RSG Media has a longstanding commitment to protecting the confidentiality and integrity of PI/SPI and to complying with all applicable privacy and data protection laws and regulations. The company recognizes that safeguarding and appropriately processing PI/SPI (including PI/SPI of EU data subjects) is important to maintaining stakeholders' trust. Inappropriate or inadvertent disclosure and unlawful processing of PI/SPI can damage the company's reputation and may expose the company to significant legal and regulatory liabilities.
This policy sets forth the general principles which underlie RSG Media's specific practices for collecting, disclosing, storing, retaining, disposing of, accessing, transferring or otherwise processing PI/SPI in order to comply with the General Data Protection Regulation and local privacy laws and regulations.
This policy applies to all associates of the company that collect and/or process PI/SPI (including PI/SPI of EU residents and citizens) and clients/customers whose PI/SPI is processed by RSG Media. Processing of PI/SPI includes any operation which is performed upon PI/SPI, such as collecting, recording, organizing, storing, adapting or altering, retrieving, consulting, using, transferring, disclosing through transmission, disseminating or otherwise making available, aligning or combining, blocking, erasing or destroying.
This policy also anchors the company’s privacy framework regarding PI/SPI, which also includes adherence to other privacy policies and procedures defined for RSG Media. Compliance with the policy is vital to avoid inappropriate, inadvertent, or unlawful disclosure of PI/SPI.
Data Subject – means a natural person who is the subject of certain personal information or whose information is being collected.
Associate – means an employee, officer, director, third party, contractual employee, intern, job candidate, end customer or any other representative of the Company.
Personal information (PI) – means any information relating to an identified or identifiable living person ("data subject"). An identifiable living person is one who can be identified, directly or indirectly, from the data items, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Special categories of personal data / Sensitive Personal Information (SPI) – means personal information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, or data concerning a natural person's sex life or sexual orientation.
Breach – means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.
Processing – means any operation or set of operations which is performed on personal information or on sets of personal information, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, combination, restriction, erasure or destruction.
Profiling – means any form of automated processing of personal information consisting of the use of personal information to evaluate certain personal aspects relating to a person, in particular to analyze or predict aspects concerning that person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
Data Controller – means the individual, company, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal information. In some cases, the purposes and means of processing are determined by Union or Member State law.
Data Processor – in relation to personal information, means any person (other than an employee of the Data Controller) who processes the personal information on behalf of the Data Controller.
Disclosure – means rendering personal information accessible, for example by allowing access to it, or by transferring, distributing or publishing it.
Data Subject Right request – means any request received by the firm from a Data Subject, or from another individual or legal entity, who wishes to receive a copy of all the personal information that the firm is processing about them.
European Economic Area (EEA) – the European Union plus Norway, Liechtenstein and Iceland.
Personal profile – means a collection of data that allows the appraisal of fundamental characteristics of the personality of an individual.
Consent – of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which they, through a statement or using a clear affirmative action, signify agreement to the specific processing of personal information relating to them.
Third party – means a natural or legal person, public authority, agency or body other than the data subject, controller, processor, and persons who, under the direct authority of the controller or processor, are authorized to process personal information.
Cross-border processing – means either:
(a) processing of personal information which takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the Union, where the controller or processor is established in more than one Member State; or
(b) processing of personal information which takes place in the context of the activities of a single establishment of a controller or processor in the Union, but which substantially affects or is likely to substantially affect data subjects in more than one Member State.
1.4 Consequences of Non-Compliance
Non-compliance with the mandatory requirements of privacy law / GDPR may lead to regulatory penalties (where applicable). It is therefore imperative that the organization abides by all the key requirements of the regulation.
1.5 Unanticipated Situations
This policy does not anticipate every situation that may arise within RSG Media. Therefore, all users are encouraged to consider carefully the actions they take and to contact the Privacy Officer or legal if they have any questions, concerns or suggestions relating to this policy.
2 Privacy Statement
3 Regulatory Requirements
RSG Media is subject to, and must comply with, the following privacy laws and regulations:
3.1 Information Technology Act, which requires:
- clear and easily accessible statements of its practices and policies;
- type of personal or sensitive personal data or information collected;
- purpose of collection and usage of such information;
- disclosure of information including sensitive personal data or information; and
- reasonable security practices and procedures.
3.2 General Data Protection Regulation (GDPR)
The regulation lays down rules relating to the protection of natural persons (EU residents and citizens) with regard to the processing of PI/SPI and rules relating to the free movement of PI/SPI. The regulation aims to protect the fundamental rights and freedom of natural persons and in particular their right to the protection of PI/SPI.
3.3 Other local or company/industry specific privacy laws and regulations
If the privacy laws or regulations of a country where RSG Media operates establish standards that are higher than, or conflict with, those established under this policy, the privacy team will ensure compliance with whichever regulation or policy imposes the more stringent data protection and security controls.
