Riversand Technologies Inc., including its subsidiaries and affiliates (collectively referred to as “Riversand”, “our” or “we”), is a global software company empowering enterprises to transform their data into an engine of growth.
Riversand offers various solutions such as Master Data Management (MDM), Product Information Management (PIM), Digital Asset Management (DAM), Riversand Print, Riversand Customer MDM, Riversand Vendor Portal and Retail Connectors, and other dynamic, configurable platforms that help forward-thinking companies to discover the value in their data, increase productivity and improve the customer experience.
We respect the personal data entrusted to us by our clients or customers, third party vendors, consultants, prospective candidates, and visitors. We are committed to fair, transparent and secure processing of the personal data.
This policy outlines how Riversand collects, processes, and uses personal data in compliance with global data protection laws. The policy sets the minimum standard and guides all Riversand employees even where the local law is less restrictive. Our policy adheres to the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).
This policy shall not be interpreted or construed as giving any individual rights greater than those which such person would be entitled to under applicable law and other binding agreements.
The scope of this policy covers:
- All individuals who provide personal data, such as, but not limited to, clients, third party vendors, participants in proofs of concept, investigators, investors, facility visitors, and regulators.
- All locations where Riversand operates and where personal data is collected from, even where local regulations do not exist.
The objective of this policy is to provide direction towards ensuring the privacy of individuals from whom personal data is collected by Riversand.
The key objectives of this policy are:
- To provide adequate guidance and a framework for the secure handling of personal information in compliance with all regulations applicable to Riversand.
- Increase awareness of data privacy and instill a privacy-oriented mind-set among the employees of Riversand.
- Safeguard personal data by implementing adequate technical and organizational measures.
4. Roles and Responsibilities
Each employee bears a personal responsibility for complying with this policy in the fulfilment of their responsibilities at Riversand.
The Data Protection Officer (DPO), the Data Privacy Working Committee and the regional Data Privacy Executives shall ensure adherence to this policy and shall be responsible for appropriate remedial action.
All persons who are covered by this policy must comply with it and, where requested, demonstrate such compliance, especially with respect to the GDPR and CCPA. Failure to comply with this policy can result in disciplinary action, which may include termination of the services of employees, termination of the engagement of a consultant, or dismissal of interns or volunteers, as the case may be.
6. Data Privacy Principles
Riversand has adopted the following principles to govern its use, collection, storage and transmission of personal data:
- Personal Data shall only be processed fairly and lawfully.
- Personal Data shall be obtained only for specified, explicit, lawful, and legitimate purposes, and shall not be further processed in any manner incompatible with those purposes.
- Personal Data shall be adequate, relevant and not excessive in relation to the purposes for which they are collected and/or processed.
- Personal Data shall be accurate, complete and current as appropriate to the purposes for which they are collected and/or processed.
- Personal Data shall not be kept in a form which permits identification of the data subject/consumer for longer than necessary for the permitted purposes in accordance with the applicable laws depending upon the source of personal data.
- Appropriate physical, technical, and procedural measures shall be taken to:
- Prevent and/or to identify unauthorized or unlawful collection, processing, transmittal of personal data; and
- Prevent accidental loss or destruction of, or damage to, personal data.
- Transfer of data out of a region (such as the European Union or California) or country (such as the United States or India) shall be performed in compliance with local privacy laws and with adequate protection.
7.1 Strategy & Governance
7.1.1 Office of the Data Privacy Officer (DPO)
- Riversand has appointed a DPO who shall be responsible for managing compliance with applicable privacy regulations within the organization and shall be independent of conflicting duties. Riversand shall equip the DPO with the resources, support and training required to perform his/her role.
- The name and contact details of the DPO shall be communicated to, and accessible by, all employees and data subjects/consumers.
- The DPO shall implement formalized processes to track and address any inquiries and complaints received from data subjects/consumers in a timely manner, and not later than one month after receipt.
- Riversand follows a risk-based approach towards its Data Privacy program. The DPO shall carry out data protection and privacy risk assessments on a periodic basis to identify risks and the appropriate mitigation plans, controls and/or processes to remediate them.
