1. INTRODUCTION TO THE POLICY
1.1 Laurus Bio Private Limited (hereinafter referred to as the “Company”) is a company duly incorporated under the provisions of the Companies Act, 1956 and Companies Act, 2013. It is engaged in developing novel ‘Non Animal Origin’ recombinant proteins including media components, reagents, excipients and drug products that enhance safety, consistency, traceability and competitiveness for Stem Cells & Regenerative Medicine, Vaccines & Biological Drugs, Cultured Meat and Bio-Manufacturing industries.
2. APPLICABLE LAW AND DEFINITIONS
- Section 43A of the Information Technology Act, 2000 (“IT Act”); and
- Rule 4 of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Information) Rules, 2011 (“SPDI Rules”).
- ‘Infrastructure’ means Company networks, laptops or any other electronic devices provided to Data Providers by the Company for official use;
- ‘Personal Information’ means any information relating to the Data Provider which, either directly or indirectly, in combination with other information available or likely to be available with the Company, is capable of identifying such Data Provider and includes Sensitive Personal Data of the Data Provider;
- ‘Sensitive Personal Data’ or ‘SPDI’ of a Data Provider means such personal data or information of a Data Provider which consists of information relating to:
- financial information such as bank account or credit card or debit card or other payment instrument details;
- physical, physiological and mental health condition;
- sexual orientation;
- medical records and history;
- biometric information;
- any detail relating to the above clauses as provided to the Company for providing service; and
3. INFORMATION COLLECTED AND METHOD OF COLLECTION
3.2 The Company is entitled to and shall rely upon the accuracy of the Personal Information collected by the Company from the Data Providers.
3.3 The Company shall monitor the Infrastructure for inappropriate use, or any use otherwise than in furtherance of the Company’s business. In the course of such monitoring the Company may intercept, extract, process or store information, including SPDI, from the Infrastructure.
3.4 The Company may either directly procure, handle, manage, store, process, protect and transmit the Personal Information of the Data Provider or may authorize certain third party entities, persons and/ or agencies to do so on its behalf (including authorized sub-contractors, consultants and/or representatives of such persons) (“Authorised Persons”).
3.6 Where the Data Provider chooses not to provide the Company or any Authorised Persons the permission to collect, use or disclose such Personal Information, or later withdraws the consent for usage of such Personal Information so collected, the Company may not have sufficient information about the Data Provider to be able to offer or continue his/her employment with the Company or to provide him/her with the employee benefits under law and the Company’s internal policy. In such cases the Company reserves the right, at its sole discretion, to not offer employment to the Data Provider and/or withdraw his/her employment offer and/or terminate the Data Provider’s employment with the Company and/or discontinue all or part of his/her employment benefits and/or take any other action that the Company may decide in this regard.
4. USE OF PERSONAL INFORMATION
The Company shall use a Data Provider’s Personal Information for its human resource and employment related requirements, including but not limited to:
- To process initial job application with the Company, including for background verification;
- In relation to ongoing employment matters such as training, confirmations, promotions, transfers, secondments, appraisals, sickness and mid-term vetting;
- To perform payroll and related administration;
- To provide for the administration of benefits;
- To monitor compliance with the internal rules of the Company (for example the Code of Ethics) and if necessary in relation to this, for investigative purposes;
- To meet legal and regulatory requirements and to comply with applicable law;
- To respond to any queries that Data Provider may have and to communicate information to Data Provider;
- To investigate, prevent, or take action regarding illegal activities, suspected fraud, situations involving potential threats to the safety of any person, or as otherwise required by law;
- To disclose Personal Information to companies or individuals who are authorized by the Company to perform functions on behalf of the Company including but not limited to those which administer benefits, conduct background verification, provide administrative or other services to the Company such as mailing houses, telecommunication companies, information technology companies, insurance companies or agents, background check vendors;
- To disclose or transfer Personal Information to a third party who acquires, or proposes to acquire, Company’s business units, whether such acquisition is by way of merger, consolidation or purchase of all or a substantial portion of Company’s assets;
- To facilitate the provision of funds for official travel undertaken by Data Provider or provision of any other reimbursements due to Data Provider as per the policies of the Company; and
- To disclose Personal Information if legally required to, pursuant to an order from a governmental entity or in good faith. For example, Company may disclose the Personal Information to:
- conform to legal requirements or comply with legal process;
- protect Company’s rights or property or affiliated companies;
- prevent a crime or protect national or international security; or
- protect the personal safety of other employees or the public at large.
5. RETENTION OF INFORMATION
Except as reasonably required or otherwise permitted or required by applicable law or regulatory requirements, the Company endeavours to retain the Data Provider’s Personal Information only for as long as it believes is necessary to fulfil the purposes for which such information was collected (including, for the purpose of meeting any legal, administrative, accounting, regulatory or other reporting requirements or obligations). This information is safeguarded against inappropriate access and disclosure, as provided in Clause 7 below.
6. DISCLOSING PERSONAL INFORMATION
6.2 The Company and its Authorised Persons may share and transfer Data Providers’ Personal Information with its affiliated companies for compliance, risk management and operational purposes and with other Authorised Persons such as those providing professional, legal, accounting or other advice or services, including any third party agencies that perform background checks on a Data Provider. The Company may also disclose and transfer the Personal Information to any other third party pursuant to the Data Provider’s express consent. Third parties are required to maintain strict standards of confidentiality for dealing in such Personal Information and to use it only in the course of providing services to the Company, in the manner and for the limited purposes authorized by the Company. Third parties receiving the Personal Information under any of the circumstances described above are required to not disclose or disseminate such information further.
6.3 Notwithstanding the above and subject to applicable law, the Personal Information of the Data Providers may be shared, without their prior consent, with government agencies mandated under the law to obtain information including SPDI for the purpose of verification of identity, or for prevention, detection, investigation including cyber incidents, prosecution, and punishment of offences. The Company may also disclose Personal Information to any third party pursuant to an order under the law in force, for instance, when responding to summons or similar legal process, to protect against fraud and to otherwise co-operate with law enforcement or regulatory authorities.
7. INFORMATION SECURITY PRACTICES AND PROCEDURES
7.1 The Company endeavours to maintain physical, technical and procedural safeguards that are appropriate to protect the Data Provider’s information against loss, misuse, copying, damage or modification and unauthorized access or disclosure.
7.2 The Company shall not be responsible for any breach of security or for any actions of any third parties or events that are beyond its reasonable control including but not limited to acts of government, computer hacking, unauthorised access to computer data and storage device, computer crashes, breach of security and encryption, poor quality of internet service or telephone service of the Data Provider, etc.
8. ACCESS TO PERSONAL INFORMATION
To receive a copy of the information in the Company’s records, or to provide instructions to the Company on correcting or updating the Personal Information maintained by it, the Data Provider can send an e-mail to the Company at firstname.lastname@example.org. The Data Provider is entitled to review the information provided by him/ her or on his/ her behalf and ensure that any inaccurate or deficient Personal Information is immediately corrected.
10.2 The Company shall not be responsible for any breach of security or for any actions of any third parties or events that are beyond Company’s reasonable control including but not limited to acts of government, computer hacking, unauthorized access to computer data and storage device, computer crashes, breach of security and encryption, poor quality of internet service or telephone service, etc.