4 Privacy Framework
The above figure highlights the privacy framework of RSG Media. The key components of the privacy framework are as follows:
- Process Management;
- Privacy Assessment;
- Communication and Training; and
- Monitoring and Evaluation
Through the privacy framework, RSG Media intends to achieve the following:
- Enhancing customer trust;
- Complying with legal and regulatory requirements;
- Gaining competitive advantage; and
- Ensuring security of PI/SPI.
4.1 Process Management
4.1.1 Privacy Principles
These privacy principles (the "Principles") are designed to ensure that all associates/clients/customers are aligned with a single set of privacy standards. The Principles establish procedures and safeguards to protect the confidentiality of PI/SPI and ensure that it is shared only on a "need to know" basis.
RSG will adhere to the following privacy principles:
4.1.1.1 Notice and Consent
- Notice: Prior to collecting PI/SPI from associates/clients/customers, the company will notify them of the company's privacy policies and practices (as applicable), the purposes of collecting the PI/SPI, its usage, retention and disclosure, and the contact details of the Privacy Officer; and
- Choice and Consent: Prior to collecting PI/SPI from associates/clients/customers, the company will obtain their explicit consent.
In cases where RSG Media is involved in collection of the PI/SPI (including PI/SPI of EU residents and citizens) directly from the data subjects/associates/clients/customers, RSG Media shall ensure the following:
- Provide associates/clients/customers, as applicable, with a privacy notice before or during the collection of PI/SPI, and at any other time as prescribed by applicable law, and update relevant privacy notices if the business changes the manner in which PI/SPI is used, shared, or processed. The privacy team must draft, review, and approve the language of any privacy notice prior to its use;
- Obtain consents from associates/clients/customers, in a manner and form required by applicable law, before processing PI/SPI, using PI/SPI in a manner that is inconsistent with any privacy notice previously provided, and/or marketing RSG Media’s goods or services;
- Stop processing an individual’s PI/SPI within the time required by applicable local law if the individual withdraws consent or objects to the processing; and
- Provide associates/clients/customers with access to their PI/SPI for review and update, which may include maintaining an easy and secure way for individuals to contact RSG Media, obtain copies of their records, and submit requests to modify, update, or erase their PI/SPI. All individual requests should be fulfilled within the time period required by applicable local law.
Refer: RSG Media_Notice and Consent Template
4.1.1.2 Collection Limitation
The company will collect PI/SPI of associates/clients/customers only for the purposes identified in the notice. Any such information shall be obtained by lawful and fair means and, where appropriate, with notice to, or consent of, the client/customer or associate concerned.
Additionally, the company will follow the principle of data minimization and will collect only PI/SPI that is limited to, and relevant for, the purpose for which it is processed.
4.1.1.3 Use Limitation
PI/SPI of associates/clients/customers will not be made available or otherwise used for any purpose other than what was agreed with that individual at the time of data collection. The purpose for which PI/SPI is used will be clearly articulated in the process SOP for the respective function.
Associates/clients/customers will be given access to the PI/SPI that the company has gathered or stored in its systems (where required), and will be given an opportunity to correct it, so that they are assured their PI/SPI is accurate. RSG Media will erase, rectify, complete or amend the PI/SPI in response to a justified request.
Associates/clients/customers may request RSG Media to review, correct, update, suppress or otherwise modify their PI/SPI. All such requests will be routed through the Privacy Officer. The privacy manager, in consultation with the Privacy Officer and the respective function, will support the closure of the request.
Refer: RSG Media_Data Subject Rights Procedure for more details
The company will protect the PI/SPI that it handles with appropriate technical and organizational safeguards against internal and external security threats, such as loss of confidentiality or integrity, unauthorized destruction, unauthorized use, or other misuse. To protect against the risk that PI/SPI may be compromised by such threats, the company relies on the following information protection safeguards:
- Technical safeguards: firewalls, antivirus, logs, encryption, pseudonymization, etc.
- Administrative safeguards: IT security policies and standards, incident management procedure, training, etc.
- Physical safeguards: CCTV cameras, employee ID badges, access controls, etc.
4.1.1.4 Disclosure to Third Party
The company will disclose PI/SPI of associates/clients/customers to a third party only for the purposes identified in the notice and only with the explicit consent of the associates/clients/customers. This may require RSG Media to transfer the PI/SPI to countries other than those in which it operates. For every new engagement with a third party, or renewal of an existing engagement, where PI/SPI is disclosed to the third party, the following must be ensured:
- The risk exposure of the third party is evaluated;
- Initial due diligence is conducted; and
- Privacy and data protection provisions are included in the agreement.
