Privacy Policy

1. INTRODUCTION TO THE POLICY

1.1    Laurus Bio Private Limited (hereinafter to be referred as “Company”), is a company duly incorporated under the provisions of the Companies Act, 1956 and Companies Act, 2013. It is engaged in developing novel ‘Non Animal Origin’ recombinant proteins including media components, reagents, excipients and drug products that enhance safety, consistency, traceability and competitiveness for Stem Cells & Regenerative Medicine, Vaccines & Biological Drugs, Cultured Meat and Bio-Manufacturing industries.

1.2    The Company is committed to protecting the privacy, confidentiality and security of Personal Information of all its employees (past and present) and prospective employees (hereinafter collectively referred to as the “Data Provider(s)”) which the Company may collect and/or come into possession. Pursuant to such commitment, the Company has developed this Privacy Policy (“Privacy Policy”) for the handling of or for dealing in the aforementioned information.

1.3    This Privacy Policy outlines the security practices and procedures of the Company with respect to Personal Information, including SPDI, collected, received, stored, dealt in, handled and shared by the Company, either directly or through any of its affiliates.

2. APPLICABLE LAW AND DEFINITIONS

2.1    This Privacy Policy has been drafted pursuant to and in compliance with the following:

  1. Section 43A of the Information Technology Act, 2000 (“IT Act”); and
  2. Rule 4 of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Information) Rules, 2011 (“SPDI Rules”).

2.2    For the purposes of this Privacy Policy, the following capitalized terms shall have the meaning assigned to them below:

  1. ‘Infrastructure’ means Company networks, laptops or any other electronic devices provided to Data Providers by the Company for official use;
  2. ‘Personal Information’ means any information relating to the Data Provider which, either directly or indirectly, in combination with other information available or likely to be available with the Company, is capable of identifying such Data Provider and includes Sensitive Personal Data of the Data Provider;
  3. ‘Sensitive Personal Data’ or ‘SPDI’ of a Data Provider means such personal data or information of a Data Provider which consists of information relating to:
  1. password;
  2. financial information such as bank account or credit card or debit card or other payment instrument details;
  3. physical, physiological and mental health condition;
  4. sexual orientation;
  5. medical records and history;
  6. biometric information;
  7. any detail relating to the above clauses as provided to the Company for providing service; and
  8. any of the information received under the above clauses by the Company for processing, stored or processed under lawful contract or otherwise: provided that, any information that is freely available or accessible in public domain or furnished under the Right to Information Act, 2005 or any other law for the time being in force shall not be regarded as sensitive personal data or information for the purposes of this Privacy Policy.

3. INFORMATION COLLECTED AND METHOD OF COLLECTION

3.1    The Personal Information collected by the Company shall include all information and data that is required by the Company or any third party on its behalf, for the usage noted in Clause 4 of this Privacy Policy and may include (without limitation) one or more of the following: names, e-mail and residence addresses, telephone numbers, photographs, educational qualifications, details of relatives, all employment-related and compensation-related information, government-issued identification numbers, aadhaar related information and any other information, as deemed necessary. Further, the SPDI collected by the Company shall include financial and medical information of the Data Providers.

3.2    The Company is entitled to and shall rely upon the accuracy of the Personal Information collected by the Company from the Data Providers.

3.3    The Company shall monitor the Infrastructure for inappropriate use, or any use otherwise than in furtherance of the Company’s business. In the course of such monitoring the Company may intercept, extract, process or store information, including SPDI, from the Infrastructure.

3.4    The Company may either directly procure, handle, manage, store, process, protect and transmit the Personal Information of the Data Provider or may authorize certain third party entities, persons and/ or agencies to do so on its behalf (including authorized sub-contractors, consultants and/or representatives of such persons) (“Authorised Persons”).

