Data Protection Policy

Last Updated: December 26, 2024

This Data Protection Policy outlines our comprehensive approach to protecting your personal data in compliance with Indian data protection laws and international best practices.

1. Legal Framework and Compliance

Our data protection practices are designed to comply with:

  • Digital Personal Data Protection Act, 2023 - India's primary data protection law
  • Information Technology Act, 2000 and related rules
  • Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011
  • Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021
  • Consumer Protection Act, 2019 - Consumer data protection
  • Companies Act, 2013 - Corporate data governance
  • Foreign Exchange Management Act (FEMA), 1999 - Cross-border data transfers
  • Reserve Bank of India (RBI) Guidelines - Financial data protection

2. Data Protection Principles

We adhere to the following fundamental data protection principles:

Lawfulness and Fairness

Data processing is lawful, fair, and transparent to the data principal.

Purpose Limitation

Personal data is collected for specified, explicit, and legitimate purposes.

Data Minimization

We collect only data that is necessary for the specified purpose.

Accuracy

Personal data is accurate, complete, and kept up to date.

Storage Limitation

Data is retained only for as long as necessary for the purpose.

Security of Processing

Appropriate technical and organizational measures protect personal data.

3. Types of Personal Data We Process

We process different categories of personal data based on our business needs:

Basic Personal Data

  • Name and contact information
  • Email addresses and phone numbers
  • Postal addresses
  • Company/organization details
  • Job titles and professional information

Service-Related Data

  • Service preferences and requirements
  • Property details and specifications
  • Service history and records
  • Communication preferences
  • Feedback and survey responses

Technical Data

  • IP addresses and device identifiers
  • Browser type and version
  • Operating system information
  • Website usage patterns
  • Cookies and tracking data

Financial Data

  • Billing and payment information
  • Bank account details (for payments)
  • GST and tax information
  • Transaction records
  • Credit verification data

Sensitive Personal Data

  • Health information (if relevant to services)
  • Security clearance information
  • Biometric data (if used for access)
  • Background verification data
  • Emergency contact information

Employee Data

  • Employee personal and professional details
  • Performance and training records
  • Attendance and scheduling data
  • Health and safety information
  • Payroll and benefits data

4. Legal Basis for Processing

We process personal data based on the following legal grounds:

4.1 Consent

  • Free Consent: Given freely without coercion
  • Specific Consent: For clearly defined purposes
  • Informed Consent: With clear information about processing
  • Unconditional Consent: Not tied to conditions unrelated to the specified purpose (Section 6(1), DPDP Act)
  • Unambiguous Consent: Through clear affirmative action
  • Withdrawable Consent: Can be withdrawn at any time, with ease comparable to that with which it was given (Section 6(4), DPDP Act)

4.2 Legitimate Interests

  • Contract performance and service delivery
  • Business operations and administration
  • Legal compliance and regulatory requirements
  • Fraud prevention and security measures
  • Direct marketing (with appropriate safeguards)

4.3 Legal Obligations

  • Compliance with labour laws and regulations
  • Tax and financial reporting requirements
  • Health and safety obligations
  • Anti-money laundering and KYC requirements
  • Court orders and legal proceedings

5. Data Principal Rights Under the DPDP Act, 2023

As a data principal under the Digital Personal Data Protection Act, 2023, you have the following rights:

Right to Information

Know what personal data we hold about you and how it's processed

  • Purposes of processing
  • Categories of personal data
  • Recipients of your data
  • Retention periods
  • Your rights and how to exercise them

Right to Correction

Update, correct, or complete your personal data

  • Correct inaccurate information
  • Complete incomplete data
  • Update outdated information
  • Verify data accuracy
  • Request confirmation of corrections

Right to Erasure

Request deletion of your personal data in certain circumstances

  • Data no longer necessary
  • Consent withdrawn
  • Unlawful processing
  • Legal obligation to erase
  • Public interest grounds

Right to Grievance Redressal

Lodge complaints about data processing

  • Internal grievance mechanism (through the Data Protection Officer; Section 13(3) of the DPDP Act requires this route to be exhausted before approaching the Board)
  • Data Protection Board of India complaints
  • Consumer forum complaints
  • Civil court remedies
  • Compensation for damages

Right to Nomination

Nominate another person to exercise rights in case of death or incapacity

  • Designate a nominee
  • Specify rights to be exercised
  • Update nomination details
  • Revoke nomination
  • Multiple nominees for different rights

Right of Parents/Guardians

Exercise rights on behalf of children

  • Consent to processing
  • Access child's data
  • Correct child's information
  • Request erasure
  • File complaints

6. Data Security Measures

Technical Security Measures

Encryption

  • AES-256 encryption for data at rest
  • TLS 1.3 for data in transit
  • End-to-end encryption for sensitive communications
  • Database field-level encryption

