Data Subject Rights

1. PURPOSE

The purpose of the Data Subject Rights Manual (hereinafter referred to as "Manual") is to provide guidance and establish a procedure to handle DSR Requests in an effective, efficient, transparent, and timely manner, in line with the legal requirements attached to those rights. It aims to establish a systematic approach for receiving, validating, monitoring, managing, reviewing and responding to DSR Requests, including defining response timelines and key considerations for their resolution.

2. SCOPE AND APPLICABILITY

These guidelines apply to all Employees, Customers, End Users, Merchants, Vendors, and any individuals whose Personal Data is processed by Tumodo and its subsidiaries. They cover all business operations and third-party service providers handling personal data on behalf of the Organisation.

3. DEFINITIONS

3.1. Consent

Consent means the Data Subject's Consent that is granted by a person with full legal capacity; the same shall be written, explicit, clear, and specific to the Processing of certain data; and shall be freely given by the Data Subject after being advised of the intended purpose or purposes of the Processing, together with, where the particular circumstances so require, of the consequences of refusing Consent.

3.2. Data Controller

Data Controller is any entity or individual who determines the purposes and means of the Processing of Personal Data. The Data Controller is responsible for ensuring that Personal Data is processed in compliance with applicable laws and regulations, and for implementing appropriate technical and organizational measures to protect the Data Subject's rights and freedoms.

3.3. Data Subject and Data Principal

Data Subject: A Data Subject is any identifiable individual whose personal data is collected, processed, or stored by a data controller or processor. Under data protection laws, data subjects have specific rights regarding their personal data, including access, rectification, and deletion.

Data Principal: Data Principal refers to the individual to whom the personal data relates, as defined under the Digital Personal Data Protection Act, 2023 (DPDPA). In cases where the Data Principal is a child or a person with disabilities requiring legal guardianship, their lawful guardian shall be deemed the Data Principal.

Note: For the purposes of this policy, all references to Data Subject shall be construed to include and mean Data Principal as defined under the DPDPA. Accordingly, all rights granted to a Data Subject under this policy shall equally apply to a Data Principal in compliance with applicable data protection laws.

3.4. Data Processor

Data Processor means any person who processes Personal Data on behalf of a Data Controller.

3.5. Data Controller and Data Fiduciary

Data Controller: A Data Controller is an entity (natural or legal person, public authority, agency, or body) that determines the purposes and means of processing personal data. The controller is responsible for ensuring compliance with data protection laws and safeguarding the rights of data subjects.

Data Fiduciary: A Data Fiduciary is a term used in the Digital Personal Data Protection Act, 2023 (DPDPA), similar to a Data Controller. It refers to any entity that determines the purpose and means of processing personal data and is responsible for complying with data protection obligations.

Note: For the purposes of this policy, all references to Data Controller shall be construed to include and mean Data Fiduciary as defined under the DPDPA. Accordingly, all rights and responsibilities granted to a Data Controller under this policy shall equally apply to a Data Fiduciary in compliance with applicable data protection laws.

3.6. Data Protection Officer

Data Protection Officer (hereinafter referred to as "DPO") is an individual appointed by the organization who ensures that the organization processes the Personal Data of Data Subjects in compliance with the applicable data protection rules and regulations.

3.7. Data Subject Rights Request (DSR Request)

DSR Request refers to the request made by the Data Subject to exercise the set of rights granted under DPDPA.

3.8. Legitimate Interest

Legitimate Interest is a legal basis for Processing Personal Data under data protection laws. It refers to a justified and lawful reason for Processing Personal Data that is necessary for the interests of the Company, provided it does not override the rights and freedoms of the individual.

3.9. Personal Data

Personal Data means any information in any form concerning an identified individual, or an individual who can, directly or indirectly, be identified by reference, in particular, to his or her personal identification number, or by reference to one or more factors specific to his or her physical, physiological, intellectual, cultural, economic, or social identity. In determining whether an individual is identifiable, all the means that the Data Controller or any other person uses or may have access to should be taken into consideration.

