POLICY ON PRIVACY AND DATA PROTECTION (JAN SAHAS SOCIAL EMPOWERMENT SOCIETY)

Disclaimer: 
This document is intended solely for the internal use of JSSES and is not intended to be and 
should not be used by any other person or entity. No other person or entity is entitled to rely, in 
any manner, or for any purpose, on this document. 
Copyrights: 
All rights reserved. No part of this document may be reproduced or transmitted in any form 
and by any means without the prior permission of JSSES. 

Version 2
Policy Owner: TI and Human Resources Department 
Date of first approval by Board: November 2020 
Review Schedule: Annually by the Board 
Date of most recent review: April 2022 
Date of next review: April 2023 

Table of Contents: 

1. Introduction  
2. Definitions  
3. Privacy Policy Objective  
4. Policy Coverage  
5. Applicable Laws & Regulations  
6. Collection of Personal Data  
7. Privacy Principles  
8. Rights of Data Subjects  
9. Privacy Specific Process  
10. Privacy Organization and Governance  
11. Non-Disclosure & Confidentiality Agreements  
12. Grievances & Complaints Redressal  
13. Review and Amendments  

1. Introduction 
We at JSSES respect the personal data entrusted to us by our users, employees, contractors, 
vendors, and candidates, and we are committed to fair, transparent, and secure processing of 
personal data. This policy outlines how JSSES (hereafter referred to as 'the organization') 
collects, processes, and uses the personal data of users in compliance with applicable data 
privacy laws. 

2. Definitions: 
In this policy, unless the context indicates otherwise: 
2.1. Product and Services: Products and services offered by the organization. 
2.2. Data: A representation of information, facts, concepts, opinions, or instructions in a 
manner suitable for communication, interpretation, or processing by humans or automated 
means. 
2.3. Data Subject: An individual whose personal data is processed by the organization or by 
another entity on behalf of the organization. 
2.4. Personal Data: Any information relating to an identified or identifiable natural person 
('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, 
in particular by reference to an identifier such as a name, an identification number, location 
data, an online identifier, or to one or more factors specific to the physical, physiological, 
genetic, mental, economic, cultural, or social identity of that natural person. 
2.5. Sensitive Personal Data (SPD): A special category of personal data that requires focused 
handling. It comprises personal data revealing racial or ethnic origin, political opinions, religious or 
philosophical beliefs, or trade union membership, as well as genetic data, biometric data, data concerning 
health, and data concerning a natural person's sex life or sexual orientation. Sensitive personal 
data is a subset of personal data. Hence, wherever sensitive personal data is not mentioned 
separately in this document, it is deemed to be included under personal data. Consequently, all 
that is applicable to personal data is automatically applicable to sensitive personal data. 
2.6. Processing: Any operation or set of operations performed on personal data or on sets of 
personal data. These include collection, receipt, recording, holding, structuring, storage, 
organization, adaptation or alteration, collation, updating, retrieval, consultation, use, 
disclosure by transmission, dissemination, or otherwise making available in any form, merging, 
linking, alignment or combination, restriction, erasure, degradation, or destruction. These could 
be performed by manual or automated means. 
2.7. Party: Organizations or individuals that include, but are not limited to, service providers, 
suppliers, contractors, consultants, temporary staff, and others that provide their products 
and/or services or are otherwise associated with the organization. 
2.8. Genetic Data: Personal data relating to the inherited or acquired genetic characteristics of 
an individual, which provide unique information about the physiology or health of that 
individual. 
2.9. Biometric Data: Personal data resulting from specific technical processing relating to the 
physical, physiological, or behavioral characteristics of an individual, which allow or confirm 
the unique identification of that individual, such as facial images or fingerprint data. 
2.10. Data Concerning Health: Personal data related to the physical or mental health of an 
individual, including the provision of healthcare services, which reveal information about his 
or her health status. 

3. Privacy Policy Objective: 
The objective of this policy is to: 
• Create a Privacy-aware and responsible culture towards management of Personal Data 
(PD) processed by and on behalf of the organization. 
• Identify and protect Personal Data as per applicable laws. 
• Identify and manage the legal, regulatory and other obligations towards Privacy and 
Protection of Personal Data. 
• Increase employee awareness of Data Privacy in general and of acceptable data 
handling practices and applicable requirements in relation to Personal Data. 
• Set minimum standards pertaining to Data Privacy and Personal Data within the 
organization. 
• Measure and review the effectiveness of the Privacy Posture within the organization. 

4. Policy Coverage: 
This Policy applies to the organization. The users of this policy are all employees, 
permanent or temporary, and all contractors working on behalf of the organization, 
regardless of their geographic location. 

5. Applicable Laws & Regulations: 
The organization shall adhere to and comply with all applicable laws, regulations and 
standards relating to data protection and privacy. 

6. Collection of Personal Data: 
The organization may collect Personal Data from Data Subjects in the following ways: 
Directly:  
• Where the Data Subject is aware of her Personal Data being collected.  
• Where the Data Subject may not necessarily be aware (e.g., online identifiers).  
Indirectly:  
• Where the Data Subject’s Personal Data is collected from third parties.  

7. Privacy Principles:  
7.1. Lawful Basis of Processing  
7.2. Privacy Notice  
7.3. Consent (with withdrawal rights)  
7.4. Choice  
7.5. Purpose Limitation  
7.6. Data Minimization  
7.7. Storage Minimization  
7.8. Accuracy  
7.9. Disclosure  
7.10. Transfer  
7.11. Security  
7.12. Accountability  

8. Rights of Data Subjects:  
The organization is committed to providing all rights mandated by law.  

9. Privacy Specific Processes:  
Includes classification of data, inventory, purpose & usage documentation, legal/regulatory intelligence, contracts with third parties, cross-border transfers, regulatory body management, incident management, awareness & training, security, PIAs/DPIAs, privacy by design & default, record keeping, audits.  

10. Privacy Organization and Governance:  
The organization will establish an appropriate structure and governance mechanisms.  

11. Non-Disclosure & Confidentiality Agreements:  
Requisite clauses must be incorporated into contracts and agreements.  

12. Grievances & Complaints Redressal:  
Complaints will be recorded and addressed without undue delay.  

13. Review and Amendments:  
This policy is subject to change; changes will be communicated within 2 working days.  
