GDPR Compliance Statement

Introduction
The EU General Data Protection Regulation (“GDPR”) came into effect across the European Union on 25th May 2018. GDPR data protection rules are designed to give EU citizens more control over their personal data. GDPR is also applicable to companies outside the EU that process EU citizens’ data. GDPR requires data controllers and data processors implement appropriate security measures and safeguards for personal data processing. Sundaram Business Services works as a “Data Processor” for its EU based clients.

We have created this GDPR Compliance Statement to explain our approach to implementing our GDPR compliance program. It describes the implementation of our data protection roles, policies, procedures, controls and measures to ensure ongoing compliance with GDPR.

Our Commitment

At Sundaram Business Services, we are committed to ensuring the security and protection of the personal information that we process. Sundaram Business Services is an ISO 27001:2013 Information Security Management System certified company which is practicing controls for privacy and personally identifiable information to end user’s personal data. We have data protection teams committed to ongoing review and audits of all matters within the scope of GDPR so that a process of continual assessment, risk management and improvement is embedded in our organisation.

Our GDPR Principles

Sundaram Business Services takes the privacy and security of individuals and their personal information very seriously. Our principles for processing personal information are:

  • We will process all personal information fairly and lawfully
  • We will only process personal information for specified and lawful purposes
  • Where practical, we will keep personal information up to date
  • We will not keep personal information for longer than is necessary
  • We will process personal information with appropriate security using appropriate technical and organisational measures

How we comply with the GDPR

Data Processor Agreements: Where applicable, we enter into data processing agreements.

Legal Basis for Processing Personal Data: We assess and have a system for recording the legal basis for processing activities involving personal data.

Identification of Personal Data – We have performed a company-wide information audit to identify and assess what personal information we hold, where it comes from, how and why it is processed, and to whom it is disclosed as personal data flow diagrams.

If you choose not to provide your Personal Information to us for the purposes set out in this Privacy Policy, we may not be able to undertake certain activities as requested by you.

Risk Management – The identified personal data flow diagrams are risk analysed and go through ISO 31000 compliant SBS Risk Management System for mitigation of high personal data privacy risks.

Data Protection Impact Assessments: We have a system for facilitating data protection impact assessments. Impact assessments are routed to SBS Risk Management System for control/mitigation measures.

Policies & Procedures- We have implemented data protection policies and procedures to meet the requirements and standards of the GDPR. We also practice relevant data protection laws of India and other data protection laws of customers, including:

Data Protection - Our main policy and procedure document for data protection has been strengthened to meet the standards and requirements of the GDPR. We have adequately trained our employees about GDPR directives to protect individual privacy rights.

Data Retention & Data Purging – We have updated our retention policy and schedule to ensure that we meet the ‘data minimization’ and ‘storage limitation’ principles and that personal information is stored, archived, and destroyed compliantly and ethically. We have planned data purging procedures in place to meet the new ‘Right to Erasure’ obligation.

Data Breaches – Our breach procedures ensure that we have safeguards and measures in place to identify, assess, investigate, and report any personal data breach at the earliest possibility. We have trained all our employees on the breach reporting lines and steps to follow.

International Data Transfers & Third-Party Disclosures – Where Sundaram Business Services stores or transfers personal information outside the EU, we have stringent procedures and safeguarding measures in place to secure and maintain the integrity of the data. We have well defined data security policies in place to protect the personal information, ensure enforceable data subject rights and have effective legal remedies for data subjects where applicable.

Privacy Policy – We have our Privacy Policy to comply with the GDPR, ensuring that all individuals whose personal information we process have been informed of why we need it, how it is used, what their rights are, who the information is disclosed to, and what safeguards are in place to protect their information.

Data Subject Rights – In addition to the policies and procedures mentioned above that ensure individuals can enforce their data protection rights, we provide information via email to individuals to comply with their right to access any personal information that Sundaram Business Services processes about them and to request information about:

  • What personal data we hold about them
  • The purposes of the processing
  • The categories of personal data concerned
  • The recipients to whom the personal data has/ will be disclosed
  • How long we intend to store your personal data
  • If we did not collect the data directly from them, information about the source
  • The right to have incomplete or inaccurate data about them corrected or completed and the process for requesting this
  • The right to request erasure of personal data (where applicable) or to restrict processing in accordance with data protection laws, as well as to object to any direct marketing from us and to be informed about any automated decision-making that we use
  • The right to lodge a complaint or seek judicial remedy; and who is to be contacted in such instances

Information Security, Technical and Organizational Measures for GDPR Compliance
Sundaram Business Services takes the privacy and security of individuals and their personal information very seriously. We take every reasonable measure and precaution to protect and secure the personal data that we process. We have dedicated information security policies and procedures in place to protect personal information from unauthorized access, alteration, disclosure or destruction, and have several layers of security measures, including secure areas, access controls,password policies, data encryption, secure IT practices, and restrictions on access of confidential data by unauthorized personnel.
Sundaram Business Services understands that continuous employee awareness and understanding is vital to our continued compliance of the GDPR regulations. We have already implemented an employee awareness program specific to GDPR regulations, and have updated our learning management system to ensure annual refresher programs on secure management of personal data.

Contact us if you have GDPR related questions
If you have any questions about this GDPR Compliance Statement, or our privacy or security practices, please contact us: