sudhaanmicrofinance.com

SUDHAAN MICRO SERVICES FOUNDATION
Menu

We aim to constantly improve our offerings and innovate; encourage the entrepreneurial spirit by extending differential banking solutions and promote financial inclusion. SMSF Microfinance. is a microfinance institution that helps its women & man customers in rural villages become economically self-sustainable by providing micro-loans.

Privacy Policy

Policy Statement

The purpose of this policy is to maintain the confidentiality and security of the personal information of SUDHAAN MICRO SERVICE FOUNDATION customers, employees, contractors, vendors and business partners and to ensure compliance with laws and regulations applicable to SUDHAAN MICRO SERVICE FOUNDATION. This policy should be read in conjunction with the online privacy policy published on the Sudhaan website

                                                                                                 Scope

This policy applies to all SMSF employees, contractors, vendors, customers and business partners who may receive personal information, have access to personal information collected or processed, or who may provide information to the Company.

This policy applies to all SMSF employees, contractors, vendors, customers and business partners who receive personal information from SMSF, have access to personal information collected or processed by SMSF, or who provide information to SMSF, regardless of geographic location.

All employees of SMSF are expected to support the Privacy Policy and Policies when they collect and/or handle personal information or are involved in the process of maintaining or disposing of personal information. This policy provides information to successfully fulfill the Company’s commitment to data privacy.

All subsidiaries and any third parties working with or for SMSF, and who have or may have access to personal information, are expected to have read, understand and abide by this Policy. No third party will be able to access personal information held by the company without entering into a confidentiality agreement.

As per smsf business processes, Personally Identifiable Information (PII)
is collected/stored in the following areas
* :www.sudhaanmicrofinance.com
* smsf branch application,
* Customer Onboarding Module,
* Mobile App for Customer Onboarding,
* LOS/LMS Module (Structured Loans)
* Web Module (Lead Management)
* SMSF OGL Web Application
* SMSF OGL Mobile Application (OGL & OGL Lite)
* Trucell/ Br.Net/ Mobile Application
* HRMS (Employee Details)
* Collection (Vendor Details)
* NCD (Depositor Details)
* CRM/Call Center Module, Dialer Module
* SMSF ESS Mobile Application (Lead Management)
* SMSF Board Meeting Web and Mobile/Tablet Application
* SMSF Application

                                                                                                             Responsibilities

The owner of the Data Privacy Policy will be the ISMS Officer. The ISMS Officer will be responsible for the maintenance and accuracy of this policy.

This policy will be reviewed for updates on an annual basis by the IT Strategy Committee.

In addition, the Data Privacy Policy will be updated based on any major changes within the organization’s operating environment, recommendations made by internal/external auditors and/or any changes brought about by regulatory/legal amendments.

                                                                                                             Policy Compliance

Compliance with the Data Privacy Policy will be reviewed annually by the Compliance Department to ensure continuous compliance monitoring through the implementation of compliance measurement and periodic review processes.

In cases where non-compliance is identified, the ISMS Officer will review the reasons for such non-compliance and report to the Compliance Department, along with a remediation plan. Depending on the conclusions of the review, the need for revisions to the policy may be identified.

In the event of continued non-compliance by the individuals concerned, action will be taken against them in accordance with the SMSF disciplinary process.

                                                                                                                                                   Data Privacy Principles

This Policy describes reasonable security practices and generally accepted privacy practices for the protection and proper use of SMSF’s personal information. These policies will govern the use, collection, disposal and transfer of personal information, except as specifically provided by this Policy or required by applicable law:
Notice: SMSF will provide data subjects with notice of how it collects, uses, stores and discloses their personal information.
Choices and Consent: SMSF will provide data subjects with choices and obtain their consent about how it collects, uses and discloses their personal information.
Data Subject Rights: AMFL will provide individuals with the right to control their personal information, including the right to access, amend, delete, restrict, port or object to certain uses of their information and the right to withdraw consent previously given in the notice.
Collection: SMSF will only collect data subjects’ personal information for the purposes identified in the Privacy Notice / SoW / Contract Agreement and only to provide the requested product or service.
Use, Retention and Disposal: SMSF will only use personal information collected for the purposes identified in the Privacy Notice / SoW / Agreement and in accordance with the consent given by the data subject.
SMSF will not retain personal information for longer than is necessary to fulfil the purpose for which it was collected and to maintain reasonable business records.       

The SMSF will dispose of personal information after it has fulfilled its purpose – or as specified by the data subject.

Access: The SMSF will allow data subjects to inquire about the personal information about them that the SMSF holds and, where appropriate, provide access to their personal information for review and/or updating.

Disclosure to third parties: The SMSF will only disclose personal information to third parties/subsidiaries for the purposes identified in the Privacy Notice Agreement. The SMSF may from time to time disclose such personal information – as required – in accordance with national law. The SMSF will disclose personal information securely in accordance with the Agreement, the law and other sections – and where required – with the consent of the data subject.

Obligations for sub-processors: Where a processor (vendor or third party acting on behalf of the data processor of the SMSF) engages another processor (sub-processor) to carry out certain processing activities on behalf of the SMSF (controller), the same data protection obligations as set out in the contract between A and the processor or other legal acts shall be imposed on the sub-processor by means of a contract or other legal act, in particular by providing adequate guarantees to implement appropriate technical and organisational measures so that the processing meets the requirements of the Information Technology Act, India and its amendments. Where the sub-processor fails to fulfil its data protection obligations, the primary processor (the relevant vendor or third party acting on behalf of the data processor of the SMSF) shall be fully liable to AMFL for the performance of that sub-processor’s obligations.
Protection of Privacy: The SMSF shall reasonably protect personal information from unauthorised access, data leakage and misuse.
Quality: The SMSF will take steps to ensure that personal information held on its records is ‘accurate and relevant to the purposes for which it was collected’. Monitoring and enforcement: The SMSF will monitor compliance with its privacy policy internally and with third parties and establish processes for dealing with enquiries, complaints and disputes.

                                                                                                                                           Notice

The notice shall be made readily accessible and available to data subjects before or at the time of collection of personal data or, alternatively, as soon as reasonably practicable. The notice shall be clearly and conspicuously displayed and provided online (e.g. by posting on websites/intranet portals/mobile applications) and/or offline (e.g. by post, courier, etc.). All websites (including intranet portals), and any products or services that collect personal data internally shall have a privacy notice. In the event of any cross-border transfer of personal data, data subjects shall be adequately informed by means of a notice prior to the transfer.
The privacy notice may include:
* The operating jurisdiction of the organization: third parties involved; business divisions and affiliates; lines of business; location.
* The type of personal data collected; source of the data; who is collecting the personal data, including contact information.
* The purpose of collecting the personal data.

* The assurance that the personal data will only be used for this purpose

The notice identifies and only if implicit and/or explicit consent is given
unless any law or regulation specifically requires otherwise.
* Any choices of the data subject regarding the use or disclosure of the information; the process and the steps to be followed to implement the data subject’s choices.
* The process for the data subject to change the means of communication and obtaining consent.

* The collection process and how the information is collected; How the information is used, including onward transfer to third parties.

* The process for storing and disposing of personal information; Ensuring that
personal information will be stored only for the period necessary to fulfill the stated
purpose, or for the period specifically required by law or regulation, and will be securely disposed of or anonymized after the stated purpose has been fulfilled.

* The process for accessing personal information;
The costs associated with accessing personal information (if any); The process for updating/correcting personal information; Resolution of disputes regarding personal information.

* How the information is protected from unauthorized access or use.

* How users will be notified of any changes made to the Privacy Notice.

* Disclosure process for third parties; ensuring that personal information will only be disclosed to third parties for the purposes identified; remedial measures for any misuse of personal information by third parties; security measures to protect personal information; means to maintain the quality of personal information; monitoring and enforcement mechanisms in place; description of the channels available for data subjects to make complaints; how internal staff, key stakeholders and customers can contact the organisation in relation to any privacy complaints or breaches; relevant contact information and/or other reporting mechanisms through which complaints and/or breaches can be registered.

Consequences of not providing the requested information.

                                                                                                            Choice and consent

Choice refers to the choices given to data subjects regarding the collection and use of their personal information. Consent refers to their agreement to the collection and use, which is often expressed by the way they exercise the choice.
* SMSFs will establish systems for collecting and documenting consent to the collection, processing and/or transfer of personal information.

* Data subjects will be informed of the choices available to them regarding the collection, use and disclosure of personal information.

Consent (written or electronic) will be obtained from data subjects before or at the time of collection of personal information or as soon as reasonably practicable.

* Changes to data subject preferences will be managed and
documented. Consent or withdrawal of consent will be documented in an appropriate manner.

* Preferences will be implemented and respected in a timely manner. If persona    When collecting information, the information must be used for purposes not specified in the notice / SOW / agreement, the new purpose must be documented, the information provider must be notified and consent must be obtained prior to such new use or purpose.
* The information provider must be notified if the information collected is used for marketing, advertising, etc.
* The SMSF will review the third party’s privacy policy and the third party’s consent form before receiving personal information from a third party information source.  

Collection of Personal Information

Personal data may be collected online or offline. Regardless of the method of collection, the same privacy protections will apply to all personal data.
* Personal data will not be collected unless one of the following conditions is met:

o The data subject has given a valid, informed and free consent.

o The processing is necessary for the performance of a contract by the data subject or to take steps at the data subject’s request before entering into a contract.

o The processing is necessary for compliance with a legal obligation to which the organization is subject.

o The processing is necessary to protect the vital interests of the data subject.

o The processing is necessary for the performance of a task carried out in the public interest
* The data subject shall not be required to provide more personal data than is necessary for the provision of the requested or authorised product or service. If any data is requested that is not necessary for the provision of a service or product, such fields will be clearly marked as optional. The collection of personal data will be avoided or limited where reasonably possible.
* Personal information will be de-identified when the purposes for which personal information is collected can reasonably be achieved without personally identifiable information.
* When using vendors to collect personal information on behalf of the SMSF, it will ensure that the vendors comply with the SMSF’s privacy requirements as defined in this policy.

The SMSF will, at a minimum, review and monitor the notice/SOW/contract identifying the information collected, consent obtained and purposes on an annual basis.
* The relevant department/function will obtain approval from the CTO before adopting new methods for collecting personal information electronically.

The SMSF will review the third party’s privacy policy and collection procedures before receiving personal information from a third party data source.

Use, Retention and Disposal

* Personal information may only be used for the purposes identified in the Notice /

SOW / Agreement and only if the data subject provides consent.
* Personal information will be retained for as long as necessary for the business purposes identified in the Notice /

SOW / Agreement at the time of collection or as later authorized by the data subject.

* When the use of personal information is no longer necessary for the business      For this purpose, a procedure will be put in place to ensure that the information is destroyed – in a manner that prevents unauthorised access to the information or that the information is not sufficiently de-identified to render it personally identifiable.
* The SMSF will have a documented process in place to notify data subjects of changes to the retention periods required by the business to request such changes.
* If the storage breaches any data protection regulations or knowledge of the data is no longer required by the SMSF – or in the interests of the data subject – then the personal information will be deleted. Additionally, the SMSF has the right to retain employee information for legal and regulatory purposes and in accordance with applicable data privacy laws.
* AMFL will conduct an internal audit on an annual basis to ensure that the personal information collected is being used, stored and disposed of in accordance with the organisation’s data privacy policy.

                                                                                                                             Access

The SMSF shall establish and implement a system for the right to access, block, delete, oppose, rectify, and, in accordance with applicable law, give notice of inappropriate disclosure of personal information.
* Data subjects shall have the right to access their own personal information upon written request and upon specified request. The SMSF shall respond to the request within 72 hours of receipt of the written request.
* Data subjects shall have the right to request the SMSF to rectify or supplement personal information that is inaccurate, misleading, out of date, or incomplete.
* Requests for access to or rectification of personal information shall be recorded and documented by the relevant departmental head of the project or support function responsible for accessing the information, as soon as the information is received.
* Privacy Coordinators shall record and document the receipt of each access request and the action taken accordingly.

The SMSF shall provide the personal information to data subjects in a simple and understandable format upon receipt of the information.