3.10. Privacy Notice

Privacy Notice is a statement or document provided to individuals that explains how an organization collects, uses, discloses, and protects their Personal Data. It ensures transparency and informs individuals about their rights and data handling practices of Tumodo.

3.11. Privacy Champion

The Privacy Champion is in charge of overseeing and ensuring that personnel within their department follow the Manual in discharging their responsibilities in terms of DSR Request handling.

3.12. Processing

Processing means any operation carried out on Personal Data by any means, whether manual or automated, including collecting, recording, saving, indexing, organizing, formatting, storing, modifying, updating, consolidating, retrieving, using, disclosing, transmitting, publishing, sharing, linking, blocking, erasing and destroying data.

3.13. Vendor/Third Party

Vendor/Third Party means a natural or legal person, public authority, agency, or body other than the Data Subject, Data Controller, Data Processor, and persons who, under the direct authority of the Data Controller or Data Processor, are authorized to process Personal Data.

4. ROLES AND RESPONSIBILITIES

4.1. Data Subject

4.1.1. The Data Subject is an individual who exercises rights pertaining to the Personal Data that the Company collects, uses, processes, transfers or stores about them. The Data Subject makes a request either directly or, in the event of their death or incapacity, through their Representative.

4.1.2. The Data Subject may submit the request by sending an email or by submitting the Data Subject Rights form. (Link of the Form.)

4.1.3. If a Legal Representative is making a DSR Request on behalf of the Data Subject, the Data Subject Rights form must be filled in by the requestor along with a copy of the Power of Attorney (or any other relevant legal document required under law) from the Data Subject.

4.2. Data Protection Officer

4.2.1. The DPO serves as the primary point of contact for Data Subjects when they have DSR Requests or any grievances related to the processing of their Personal Data. The DPO shall receive and record DSR Requests from Data Subjects and maintain a DSR Register <> for these requests.

4.2.2. The DPO is responsible for verifying the identity of the Data Subject.

4.2.3. The DPO shall acknowledge the receipt of DSR Requests.

4.2.4. The DPO shall define and, where possible, narrow the scope of DSR Requests.

4.2.5. The DPO shall consult the relevant Privacy Champions and the Data Processors that store the requested Personal Data.

4.2.6. The DPO is responsible for reviewing and validating the Personal Data in the requested format and providing it back to the Data Subject within the defined response period.

4.2.7. The DPO is also responsible for overseeing the entire process of handling DSR Requests.

4.2.8. It shall be the responsibility of the DPO to implement, maintain, and operate the grievance redressal mechanism outlined in the external Privacy Policy, to address Data Subjects' grievances and complaints.

4.3. Privacy Champion

4.3.1. The Privacy Champion is accountable for monitoring and ensuring that personnel within their department follow the present Manual in discharging their responsibilities regarding DSR Requests.

4.3.2. The Privacy Champion is responsible for identifying and categorizing the Personal Data requested or involved, ensuring that all relevant Personal Data is recognized and properly documented.

4.3.3. The Privacy Champion is responsible for evaluating whether the identified Personal Data is subject to legal privileges or exemptions.

4.3.4. The Privacy Champion shall collaborate closely with the DPO to further clarify and outline the scope of processing activities, in alignment with data protection and privacy regulations.

4.3.5. The Privacy Champion shall provide the requested Personal Data (if any) back to the DPO.

4.3.6. The Privacy Champion shall actively collaborate with the DPO to contact the applicable Data Processors to fulfil DSR Requests.

4.4. Data Controller

4.4.1. The Data Controller shall ensure compliance with data protection laws and regulations governing the collection, processing, and storage of personal data.

4.4.2. The Data Controller will determine the purpose and legal basis for processing personal data and ensure it aligns with applicable laws.

4.4.3. The Data Controller should implement appropriate technical and organizational measures to secure personal data and protect it from unauthorized access, loss, or breach.