Access Controls

  • Role-based access control (RBAC)
  • Multi-factor authentication
  • Principle of least privilege
  • Regular access reviews

Network Security

  • Firewalls and intrusion detection
  • Virtual private networks (VPNs)
  • Network segmentation
  • DDoS protection

Monitoring

  • 24/7 security monitoring
  • Audit logs and trails
  • Anomaly detection
  • Incident response procedures

Organizational Security Measures

  • Data Protection Officer (DPO): Designated DPO for privacy oversight
  • Privacy by Design: Privacy considerations in all system designs
  • Staff Training: Regular data protection training for all employees
  • Vendor Management: Due diligence on third-party data processors
  • Incident Response: Comprehensive breach response procedures
  • Regular Audits: Internal and external security assessments
  • Compliance Reviews: Periodic compliance and risk assessments
  • Physical Security: Secure facilities and document handling

7. Data Breach Management

Data Breach Response Procedure

In the event of a personal data breach, we follow a comprehensive response procedure:

7.1 Detection and Assessment (0-24 hours)

  • Immediate containment and mitigation measures
  • Assessment of breach scope and impact
  • Identification of affected data and individuals
  • Risk assessment for data subjects
  • Documentation of incident details

7.2 Notification Requirements

  • CERT-In: Cyber security incidents reported within 6 hours of being noticed, as required by the CERT-In Directions of 28 April 2022 issued under Section 70B of the IT Act, 2000
  • Data Protection Board: Intimation of every personal data breach, without undue delay and within 72 hours, in the form and manner prescribed (Section 8(6) of the DPDP Act requires intimation of each breach and sets no risk threshold)
  • Affected Individuals: Intimation to each affected data principal, as also required by Section 8(6), describing the breach, its likely consequences and the steps they can take to protect themselves
  • Sectoral Regulators: Compliance with sector-specific reporting requirements (for example RBI directions for payment system data)
  • Law Enforcement: If criminal activity is suspected
  • Insurance Providers: As per insurance policy requirements

7.3 Remediation and Recovery

  • Security measures to prevent further breaches
  • Recovery of compromised systems and data
  • Support and assistance to affected individuals
  • Credit monitoring services if applicable
  • Regular updates to affected parties

7.4 Post-Incident Review

  • Root cause analysis and investigation
  • Lessons learned and process improvements
  • Security measure enhancements
  • Staff training updates
  • Policy and procedure revisions

8. Cross-Border Data Transfers

8.1 Data Localization Requirements

The DPDP Act, 2023 permits transfer of personal data outside India except to countries or territories restricted by notification of the Central Government (Section 16); stricter sector-specific localization rules continue to apply. We comply with these requirements and additionally commit to the following:

  • Critical Personal Data: Processed only within India
  • Sensitive Personal Data: One copy of data stored in India
  • Financial Data: Payment system data stored in India (RBI circular on storage of payment system data, April 2018)
  • Government Data: All government-related data processed within India
  • Health Data: Medical and health data stored locally

8.2 International Transfer Safeguards

When transferring data outside India, we ensure at least one of the following safeguards is in place. Adequacy decisions, standard contractual clauses and binding corporate rules are transfer mechanisms defined under the EU GDPR rather than under Indian law; we apply them as contractual safeguards in addition to the Section 16 restrictions of the DPDP Act:

  • Adequacy Decisions: Transfers to countries with adequate protection
  • Standard Contractual Clauses: Legal agreements with recipients
  • Binding Corporate Rules: Internal data transfer policies
  • Explicit Consent: Your consent for transfers to non-adequate countries
  • Derogations: Limited transfers for specific circumstances

8.3 Third Country Assessment

We assess the data protection standards of recipient countries:

  • Legal framework evaluation
  • Enforcement mechanisms assessment
  • Government surveillance laws review
  • Individual rights protection analysis
  • Redress mechanisms availability

9. Data Protection Impact Assessments (DPIA)

9.1 When We Conduct DPIAs

  • High-risk processing activities
  • New technology implementations
  • Large-scale processing of special categories
  • Systematic monitoring of public areas
  • Automated decision-making processes
  • Processing of vulnerable groups' data
  • Cross-border data transfers

9.2 DPIA Process

  • Necessity Assessment: Evaluation of processing necessity
  • Proportionality Analysis: Balance between purpose and impact
  • Risk Identification: Identification of potential risks
  • Mitigation Measures: Measures to reduce risks
  • Stakeholder Consultation: Input from relevant parties
  • Documentation: Comprehensive DPIA documentation
  • Review and Update: Regular DPIA reviews

10. Children's Data Protection

10.1 Special Protection Measures

  • Age Verification: Robust age verification mechanisms
  • Parental Consent: Verifiable parental consent for under-18s
  • Data Minimization: Minimal data collection from children
  • Purpose Limitation: Strict purpose limitation for children's data
  • Enhanced Security: Additional security measures
  • Limited Retention: Shorter retention periods
  • No Tracking or Profiling: No tracking, behavioural monitoring or targeted advertising directed at children, as prohibited by Section 9(3) of the DPDP Act

