the Data Privacy Policy shall be the Data Privacy Officer. The Data Privacy Officer shall be
responsible for the maintenance and accuracy of this policy. Any queries regarding the implementation of this Policy
shall be directed to the Data Privacy Officer. This policy shall be reviewed for updates by the Data Privacy Officer on
an annual basis.
1.4. Data Privacy Principles
This Policy describes the Generally Accepted Privacy Principles (GAPP) for the protection and appropriate use of
personal information at TSDPL. These principles shall govern the collection, use, disposal and transfer of personal
information, except as specifically provided by this Policy or as required by applicable laws:
- Choice and Consent: TSDPL shall give data subjects choices and obtain their consent regarding how it collects, uses, and discloses their personal information.
- Rights of the Data Subject: TSDPL acknowledges the data subject’s rights of access, rectification, erasure, restriction of processing, data portability and objection to the processing of personal data. These rights are not absolute; they are subject to contract, applicable legislation, record-keeping requirements under applicable statutes, ongoing disputes, and potential disputes TSDPL may foresee.
- Collection: TSDPL shall collect personal information from data subjects only for the purposes identified in the privacy notice / SoW / contract agreements, namely:
  - to provide a smooth, efficient and customized experience;
  - to enable TSDPL to reach out to data subjects in relation to programmes it manages or products or services it offers;
  - to enable TSDPL to improve its products and services;
  - to process data subjects’ requests (such as replying to queries or complaints);
  - to evaluate candidature for prospective career opportunities with TSDPL;
  - to run marketing campaigns and promotional communications to which the data subject has consented;
  - to protect TSDPL’s vital interests.
- Use, Retention and Disposal: TSDPL shall use personal information only for the purposes identified in the privacy notice / SoW / contract agreements and in accordance with the consent provided by the data subject. TSDPL shall not retain personal information longer than is necessary to fulfil the purposes for which it was collected and to maintain reasonable business records. TSDPL shall dispose of personal information once it has served its intended purpose or as specified by the data subject.
- Access: TSDPL shall allow data subjects to make inquiries regarding the personal information that TSDPL holds about them and, when appropriate, shall provide access to their personal information for review and/or update.
- Disclosure to Third Parties: TSDPL shall disclose personal information to Third Parties / partner firms only for purposes identified in the privacy notice / SoW / contract agreements. TSDPL shall disclose personal information in a secure manner, with assurances of protection by those parties according to the applicable contracts, laws and other requirements, and, where needed, with the consent of the data subject. TSDPL does not market or sell personal data to any third party.
- Obligations for Sub-processors: Where a processor (a vendor or third party processing personal data on behalf of TSDPL as controller) engages another processor (a Sub-processor) to carry out specific processing activities on behalf of TSDPL, the same data protection obligations as set out in the contract or other legal act between TSDPL and the processor shall be imposed on the Sub-processor by way of a contract or other legal act.
- Security for Privacy: TSDPL is committed to protecting the personal data in its custody. TSDPL shall take reasonable steps to ensure that appropriate physical, technical and managerial safeguards are in place to protect personal data from unauthorized access, alteration, transmission, deletion, data leakage and misuse.
- Monitoring and Enforcement: TSDPL shall monitor compliance with its privacy policies, both internally and with Third Parties, and establish the processes to address inquiries, complaints and disputes.
1.5. Notice
Notice shall be made readily accessible and available to data subjects before or at the time of collection of
personal information; where this is not possible, notice shall be provided as soon as practical thereafter.
Notice shall be provided and shall be displayed clearly and conspicuously.
1.6. Choice and consent
Choice refers to the options the data subjects are offered regarding the collection and use of their personal
information. Consent refers to their agreement to the collection and use, often expressed by the way in which
they exercise a choice option.
- TSDPL shall establish systems for the collection and documentation of data subject consents to the collection, processing, and/or transfer of personal data.
- Data subjects shall be informed about the choices available to them with respect to the collection, use, and disclosure of personal information.
- Consent shall be obtained (in writing or electronically) from the data subjects before or at the time of collecting personal information or as soon as practical thereafter.