4.4.4. The Data Controller shall maintain accurate records of data processing activities, including the categories of data processed, retention periods, and data sharing practices.

4.4.5. The Data Controller will respond to data subject requests, such as access, rectification, erasure, and objections to processing, within the required legal timeframes.

4.4.6. The Data Controller should conduct data protection impact assessments (DPIAs) for high-risk processing activities and implement risk mitigation measures where necessary.

4.4.7. The Data Controller shall ensure data processing agreements are in place with third parties (data processors) and monitor their compliance with contractual and legal obligations.

4.4.8. The Data Controller will notify relevant supervisory authorities and affected individuals in the event of a personal data breach, following legal notification requirements.

4.4.9. The Data Controller should provide staff training and awareness programs on data protection principles, policies, and best practices to ensure compliance across the organization.

4.4.10. The Data Controller shall regularly review and update data protection policies, procedures, and documentation to align with evolving regulatory requirements and industry standards.

4.5. Employees

If an Employee is contacted by a Data Subject with the intention of exercising the rights specified herein, it shall be the responsibility of that Employee to inform the Data Subject that they can submit the request by sending an email or by submitting the Data Subject Rights form.

5. GENERAL REQUIREMENTS

5.1. It is critical to document and maintain accurate records of the DSR Requests received from Data Subjects in a DSR Register, and to have a designated DPO responsible for handling DSR Requests.

5.2. Tumodo shall have a designated DPO responsible for handling DSR Requests, and all Employees are responsible for following the guidelines and instructions of the Privacy Champion and the DPO in terms of searching for and retrieving, modifying, altering or deleting Personal Data.

5.3. When determining whether Tumodo holds Personal Data, the searches Tumodo has carried out shall be documented in a Report, and Tumodo's Data Retention Policy shall be consulted for guidance on data retention practices.

5.4. When responding to requests, it is imperative to maintain written communication through email, in a manner that is concise, transparent, easily understood, and readily accessible. Furthermore, Tumodo must validate the Data Subject's identity. Where Tumodo is unable to authenticate the identity of the individual making the request, the company should refrain from disclosing any Personal Data or taking any action to fulfil the request until the person has provided sufficient proof of their identity.

5.5. There should be a Procedure which describes the process for enabling Data Subjects to exercise their rights. Key considerations are as follows:

5.5.1. All Employees need to be aware of their responsibility to provide information in the case of a DSR Request.

5.5.2. Data Subjects should be informed of the preferred mode of making a DSR Request.

5.5.3. It is advisable to adhere to data protection best practices. Tumodo shall complete a DSR Request within one month of receiving all the required information. If the request is complex, the company may take an extension and shall notify the Data Subject of this within the one-month period.

6. RIGHTS PROVIDED TO DATA SUBJECTS

Tumodo shall ensure that adequate mechanisms (such as the Data Subject Rights form, email ID, etc.) are in place to facilitate and address requests received from Data Subjects. The following are the rights available to Data Subjects whose Personal Data is processed by us or on our behalf. The rights are explained below, and we are required to interpret the respective DSR Requests as per the definitions given below:

6.1. Right to Access Information about Personal Data

Data Subjects shall have the right to access information pertaining to the Personal Data for which they have previously given Consent. Tumodo shall adhere to the following guidelines when responding to a request from a verified individual to access information regarding their Personal Data:

6.1.1. Confirm whether the company processes any Personal Data of the individual and provide supporting or detailed information as needed.

6.1.2. The response to the request should cover:

6.1.2.1. A summary of the Personal Data which is being processed by Tumodo.

6.1.2.2. The Processing activities undertaken by Tumodo with respect to such Personal Data.

6.1.2.3. The identities of all other Data Controllers and Data Processors with whom the Personal Data has been shared by Tumodo, along with a description of the Personal Data so shared.

