Privacy Policy

1. Policy Statement

1.1 The Data Privacy Policy at Omniactive Health Technologies Private Limited (“Omniactive”) aims to meet leading standards for data protection and privacy. Omniactive is committed to protecting the privacy and personal data of its Data Principal. Omniactive recognizes that safeguarding and appropriately processing Personal Data, is important to maintain stakeholders’ trust. Data privacy rules must be followed in order to protect the privacy or personal data of Omniactive’ s customers, employees, business contacts, suppliers, and third parties or any other entities (if applicable) and to perform any action with regards to personal data, whether in whole or in part, such as collecting, recording, organizing, storing, processing, modifying, using, disclosing, transferring, monitoring or deleting.

1.2 This policy is applicable to all Omniactive offices including head offices, branches, employees, contractors, vendors, interns, customers, business partners and other people working on behalf of Omniactive, who may receive personal data from Omniactive , have access to personal data collected or processed by or on behalf of Omniactive, or who provide information to Omniactive . This policy covers the treatment of personal data collected, handled and stored by Omniactive for lawful business purposes to meet Omniactive’ s data protection standards and to comply with the applicable data privacy laws.

2. Terms and Definitions

• Data Subject/Data Principal/Individual- A natural person to whom the Personal Data relates. Examples of a data subject can be an individual, a customer, a prospect, an employee, a contact person, etc. For the purposes of this Policy, the terms “Data Subject”, “Data Principal” and “Individual” may be used interchangeably.
• Personal data/Personal Identifiable Information – Any information relating to an identified / identifiable individual, whether it relates to his or her private, professional, or public life. Can be anything from a name, photo, email address, bank details, posts on social networking sites, medical information, IP address, or a combination of the data that directly or indirectly identifies the person. For the purposes of this Policy, the terms “Personal Data” and “Personal Identifiable Information” may be used interchangeably.
• Sensitive personal data- It refers to “special categories of personal data.” which includes personal data related to racial or ethnic origin, political opinions, religious or philosophical views, trade union membership, sexual orientation, and health, genetic and biometric data, processed to uniquely identify an individual. Personal data relating to criminal convictions and offenses are not included, but similar extra safeguards apply to its processing.
• Data Controller/Data Fiduciary- Any organization, person, or body that determines the purposes and means of processing personal data, controls the data and is responsible for it, alone or jointly. Examples where the data controller is an individual includes general practitioners, pharmacists, and politicians, where these individuals keep personal data about their patients, clients, constituents etc. Examples of organizations that can be data controllers, includes for profit or not for profit, private or government-owned, large or small, where those organizations keep personal data about their employees, clients, etc. For the purposes of this Policy, the terms “Data Controller” and “Data Fiduciary” may be used interchangeably.
• Data Masking – Data masking processes change the values of the data while using the same format. The goal is to create a version that cannot be deciphered, or reverse engineered. E.g., character shuffling, word or character substitution, and encryption
• Data Processor- A data processor processes the data on behalf of the data controller. Examples include payroll companies, accountants, and market research companies.
• Data Protection Officer- A Data Protection Officer is a person appointed by a Data Controller or Data Processor as per the Applicable Data Privacy Law.
• Accountability- Accountability is the ability to demonstrate compliance with the applicable privacy regulations. This states that this is the organization’s responsibility. In order to demonstrate compliance, appropriate technical and organizational measures must be implemented. Best practice tools such as privacy impact assessments and privacy by design are now legally required in certain circumstances.
• Consent- Consent is any “freely given, specific, informed, unconditional and unambiguous” indication of the individual’s wishes, either by a statement or by a clear affirmative action and signifies an agreement to process personal data relating to them for one or more specific purposes. The affirmative action, or a positive opt-in, means that the consent cannot be inferred from silence, pre-ticked boxes, or inactivity.
• Privacy Impact Assessment (PIA)/Data Protection Impact Assessment (DPIA) – The data controllers and data processors shall conduct a Data Protection Impact Assessment (also known as a privacy impact assessment, or PIA) before undertaking any processing that presents a specific privacy risk by virtue of its nature, scope, or purposes.
• Processing- Processing is any operation performed on personal data (sets), such as creation, collection, storage, view, transport, use, modification, transfer, deletion, etc., whether by automated means.
• Profiling- Profiling is any form of automated processing of personal data intended to evaluate certain personal aspects relating to an individual, or to analyse or predict that person’s performance at work, economic situation, location, health, personal preferences, reliability, or behaviour.
• Subject access- This is the data subject’s right to obtain from the data controller, on request, certain information relating to the processing of his/her personal data.
• Third party- A third party is any natural or legal person, public authority, agency, or any other body other than the data subject, the controller, the processor, and the persons who, under the direct authority of the controller or the processor, are authorized to process the data.
• Transfer- Movement of personal data from one country to another.
• Applicable Data Privacy Law- All directives, laws, rules, regulations, governmental requirements, codes as well as international, federal, state, provincial laws applicable to the processing and storage of personal data and includes but is not limited to:
  1. India’s Digital Personal Data Protection Act(DPDPA), 2023 (as amended from time to time)
  2. European Union General Data Protection Regulation (GDPR),2018 (as amended from time to time)