- The DPO shall define and document a privacy compliance plan and update the plan annually to incorporate changes in the environment, such as changes in operations, the privacy landscape, legal and regulatory requirements, contracts (including service-level agreements with third parties), business operations and processes, IT security matters and technology.
- From time to time, the DPO shall develop or update procedures, guidelines and best practices around data protection and privacy, and publish them to the relevant stakeholders.
- The effectiveness of privacy controls shall be monitored by the DPO on an ongoing basis. Appropriate measures shall be taken to address identified deficiencies, and those measures shall be tracked through to remediation.
- Findings and recommendations resulting from risk assessments, reviews, audits and monitoring activities of the privacy program shall be communicated to Riversand management as applicable.
7.2 Training & Awareness
- Training and awareness materials around data protection and privacy shall be developed by the Data Privacy Team for Riversand employees, consultants, subcontractors and third parties. The DPO shall also develop role-based training for individuals or teams, taking into account their role and the nature of the processing they perform.
- Data privacy training and awareness programs shall be conducted on a periodic basis (at minimum, annually) for all applicable employees, consultants, subcontractors and third parties working at or for Riversand.
- Training attendance records shall be maintained for documentation and audit trail.
7.3 Collection of Personal Data
- Riversand shall ensure that any personal data collected is relevant and limited to what is necessary in relation to the purposes for which they are processed.
- If personal data is collected directly from the data subject/consumer, Riversand shall:
- Provide a concise, transparent, intelligible, easily accessible, and an adequate notice to the Data Subject/consumer (customer/ vendor or others) in physical or electronic format in a timely manner (before or at the time of data collection)
- The notice shall be written in a clear and plain language
- Notify the data subject/consumer if there is a change in the purpose of data collection
- Notice shall include the mechanism of denying/ withdrawing consent as applicable
- Notice shall include the consequences of denying/ withdrawing consent if applicable
- If personal data is collected from someone other than the data subject/consumer, Riversand shall ensure that the data is only collected from sources that collect data in a privacy-compliant manner with respect to local laws and regulations.
- Personal data may be disclosed by/to Riversand physically or electronically. The receipt or form shall be retained along with a record establishing the fact, date, content, and method of disclosure.
7.4 Data Visibility
- Riversand shall maintain records of the processing activities it carries out on personal data.
- These records shall be maintained using Personally Identifiable Information (PII) Inventories and Data Flow Diagrams (DFDs).
- As a Data Controller or Data Processor, Riversand shall document the following within the PII Inventories and DFDs:
- Details of the controller/ joint controller(s)/ processors
- Purposes of the processing
- Description of the categories of data subjects/consumer
- Description of the categories of personal data
- Categories of recipients to whom the personal data is disclosed/ transferred including third parties
- Geographies of recipients
- Retention periods
- A general description of the technical and organizational security measures in place, for both the data controller and the data processor.
- Business units and enabling functions handling personal data shall develop, maintain and update their PII Inventories and DFDs. The PII Inventories and DFDs shall be reviewed and updated periodically (at minimum semi-annually) or in the event of any change to the processing activities.
7.5 Processing of Personal Data
- The processing shall be conducted with due regard to the privacy and equality of data subjects/consumers.
- Riversand shall not process personal data unless at least one of the following valid business and legal bases applies:
- Data Subject/consumer has provided a valid consent for the processing of their personal data.
- Processing is necessary to fulfil Riversand’s contractual obligations towards the data subject/consumer or an organization.
- Processing is necessary to fulfil Riversand’s legal obligations towards a government or regulatory authority
- Processing is necessary to protect vital interests of the individuals or of another person, in the public interest, or in the exercise of official authority vested in the controller.
- Processing is necessary to protect the legitimate interests of Riversand. In such cases, care shall be taken to not pose high risk to data subjects/consumer, and to protect the interests and rights of data subjects/consumer.
- If processing of personal data relies on consent from the data subject/consumer, Riversand shall stop the processing of personal data if the consent is withdrawn/revoked.
- Sensitive personal data shall not be processed unless:
- Such processing is specifically authorized or required by law.
- The data subject/consumer provides explicit consent.
