RAL strives to collect the least amount of personal data possible. Personal data obtained from a third party is still personal data: it must be collected lawfully, with prior consent, and with a defined retention period.
The purposes, methods, storage limitation and retention period of personal data must comply with the consent form. The RAL must maintain the accuracy, integrity, confidentiality and relevance of personal data in line with the purpose of processing. Security mechanisms designed to protect personal data must be used to prevent personal data from being stolen, misused or abused and to prevent personal data breaches. The RAL CISO, together with the ISO and the ISSC, is responsible for compliance with these requirements.
When the RAL uses a third-party supplier or business partner to process personal data on its behalf, it must ensure that the processor provides security measures that safeguard the personal data.
The RAL must contractually require the supplier or business partner to provide the same level of data protection. The supplier or business partner must process personal data only to carry out its contractual obligations towards the RAL or on the instructions of the RAL, and not for any other purpose. When the RAL processes personal data jointly with an independent third party, the RAL will explicitly specify the respective responsibilities of the RAL and the third party in the relevant contract or other legally binding document, such as the Supplier Data Processing Agreement.
It is the responsibility of the CISO to ensure that the ISSC maintains personal data appropriately and reviews it from time to time.
Any interested party whose data is maintained by the RAL has the right to receive, upon request, a copy of the data the RAL maintains about them. The RAL CISO is responsible for ensuring that such requests are processed.
Personal data must only be processed when explicitly authorized by the RAL CISO.
Any personal data collected that must be transferred to a third party, whether in India or abroad, will be transferred only with the prior consent of the interested party.
Whenever personal data processing is based on the interested party's consent or on another lawful ground, it is the responsibility of the ISSC to retain a record of that consent. The RAL CISO is accountable for ensuring that the responsible departments within the ISSC (HR, Admin, Marketing and Procurement) give interested parties the option to provide consent, inform them that consent can be withdrawn at any time, and make such withdrawal possible.
The board of directors is the decision-making body that decides on and approves the RAL's general strategies on personal data protection.
The Legal Affairs Department monitors and analyses personal data laws and changes to regulations, develops compliance requirements, and assists business departments in achieving their personal data protection goals.
The IT Manager is responsible for ensuring that all systems, services and equipment used for storing data meet acceptable security standards.
The Marketing Manager is responsible for approving any data protection statements attached to communications such as emails and letters.
The Human Resources Manager is responsible for improving all employees' awareness of personal data protection and for ensuring that the personal data protection programme is developed and implemented.
The Procurement Manager is responsible for passing personal data protection responsibilities on to suppliers, improving suppliers' awareness of personal data protection, and flowing personal data requirements down to any third-party supplier they use. The Procurement Department must ensure that the RAL reserves the right to audit suppliers.
When the RAL learns of a suspected or actual personal data breach, it must perform an internal investigation and take appropriate remedial measures in a timely manner, in accordance with the data breach actions required by the law of the land or decided by management.
Any employee who violates this Policy will be subject to disciplinary action and may also be subject to civil or criminal liability if his or her conduct violates laws or regulations.
Data is retained at the RAL in accordance with applicable legal requirements. Business information is retained for the period specified by its classification in the Asset Register. Data maintained by the organization for IATF is retained as required by the customer. Information security system records are retained as per the master list. Department documents relating to employees, contractors and customers are retained by the respective departments according to the master list each department maintains in the IMS. The retention period for medical reports, legal documents, business information and the personal information of employees is as prescribed by the law of the land or by management decision.