3. Policy: Generally Acceptable Privacy Principles The GAPP consists of ten privacy principles. The privacy principles are listed and summarized below:

• Management – The entity defines, documents, communicates, and assigns accountability for its privacy policies and procedures.
• Notice – The entity provides notice about its privacy policies and procedures and identifies the purposes for which personal data is collected, used, retained, and disclosed.
• Choice and consent – The entity describes the choices available to the individual and obtains implicit or explicit consent with respect to the collection, use, and disclosure of personal data.
• Collection – The entity collects personal data only for the purposes identified in the notice.
• Use, retention, and disposal – The entity limits the use of personal data to the purposes identified in the notice and for which the individual has provided implicit or explicit consent. The entity retains personal data only if necessary, to fulfil the stated purposes or as required by law or regulations and thereafter appropriately disposes of such information.
• Access – The entity provides individuals with access to their personal data for review and update.
• Disclosure to third parties – The entity discloses personal data to third parties only for the purposes identified in the notice and with the implicit or explicit consent of the individual.
• Security for privacy – The entity protects personal data against unauthorized access (both physical and logical).
• Quality – The entity maintains accurate, complete, and relevant personal data for the purposes identified in the notice.
• Monitoring and enforcement – The entity monitors compliance with its privacy policies and procedures and has procedures to address privacy related complaints and disputes.

The implementation and consistent application of the GAPP privacy framework or privacy principles shall enable an organization to effectively manage the collection, use, retention, disclosure, and disposal of data requiring privacy protections.

4. Personally Identifiable Information

• PII is any information about an individual maintained by an agency, including:
  • any information that can be used to distinguish or trace an individual ‘s identity, such as name, social security number, Aadhar, PAN, / government idenifiers date and place of birth, mother ‘s maiden name, or biometric records, etc.
  • any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.
• PII may be divided into two categories: linked information and linkable information.
• Linked information is any piece of personal information that can be used to identify an individual and includes the following:
  • Full name;
  • Home address;
  • Email address;
  • Government id;
  • Passport number;
  • Driver’s license number;
  • Debit/Credit card numbers;
  • Date of birth;
  • Telephone number;
  • Log in details; and
  • Biometric information (Fingerprint).
• Linkable information, on the other hand, is information that on its own may not be able to identify a person, but when combined with another piece of information could identify, trace, or locate a person. Examples of linkable information:
  • First or last name (if common)
  • Country, state, city, postcode
  • Gender
  • Race
  • Non-specific age (e.g. 30-40 instead of 30); and
  • Job position and workplace.

5. Lawful Basis of Processing All operations and sub-processes owner must validate whether the “Processing” activity fulfils any one all of the following bases of processing to be lawful:

• The Data Principal has given consent for one or more specific purposes – Where a distinguishable, affirmative, unambiguous, and free consent is obtained from the data principal in order to process his/ her personal data for processing operations/ activities.
• Processing is necessary for the performance of a contract – All situations wherein personal data is necessary for entering into a contract with the individual/ third party.
• Processing is necessary for compliance with a legal obligation – Whenever processing of an activity is mandated by Government. For example, an employer needs to process personal data to comply with its legal obligation to disclose employee salary details to Revenue and customs agency/ department.
• Processing is necessary in order to protect the vital interests of the Data Principal or another natural person – In scenarios, wherein processing is necessary to protect Data Principal or someone’s life.
• Processing is necessary for the performance of a task carried out in the public interest – In scenarios, wherein collection and processing of personal data is carried out in public interest authorized by relevant government authorities. The processing task or scenario needs to have a clear basis in law. For example, information provided to government agencies to carry out an investigation against a Data Principal, protecting against serious cross-border threats to health emergency or crisis situations.
• Processing is necessary when national security is involved – In scenarios, wherein collection and processing of personal data is carried out by the national security of the country. For example- information provided to physical and security vigilance team at the airport involving national security to carry out the investigation against a Data Principal, protecting against any threats.
• Processing is necessary for the purposes of the legitimate interests pursued by the fiduciary or by a third party. – The processing is not required by law but is of a justified and clear benefit to the Data Principal. It can be used when other means of processing cannot be applied. For e.g., fraud prevention, direct marketing, intra group administrative transfers.

6. Collection of Personal Data

• Omniactive shall collect the personal data of employees, customers or third parties as per the relevant business operation policies and procedures and Applicable Data Privacy Laws and will limit the collection, use, storage, processing, transfer and disclosure of personal data to a minimum that Omniactive requires to carry its business specific purposes.
• Any Omniactive policy, including but not limited to business operations policies, procedure, technical documents, system design documents, defining the collection of personal data at any level in Omniactive shall adhere to the Data Privacy Policy.
• Personal data or Personal Identifying Information (PII) may only be collected, used, stored, processed, transferred or disclosed for reasonable, specific and lawful purposes.
• Business functions shall be aware of the Applicable Data Privacy Laws- India (Digital Personal Data Protection Act,2023) and European Union (General Data Protection Regulation,2018) or regulatory guidelines and comply with the same.
• Respective Business functions shall implement adequate procedures regarding obtaining, identification of personal data or Personal Identifying Information (PII). This will include procedures to collect data from customers through the Omniactive branch operations and employees (including third party employees and trainees).
• Omniactive shall be responsible to identify data which requires specific compliance requirements regarding data protection and privacy.
• In cases where the data is collected directly from the data subjects, Omniactive shall ensure that the privacy notice is visible and uses clear language.
• Omniactive should verify the accuracy and completeness of personal data that an individual updates by means of a self-declaration form or supporting evidence provided at the time of making those changes.

7. Consent

• Omniactive shall not collect, use or disclose any personal data without the consent of the Data Subject except where there is consent or where such collection, use or disclosure is required to meet the requirements of country specific laws and, regulations, if any.
• Omniactive shall seek consent from data subject or legal guardian person before collecting, processing and disclosing Personal Data concerning a child. A child is an individual who has not completed the age defined in the Applicable Data Privacy Law.
• For sensitive data, Omniactive shall ensure explicit consent is obtained.

8. Data Principal Request Management The process to address data principal rights will be established. The data principals have the following rights subject to applicable laws and regulations and prior consent given:

• Access information: Data principal(s) has the right to know what information data fiduciary hold and the processing activities undertaking by them. Additionally, it also has the right to know with whom (other data fiduciary, third party vendors etc.) Is the personal data shared along with the description of the personal data shared.
• Correct, complete, update and erase personal data: Data Principal(s) has the right to correct/complete/update and erase their respective personal data
• Grievance Redressal: Data Principal(s) have the right to grievance redressal from an officer appointed by the data fiduciary i.e., Data Protection officer/Consent Manager or any other officer of similar stature as prescribed by the law
• Nominate: Data Principal(s) have the right to nominate a person on event of the death of data principal OR any unfortunate event leading to ‘Incapacity’ to exercise his/her rights

9. Adequacy and Accuracy of personal data

• Personal data shall be accurate and wherever necessary, kept up to date. Omniactive shall take all reasonable steps to ensure the accuracy of any personal data it obtains and the authenticity of its source, as required by the policies and related procedures.
• Omniactive shall ensure that personal data collected, stored, and processed shall be adequate, relevant and not excessive in relation to the business purpose or purposes for which the data is collected.

10. Protection of personal data Implementing security controls for personal data protection:

• Omniactive shall determine and ensure the implementation of appropriate procedural (policies, procedures, guidelines, and standards), physical or technical security controls in order to protect personal data against risks such as loss, unauthorised access, modification, destruction, disclosure and misuse of its information processing facilities;
• Omniactive shall have processes in place to ensure the integrity of personal data through existing security controls;
• Omniactive shall determine the specific privacy requirements and implement technical controls resulting from the identified privacy requirements; and
• Omniactive shall define specific controls to ensure all data protection and privacy requirements are catered. In order to protect the confidentiality of the data, all Personal data shall be stored in an encrypted format. Data Masking techniques shall be incorporated to protect the confidentiality of any personal data:
  • Data Pseudonymisation: replace private identifiers with fake identifiers or pseudonyms, for example replacing the identifier “John Smith” with “Mark Spencer”.
  • Data Swapping: rearrange the dataset attribute values so they don’t correspond with the original records. Swapping attributes (columns) that contain identifiers values such as date of birth.
• Privacy requirements for Contractors and Service Providers:
  • Omniactive shall establish privacy roles, responsibilities, and access requirements for contractors and service providers; and shall include privacy requirements in contracts, Data Processing Agreements and other acquisition-related documents.
• Privacy requirements for Contractors and Service Providers:
  • Omniactive shall establish privacy roles, responsibilities, and access requirements for contractors and service providers; and shall include privacy requirements in contracts, Data Processing Agreements and other acquisition-related documents.
• Processing Personal Data:
  • Personal data shall be processed by Omniactive in accordance with the rights of data subjects under the applicable national/international legislations.
• Personal data Access & Correction:
  • Omniactive shall ensure that the data subject is given access to his/her personal data and allowed to make corrections if it is inaccurate after seeking necessary approval/permission from the data owner (Data Principal or lawful guardian) to do so.
• Retention and Destruction of Personal Data:
  • Personal data collected shall be destroyed securely once the purpose is achieved/where the data is no longer required, subject to policies for retention of data, as defined in the Applicable Data Privacy Law or the Data Management Policy
• Accessing Personal Data
  • Access to personal data shall be restricted according to, Omniactive’ s business needs and the requirements of the tasks at hand, to the minimum number of persons required.
  • Personal data shall be used for approved purposes only. The printing, use, exchange, distribution or any other type of processing of personal data is permitted only in compliance with Omniactive policies.
• Disclosure of Personal Data:
  • Information (including information derived from the processing of personal data) that can be linked to an individual can be disclosed to third parties and Omniactive  employees only if such disclosure is permissible as per the Omniactive policies and after taking due consent from the Data Subject.
  • Exposure of any personal data of any entity, during Incident resolution processes with external vendors shall not be considered as a privacy breach by Omniactive or any of its team performing any such activity.
• Right to Subject Access:
  • The data subject shall have the right to obtain from the controller confirmation as to whether personal data concerning them are being processed, and, where that is the case, access to the personal data and the following information, subject to the Applicable Data Privacy Laws.
• The purposes of the processing;
  • the categories of personal data concerned;
  • the recipients or categories of recipient to whom the personal data have been or will be disclosed/transferred, recipients in third countries or international organisations;
  • where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
  • the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
  • the right to lodge a complaint with a supervisory authority;
  • where the personal data are not collected from the data subject, any available information as to their source;
  • the existence of automated decision-making, including profiling, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
• Prohibiting the Processing of Sensitive Personal Data:
  • The collection and processing of sensitive personal data shall be done in accordance with this Data Privacy Policy and as per the Applicable Data Privacy Laws.
• Transferring of Personal data between Countries:
  • Personal data shall be transferred only in accordance with the applicable data privacy laws of countries involved. In case, any of the country is not having privacy law in place, best practices shall be considered before the transfer of any personal data.
  • In case personal data belonging to data subjects is shared with any third party, Omniactive must confirm that the third party complies with the applicable privacy laws and regulations. In cases where data subject’s personal data is shared within Omniactive entities (e.g. USA to India) then that must be captured.
• Personal data and Omniactive’ s Publicly Available Information Systems:
  • Omniactive shall implement the appropriate procedural (policies, procedures, guidelines, standards), physical or technical protection controls in order to protect all of its publicly available information systems that permit feedback and direct entering of information such as personal data, to visitors and/or Omniactive’ s customers. In any case, information on a publicly available system, information on a Web server accessible via the Internet, shall comply with respective policies of Omniactive.
• Conducting Privacy Impact Assessments:
  • Omniactive team shall document and implement a privacy risk management process that assess privacy risk to data subjects resulting from the collection, sharing, storing, transmitting, use, and disposal of personal data.
  • Omniactive team shall conduct Privacy Impact Assessments (PIAs)/DPIAs for information systems, programs, or other activities that pose a privacy risk in accordance with applicable data privacy laws, or any existing organisational policies and procedures.
  • Omniactive team shall conduct risk assessments and PIAs/DPIAs pertaining to data privacy on a periodic basis. The procedure shall be reviewed at least once annually.
  • Omniactive will adopt the following approach:
  • v Identify relevant processes and support functions
    • Prepare Personal Data Inventory and roll out DPIA questionnaire
    • Identify the risks and develop mitigation strategies; and
    • Monitor closure of identified actions.
    • The Local Privacy Officer/ Local DPO will coordinate with the relevant privacy champions to ensure that personal data inventory is maintained and DPIA is conducted as per the defined methodology.
• Training and Awareness:
  • Omniactive shall implement training and awareness plan for employees and third-party vendors enabling them to protect personal data . To reduce the possibility that personal data will be accessed, used, or disclosed inappropriately, all individuals who have been granted access to the personal data should receive appropriate training and, where applicable, specific role-based training.
• Omniactive shall:
  • Develop, implement, and update a comprehensive training and awareness strategy aimed at ensuring that personnel understand privacy responsibilities and procedures.
  • Administer basic privacy training at least annually and targeted, role-based privacy training for personnel having responsibility for personal data or for activities that involve personal data at least annually.

