| S.no. | Term | Definition |
| 1 | Personally Identifiable Information |
Any information that relates to a natural person, which, either directly or indirectly, in combination with other information available is capable of identifying such person. |
| 2 | Sensitive personal information (SPI) | Personal information which consists of information relating to :
(i) password; (ii) financial information such as Bank account or credit card or debit card or other payment instrument details ; (iii) physical, physiological and mental health condition; (iv) sexual orientation; (v) medical records and history; (vi) Biometric information; (vii) any detail relating to the above clauses as provided to body corporate for providing service; and (viii) any of the information received under above clauses by body corporate for processing, stored or processed under lawful contract or otherwise |
The policy shall be reviewed at the time of any major changes in the
existing business environment or at least once every two years to
ensure its continuing, suitability, adequacy, and effectiveness.
Major changes to the policy shall be approved by IT Strategy
Committee. Minor changes to the policy shall be approved by Group
Chief Information Security Officer.
GMR will follow the following Privacy principles:
While collecting information directly from the person concerned, GMR shall take such steps as are, in the circumstances, reasonable to ensure that the person concerned is having the knowledge of —
(a) the fact that the information is being or has been collected;
(b) the purpose for which the information is being or has been collected;
(c) the intended recipients of the information; and
(d) the name and address of —
The information collected shall be used for the purpose for which it has been collected.
GMR shall not collect sensitive personal information unless:
(a) the information is collected for a lawful purpose connected with a function or activity of the body corporate or any person on its behalf; and
(b) the collection of the sensitive personal data or information is considered necessary for that purpose.
GMR shall obtain consent in writing through letter or Fax or email from the provider of the sensitive personal information regarding purpose of usage before collection of such information.
GMR does not share users’ personal data with any third party that intends to use it for direct marketing purposes, unless users have provided specific consent in relation to this.
GMR may share users’ personal data with third parties for other purposes, but only in the following circumstances:
a) Affiliates
GMR may provide users’ personal data to its affiliates or related companies for legitimate business purposes. GMR may share users Information with third parties under a confidentiality agreement which inter alia provides for that such third parties not disclosing the Information further unless such disclosure is for the Purpose.
GMR shall not publish the sensitive personal data or information.
GMR may transfer sensitive personal information including any information, to any other body corporate or a person in India, or located in any other country during the course of its business, that ensures the same level of data protection that is adhered to by GMR. The transfer may be allowed only if it is necessary for the performance of the lawful contract between GMR and provider of information or where such person has consented to data transfer.
b) Service providers
GMR may engage service providers, agents or contractors to provide services on its behalf, including to administer
GMR Sites and services available to users. These third parties may come to access or otherwise process users’ personal data in the course of providing these services.
GMR may require such third parties, who may be based outside the country, to comply with all relevant data protection laws and security requirements in relation to users’ personal data, usually by way of a written agreement. In some instances there is a possibility that such data is transferred from one location to another. Such storage and transfers are undertaken with utmost care and attention. We contractually bind the service providers to store or transfer users’ information in a confidential manner and they are made to treat the data only according to relevant privacy laws of the land.
c) Legal requirements and business transfer
GMR may disclose users’ personal data if it is required to do so by law or if, in GMR’s good faith judgment, such legal disclosure is reasonably necessary to comply with legal processes or respond to any claims.
In the event of a full or partial merger with, or acquisition of all or part of GMR by another company, the acquirer would have access to the information maintained by that GMR business, which could include personal data.
d) Regulatory Requirements
GMR or any person on its behalf shall provide personal information of the users where the disclosure is necessary for compliance of a legal obligation.
Information shall be shared, without obtaining prior consent from the provider of information, with Government agencies mandated under the law to obtain information including sensitive personal data or information for the purpose of verification of identity, or for prevention, detection, investigation including cyber incidents, prosecution, and punishment of offences.
GMR will act upon a request in writing received from the Government agency which states clearly the purpose of seeking such information, and also states that the information so obtained shall not be published or shared with any other person.
Notwithstanding anything contained above, any sensitive personal data on Information shall be disclosed to any third party by an order under the law for the time being in force.
GMR shall implement security practices and standards and have a comprehensive documented information security program and information security policies that contain managerial, technical, operational and physical security control measures. The international standard ISO 27001 on "Information Technology - Security Techniques - Information Security Management System - Requirements" is one such standard that will be referred.
GMR strives to ensure the security of users Personal Information and to protect the same against unauthorized access or unauthorized alteration, disclosure or destruction. For this purpose, GMR adopts internal reviews of the data collection, storage and processing practices and security measures, including appropriate encryption and physical security measures to guard against unauthorized access to systems.
Each of the GMR entity shall adopt reasonable security practices and procedures as mandated under applicable laws for the protection of users Information. Users hereby confirm to waive their right to claim damages and release all GMR entities from any claim of damages under contract or under tort.
It may be noted that these protections do not apply to personal data users choose to share in public areas such as on community websites.
Notwithstanding anything contained in this Policy or elsewhere, GMR and its entities shall not be held responsible for any loss, damage or misuse of users Personal Information, if such loss, damage or misuse is attributable to a Force Majeure Event (as defined below).
A "Force Majeure Event" shall mean any event that is beyond the reasonable control of GMR and shall include, without limitation, sabotage, fire, flood, explosion, acts of God, civil commotion, strikes or industrial action of any kind, riots, insurrection, war, terrorism, acts of government, government authority, computer hacking, unauthorised access to computer, computer system or computer network, computer crashes, breach of security and encryption (provided beyond reasonable control of GMR), power or electricity failure or unavailability of adequate power or electricity.
While GMR will endeavor to take all reasonable and appropriate steps to keep secure any Personal Information which GMR hold about users and prevent unauthorized access, users acknowledge that the internet or computer networks are not fully secure and that GMR cannot provide any absolute assurance regarding the security of users Personal Information.
GMR will only retain users’ personal data for as long as it is necessary for the stated purpose and comply with legal requirements under applicable laws.
GMR shall permit the providers of information, as and when requested by them, to review the information they had provided and ensure that any personal information or sensitive personal information found to be inaccurate or deficient shall be corrected or amended as feasible.
GMR shall provide a privacy policy for handling of or dealing in personal information including sensitive personal information and ensure that the same are available for view by such providers of information who has provided such information under lawful contract. Such policy shall be published on website of GMR and shall provide for:
(i) Clear and easily accessible statements of its practices and policies;
(ii) type of personal or sensitive personal data or information collected
(iii) purpose of collection and usage of such information;
(iv) disclosure of information including sensitive personal information as provided (v) reasonable security practices and procedures