- The processing is required for preventive medicine, medical diagnosis, or health care treatment, provided the data are processed by a health professional subject to national law or rules imposing an obligation of professional secrecy, or by another person with an equivalent obligation of secrecy. If Riversand is relying upon this medical exemption, all contracts with employees and independent consultants who will have access to the sensitive data must contain confidentiality requirements equivalent to those imposed on health professionals.
- Processing is necessary to protect a vital interest of the data subject/consumer, wherein the data subject/consumer is physically or legally incapable of giving consent. This exemption may apply, for example, where emergency medical care/treatment is needed.
- Data relating to criminal offenses may be processed only by or under the control of regulatory/ statutory authority.
- As a Data Controller, Riversand shall only use the personal data for the purposes the data subject/consumer has been made aware of in the privacy notice provided to them.
- As a Data Processor, Riversand shall only use the personal data in line with instructions provided by the Data Controller (such as clients).
- Periodic reviews/ audits shall be conducted to verify and ensure that function teams and client operations teams collect/ process personal data appropriately in compliance with privacy notices, contracts and this policy.
7.6 Privacy Impact Assessment (PIA)
- PIAs shall be carried out on processing activities that are likely to result in a high risk to the interests of data subjects/consumers.
- PIA shall at minimum:
- Have a description of nature, scope, context and purposes of the processing;
- Assess necessity and proportionality
- Identify and assess risks to individuals; and
- Identify any additional measures to mitigate those risks
- DPO and Data Privacy Executives (where necessary) shall be consulted while carrying out PIAs.
- For any risks identified during PIA, where appropriate mitigation measures do not exist, DPO shall consult with the relevant data protection authorities prior to starting the processing.
- As a Data Processor, Riversand shall support its clients and carry out the PIAs in line with their written instructions.
- Mechanisms shall be implemented to perform periodic Privacy Impact Assessments (PIAs) for key processing activities carried out within Riversand.
- Documented procedures shall be maintained around conducting PIAs.
7.7 Disclosure to Third Parties
Note: This section does not apply to day-to-day operations, but to cases where personal data (of customers, visitors, vendors or volunteers) is shared with third parties for processing on Riversand’s behalf.
- Riversand has established a vendor governance program to ensure:
- Appropriate due-diligence covering data privacy and security is carried out prior to on-boarding new third-party vendors (vendors) that process any personal data of/or on behalf of Riversand or its clients.
- Contract signed with vendors cover adequate security and privacy obligations as well as clear instructions around how personal data shall be handled.
- Vendors’ compliance with their security and privacy obligations is reviewed and monitored periodically.
- The Compliance team is responsible for overseeing the vendor governance program.
- Only vendors empaneled by the Compliance team shall be utilized for processing any personal data on behalf of Riversand.
- Riversand shall clearly notify the Data Subjects/consumer prior to transfer of their personal data to third party vendors. If not notified previously, the data subject/consumer shall be notified prior to performing the transfer and obtain their consent (where necessary).
- Personal data shall be shared to third party vendors only for reasons consistent with the purposes for which the data were originally collected or other purposes authorized by law.
7.8 Cross Border Transfer of Personal Data
- Personal Data shall be transferred by Riversand only if any of the below mechanisms are in place:
- The Data Subject/consumer has given consent to the proposed transfer;
- The transfer is necessary for the performance of a contract between the data subject/consumer and Riversand, or the implementation of pre-contractual measures taken in response to the data subject’s/consumer’s request;
- The transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject/consumer between Riversand and a third party;
- The transfer is necessary in order to protect the vital interests of the data subject/consumer;
- The transfer is required by law;
- The transfer is necessary or legally required on important public interest grounds;
- The transfer is necessary for the establishment, exercise, or defense of legal claims; or
- The transfer is made from a register which according to laws or regulations is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate legitimate interest.
- Transfer of personal information across borders shall be performed in compliance with the following procedures:
- Data subjects/consumer shall be clearly notified of any transfer of personal information across borders of the country in which the information was collected.
- Personal data shall not be transferred to another entity/ country/ territory, unless reasonable and appropriate steps have been taken to maintain the required level of data protection.