11. Communications Privacy

• Identification of Laws and Regulations for Communications Privacy:
  • Monitoring of electronic communications (telephone calls, e-mails and internet access) by any means for business or security purposes shall be done in compliance with applicable data privacy laws.
  • Omniactive’ s employees are prohibited from eavesdropping, storing, monitoring or intercepting of the communications or information in Omniactive.
  • Such personal data can be retained, accessed, stored by approved personnel only, during and after investigation, and as per the Data Privacy Policy or otherwise as directed by the applicable data privacy laws.
• Accountability:
  • Omniactive shall establish, approve, review the privacy requirements (along with the privacy plan, policies) and associated controls for completeness (periodically), and maintain detailed roles and responsibilities of the various functionaries for Omniactive’s Privacy function;
  • Omniactive shall appoint a Data Protection Officer (DPO) accountable for developing, implementing, and maintaining an organisation-wide governance and privacy program to ensure compliance with all applicable data privacy laws regarding the collection, use, maintenance, sharing, and disposal of personal data by programs and information systems.
• Complaint Management:
  • Omniactive shall implement a process for receiving and responding to complaints, concerns, or questions from data subjects about the organisational privacy practices. System communication recording requirements.
  • Systems used to provide electronic communications and services shall be designed to record only the communication data required in accordance with Omniactive policies or as required by business need or otherwise suggested by national/regional legislation and regulations.
• Right of Users to Access Information Collected by Monitoring Mechanisms:
  • Country specific applicable regulations for monitoring mechanism, Omniactive shall provide the relevant information to respected data subjects, who wish to validate information that has been collected by security monitoring mechanisms used by Omniactive.
• Handling of Data Privacy Incidentst:
  • Omniactive shall develop and implement a “Privacy Incident Response Plan” and provide an organised and effective response to privacy incidents in accordance with the Omniactive’s Privacy Incident Response Plan.
  • Data privacy incidents shall be handled in accordance with the Data Breach Management Policy .
  • Any suspected fraud noted due to violation to this policy and during security investigation, should be reported to regional IT Team and IT Lead over email.
  • Privacy breach management covers:
    • Individuals should be able to detect and report a privacy incident as it occurs within the operational infrastructure and results in deviations from normal services. v Privacy Office in consultation with the Local Privacy Officer / Local DPO will regularly update all individuals over privacy incidents and breaches happening across the globe and their relevance at Omniactive’s environment, by means of privacy trainings, emails, posters etc
    • All the privacy incidents shall be reported to Local Privacy Officer / Local DPO through (email to be added)
    • All privacy incidents shall be recorded and tracked.
• Access to Personal data or Personal Identifiable Information during detection, investigation and monitoring:
  • Omniactive shall place appropriate technical controls to detect any fraud and prevent the leakage of Omniactive confidential information, employees PII or any other personal data, from Omniactive endpoints, networks, storage devices and other information processing systems. Any employee’s personal data (including but not limited to bank account no, and credit card no), if exposed to monitoring or investigation team, during any such detection, monitoring activity or investigation, will not be considered as a privacy breach by Omniactive.
  • Any investigation related to data leakage of personal data or sensitive information shall be initiated only after the approval of Local Privacy Officer / Local DPO and should be in consultation with HR or Legal department, if required, on case-to-case basis.
• Disclosure of Personal data with regulatory bodies
  • Personal data may be disclosed to respective regulatory authority, if required for an appropriate lawful purpose and will not be considered as a privacy breach by Omniactive.