3.5    All Personal Information provided by the Data Providers has been provided voluntarily and by providing such Personal Information the Data Providers consent to the collection, use, sharing, and disclosure of the Personal Information as described in this Privacy Policy. At the time of or prior to the collection of Personal Information by the Company or any Authorised Persons, the Data Provider shall have the right to not provide such information to the Company or any of the Authorised Persons. Further, the Data Provider, at any time subsequent to providing the information, shall also have the option to withdraw his/her consent given earlier to the Company or any Authorised Persons. The decision to not provide any Personal Information or withdrawal of consent later shall be given in writing by the Data Provider to the Company or the Authorised Persons (as the case may be) and to the extent possible accompanied by reasons.

3.6    Where the Data Provider shall choose not to provide the Company or any Authorised Persons, the permission to collect, use or disclose such Personal Information or later on withdraws the consent for usage of such Personal Information so collected, the Company may not have sufficient information about the Data Provider to be able to offer or continue his/her employment with the company or to provide him/ her with the employee benefits under law and company’s internal policy. In such cases the Company reserves the right ̧ at its sole discretion, to not offer employment to the Data Provider and/or withdraw his/her employment offer and/or terminate the Data Provider’s employment with the company and/or discontinue all or part of his/ her employment benefits and/or take any other action that the Company may decide in this regard.

3.7    By giving Person Information to the Company, the Data Providers confirm that they have the capacity to enter into a legally binding contract under Indian law, in particular, the Indian Contract Act, 1872, and have read, understood and agreed to the practices and policies outlined in this Privacy Policy.

4. USE OF PERSONAL INFORMATION

The Company shall use a Data Provider’s Personal Information for its human resource and employment related requirements, including but not limited to:

  1. To process initial job application with the Company, including for background verification;
  2. In relation to ongoing employment matters such as training, confirmations, promotions, transfers, secondments, appraisals, sickness and mid-term vetting;
  3. To perform payroll and related administration;
  4. To provide for the administration of benefits;
  5. To monitor compliance with the internal rules of the Company (for example the Code of Ethics) and if necessary in relation to this, for investigative purposes;
  6. To meet legal and regulatory requirements and to comply with applicable law;
  7. To respond to any queries that Data Provider may have and to communicate information to Data Provider;
  8. To investigate, prevent, or take action regarding illegal activities, suspected fraud, situations involving potential threats to the safety of any person, or as otherwise required by law;
  9. To disclose Personal Information to companies or individuals who are authorized by the Company to perform functions on behalf of the Company including but not limited to those which administer benefits, conduct background verification, provide administrative or other services to the Company such as mailing houses, telecommunication companies, information technology companies, insurance companies or agents, background check vendors;
  10. To disclose or transfer Personal Information to a third party who acquires, or proposes to acquire, Company’s business units, whether such acquisition is by way of merger, consolidation or purchase of all or a substantial portion of Company’s assets;
  11. To facilitate the provision of funds for official travel undertaken by Data Provider or provision of any other reimbursements due to Date Provider as per the policies of the Company; and
  12. To disclose Personal Information if legally required to, pursuant to an order from a governmental entity or in good faith. For example, Company may disclose the Personal Information to:
    1. conform to legal requirements or comply with legal process;
    2. protect Company’s rights or property or affiliated companies;
    3. prevent a crime or protect national or international security; or
    4. protect the personal safety of other employees or the public at large.

5. RETENTION OF INFORMATION

Except as reasonably required or otherwise permitted or required by applicable law or regulatory requirements, the Company endeavours to retain the Data Provider’s Personal Information only for as long as it believes is necessary to fulfil the purposes for which such information was collected (including, for the purpose of meeting any legal, administrative, accounting, regulatory or other reporting requirements or obligations). This information is safeguarded against inappropriate access and disclosure, as provided in Clause 7 below.

 

6. DISCLOSING PERSONAL INFORMATION

6.1    The Company shall not disclose to third parties or publish the Personal Information provided by the Data Provider, except in the manner described under this Privacy Policy and in compliance with applicable law.