6.1.2.4. Any other information related to the Personal Data of such Data Subject.

6.1.3. The above clauses are subject to specific exceptions, for example where the Company shares Personal Data with another Data Controller authorized by law to obtain such Personal Data, or where sharing is pursuant to a request made by such other Data Controller for the purpose of prevention, detection or investigation of offences or cyber incidents, or for the prosecution or punishment of offences. In such cases the company shall adhere to the applicable territorial Data Protection Laws and any other applicable legal obligations under existing law.

6.2. Right to Correction of Personal Data

6.2.1. A Data Subject may request to have their inaccurate or misleading Personal Data corrected. Correction can include having incomplete Personal Data completed or updated.

6.2.2. We shall also communicate the correction of the Personal Data to each recipient to whom the Personal Data has been disclosed (for example, our Data Processors who process the data on our behalf), unless this is impossible or involves disproportionate effort.

6.3. Right to Erasure of Personal Data

6.3.1. A Data Subject has the right to have his/her Personal Data erased. On receiving a DSR Request for erasure, the company should erase the Personal Data unless retention of the same is necessary for the specified purpose or for compliance with any law for the time being in force.

6.3.2. Any relevant Data Processor holding the Data Subject's Personal Data shall also be informed of the request for erasure, and it must be ensured that the same Personal Data has been erased from their end as well.

6.4. Right to Nominate

A Data Subject shall have the right to nominate, in such manner as may be prescribed, a Representative/Nominee who shall, in the event of death or incapacity of the Data Subject, exercise the rights of the Data Subject. The Company shall keep a record of the Representative/Nominee in its files to cross-check that the designated individual is duly authorized to exercise the rights of the Data Subject in the event of their death or incapacity.

6.5. Right of Grievance Redressal

To fulfil the Data Subject's right of grievance redressal, the company should:

6.5.1. Establish an accessible mechanism for lodging grievances.

6.5.2. Promptly acknowledge receipt of grievances.

6.5.3. Investigate grievances promptly and thoroughly.

6.5.4. Provide timely responses within prescribed timeframes.

6.5.5. Communicate the resolution clearly to the Data Subject.

6.5.6. Inform the Data Subject about their right to escalate grievances to the Data Protection Board if unsatisfied.

6.5.7. Maintain comprehensive records of all grievances received.

7. PROCEDURE

The Company enables Data Subjects to exercise their rights either by sending an email to dpo@tumodo.io or by submitting the Data Subject Rights form. The DPO shall be responsible for managing and addressing the requests received, in the manner prescribed below:

7.1. DSR Request received

7.1.1. The Data Subject or their Representative/Nominee can raise a DSR Request by sending an email to dpo@tumodo.io.

7.1.2. Once the DSR Request is received, it is routed to the DPO, who logs it manually in the DSR Register.

7.1.3. If the DSR Request is found to be valid, the company will acknowledge it in writing and provide a reference number. If the DSR Request is found to be invalid due to insufficient context or description, the company shall return the DSR Request with reasoning.

7.2. Identity Verification

7.2.1. As the Company has a duty to protect Personal Data, it can only be disclosed against a valid DSR Request. The Company must be satisfied that the individual making the DSR Request is the Data Subject or the Representative/Nominee of the Data Subject. To verify the identity of the requestor, the following steps can be taken:

7.2.1.1. The identity of a Merchant, Customer or End User can be verified by sending an OTP to their registered phone number.

7.2.1.2. The identity of Employees (including former employees) and Vendors can be verified from the internal database.

7.2.1.3. The identity of the Representative/Nominee of the Data Subject can be verified through any Government ID proof.

7.2.2. If the DSR Request is found to be valid but the identity cannot be verified by the methods above, additional information will be requested from the Data Subject in the acknowledgement mail.

7.2.3. Once the identity is verified, the company shall start processing the DSR Request.

7.3. DSR Request Clarification and Validation

7.3.1. Where the company processes a large amount of Personal Data about a Data Subject, the company may ask them to specify the Personal Data or processing activities to which their request relates before responding to the request. Such clarification must only be sought if it is genuinely required to respond to the DSR Request or if the company processes a large amount of Personal Data. Nevertheless, the Data Subject retains the right to request all of their Personal Data and is not obliged to narrow the request.