10.2 Parental Rights

  • Access to child's personal data
  • Correction of child's information
  • Deletion of child's data
  • Withdrawal of consent
  • Object to processing
  • Data portability rights
  • Complaint and grievance rights

11. Employee Data Protection

11.1 Lawful Basis for Employee Data

  • Employment Contract: Performance of employment contract
  • Legal Obligation: Compliance with labour laws
  • Legitimate Interest: HR administration and management
  • Consent: Optional benefits and activities
  • Vital Interests: Health and safety emergencies

11.2 Employee Data Types

  • Personal and contact information
  • Employment history and qualifications
  • Performance and appraisal data
  • Training and development records
  • Attendance and leave records
  • Payroll and benefits information
  • Health and safety data
  • Background verification results

11.3 Employee Rights

  • Right to information about data processing
  • Right to access personal data
  • Right to correct inaccurate data
  • Right to erasure (in limited circumstances)
  • Right to restrict processing
  • Right to data portability
  • Right to object to processing
  • Right to file grievances

12. Vendor and Third-Party Data Protection

12.1 Due Diligence Process

  • Privacy Assessment: Evaluation of vendor data practices
  • Security Review: Technical and organizational measures assessment
  • Legal Compliance: Verification of regulatory compliance
  • Contract Negotiation: Data protection clauses in agreements
  • Ongoing Monitoring: Regular vendor performance reviews

12.2 Data Processing Agreements

  • Clear purpose and scope of processing
  • Data protection obligations and responsibilities
  • Security measures and breach notification
  • Data retention and deletion requirements
  • Data subject rights facilitation
  • Audit and inspection rights
  • Liability and indemnification clauses

12.3 Vendor Categories

  • Technology Providers: Cloud services, software vendors
  • Service Providers: Cleaning suppliers, equipment vendors
  • Professional Services: Legal, accounting, consulting
  • Marketing Partners: Advertising and promotional services
  • Financial Services: Banks, payment processors, insurers

13. Data Retention and Deletion

13.1 Retention Principles

  • Purpose Limitation: Retain only for original purpose
  • Legal Requirements: Comply with statutory retention periods
  • Business Necessity: Retain for legitimate business needs
  • Minimal Retention: Shortest period necessary
  • Regular Review: Periodic retention period assessment

13.2 Retention Schedules

  • Customer Data: 7 years after contract termination
  • Employee Data: 7 years after employment end
  • Financial Records: 8 years as per Companies Act
  • Tax Records: 8 years as per Income Tax Act
  • Marketing Data: Until consent withdrawal
  • Website Analytics: 26 months maximum
  • CCTV Footage: 30-90 days unless incident

13.3 Secure Deletion

  • Cryptographic erasure for encrypted data: destruction of every copy of the data-encryption key, which renders the data unrecoverable only if all copies of the data, including backups, were encrypted under that key and the key itself was never backed up elsewhere
  • Multi-pass overwriting for magnetic storage (a single full pass is sufficient for modern hard disks per NIST SP 800-88 Rev. 1; overwriting is not reliable on SSDs and other flash media, which are sanitized by cryptographic erase, the drive's built-in sanitize command, or physical destruction)
  • Physical destruction of storage media that cannot be reliably sanitized or that held sensitive data
  • Certificate of destruction for sensitive data, obtained from the disposal vendor and retained as evidence
  • Verification of complete deletion, including copies held by processors, in backups and in logs
  • Documentation of deletion activities

14. Contact Information and Requests

Data Protection Officer

Designation: Data Protection Officer

Email: dpo@arrowfacilityservices.com

Phone: +91 98409 63029

Address: New 128, Old 114, 2nd Floor, Eldams Rd, Subbarayan Nagar, Teynampet, Chennai, Tamil Nadu 600018

How to Exercise Your Rights

  • Email: Send requests to dpo@arrowfacilityservices.com
  • Online Form: Use our data subject request form on website
  • Written Request: Mail to our registered office
  • Phone: Call +91 98409 63029 during business hours

Response Times

  • Acknowledgment: 3 business days
  • Response: 30 days (may extend to 60 days for complex requests)
  • Urgent Requests: 7 days for urgent matters
  • Appeal Process: 15 days for internal appeals

Required Information for Requests

  • Full name and contact details
  • Proof of identity (government-issued ID)
  • Specific request details
  • Relationship to data subject (if acting on behalf)
  • Preferred response method

This Data Protection Policy demonstrates our commitment to protecting your privacy and personal data. We continuously update our practices to maintain the highest standards of data protection in compliance with Indian and international laws.