Employee Privacy Policy - Template, Sample Form Online Pro · IN-law

EMPLOYEE PRIVACY POLICY

(Formulated in accordance with the Digital Personal Data Protection Act, 2023, the Information Technology Act, 2000 and the rules framed thereunder)

This Employee Privacy Policy ("Policy") is effective from ________ ("Effective Date") and is issued by ________, a company incorporated under the Companies Act, 2013 having its registered office at ________ and bearing Corporate Identity Number (CIN) ________, together with its subsidiaries and joint ventures over which it exercises management control ("We", "Us", "Our", "Company"). This Policy applies to all Employees engaged to provide services to the Company.

The Company is committed to protecting the privacy and security of all personal data and to complying with the Digital Personal Data Protection Act, 2023 ("DPDP Act"), the Information Technology Act, 2000, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 and all other applicable data protection and privacy legislation within each jurisdiction in which We operate.

§ 1. DEFINITIONS

1.1. "Data Principal / Data Subject" means the Employee to whom the Personal Data relates and who can be identified by reference to such data.

1.2. "Data Fiduciary" means the Company, which alone or in conjunction with others determines the purpose and means of Processing of Personal Data.

1.3. "Employee" means all employees, directors, officers and board members of the Company, and for the purposes of this Policy also includes consultants, retainers and individual contractors engaged by the Company, notwithstanding that they may not be employees in the strict sense.

1.4. "Personal Data" means any data about a natural person who is identifiable by or in relation to such data, including name, a unique identification number, location data, an online identifier or any one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

1.5. "Sensitive Personal Data" means Personal Data such as financial information, biometric data, health information, and information relating to caste, religion or sexual orientation, as recognised under applicable law.

Lorem ipsum dolor sit amet consectetur adipiscing elit sed do eiusmod tempor incididunt ut labore et dolore magna aliqua ut enim ad minim veniam quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat duis aute irure dolor in reprehenderit voluptate.

1.7. "Third Party" means any person or entity other than the Company or an affiliate of the Company.

1.8. "Data Protection Officer" or "Grievance Officer" means the person designated by the Company under § 10 to address queries and grievances relating to the Processing of Personal Data.

§ 2. PERSONAL DATA COLLECTED

In order to meet its statutory, regulatory, contractual and other obligations, the Company collects and Processes the following categories of Personal Data of Employees to protect the legitimate interests of both the Company and its Employees:

(a). Personal information such as date of birth, age, marital status, place of birth, nationality and mother tongue.

(b). Contact information (e.g., name, address, telephone number and email address).

(c). Gender of the Employee.

(d). Caste and religion, where required for compliance with applicable law or affirmative-action obligations.

(e). Nominee and beneficiary information.

(f). Recruitment and selection information, including skills and experience, qualifications, references, curriculum vitae, and interview and assessment data.

(g). Previous employment records.

(h). Aadhaar, PAN or other Government-issued identification numbers, collected and used strictly in accordance with the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 and applicable law.

(i). Photographs and specimen signatures.

(j). Emergency contact details.

(k). Access card and entry details.

(l). Regulatory information, including records of registration with any applicable regulatory authority, regulated status, criminal-record or credit-background checks where lawful and necessary, and regulatory certificates and references.

(m). Remuneration information, including salary, hourly/contract pay or fees, allowances, overtime, bonus and commission, leave payments, bank account details, grade, tax information, expense claims and payment information.

(n). Leave and management information, including attendance and absence records, holiday dates, requests and approvals, statutory leave, details of incapacity and reasonable adjustments, manager and Human Resources communications, performance improvement plans and return-to-work interviews.

(o). Monitoring information (to the extent authorised by applicable law), including Closed Circuit Television (CCTV) footage, system and building login and access records, and download and print records.

(p). Call or meeting records and information captured by IT security programmes and filters.

(q). The work output of the Company's Employees, whether in paper, electronic or any other format, which belongs to the Company and, together with the tools used to generate such output, remains subject to review and monitoring by the Company in accordance with applicable law.