- Personal Data shall be communicated to third persons only for reasons consistent with the purposes for which the data were originally collected or other purposes authorized by law.
- Sensitive personal data transferred outside of Riversand or across public communications networks shall be de-identified or shall be protected against unauthorized access by use of encryption.
- Personal data of data subjects/consumer residing in the European Union (EU) and California shall not be transferred to a country or territory outside the EU and California unless the transfer is made to a country or territory recognized by the EU and California as having an adequate level of legal protection for the rights and freedoms of Data Subjects/ consumer in relation to the processing of Personal Data, or is made in compliance with one of the mechanisms recognized by the EU and California (such as use of model contracts/ Binding Corporate Rules (BCR)/ EU-US Privacy Shield) as providing adequate protection when transfers are made to countries or territories lacking an adequate level of legal protection.
- For non-EU and non-California regions, transfers to another country or territory shall be performed in compliance with the above procedures or with the specific regulations mandated by the region’s law (such as notifying the data subject/consumer, obtaining consent and/or obtaining approval from the local privacy regulator or governing body, where applicable and mandated by law).
- Additionally, in order to fulfil Riversand’s obligations as a data processor, Riversand shall ensure that their clients have authorized the transfer of personal data across borders of the country in which the information was initially collected.
7.9 Security of Personal Data
- Riversand has implemented adequate technical and organizational safeguards, in line with industry standards to ensure the security of personal data, including the prevention of their alteration, loss, damage, unauthorized processing or access, having regard to the state of the art, the nature of the data, and the risks to which they are exposed by virtue of human action or the physical or natural environment.
- Riversand has developed and published information security policies, procedures and guidelines to all employees and consultants.
- Employees and consultants shall adhere to Riversand security policies, practices and any additional guidance issued by the DPO while processing personal data.
- Confidentiality agreements & NDAs covering data protection and privacy responsibilities shall be signed by all employees & consultants on or before their joining date.
- Employees, consultants and third-party vendors involved in any stage of processing Personal Data shall explicitly be made subject to a requirement of secrecy which shall continue after the end of the employment relationship.
- Employees, consultants and third-party vendors shall have access only to the personal data necessary for the fulfilment of their employment/ contractual duties.
- Riversand shall comply with the security safeguards as per its contractual and legal requirements in consultation with its Corporate IT Team.
- The Corporate IT Team and DPO shall assess the security measures implemented to safeguard personal data on a regular basis and update the same, where required.
7.10 Data Retention and Disposal
- Personal Data shall not be retained longer than required for the purpose it was collected for, or as defined by the data retention and disposal policy, after considering other regulatory requirements.
- Personal data shall be erased if its storage violates any of the data protection rules, or if the data is no longer required by Riversand or for the benefit of the data subject/consumer.
- Personal Data shall be blocked and restricted, rather than erased, insofar as the law prohibits erasure, erasure would impair legitimate interests of the Data Subject/consumer, erasure is not possible without disproportionate effort due to the specific type of storage, or if the data subject/consumer disputes that the data is correct and it cannot be ascertained whether they are correct or incorrect.
- Disposal of personal data shall be handled with utmost care and shall be governed by the data retention and disposal policy.
- In order to fulfil Riversand’s obligations to their clients, personal data obtained from clients shall be retained in line with the written instructions of the client. In the absence of any requirement by the client, personal data used for a project shall be disposed once the project is complete, or as defined by Riversand’s data retention and disposal policy.
7.11 Data Quality
- Riversand shall implement reasonable processes to monitor the quality of the personal information it stores or processes.
- Each function shall take steps to ensure that personal data it collects, or processes is complete and accurate in the first instance and recorded in a manner to give a true picture of the current representation of the data subject/consumer.
- Riversand shall implement a process to ensure that employees and consultants periodically (at least yearly) review, update and confirm on the accuracy and completeness of their personal data collected and processed.
7.12 Data Subjects/Consumer Rights
- To the extent allowed under applicable local laws, data subjects/Consumer shall have the right to:
- Request access to copies of their personal data.
- Request information on the processing activities carried out with their personal data.