                                                                                      Disclosure to Third Parties

If personal information is disclosed to third parties/partner organisations, the data subject will be informed in the privacy notice/SoW/contractual agreement, and it will only be disclosed for the purposes set out in the privacy notice/SoW/contractual agreement and for the purposes to which the data subject has given consent.
* Personal information of data subjects may only be disclosed to third parties/subsidiaries for reasons consistent with the purposes identified in the notice/SoW/contractual agreement or for other purposes permitted by law.
* The SMSF will notify data subjects before disclosing personal information to third parties/partner organisations

for purposes not previously identified in the notice/SoW/contractual agreement.

* The SMSF will communicate to third parties the privacy practices, procedures and requirements for data privacy and security.   

Subsidiaries.
* Third parties will sign an NDA (Non-Disclosure Agreement) with AMFL
before disclosing any personal information to third party partner companies. The terms will include non-disclosure of Personally Identifiable Information (PII).

Information security policies and procedures will be documented and implemented to ensure reasonable security of personal information collected, stored, used, transferred and disposed of by the SMSF
* Information asset labeling and management guidelines will include specific controls for the storage, retention and transfer of personal information.

The SMSF will establish procedures that will maintain the logical and physical security of personal information.

The SMSF will establish procedures that will ensure the protection of personal information against accidental disclosure due to natural disasters and environmental hazards.

Incident response protocols are established and maintained to deal with incidents involving personal information or privacy practices.

                                                                                                  Quality

Maintain the integrity and quality of personal information appropriate to the purpose for which it is collected and used and ensure that the information is reliable, accurate, complete and current.
* For this purpose, the Nodal/Data Protection Officer will have systems and procedures in place to ensure that the personal information collected is accurate and complete for the business purpose.
* The SMSF Internal Audit Department will conduct an annual assessment of the personal information collected to check the accuracy, completeness and relevance of the personal information.

                                                                                                                                   Storage of data

The SMSF shall ensure that any loan service provider/digital lending app engaged/

will not store personal information of borrowers, except for some basic minimum information (e.g. name, address, contact details of the customer, etc.) which may be required for the conduct of their business. The SMSF shall be responsible for the confidentiality and security of the customer’s personal information.

The SMSF shall ensure that no biometric information is stored/collected in the systems associated with the digital lending app/lender, unless permitted in accordance with the existing

statutory guidelines.

The SMSF shall ensure that the information is stored only on servers located within India, while ensuring compliance with

statutory obligations/

regulatory directives.

The information required under the Company’s archiving policy, which may be amended from time to time, while ensuring compliance with

statutory/

regulatory requirements.

                                                                                                        Dispute Resolution and Escalation Process for Customer / Third Party

If customers/third parties have any queries or complaints regarding the processing of their personal data, they should bring the matter to the attention of the Complaints Officer in writing. Any disputes regarding the processing of personal data of non-employees will be resolved through arbitration.

                                                                                                                          Compliance Review

The Internal Audit Team will conduct an internal audit (at least) annually to ensure compliance with the established privacy policy and applicable laws. • The internal audit will include a review of the following:  Actual use of the information.
Disclosure of the purpose of collection and use of such information.
The existence and extent of any data subject consenting to such activities.
Any legal obligations relating to the collection and processing of such information, and
The extent, adequacy and status of implementation of security measures.
* The internal audit team will document all incidents of non-compliance with the privacy policy and procedures and report them to the privacy management committee.
* The nodal/data protection officer will take action on the information received from the internal audit and work on recommendations to improve the privacy situation.
* Any changes made to the policy will be communicated to all employees, partners and customers/clients.

                                                                                                      Other Policies

In order to ensure compliance with the requirements of good corporate governance, the SMSF may adopt additional policies which shall be deemed to form part of this Data Privacy Policy. In the event of any conflict between the policies set out in this Policy and the requirements set out in the Data Privacy Policy, the requirements set out in the Data Privacy Policy shall prevail. The list of additional policies adopted by the SMSF is as follows: For other purposes, the above policies are to be read in conjunction with the Data Privacy Policy.
GlossaryTerm Definition
Data Subject A data subject who is the subject of personal and sensitive
personal data.
Personal data or
Personally
Identifiable
Information (PII)
PII is any information about an individual (the data subject).
which can
* any information that can be used to distinguish or
trace an
individual’s identity,
* Any other information that is linked or linkable to
an individual Examples included but not limited to: Name,
Address, Date of birth etc.