India Digital Personal Data Protection Act Standard

Please click here for XBP Global Holdings, Inc.’s Privacy Policy

1 Office of Responsibility

Senior Vice President, Global Risk & Compliance

2 Purpose

XBP Global Holdings Inc. (the “Company”) complies with the Digital Personal Data Protection Act (“DPDPA”), which applies to private-sector organizations across India that collect, use, or disclose personal information in the course of a commercial activity.

This standard outlines XBP Global India’s commitment to complying with the Digital Personal Data Protection Act, 2023 (“DPDPA”) in all its operations. This standard aims to ensure the lawful, fair, and transparent processing of all personal data, while safeguarding the rights and freedoms of individuals.

3 Scope

The Privacy Policy defines the Company objectives for securing and protecting personally identifiable information and other information.

The DPDPA builds on the objectives established in the Privacy Policy and provides specific requirements for the management of personal information of individuals located in India. The DPDPA protects digital personal data that is processed in India, regardless of whether the data was originally collected in India or elsewhere. The Act also applies to the processing of personal data of Indian citizens, even if the data is processed outside of India.

Note: The Company, as a service provider (data processor), processes personnel data on behalf of our customers (data fiduciaries). As such, the Company is not the data owner nor the book of record of the information it is handling. The Company shall carry out the processing operations with the appropriate technical and organizational measures instructed by the data fiduciaries.

• Data Fiduciary – any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data (customer)
• Data Processor – any person who processes personal data on behalf of a Data Fiduciary (the Company)

4 Standard: India Digital Personal Data Protection Act

The India Digital Personal Data Protection Act (DPDPA) outlines specific compliance standards for service providers (data processors) when handling personal data. Here are some key areas:

4.1 DATA PROCESSING AGREEMENT (DPA)

• A DPA between the data fiduciary (the customer) and the data processor (the Company) should be in place. Key Provisions:
  • Scope of Processing: Clearly define the types of personal data, the purpose of processing, and the duration of processing.
  • Instructions: The customer shall provide clear and specific instructions to the Company on how to handle the data.
  • Sub-processing: If the Company engages a sub-processor, they shall inform the customer and ensure the sub-processor complies with the DPDPA.
  • Data Security: The Company shall implement appropriate technical and organizational measures to ensure the security and confidentiality of the data.
  • Data Subject Rights: The Company shall assist the customer in fulfilling data subject rights (e.g., access, correction, erasure). 
  • Data Breaches: The Company shall notify the customer within 24 hours of any data breaches and assist in responding to them.
  • Liability: The DPA should outline the liabilities of the Company in case of non-compliance.

4.2 DATA SECURITY

• The following measures shall be implemented:
  • Encrypt data both in transit and at rest.
  • Access controls (e.g., multi-factor authentication, role-based access) to limit data access
  • DLP measures to prevent unauthorized data exfiltration.
  • Regular security audits and vulnerability assessments to identify and address potential risks.
  • Develop and maintain an incident response plan to effectively handle data breaches.

4.3 DATA SUBJECT RIGHTS

• The Company shall assist the customer in fulfilling data subject rights, such as:
  • Right to Access: Provide access to the data processed.
  • Right to Correction: Assist in correcting inaccurate or incomplete data.
  • Right to Erasure: Assist in deleting or anonymizing data.
  • Right to Restriction: Assist in restricting the processing of data.
  • Right to Data Portability: Assist in transferring data to another data processor

4.4 INTERNATIONAL TRANSFERS

• If the Company transfers personal data outside India, we shall ensure the transfer complies with the DPDPA’s provisions on cross-border transfers. This may involve:
  • Adequacy Decisions: Transferring data to countries with adequate data protection laws.
  • Standard Contractual Clauses: Using approved contractual clauses to ensure appropriate safeguards.
  • Binding Corporate Rules: Implementing binding corporate rules for intra-group transfers

4.5 RECORD-KEEPING

The Company shall maintain records of processing activities, including the categories of data processed, the purposes of processing, and the recipients of the data.

4.6 COMPLIANCE OFFICER

The Company shall appoint a Data Protection Officer (DPO) to oversee compliance with the DPDPA.

5 Standard: India Digital Personal Data Protection Act

Note: The Company, as a service provider (data processor), processes personnel data on behalf of our customers (data fiduciaries). As such, the Company is not the data owner nor the book of record of the information it is handling. The Company shall carry out the processing operations with the appropriate technical and organizational measures instructed by the data fiduciaries.

• “Data Fiduciary” – any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data
• “Data Processor” – any person who processes personal data on behalf of a Data Fiduciary

5.1 DPDPA SUPPLEMENTAL PRIVACY STATEMENT

The following only applies if you are an individual located in India. In addition to the rights granted under our Privacy Policy, you have the right to know what personal information the Company has collected about you, challenge the accuracy and completeness of the information, and have it amended as appropriate.

5.2 KNOW AND AMEND YOUR PERSONAL INFORMATION

The Company may have collected the following categories of personal information about you: first name, last name, email, phone number, and company name. You may request that the “data fiduciary” disclose to you the categories and specific pieces of personal information that the Company has collected about you, the business or commercial purpose for collecting your personal information, the categories of personal information that the Company disclosed for a business purpose, and the categories of third parties with whom the Company has shared your personal information. You may also challenge the accuracy and completeness of the information and have it amended as appropriate.

5.3 NO SALE OF PERSONALINFORMATION

The Company does not and will not sell your personal information to third parties.

6 Related Standards and Policies

• Privacy Policy

7 Policy Compliance

7.1 RESPONSIBILITIES

The Senior Vice President of Global Risk & Compliance is responsible for the development, implementation, and maintenance of the Canada Personal Information Protection and Electronic Documents Act Standard.

Company management is accountable for ensuring that the India Digital Personal Data Protection Act Standard and associated standards and guidelines are properly communicated and understood within their respective organizational units. Company management is also responsible for defining, approving, and implementing procedures in its organizational units and ensuring their consistency with the India Digital Personal Data Protection Act Standard Canada Personal Information Protection and associated standards and guidelines. Company management is responsible for the ownership of the systems, applications, and data within its organizational units to ensure the information technology is actively managed.

All individuals, groups, or organizations identified in the scope of this policy are responsible for familiarizing themselves and complying with the India Digital Personal Data Protection Act Standard and associated standards and guidelines.

7.2 COMPLIANCE MEASUREMENT

The Global Risk & Compliance team shall verify compliance with this policy through various methods, including but not limited to, business tool reports, internal and external audits, and feedback to the policy owner.

7.3 ENFORCEMENT

An employee found to have violated this policy shall be subject to disciplinary action, up to and including termination of employment.