- Request that their personal data is rectified if it is inaccurate or incomplete.
- Request erasure of their personal data in certain circumstances.
- Request that the processing of their personal data is restricted in certain circumstances.
- Object to processing of their personal data in certain circumstances.
- Lodge a complaint with the respective data protection authority.
- Object to, and not be subject to, a decision based solely on automated processing (including profiling) which produces legal effects or similarly significantly affects the data subject/consumer.
- Withdraw consent at any time.
- Opt out of the sale of their personal data.
- Request disclosure of the personal data shared with third parties.
- Data Subject/consumer shall be notified of the cost incurred, if any, in fulfilling such requests. The cost incurred shall be transferred to the data subject/consumer accordingly.
- Riversand shall not impose any restriction on the method and channel of raising requests by the data subject/consumer.
- Riversand shall not restrict any individual requesting for their data based on any characteristics, including language, disability status, technological knowledge, etc.
- Riversand shall review and ensure all requests raised by data subjects/consumer are addressed in a timely manner and in compliance to the local laws & regulations.
- Riversand shall assess the feasibility of fulfilling such requests and provide a reasonable justification in writing (physically or electronically) in case of delay or denial of a request.
- Riversand shall maintain records of such requests irrespective of their fulfilling status.
- As a Data Processor, Riversand shall support its clients in fulfilling requests they receive from their data subjects/consumer based on the written instructions provided by the client.
- Documented procedures shall be maintained around handling data subject request/consumer.
7.13 Privacy by Design
- Riversand shall establish a process to proactively embed privacy at the initial planning/design stages and throughout the complete development process of new processes/ services/ technologies that involve processing of personal data.
- Considerations shall be made for technical and organizational measures to enhance privacy protection (e.g. pseudonymization, anonymization, data minimization, data aggregation etc.). In addition, appropriate technical and organizational measures shall be considered to ensure that personal data collected, processed or stored is adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
7.14 Data Privacy and Breach Management
- Riversand shall formulate and implement an incident and breach management mechanism to ensure that breaches of data privacy compliance are promptly reported to the incident response teams and the DPO.
- All employees shall be aware of the mechanism for raising data privacy and security incidents.
- Riversand shall work closely with the Incident Response Team to investigate potential data privacy and data breach incidents and track them to closure.
- Riversand shall maintain an inventory of such incidents and shall record the lessons learnt.
- Riversand shall ensure timely notification of breaches is provided to relevant data protection authorities and data subjects/consumer, where necessary, in line with local data protection laws and regulations.
- As a Data Processor, Riversand shall promptly notify its client of any potential data privacy and data breach incidents in line with the written instructions provided by the client.
- Documented procedures shall be maintained to identify, track, review and notify data breaches to data protection authorities and data subjects/consumer.
7.15 Automated Profiling and Decision Making
- Processing activities involving fully automated decision-making on personal data, including profiling, shall not be performed unless:
- It is necessary for entering into or performance of a contract between Riversand and the data subject/consumer;
- It is authorized by law (e.g. for the purposes of fraud or tax evasion prevention); or
- The data subject/consumer has provided an explicit consent.
- Processing activities involving profiling that does not involve automated decision-making shall not be performed unless one of the following applies:
- The data subject/consumer has provided an explicit consent;
- Processing is necessary for the performance of a contract;
- Processing is necessary for compliance with a legal obligation;
- Processing is necessary to protect vital interests of the individual;
- Processing is necessary for the performance of a task carried out in the public interest or exercise of official authority; or
- Processing is necessary for the legitimate interests pursued by the controller or third party.
- PIAs shall be conducted prior to carrying out any processing activities involving automated profiling or decision-making, to identify the potential risks to data subjects/consumers.
- The DPO and Data Privacy Executives shall be engaged during the PIA process to assess the risks and identify appropriate mitigation measures.
- Riversand shall notify data subjects/consumers, prior to or during the collection of personal data, that the data shall be subject to automated decision-making or profiling.
- The notice provided to the data subject/consumer shall contain fair processing information about solely automated decision-making (including profiling) that has significant or legal effects:
- Meaningful information about the logic involved:
- the categories of data used to create a profile;
- the source of the data;
- why this data is considered relevant.