7.3.2. The concerned Privacy Champions shall be informed of the requirements of the DSR Request.

7.3.3. A stipulated time shall be given to the concerned Privacy Champion to collate the necessary details for dealing with the DSR Request and to inform the DPO.

7.3.4. The Personal Data that has been requested has to be compiled according to the type of request that has been made. This includes the collection of Personal Data from all the systems and repositories that hold the relevant information.

7.4. Data Review

7.4.1. Upon collating all the necessary information regarding the request, we must determine the complexity of the Personal Data, as it would impact the Company's ability to respond.

7.4.2. A request made by the Data Subject shall be resolved by the Company in an expeditious manner and not later than one month from the date of receipt of the request. Therefore, upon receiving the request from the Data Subject, the concerned Privacy Champion must, within 30 calendar days of receiving the request:

7.4.2.1. Identify the requisite Personal Data.

7.4.2.2. Complete the requested action.

7.4.3. If the request is complex and would require more time, the DPO will communicate this, with reasoning, to the Data Subject before the one-month deadline has expired and obtain an extension of up to 1 month.

7.4.4. In case of such extension, the concerned Privacy Champion must:

7.4.4.1. Identify the requisite Personal Data.

7.4.4.2. Complete the requested action.

7.4.4.3. Provide the information to the DPO for further action and deliberation.

7.5. Final Response

7.5.1. If the requested Personal Data encompasses the Personal Data of other Data Subjects, we shall redact such data.

7.5.2. Once the necessary redactions have been completed, the company will review the response internally, following the maker-checker rule. Additionally, the company shall consult its legal department before sharing the final response with the Data Subject.

7.5.3. The Personal Data should be provided to the Data Subject in a concise, comprehensive, transparent, and easily accessible form, using clear and plain language that can be easily understood.

7.5.4. The response should be provided in the same mode in which it was requested (i.e., email or post), and relevant security techniques such as encryption, the use of password-protected files, etc. should be followed.

7.6. Queries

7.6.1. If the Data Subject has any queries or complaints regarding their DSR Request, they can reach out to the DPO. Such queries should be addressed without undue delay.

7.6.2. If the Data Subject does not have any further post-fulfilment queries, the DSR Request shall be closed.

8. REJECTING A DSR REQUEST

8.1. If any DSR Request is rejected, Tumodo shall provide the Data Subject with the reasons for such refusal in writing. The Data Subject may file a complaint against the refusal with the relevant authorities in the applicable jurisdictions.

8.2. DSR Requests can be denied where:

8.2.1. The Company demonstrates that it is not possible to identify the Data Subject or verify their identity with the resources or information available, or using the additional information provided by the Data Subject.

8.2.2. We find the DSR Request is invalid due to the absence of sufficient context or description.

9. INFORMATION TO DATA PROCESSORS

It shall be the responsibility of the DPO, in collaboration with the relevant Privacy Champion, to communicate with all Data Processors processing the Personal Data of the Data Subject within 30 days of receipt of such request, informing them of the request made by the Data Subject and of the positive response provided by the Company, which shall result in the correction, completion, updating or erasure of some or all of the Personal Data of the Data Subject under the control of the Company and processed by the Data Processors. Further, it shall be ensured that the correction, completion, updating or erasure has been carried out by all Data Processors processing the data of the Data Subject exercising such right.

10. EXCEPTIONS

Exceptions to the provisions in this policy must be documented and formally approved by the DPO. Policy exceptions must describe:

10.1. A reasonable explanation of why the policy exception is required.

10.2. The nature of the exception.

10.3. Any risks created by the policy exception.

10.4. Evidence of approval by the DPO.

11. ENFORCEMENT

Any employee, consultant or contractor found to have violated this policy may be subject to disciplinary action, up to and including termination of employment, and related civil or criminal penalties.