Additionally, an ongoing due diligence process must be in place for third parties handling PI/SPI of associates/clients/customers (including PI/SPI of EU residents/citizens).
RSG Media Third Party Privacy Framework
The company will adopt a general policy of transparency about its developments, practices and policies with respect to PI/SPI.
The company will keep PI/SPI as accurate, complete and up to date as is necessary for the purpose for which it is processed, and will provide appropriate channels for doing so.
4.1.1.5 Retention and Disposal
The company will retain PI/SPI in a form that permits identification for no longer than is necessary for the fulfilment of the stated purpose. RSG Media will also retain and use associates'/clients'/customers' PI/SPI as necessary to comply with legal obligations, resolve disputes and enforce agreements, after which it will be disposed of securely.
Each RSG Media function must have policies, procedures and internal controls in place to comply with the recordkeeping requirements established by applicable privacy laws and regulations. Records maintained should, at a minimum, include those relating to data protection impact assessments, privacy notices, consents, privacy complaints, third party relationships (including all due diligence performed on the third party), cross-border data transfers (including any data transfer agreements or other valid transfer mechanism), and any regulatory or customer notification related to a data breach. All such records and supporting documentation must be maintained in an auditable manner and be readily retrievable for the period defined in the Data Retention Policy of RSG Media.
Refer: RSG Media_Data Retention Policy
The company is accountable for complying with the measures that give effect to the principles stated above. RSG Media understands its accountability for PI/SPI under its control as a data controller and processor; accordingly, it will:
- Maintain appropriate instructions, guidelines and other measures so that it can demonstrate that the processing of PI/SPI is performed, and PI/SPI is managed, in compliance with this policy;
- Designate the individual or individuals who are accountable for RSG Media's compliance with the privacy principles; and
- Ensure the availability of the required policies, procedures and contacts for the management of PI/SPI, these being reviewed at a minimum annually, or whenever a change warrants it.
RSG Media_Privacy Governance Structure
4.1.2 Cross Border Data Transfer
When conducting business, working on company projects, or implementing new processes or systems, RSG Media may need to transfer PI/SPI to other RSG Media entities or to third parties located outside RSG Media's country of business. RSG Media shall develop a standardized approach to protecting data that moves across borders. RSG Media shall adopt technical and administrative controls suited to cross-border data flows, so that they act as an accountability framework for information management as a whole and provide natural checkpoints for each step of an international transfer.
RSG Media_Standard Contractual Clauses
4.1.3 Privacy Incident Management
Privacy incident management establishes the requirements for monitoring and responding to potential privacy incidents involving PI/SPI, in accordance with this policy, and assists associates/clients/customers in understanding their roles and responsibilities in addressing privacy incidents. Privacy incident management covers the following:
- Associates/clients/customers must be able to detect and report a privacy incident when it occurs within the operational infrastructure and results in a deviation from normal services.
- The privacy team, in consultation with the Privacy Officer, will regularly update all associates/clients/customers on privacy incidents and breaches taking place across the globe and their relevance to the company's environment, by means of privacy training, emails, posters, etc.
- All privacy incidents shall be reported to the Privacy Officer through the mail ID <TBU>.
- All privacy incidents shall be recorded and tracked.
Refer: RSG Media_Privacy Incident – Breach Management Procedure.
4.2 Privacy Assessment
4.2.1 PI Inventory and Data Protection Impact Assessment
As RSG Media processes PI/SPI (including PI/SPI of EU residents and citizens), and as technology continues to evolve, it is vital that the company finds ways to integrate privacy into the design phase of projects. A PI inventory and data protection impact assessments (DPIAs) are essential components of a privacy compliance program. RSG Media will prepare a PI inventory and conduct DPIAs for the privacy-related risks applicable to RSG Media.
RSG Media will adopt the following approach:
- Identify relevant functions;
- Prepare PI inventory and roll out DPIA questionnaire;
- Identify the risks and develop mitigation strategies; and
- Monitor closure of identified actions.
The Privacy Officer will coordinate with the relevant functions to ensure that the PI inventory and DPIAs are prepared and conducted as per the defined methodology.
Refer: RSG Media_Data Protection Impact Assessment Procedure
4.3 Communication and Training
4.3.1 Training and awareness
RSG Media will ensure adequate awareness of data privacy, its importance and its implications through a targeted and relevant training program for all its associates/clients/customers, in order to reduce the risk of a privacy breach. The Privacy Officer will monitor that all employees, and the relevant associates/clients/customers who process PI/SPI, undergo the privacy awareness program as per the defined policies and procedures.
4.4 Monitoring and Evaluation
Enforcement and redressal: RSG Media shall provide robust mechanisms for assuring compliance with the Principles, and shall address grievances and/or provide recourse for individuals who are affected by non-compliance with the Principles and the guidelines laid down in this policy.