- The significance and envisaged consequences of such processing.
- Data subjects/consumers shall be provided the opportunity to object to automated decision-making or profiling.
- In such circumstances, data subjects/consumers shall be given the opportunity to:
- obtain human intervention;
- express their point of view; and
- obtain an explanation of the decision and challenge it.
- As a Data Processor, Riversand shall only carry out automated decision making and profiling activities on the personal data received from clients based on the authorization and written instructions from the client.
7.16. Managing Changes to Processes/ Solutions/ Technology
- No new or expanded collection or processing activities involving personal data may be undertaken without first obtaining approval from the DPO.
- PIAs shall be performed for any new/ changes to major process/ solution/ technology, which requires or involves the processing of personal data.
- Personnel at all levels shall apply the following while making changes in existing processes/ technologies:
- Collection and use of Personal Data shall be avoided or limited when reasonably possible.
- Personal Data shall be de-identified when the purposes of data collection or processing can be at reasonable cost achieved without personal identification.
- The purpose(s) of the collecting or processing of Personal Data shall be expressly identified by the business unit preparing any new or expanded data collection and processing activity or function.
- Personal data may only be used for the purposes for which it was originally collected, except for historical, statistical, scientific, or legally mandated purposes.
7.17. Resolution of Disputes
Individuals with inquiries or complaints about the processing of their personal data shall bring the matter to the attention of the DPO in writing. Any disputes concerning the processing of the personal data of non-employees will be resolved by the DPO by following due process, or through law via arbitration.
7.18. Handling appeals
If an issue is not resolved through consultation with the data subject’s/consumer’s supervisor or the DPO, or through other mechanisms under existing employment agreements, union agreements, or statutory procedures, then the data subject/consumer may, at their option, seek redress through mediation, binding arbitration, litigation, or a complaint to a data protection authority with jurisdiction (all as permitted by applicable local law or procedure).
7.19. Monitoring and Enforcement
7.19.1 Performance Measurement
The DPO shall develop key performance indicators (KPIs) for measuring the compliance and performance of the current processes related to data privacy. The DPO shall periodically track and monitor the KPIs and identify appropriate remedial actions for functions and client operations teams.
7.19.2 Compliance Assessments
The DPO shall work with the risk leadership to develop processes to carry out periodic reviews for all functions and client operations to ensure processing activities are carried out in line with this policy.
This Policy may be revised at any time. Notice of significant revisions shall be provided to employees through the Intranet Portal of Riversand or e-mail communication and to others through an appropriate mechanism selected by the DPO.
7.21. Key Terms & Definitions
| Term | Definition |
|---|---|
| Data Controller | The entity that determines the purposes, conditions and means of the processing of personal data. |
| Data Subject | A natural living person whose personal data is processed by a controller or processor. |
| Data Processor | The entity that processes data on behalf of the Data Controller. |
| Processing | Any operation performed on personal data, whether or not by automated means, including collection, recording, organizing, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. |
| Third Party | Third party, in relation to personal data, means any person other than the data subject/consumer, the data controller, or any data processor or other person authorized to process data for the data controller. |
| Personal Data | Any data related to a natural person (“Data Subject” or “Consumer”) that can be used to directly or indirectly identify the person, e.g. name, address, phone number, IP address. |
| Sensitive Personal Data | Information that, if lost, compromised, or disclosed, could potentially harm, cause inconvenience, embarrassment, or unfairness to an individual, e.g. bank account information, government IDs, income or credit history, credit/debit card numbers, data relating to offenses or criminal convictions, sexual orientation, health/medical records (past, present or future), racial or ethnic origin, political opinions, religious or philosophical beliefs. |
| Consumer | A natural person who is a California resident, as defined in Section 17014 of Title 18 of the California Code of Regulations, as that section read on September 1, 2017, however identified, including by any unique identifier. |
7.22. Contact details of DPO
Identity and contact details of data protection officer
If you have any concerns as to how your data is processed, you can contact:
Arun Krishna, Data Protection Officer, at firstname.lastname@example.org