6.2    The Company and its Authorised Persons may share and transfer Data Providers’ Personal Information with its affiliated companies for compliance, risk management and operational purposes and with other Authorized Persons such as those providing professional, legal, accounting or other advice or services, including any third party agencies that perform background checks on a Data Provider. The Company may also disclose and transfer the Personal Information to any other third party pursuant to the Data Provider’s express consent. Third parties are required to maintain strict standards of confidentiality for dealing in such Personal Information and to use it only in the course of providing services to the Company, in the manner and for the limited purposes authorized by the Company. Third parties receiving the Personal Information under any of the circumstances described above are required to not disclose or disseminate such information further.

6.3    Notwithstanding the above and subject to applicable law, the Personal Information of the Data Providers may be shared, without their prior consent, with government agencies mandated under the law to obtain information including SPDI for the purpose of verification of identity, or for prevention, detection, investigation including cyber incidents, prosecution, and punishment of offences. The Company may also disclose Personal Information to any third party pursuant to an order under the law in force, for instance, when responding to summons or similar legal process, to protect against fraud and to otherwise co-operate with law enforcement or regulatory authorities.

6.4    Subject to applicable law, the Company may, at its sole discretion, transfer Personal Information of the Data Provider to any other body corporate (as defined under the IT Act) or a person in India, or located in any other country, that ensures at least the same level of data protection that is adhered to by the Company as provided for under this Privacy Policy and applicable Indian law, provided such transfer is necessary for the performance of the lawful contract between the Company or any person on its behalf and provider of information or where the Data Provider has consented to the data transfer.

7. INFORMATION SECURITY PRACTICES AND PROCEDURES

7.1    The Company endeavours to maintain physical, technical and procedural safeguards that are appropriate to protect the Data Provider’s information against loss, misuse, copying, damage or modification and unauthorized access or disclosure.

7.2    The Company shall not be responsible for any breach of security or for any actions of any third parties or events that are beyond its reasonable control including but not limited to acts of government, computer hacking, unauthorised access to computer data and storage device, computer crashes, breach of security and encryption, poor quality of internet service or telephone service of the Data Provider, etc.

8. ACCESS TO PERSONAL INFORMATION

To receive a copy of the information in the Company’s records, or to provide instructions to the Company on correcting or updating the Personal Information maintained by it, the Data Provider can send an e-mail to the Company at info@laurus.bio. The Data Provider is entitled to review the information provided by him/ her or on his/ her behalf and ensure that any inaccurate or deficient Personal Information is immediately corrected.

9. GRIEVANCES

In case of any privacy related concerns, feedback or grievance in relation to the Company’s Privacy Policy, Data Providers may contact the Company Secretary, the designated Grievance Officers for this purpose. The Company shall employ all commercially reasonable efforts to address the same.

10. REVISION TO THIS PRIVACY POLICY AND DISCLAIMER

10.1     The Company may from time to time update, change or modify this Privacy Policy based on its commercial or legal obligations. The Privacy Policy shall come to effect from the date of such update, change or modification. The Data Providers should check the website, www.laurus.bio for the most updated version of the Privacy Policy.

10.2     The Company shall not be responsible for any breach of security or for any actions of any third parties or events that are beyond Company’s reasonable control including but not limited to acts of government, computer hacking, unauthorized access to computer data and storage device, computer crashes, breach of security and encryption, poor quality of internet service or telephone service, etc.

11. INTERPRETATION OF PRIVACY POLICY

11.1    This Privacy Policy does not create or confer upon any individual any rights, or impose upon the Company any obligations outside of, or in addition to, any obligations imposed by the applicable Indian information security laws.

11.2 If and to the extent that this Privacy Policy is not in accordance with the applicable law, the provisions of applicable law shall be deemed to prevail.

11.3   Severability Each clause of this Privacy Policy shall be and remain separate from and independent of and severable from all and any other clauses herein except where otherwise expressly indicated or indicated by the context of the Privacy Policy. The decision or declaration by a court of competent jurisdiction, that one or more of the clauses are null and void shall have no effect on the remaining clauses of this Privacy Policy.