12. Acceptable Usage Policy End users shall perform their day-to-day activity in alignment with Acceptable Usage Policy and be aware of social engineering methods that can be misused to attempt the leakage of personal data.

13. Privacy Monitoring and Review

• Omniactive shall have rights to monitor any computer system, network system and storage device, or personal data (stored, or in transmission), if required and as per the applicable data privacy laws. Such monitoring shall be carried out as preventive measures to detect any fraudulent activity and shall not be a privacy violation to any employee and shall be carried out with appropriate approvals.
• Omniactive shall monitor and review the privacy controls and the privacy policy at least annually to ensure effective implementation.
• Omniactive shall document all the personal data processing operations carried out under its responsibility.
• Omniactive shall review complaints/grievances to identify indications of any misuse of personal data by third parties.
• Omniactive shall have a process in place to document and maintain the record of the personal data hardcopy and media movements from the facilities.
• Omniactive shall conduct periodic self-assessment or reviews or due diligence of third parties to demonstrate compliance to privacy requirements.
• Some of Omniactive’s office space buildings and sites use CCTV systems to monitor their exterior and interior 24 hours a day for security reasons. This data is recorded. Use of CCTV and recording of CCTV data is only carried in accordance with Omniactive’s approved guidelines.
• Omniactive shall take reasonable efforts to alert the individual that the area is under electronic surveillance.

14. Privacy Reporting

Omniactive shall develop, disseminate, and update the regulatory bodies and other oversight bodies, as appropriate, with suitable reports to demonstrate accountability with specific statutory and regulatory privacy program mandates, and to senior management and other personnel with responsibility for monitoring privacy program progress and compliance.

15. Privacy Enhanced Design and Development

• Omniactive shall design information systems to support privacy by automating privacy controls, wherever possible.
• Transfer of personal data from one process to another should be over secure channels.

16. Privacy Notice

• Data Subjects shall be notified of the purposes for which Omniactive intends to collect, use or disclose personal data before or when such data is collected. If any intended use of personal data will go beyond the purposes notified during collection, Omniactive employees will notify the relevant Data Subject of the new purpose and seek that Data Subject’s consent to use the data for such a purpose.
• Omniactive shall provide effective notice to the public and to data subjects regarding:
  • Its activities that impact privacy, including its collection, use, sharing, safeguarding, maintenance, and disposal of personal data.
  • Authority for collecting personal data. Ø The choices, if any, data subjects may have regarding how Omniactive uses personal data and the consequences of exercising or not exercising those choices.
  • The ability to access and have personal data amended or corrected if necessary.
  • Any other information required as per the Applicable Data Privacy Laws.
• Omniactive shall describe:
  • The personal data the organisation collects and the purpose(s) for which it collects that information.
  • How the Omniactive uses personal data internally.
  • Whether Omniactive shares personal data with external entities, the categories of those entities, and the purposes for such sharing.
  • Whether data subjects can consent to specific uses or sharing of personal data and how to exercise any such consent.
  • How data subjects may obtain access to personal data.
  • How the personal data will be protected.
  • Rights available with data subjects
  • Point of contact for complaints or grievances or exercising rights
  • Omniactive shall revise its public notices to reflect changes in practice or policy that affect personal data or changes in its activities that impact privacy, before or as soon as practicable after the change.
  • Any other details necessary to comply with the Applicable Data Privacy Laws

17. Dissemination of Privacy Program Information

• Omniactive shall ensure that the public has access to information about its privacy activities and is able to communicate with its Local Privacy Officer / Local DPO
• Omniactive shall ensure that its privacy practices are publicly available through Omniactive’s websites or otherwise.

