- To collect, store and process personal data in a lawful manner;
- Provide consistent treatment of Personal Data throughout Aptara, its entities and operations
- Transfer Personal Data outside the European Union only to countries that the European Commission has determined provide adequate protection of such data and/or to Aptara entities and other enterprises that use and protect that Personal Data in a manner consistent with the Commissions adequacy determinations.
Aptara shall ensure that Personal Data relating to natural persons including employees (current as well as former) suppliers, and customers, are obtained and processed fairly, in accordance with the data subjects’ rights under Data Protection Laws and Regulations. Aptara respects the privacy and is committed to promoting the responsible use of personal information and protecting individual’s privacy rights.
This policy applies to all Aptara operations and business units and supersedes any other policy relating to personal data protection. This means that all Employees, Contractors, Working Partners and businesses carried on by Aptara and its subsidiaries and any other company or organization that is managed by the Aptara, must comply with it.
3. Policy Guidelines
a. Aptara as a data controller or processor, shall establish the specific purposes for which Personal Data is being collected and that its processing is done in a manner consistent with those purposes;
b. Aptara shall collect and process only such Personal Data as is adequate, relevant and limited in scope and for a length of time to what is necessary for the stated purposes of its use;
c. Utilize IT systems and applications that have the ability to comply with Data Protection Laws and Regulations including providing appropriate security for storage and transmission of Personal Data;
d. Where required by the GDPR perform Data Protection Impact Assessments;
e. Report breaches promptly and in line with the personal data breach notification process;
f. Record, investigate, analyze and report data protection-related complaints; and g. Provide that data protection training is undertaken by all appropriate employees.
g.Provide that data protection training is undertaken by all appropriate employees.
4. Data Collection Transfer & Processing
Aptara may collect, store, use and disclose information about individuals which may constitute personal data (including sensitive personal data) under various Government Laws (for e.g. Indian IT Act Privacy rules, GDPR, etc.), lawful, explicit and legitimate purposes and for further processing of personal data consistent with those purposes.
The personal data may be processed for purposes including, without limitation,
- Administering relationships services.
- Operational purposes.
- Conducting market or customer satisfaction research.
- Providing individuals with information concerning products and services which Aptara believes to be of interest.
- Compliance with any requirement of law, regulation, associations, codes that Aptara decides to adopt.
- For the detection, investigation, monitoring and prevention of fraud and other crimes or malpractice.
- For the purpose of, or in connection with, any legal proceedings (including prospective legal proceedings), for obtaining legal advice or for establishing, exercising or defending legal rights or Any other purpose connected to or incidental to the purposes as stated above.
- Privacy data collected at website - cookies may be used in website to track user behavior, etc., and/or user name, address, email, phone number is collected for marketing or research purposes.
Aptara shall obtain consent from the data subject in free manner prior to collecting, storing and processing of personal data.
Aptara shall not utilize an individual's personal data beyond this scope without prior consent from the individual and shall take measures to ensure that this principle is observed. An individual's personal data shall not be provided or otherwise disclosed to third parties other than Aptara affiliates, investigators, or law enforcement personnel when consent has been obtained from the individual in question or when disclosure is legally mandated.
To the extent permitted by applicable law, Aptara may record and monitor electronic and voice communications to ensure compliance with the legal and regulatory obligations and internal policies and for the purposes outlined above.
Any transfer of personal data to a third party shall take place only if, all provisions of Data protection are applied by the third party in order to ensure that the level of protection of personal data is guaranteed.
Data shall be encrypted and anonymized wherever necessary.
5. Confidentiality and Security Correction & Deletion
Aptara takes prudent steps to safeguard the confidentiality and security of all personal data including taking procedural and organizational steps to protect personal data from accidental or unlawful destruction. These steps include entering into written agreements with all its vendors, subcontractors who process personal data.
In addition, Aptara strives to protect personally identifiable information that it maintains or disseminate so it is not obtained by unauthorized individuals or used in unauthorized ways, including through the use of appropriate administrative, physical, and technical safeguards.
6. Data Subject Access, Correction & Deletion
Aptara recognizes the right of data subjects at reasonable intervals to seek / request a copy of the personal data held in relation to them by Aptara. If any personal data is found to be wrong, the individual concerned has the right to ask us to amend, update or delete it, as appropriate. In some circumstances individuals also have a right to object to the processing of their personal data as per the prevailing laws.
If Aptara undertake transactions or other services that involve the disclosure of personal data on behalf of any of our client or counterparty, it shall be the responsibility of such client or counterparty to ensure that it has all necessary authority to permit us to process and disclose the personal data accordingly.
Privacy consent can be withdrawn easily and at any time by the data subject by informing to appropriate authority within Aptara as mentioned in Access revocation process.
The privacy data shall be deleted from the system based on evaluation of compliance with a legal obligation or business process and technologies available to erasure individual data.
7. Privacy by Design
Privacy controls shall be considered while designing and implementing new or existing systems or processes, based on the technologies available, cost of implementation, scope, context and purposes of collecting, storing and processing.
Aptara shall implement appropriate data-protection principles, technical and organizational measures, such as pseudonymization, data minimization, data encryption, etc.
8. Data Protection Impact Assesment
Aptara shall conduct Data Protection Impact Assessment that shall include:
a. A systematic description of the system or purpose.
b. Assessment of the risks to the rights and freedoms of data.
c. The measures to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate
9. Breach Notification
All personnel of Aptara handling personal data have a responsibility to report any data privacy breach related incidents in case of violation of the data protection policy to SIRT@aptaracorp.com
Data Privacy Officer (DPO), HR & Legal department are responsible for administration of this policy and monitoring its compliance. All personnel of Aptara handling personal data shall take reasonable measures for protection of personal data.
Personal Data means any information relating to a living individual who can be identified directly or indirectly by an identifier such as:
- a name, identification number, image, location data, an online identifier, or • one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
- employee personal details like birth date, address, personal phone number
- personal email address, race, nationality, ethnicity, origin, color, religious or political beliefs or associations, age, sex, sexual orientation, marital status, family status, identifying number, code, finger prints, blood type, inherited, characteristics, health care history including information on physical/mental
- disability, educational, financial, criminal, history. Photographs of employee and internal gatherings
Lawful processing means that the activity is conducted in accordance with applicable national or international laws.
Specified purpose means being clear from the outset about why we are collecting personal data and are transparent about our purposes with the individuals concerned. Accurate means that the data collected and stored are correct and their integrity is protected.
Adequate, relevant and not excessive means that data should be sufficient for the intended purpose and that we should not hold more data than necessary for that purpose.
Data Protection Laws and Regulations means, in the European Union, the Data Protection Directive 95/46/EC and the national statutory legislation passed in each Member State implementing this Directive, the General Data Protection Regulation(GDPR) 2016 / 679, as well as national law that exists outside the EU in each country.
European Union – means the current EU Member State countries of:
Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, and the United Kingdom.
Enforcement of this policy is mandatory & violations of this policy will be reported through the Breach Notification Policy and Security Incident Response Team (SIRT) procedure.
The action taken after a violation is encountered is as follows:
a. All violations will be reported to DPO/Steering Committee.
b. Person will be issued a warning or will face stricter action depending upon nature of incidence for first time of violation.
c. Any further violation on part of the same person would result in strict disciplinary action up to termination of employment.