- Changes to a data subject’s preferences shall be managed and documented. Consent, and any withdrawal of consent, shall be documented appropriately.
- The choices shall be implemented in a timely fashion and respected. If personal information is to be used for purposes not identified in the notice / SoW / contract agreements at the time of collection, the new purpose shall be documented, the data subject shall be notified, and consent shall be obtained prior to such new use or purpose.
- The data subject shall be notified if the data collected is used for marketing purposes, advertisements, etc.
1.7. Collection of Personal Information
Personal information may be collected online or offline. Regardless of the collection method, the same privacy protection shall apply to all personal information.
- Personal information shall not be collected unless at least one of the following conditions is fulfilled:
  - the data subject has provided valid, informed and freely given consent;
  - processing is necessary for the performance of a contract to which the data subject is a party, or in order to take steps at the request of the data subject prior to entering into a contract;
  - processing is necessary for compliance with the organization’s legal obligations;
  - processing is necessary in order to protect the vital interests of the data subject; or
  - processing is necessary for the performance of a task carried out in the public interest.
- Data subjects shall not be required to provide more personal information than is necessary for the provision of the product or service that the data subject has requested or authorized. If any data not needed for providing a service or product is requested, such fields shall be clearly labelled as optional. Collection of personal information shall be avoided or limited when reasonably possible.
- Personal information shall be de-identified when the purposes of data collection can be achieved without personally identifiable information, at reasonable cost.
- When using vendors to collect personal information on behalf of TSDPL, TSDPL shall ensure that the vendors comply with the privacy requirements of TSDPL as defined in this Policy.
- The project team / support function shall obtain approval from the IT Security team before adopting new methods for collecting personal information electronically.
- TSDPL shall review the privacy policies and collection methods of Third-Parties before accepting personal information from Third-Party data sources.
1.8. Use, Retention and Disposal
- Personal information may be used only for the purposes identified in the notice / SoW / contract agreements and only if the data subject has given consent.
- Personal information shall be retained for as long as necessary for business purposes identified in the notice / SoW / contract agreements at the time of collection or subsequently authorized by the data subjects.
- When the use of personal information is no longer necessary for business purposes, a method shall be in place to ensure that the information is destroyed in a manner sufficient to prevent unauthorized access to that information or is de-identified in a manner sufficient to make the data non-personally identifiable.
- TSDPL shall have a documented process to communicate to data subjects any changes, required by the business, in the retention periods of their personal information; data subjects are entitled to request such changes.
- Personal information shall be erased if its storage violates any of the data protection rules, or if the data is no longer required by TSDPL or for the benefit of the data subject. TSDPL may nonetheless retain personal information for legal and regulatory purposes, as permitted by applicable data privacy laws.
- TSDPL shall perform an internal audit on an annual basis to ensure that personal information collected is used, retained and disposed of in compliance with the organization’s data privacy policy.
1.9. Access
TSDPL shall establish a mechanism to enable and facilitate the exercise of data subjects’ rights of access, blocking,
erasure, objection and rectification, and, where appropriate or required by applicable law, a system for giving notice
of inappropriate exposure of personal information.
- Data subjects shall be entitled to obtain details of their own personal information upon a written request. TSDPL shall respond to a request within 72 hours of receipt of the written request.
- The data subjects shall have the right to require TSDPL to correct or supplement erroneous, misleading, outdated, or incomplete personal information.
- Requests for access to or rectification of personal information shall be directed, at the data subject’s option, to the manager of the project team or support function responsible for the personal information.
- The privacy coordinators shall record and document each access request as it is received and the corresponding action taken.
- TSDPL shall provide personal information to data subjects in a plain, intelligible format (not in coded form).
1.10. Disclosure to Third Parties
Data subjects shall be informed in the privacy notice / SoW / contract agreement if personal information is to be
disclosed to Third Parties / partner firms, and it shall be disclosed only for the purposes described in the privacy
notice / SoW / contract agreements and for which the data subject has provided consent.