(r). Health information, including information about short- or long-term disabilities or illnesses disclosed by the Employee, particularly in relation to any leave of absence.

§ 3. HOW THE DATA IS COLLECTED AND LAWFUL BASIS

3.1. The Company may collect the aforesaid Personal Data directly from the Employee, from references nominated by the Employee, and from other lawful sources.

3.2. The Company may also collect Personal Data from Third Parties, subject to the requirements of applicable law.

3.3. In accordance with the DPDP Act, the Company Processes Personal Data on the basis of (i) the consent of the Employee, freely given, specific, informed, unconditional and unambiguous, obtained through a clear affirmative action; and/or (ii) certain legitimate uses recognised under the DPDP Act, including for purposes of employment and to safeguard the Company from loss or liability.

3.4. At or before the time of collection, the Company shall provide to the Employee a notice in accordance with Section 5 of the DPDP Act, specifying the Personal Data sought to be collected, the purpose of Processing, the manner of exercising rights, and the manner of making a complaint to the Data Protection Board of India.

§ 4. PURPOSE OF COLLECTING PERSONAL DATA

The Company uses the Employee's Personal Data for internal business purposes, including for establishing, managing and terminating the employment relationship, namely:

(a). To authenticate the Employee's identity.

(b). To determine eligibility for initial employment, including verifying references and qualifications.

(c). To administer pay, statutory benefits and contributions (including provident fund, gratuity and employees' state insurance, where applicable).

(d). To process Employee work-related claims, including workmen's compensation and insurance claims.

(e). To establish training and development requirements.

(f). To conduct performance reviews and determine performance requirements.

(g). To assess qualifications for a particular job or task.

(h). To gather evidence for disciplinary action or termination.

(i). To identify a contact point in the event of an emergency.

(j). To comply with applicable labour laws, the Code on Wages, 2019, the Code on Social Security, 2020 and other applicable laws.

(k). To ensure Employee safety and to protect the confidential information of the Company.

(l). For any other purpose required by the Company in connection with the employment, and consistent with this Policy.

§ 5. DISCLOSURE OF PERSONAL DATA TO THIRD PARTIES

5.1. The Company ensures that Personal Data is accessed only by those who genuinely require it to perform their tasks and duties, and by Third Parties having a legitimate purpose for accessing it.

5.2. The Company may share Personal Data with employees, contractors, consultants and service providers (acting as Data Processors) who require the data to assist the Company to establish, manage or terminate the employment, including parties that provide products or services to or on behalf of the Company, subject to binding contractual obligations of confidentiality and data protection.

5.3. If the Company undergoes a corporate sale, merger, reorganisation, dissolution or similar event, Personal Data may be transferred in connection with such event, provided that any acquirer or successor is bound by appropriate agreements and may use or disclose the Personal Data only in a manner consistent with this Policy, unless the Employee consents otherwise.

5.4. The Company may also disclose Personal Data to a Third Party in the following circumstances:

(i). where the Company in good faith believes it is compelled by any applicable law, regulation, legal process or order of a court, tribunal or Government authority;

(ii). where necessary to exercise, establish or defend legal rights, including to enforce the Company's agreements and policies;

(iii). to protect the Company's rights or property;

(iv). to protect the Company, its customers or the public from harm or illegal activities;

(v). to respond to an emergency which the Company in good faith believes requires disclosure of data to prevent harm; or

(vi). with the consent of the Employee.

5.5. Any transfer of Personal Data outside India shall be undertaken only in accordance with Section 16 of the DPDP Act and any restrictions notified by the Central Government from time to time.

§ 6. SECURITY AND DATA INTEGRITY

6.1. The Company implements reasonable security safeguards consistent with Section 8(5) of the DPDP Act and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, including access controls, firewalls, network intrusion detection and the use of anti-virus software, to protect Personal Data both online and offline against breach.

