Data Protection and Privacy Policy

Introduction

Asia Capital Limited is committed to protecting the privacy and confidentiality of personal information entrusted to us by our customers, employees, and business partners. This policy outlines our approach to data protection and privacy management.

Scope and Applicability

This policy applies to:

• All personal data processed by Asia Capital Limited
• All employees, contractors, and third-party processors
• All systems, processes, and technologies handling personal data
• All business operations and customer interactions

Legal Framework

Our data protection practices comply with:

• Information Technology Act, 2000 and Rules
• Personal Data Protection Bill (when enacted)
• Reserve Bank of India guidelines
• International standards (ISO 27001, GDPR principles)

Data Protection Principles

1. Lawfulness and Fairness

• Data processing based on legitimate grounds
• Transparent communication about data use
• Fair treatment of data subjects
• Respect for individual rights

2. Purpose Limitation

• Data collected for specific, legitimate purposes
• Use limited to stated purposes
• No secondary use without consent
• Regular purpose review and validation

3. Data Minimization

• Only necessary data collected
• Proportionate to business needs
• Regular data audits and cleanup
• Deletion of unnecessary information

4. Accuracy and Currency

• Data kept accurate and up-to-date
• Regular verification processes
• Correction mechanisms in place
• Quality assurance procedures

5. Storage Limitation

• Data retained only as long as necessary
• Clear retention schedules
• Secure disposal procedures
• Regular review of stored data

6. Security and Confidentiality

• Appropriate technical safeguards
• Organizational security measures
• Access controls and monitoring
• Regular security assessments

Types of Data We Process

Customer Data

• Personal identification information
• Financial and transaction data
• Contact and communication records
• Credit history and assessment data
• Device and technical information

Employee Data

• Employment and HR records
• Performance and training data
• Health and safety information
• Payroll and benefits data

Business Partner Data

• Contact and company information
• Commercial and contractual data
• Performance and compliance records

Data Collection Practices

Consent Management

• Clear and specific consent requests
• Granular consent options
• Easy withdrawal mechanisms
• Consent record maintenance

Notice and Transparency

• Privacy notices at collection points
• Clear explanation of data use
• Contact information for queries
• Regular privacy notice updates

Data Quality

• Accuracy verification procedures
• Regular data validation
• Correction and update processes
• Quality monitoring systems

Data Security Measures

Technical Safeguards

1. Encryption

   • Data encrypted in transit and at rest
   • Strong encryption algorithms (AES-256)
   • Key management procedures
   • Regular encryption audits

2. Access Controls

   • Role-based access management
   • Multi-factor authentication
   • Regular access reviews
   • Privileged user monitoring

3. Network Security

   • Firewall and intrusion detection
   • Secure communication protocols
   • Network segmentation
   • Regular vulnerability assessments

4. Data Loss Prevention

   • Automated monitoring systems
   • Content filtering and blocking
   • Data classification schemes
   • Incident detection and response

Organizational Measures

1. Staff Training

   • Regular privacy awareness training
   • Role-specific security training
   • Incident response procedures
   • Compliance requirements education

2. Vendor Management

   • Due diligence on data processors
   • Contractual data protection clauses
   • Regular vendor assessments
   • Performance monitoring

3. Policy and Procedures

   • Comprehensive policy framework
   • Standard operating procedures
   • Regular policy updates
   • Compliance monitoring

Individual Rights

We respect and facilitate the following rights:

Right to Information

• Clear privacy notices
• Response to information requests
• Regular communication updates
• Accessible information formats

Right to Access

• Access to personal data held
• Information about processing purposes
• Details of data recipients
• Retention period information

Right to Rectification

• Correction of inaccurate data
• Completion of incomplete data
• Verification of corrected data
• Notification to third parties

Right to Erasure

• Deletion when purpose fulfilled
• Withdrawal of consent processing
• Objection to processing
• Technical deletion procedures

Right to Data Portability

• Data provided in structured format
• Commonly used file formats
• Direct transmission where possible
• Verification of identity

Data Retention and Disposal

Retention Schedules

Secure Disposal

• Physical destruction of paper records
• Secure wiping of electronic media
• Certificate of destruction
• Disposal audit trails

Data Breach Management

Incident Response Process

1. Detection and Assessment

   • Incident identification
   • Impact assessment
   • Risk evaluation
   • Classification of breach

2. Containment and Investigation

   • Immediate containment measures
   • Detailed investigation
   • Evidence preservation
   • Root cause analysis

3. Notification and Communication

   • Regulatory notification (within 72 hours)
   • Customer notification (without delay)
   • Stakeholder communication
   • Public disclosure if required

4. Recovery and Improvement

   • System restoration
   • Security enhancement
   • Process improvement
   • Lessons learned documentation

Third-Party Data Sharing

Legitimate Sharing Purposes

• Service delivery and operations
• Legal and regulatory compliance
• Credit assessment and verification
• Fraud prevention and detection

Sharing Safeguards

• Data processing agreements
• Adequate protection standards
• Purpose and scope limitations
• Regular compliance monitoring

International Transfers

• Adequacy assessment of destination
• Appropriate safeguards implementation
• Standard contractual clauses
• Binding corporate rules where applicable

Monitoring and Compliance

Regular Audits

• Annual data protection audits
• Process compliance reviews
• Technical security assessments
• Third-party certifications

Performance Metrics

• Data subject request response times
• Breach detection and response times
• Training completion rates
• Compliance assessment scores

Governance Structure

• Data Protection Officer appointment
• Privacy committee oversight
• Regular board reporting
• Stakeholder engagement

Training and Awareness

Staff Training Program

• General privacy awareness
• Role-specific training modules
• Regular update sessions
• Competency assessments

Training Coverage

• Data protection principles
• Individual rights and procedures
• Security measures and protocols
• Incident response procedures

Contact Information

Data Protection Officer

• Name: [To be appointed]
• Email: dpo@asiacapital.in
• Phone: +91-22-4711-8305
• Address: Data Protection Office, Asia Capital Limited

Customer Queries

• Email: privacy@asiacapital.in
• Phone: +91-22-4711-8300
• Website: www.asiacapital.in/privacy

Regulatory Complaints

If unsatisfied with our response, customers may contact:

• RBI: crpc@rbi.org.in
• Cyber Crime Reporting: www.cybercrime.gov.in

This policy is reviewed annually and updated to reflect changes in law, regulation, and best practices. The current version is always available on our website and at all branch locations.