- Personal information of data subjects may be disclosed to the Third Parties / partner firms only for reasons consistent with the purposes identified in the notice / SoW / contract agreements or other purposes authorized by law.
- TSDPL shall notify the data subjects prior to disclosing personal information to Third Parties / partner firms for purposes not previously identified in the notice / SoW / contract agreements.
- TSDPL shall communicate the privacy practices, procedures and the requirements for data privacy and protection to the Third Parties / partner firms.
- Third Parties / partner firms shall sign an NDA (Non-Disclosure Agreement) with TSDPL before any personal information is disclosed to them. The NDA shall include terms on the non-disclosure of customer information.
1.11. Security
- Information security policy and procedures shall be documented and implemented to ensure reasonable security for personal information collected, stored, used, transferred and disposed of by TSDPL.
- Information asset labelling and handling guidelines shall include controls specific to the storage, retention and transfer of personal information.
- Management shall establish procedures that maintain the logical and physical security of personal information.
- Management shall establish procedures that ensure protection of personal information against accidental disclosure due to natural disasters and environmental hazards.
- Incident response protocols shall be established and maintained in order to deal with incidents concerning personal data or privacy practices.
- Individuals noticing or becoming aware of any breach of personal data shall notify the DPO (by email to itsecurity@tsdpl.in) within 2 hours. It shall be the DPO’s responsibility to analyse and act on the notification within 12 hours, in accordance with the Breach Management Policy (wherever applicable).
1.12. Quality
TSDPL shall maintain data integrity and quality, as appropriate for the intended purpose of personal data
collection and use, and ensure that data is reliable, accurate, complete and current.
- For this purpose, the data privacy officer and privacy coordinators shall have systems and procedures in place to ensure that personal information collected is accurate and complete for the business purposes for which it is to be used.
1.13. Monitoring and enforcement
1.13.1. Dispute Resolution and Recourse
TSDPL shall define and document an Incident and Breach Management policy which addresses the privacy related
incidents and breaches.
- The incident and breach management program shall include a clear escalation path up to executive management, legal counsel, and the board, based on the type and/or severity of the privacy incident / breach. It shall define a process to register all incidents, complaints and queries related to data privacy.
- TSDPL shall perform a periodic review of all complaints related to data privacy to ensure that all complaints are resolved in a timely manner and that resolutions are documented and communicated to the data subjects.
- An escalation process for unresolved complaints and disputes shall be designed and documented.
- Communication of privacy incident / breach reporting channels and the escalation matrix shall be provided to all the data subjects.
1.13.2. Dispute Resolution and Escalation Process for Employees
Employees with inquiries or complaints about the processing of their personal information shall first discuss the
matter with their immediate supervisor. If the employee does not wish to raise an inquiry or complaint with an
immediate manager, or if the manager and employee are unable to reach a satisfactory resolution of the issues
raised, the employee shall bring the issue to the attention of the Grievance Officer (email: itsecurity@tsdpl.in).
1.13.3. Dispute Resolution and Escalation Process for Customer / Third Party
Customers / Third Parties with inquiries or complaints about the processing of their personal information shall bring
the matter to the attention of the Grievance Officer in writing. Any disputes concerning the processing of the
personal information of non-employees shall be resolved through arbitration.
1.13.4. Compliance Review
Privacy Review Team shall conduct an internal audit annually (at minimum) to ensure compliance with the established privacy policies and applicable laws.
- The internal audit shall consist of the review of the following:
- personal information collected from data subjects;
- the purposes of the data collection and processing;
- the actual uses of the data;
- disclosures made about the purposes of the collection and use of such data;
- the existence and scope of any data subject consents to such activities;
- any legal obligations regarding the collection and processing of such data, and
- the scope, sufficiency, and implementation status of security measures.
- The Privacy Review Team shall document all instances of non-compliance with privacy policies and procedures and report them to the Privacy Management Committee.
The Data Privacy Officer along with Privacy Coordinators shall take actions on the findings from the internal audit
and work on the recommendations for improvement of the privacy posture.
- Any changes made to the policies shall be communicated to all the employees, the stakeholders and the customers / clients.