6.2. Notwithstanding the above, no system involving transmission of information via the internet or electronic storage is wholly secure, and the Company cannot be held responsible for breaches occurring outside its reasonable control. In the event of a personal data breach, the Company shall comply with all applicable laws, including taking reasonable measures to mitigate harm and notifying the Data Protection Board of India and the affected Employee in the manner and within the timelines prescribed under the DPDP Act and rules framed thereunder.

§ 7. EMPLOYEE (DATA PRINCIPAL) RIGHTS

Lorem ipsum dolor sit amet consectetur adipiscing elit sed do eiusmod tempor incididunt ut labore et dolore magna aliqua ut enim ad minim veniam quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat duis aute irure dolor in reprehenderit voluptate velit esse cillum dolore eu fugiat nulla pariatur lorem ipsum dolor sit amet consectetur adipiscing elit sed do eiusmod tempor incididunt ut.

7.2. Access, correction, amendment or deletion may be declined where doing so would be disproportionate to the privacy risks involved, where the rights of other persons would be infringed, or where retention is required under applicable law. To exercise any such right, the Employee may contact the Company at the contact details set out in § 10.

7.3. The Employee may withdraw consent at any time, with the same ease with which it was given, it being clarified that such withdrawal shall not affect the lawfulness of Processing carried out prior to withdrawal nor relieve the Employee of obligations arising under applicable law.

7.4. If Personal Data is to be used for a purpose materially different from that described in this Policy, or disclosed to a Third Party not acting as the Company's Data Processor, the Company shall give the Employee an opportunity to opt out of such materially different use or disclosure.

§ 8. RETENTION OF PERSONAL DATA

8.1. The Company shall retain Personal Data only for so long as is necessary to fulfil the purposes set out in this Policy, including for the duration of the Employee's engagement, unless a longer retention period is required or permitted by applicable law.

8.2. When Personal Data is no longer required for the purposes for which it was collected, or for any legal, regulatory or accounting requirement, the Company shall securely delete, destroy or anonymise such Personal Data in accordance with applicable law and its internal data retention policies, and shall require its Data Processors to do likewise.

§ 9. REVISION

9.1. The Company may, from time to time, make changes or updates to this Policy on account of changes in applicable laws or regulations or in its data practices.

9.2. The Company shall give Employees notice of any material changes affecting their Personal Data and, where consent is necessary, shall not make such changes without obtaining the requisite consent.

§ 10. REDRESS MECHANISM

10.1. For any inquiry or complaint regarding this Policy or the collection or use of Personal Data, including the exercise of rights of access, correction, deletion or limitation, the Employee may contact the Data Protection Officer / Grievance Officer:

Name: ________

Designation: ________

Address: ________

Email: ________

Telephone: ________

10.2. If the Employee is not satisfied with the response of the Grievance Officer, the Employee may make a complaint to the Data Protection Board of India established under the DPDP Act, in the manner prescribed.

§ 11. GOVERNING LAW AND JURISDICTION

This Policy shall be governed by and construed in accordance with the laws of India, and the courts at ________ shall have exclusive jurisdiction in respect of any dispute arising out of or in connection with this Policy.

§ 12. ACKNOWLEDGEMENT AND CONSENT

By signing this Policy, I, the Employee:

(a). acknowledge that I have read and understood the above policies and guidelines of the Company and understand my responsibilities;

(b). consent, freely, specifically and unambiguously, to the collection, Processing, storage, disclosure and retention of my Personal Data for the purposes set out in this Policy, in accordance with the DPDP Act, 2023;

(c). agree to report any actual or potential situation or incident contrary to the above policies as soon as I become aware of it; and

(d). agree to abide by the aforesaid policies and understand that failure to do so may result in disciplinary action, up to and including dismissal.

Employee Name: ________

Designation: ________

Employee Code: ________

Place: ________

Date: ________

_________________________

Signature of Employee

For and on behalf of Company:

Name: ________

Designation: ________

_________________________

Authorised Signatory