18. Information sharing with Third Parties and Outward Transfers

• Omniactive shall share personal data externally, only for the authorised purposes and/or described in its notice(s) or for a purpose that is compatible with those purposes.
• Where appropriate, enter into Data Processing Agreements, Memoranda of Understanding, Memoranda of Agreement, Letters of Intent, Computer Matching Agreements, or similar agreements, with third parties that specifically describe the personal data covered and specifically enumerate the purposes for which the personal data may be used. · If third party or sub-contractor and vendors (support/ enhancement/ troubleshooting/ administration) is aligned in the process involving personal data, non-disclosure agreement (NDA) to be signed and privacy requirement to be mentioned in the contract.
• Omniactive shall monitor, audit, and train its staff on the authorised sharing of personal data with third parties and on the consequences of unauthorised use or sharing of personal data.
• Omniactive shall evaluate any proposed new instances of sharing personal data with third parties to assess whether the sharing is authorised and whether additional or new public notice is required.
• Personal information transferred across geographies from where Omniactive operates for storage or processing should follow the following (Cross Border transfers):
  • Obtain implicit or explicit consent from individual for transfer of personal information.
  • The transfer is necessary for the performance of a contract between the individual and Omniactive, or the implementation of pre-contractual measures taken in response to the individual’s request.
  • The transfer is necessary for the conclusion or performance of a contract concluded in the interest of the individual between Omniactive and a third party.
  • The transfer is necessary or legally required on important public interest grounds or for the establishment, exercise, or defense of legal claims.
  • The transfer is required by law and should be governed by the applicable contractual clauses (E.g., Standard Contractual Clause)
  • The transfer is necessary to protect the vital interests of the individual.
  • The transfer is made under a data transfer agreement.
  • Ensure proper safeguards such as Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs)

19. Guidelines for personal data breach management Data Breach Management Policy A data controller or data processor shall implement policies and procedures for the purpose of managing security incidents, including personal data breach. These policies and procedures must ensure: Data Breach Response Team A data controller or data processor shall constitute a data breach response team, which shall have at least one (1) member with the authority to make immediate decisions regarding critical action, if necessary. The team may include the Local Privacy Officer/ Local Data Protection Officer. The team shall be responsible for the following:

• Implementation of the security incident management policy of the data controller or data processor.
• Management of security incidents and data privacy incidents.
• Compliance by the data controller or data processor with the relevant provisions of the applicable data privacy laws and all related issuances by the commission on data privacy incident management.
• The team must be ready to assess and evaluate a security incident, restore integrity to the information and communications system, mitigate and remedy any resulting damage, and comply with reporting requirement.
• The functions of the Data Breach Response Team may be outsourced. Such outsourcing shall not reduce the requirements found in the privacy regulations, or related issuance. The Data Protection Officer shall remain accountable for compliance with applicable data privacy laws. In cases where the Data Protection Officer is not part of the Data Breach Response Team, the Data Breach Response Team shall submit a written report addressed to the Data Protection Officer detailing the actions taken in compliance with these rules.
• Notify the relevant supervisory authority (e.g., UK’s ICO) within 72 hours of discovering a breach.
• In the event of a Personal Data Breach, the Data Fiduciary needs to notify the Board and each affected Data Principal of such breach. 20. Internal Audit Review Mechanism
• Internal audit can help Omniactive shift from the preparation phase to the implementation phase of privacy regulations. The regulation specifically requires organizations to focus on these control-oriented topics.
• Accuracy and quality require organizations to ensure personal data is accurate and up to date and allow data subjects to correct their records.
• Security and privacy by design require organizations to document decisions made to inform about how their data will be used and restricted. They also must implement technical, administrative and physical security/privacy controls to mitigate potential harm.
• Security safeguards ensure technical and organizational measures are implemented for privacy and security.
• Internal audit should work with management to identify relevant controls over data entry, assess the accuracy of information and recommend improvements and strengthen controls that prevent and detect data errors.

20. Internal Audit Review Mechanism

• Internal audit can help Omniactive shift from the preparation phase to the implementation phase of privacy regulations. The regulation specifically requires organizations to focus on these control-oriented topics.
• Accuracy and quality require organizations to ensure personal data is accurate and up to date and allow data subjects to correct their records.
• Security and privacy by design require organizations to document decisions made to inform about how their data will be used and restricted. They also must implement technical, administrative and physical security/privacy controls to mitigate potential harm.
• Security safeguards ensure technical and organizational measures are implemented for privacy and security.
• Internal audit should work with management to identify relevant controls over data entry, assess the accuracy of information and recommend improvements and strengthen controls that prevent and detect data errors.

21. Data Protection Impact Assessment(DPIA)/ Risk Assessments

• Where a type of processing in particular using new technologies, and considering the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of data subjects, the data controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.
• The data controller shall seek the advice of the Data Protection Officer, where designated, when carrying out a data protection impact assessment.
• The assessment shall contain at least:
  • A systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the data controller.
  • an assessment of the necessity and proportionality of the processing operations in relation to the purposes.
  • an assessment of the risks to the rights and freedoms of data subjects.
  • the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with this regulation considering the rights and legitimate interests of data subjects and other persons concerned.

22. Records of Processing Activities (ROPA) Each data controller and, where applicable, the data controller’s representative, shall maintain a record of processing activities under its responsibility. That record shall contain all the following information:

• The name and contact details of the data controller and, where applicable, the joint controller, the data controller’s representative and the Data Protection Officer.
• the purposes of the processing.
• a description of the categories of data subjects and of the categories of personal data.
• the categories of recipients to whom the personal data have been or will be disclosed including recipients in third countries or international organisations.
• where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers).
• where possible, the envisaged time limits for erasure of the different categories of data.
• where possible, a general description of the technical and organisational security measures
• Each data processor and, where applicable, the data processor’s representative shall maintain a record of all categories of processing activities carried out on behalf of a data controller, containing:
  • the name and contact details of the data processor or data processors and of each data controller on behalf of which the data processor is acting, and, where applicable, of the data controller’s or the data processor’s representative, and the Local Privacy Officer/Local DPO
  • the categories of processing carried out on behalf of each data controller.
  • where possible, a general description of the technical and organisational security measures.

23. Cookies Omniactive  shall publish a cookie Policy and a cookie consent banner requesting data principal to accept or reject cookies on the external facing website/applications; Consent should be obtained where personal data is collected from the data principal in the form of cookies and consent is the lawful basis of processing of those cookies.

24. Policy Enforcement The organization is committed to ensuring compliance with this Data Privacy Policy and protecting personal and sensitive data in accordance with applicable privacy laws and regulations. To enforce this policy effectively, the following measures will be implemented:

• Compliance Monitoring

Regular monitoring and auditing will be conducted to assess compliance with this policy. This includes periodic reviews of data processing activities, data access controls, and the handling of personal information.

• Accountability

All employees, contractors, and third-party service providers are required to adhere to the principles outlined in this policy. Failure to comply with this policy may result in disciplinary action, which could include warnings, termination of employment, or legal consequences, depending on the severity of the breach.

• Training and Awareness

The organization will provide regular training on data privacy and security practices for all relevant personnel. This training will cover their responsibilities in safeguarding personal data and the steps to take in the event of a data breach or policy violation.

• Reporting and Investigation of Violations

Any suspected or actual violations of this policy should be immediately reported to the designated Data Protection Officer (DPO) or the relevant authority within the organization. All reports will be thoroughly investigated, and corrective actions will be taken as necessary to mitigate any harm.

• Corrective Actions

In cases where a breach or violation occurs, the organization will take prompt corrective actions to remedy the situation. This may include but is not limited to, notification to affected individuals, regulatory authorities, or other stakeholders, as required by applicable laws.

• Continuous Improvement

The organization will continuously review and update this policy, as well as its enforcement mechanisms, to ensure it remains compliant with evolving data privacy laws and industry best practices. This includes updating internal controls, improving training programs, and adopting new technologies to enhance data protection.

25. Policy Review We may update and amend this cookie policy from time to time by posting an amended version on our website. The amended version will be effective as of the date it is published. When we make material changes to this privacy notice, we will provide users with notice as appropriate under the circumstances, e.g., by displaying a prominent notice on the website or by sending an email.

26. Contact us If you have additional questions or concerns, contact our Omniactive representative at privacy@omniactives.com