top of page
Privacy Policy

Digital Personal Data Protection Act, 2023 Compliance

​

1. INTRODUCTION AND SCOPE

This Privacy Policy explains how Dr John Mathews ("Data Fiduciary," "we," "us," "our," or the "Organization"), an individual consulting professional based in Mumbai, Maharashtra, India, collects, processes, uses, discloses, protects, and manages personal data in connection with the operation of this website and the delivery of anti-money laundering (AML) consulting services, educational content, AML strategy advisory, and indicative assessment reports based on the DAREM

This Policy is established in compliance with the Digital Personal Data Protection Act, 2023 ("DPDP Act") and the Digital Personal Data Protection Rules, 2025 ("DPDP Rules"), which collectively form the applicable legal framework for the processing of personal data in India. This Policy applies to all data processing activities undertaken through this website, affiliated digital platforms, and email communications initiated through website contact mechanisms, regardless of the location of the data principal or the jurisdiction from which the website is accessed.

For the purposes of the DPDP Act, Dr John Mathews [BJ1] functions as a Data Fiduciary, meaning this individual determines the purposes and means of processing personal data and assumes all corresponding obligations and liabilities under the Act and Rules. This designation means personal data is collected, processed, and managed under direct control and responsibility, with full accountability to data principals and regulatory authorities.

​

This Policy applies globally, with particular emphasis on the rights and protections afforded under Indian law. The DPDP Act extends to all personal data collected from individuals residing in India or processed in connection with offering goods or services to such individuals, irrespective of where the data is stored or processed.

​

2. OUR COMMITMENT TO DATA PROTECTION

Dr John Mathews is firmly committed to the protection of personal data as a fundamental right and recognizes the importance of transparency, accountability, and respect for individual autonomy in all data processing activities. This commitment is reflected in the following foundational principles:

Lawful and Transparent Processing: All personal data is processed in strict compliance with the DPDP Act and applicable rules, regulations, and notifications issued by the Government of India. Data is processed only for lawful purposes and in a transparent manner, with clear prior notice to all data principals regarding what data is collected, why it is collected, how it will be used, who will have access to it, and how long it will be retained.

​

Purpose Limitation: Personal data collected for a specified, explicit, and legitimate purpose will not be processed in any manner that is incompatible with that purpose. Any new use of existing personal data requires fresh, explicit consent from the data principal or must be justified under an alternative legal ground for processing recognized by the DPDP Act.

​

Data Minimization: Only such personal data as is necessary and proportionate to the stated purpose of processing is collected and retained. Unnecessary or excessive data collection is actively avoided through systematic review of data inventories and processing activities.

Accuracy and Completeness: Reasonable efforts are undertaken to ensure that personal data remains accurate, complete, and up to date throughout its processing lifecycle. Data principals are provided with accessible mechanisms to correct or update inaccurate or incomplete information.

​

Storage Limitation[BJ2] : Personal data is retained only for the period necessary to fulfill the purpose for which it was collected or to comply with applicable legal obligations. Upon expiration of the retention period, data is securely deleted or anonymized in such a manner that it cannot be attributed to any identifiable individual.

​

Security and Confidentiality: Appropriate technical and organizational safeguards are implemented throughout the data processing lifecycle to protect personal data against unauthorized access, accidental loss, destruction, alteration, and disclosure.

Accountability: Dr John Mathews maintains comprehensive records of all data processing activities, including records of consent, purposes, lawful grounds, retention schedules, and security measures. These records are maintained to demonstrate compliance with the DPDP Act and to enable transparent communication with data principals and regulatory authorities.

​

3. DATA FIDUCIARY IDENTIFICATION AND CONTACT

Data Fiduciary: Dr John Mathews
Location: Mumbai, Maharashtra, India
Jurisdiction: India (Primary)

Grievance Officer and Data Protection Contact:

  • Name: Dr John Mathews

  • Email: hello@drjohnmathews.com

  • Contact Escalation: Inquiries will be acknowledged within 7 calendar days [BJ3] and substantively addressed within 30 calendar days. Queries concerning data protection, privacy concerns, grievances, or requests for exercising data principal rights should be directed to the contact details above. Grievances will be handled in accordance with the timelines and procedures established under the DPDP Act.

 

For any questions, grievances, or to exercise your rights as a Data Principal, please contact the Grievance Officer using the contact details provided above.

 

4. CATEGORIES OF PERSONAL DATA COLLECTED

The Organization collects personal data only when it is necessary to provide services, respond to inquiries, or fulfill compliance obligations. Personal data collected through various touchpoints is categorized as follows:

​

4.1 Contact and Consulting Inquiry Forms

When a visitor or prospective client submits a contact form, consulting inquiry form, or similar communication mechanism available on this website, the following personal data may be collected:

  • Identification Information: Full legal name or professional designation

  • Professional Information: Job title, professional designation, area of specialization or professional expertise

  • Contact Information: Primary email address, mobile telephone number, landline telephone number, or alternative contact number.

  • Organizational Information: Name of employer, organization, company, or firm; nature of business or industry sector

  • Inquiry Content: The substantive content of the query, question, or consulting request, which may include contextual information about the individual's organization, existing AML controls, compliance challenges, regulatory issues, or business operations.

 

Data principals are expressly cautioned against submitting passwords, personal identification numbers, passport numbers, Aadhaar numbers, government-issued identification document numbers, biometric data, health information, financial account details, or any information that would be classified as sensitive personal data under applicable law through unsecured contact forms or general inquiry mechanisms. If such information is submitted inadvertently, it will be deleted immediately upon discovery.

 

4.2 Dedicated DAREM Report Request Forms

The Organization offers an indicative DAREM assessment tool that generates educational reports based on input data. When a data principal requests a DAREM report, the following personal data is collected:

  • Identification Information: Full name of the requesting individual

  • Contact Information: Mobile telephone number, professional email address.

  • Professional Information: Job title, professional designation, area of responsibility

  • Organizational Details: Name of the employing organization, company, or enterprise; jurisdiction of organization; organizational structure or size

  • Business Attributes and Risk Profile Information: Data concerning the organization's AML/financial crime control environment, including presence or absence of specific control mechanisms, process descriptions, risk assessments, compliance framework maturity, previous regulatory interactions, or business process descriptions related to the organization's compliance posture[BJ4] 

 

This data is processed exclusively to generate an indicative, educational report. The Organization conducts limited analysis of these business attributes for the purpose of improving the DAREM model methodology and analytical accuracy.

 

4.3 Technical and Usage Data (Automatic Collection)

When a visitor accesses, browses, or interacts with this website, certain technical information is automatically collected by website infrastructure, analytics systems, and security mechanisms. This technical data is collected without explicit action by the visitor and includes:

  • Network Information: IP address (which may permit approximate geographic location inference), domain name, Internet Service Provider (ISP) information.

  • Device Information: Device type and model, unique device identifiers, operating system name and version, browser type and version, browser language settings

  • Behavioural Data: Pages visited and their sequence, date and time of access, duration of time spent on each page or section, links clicked or activated, buttons clicked, form interactions (including form submission status), scroll depth, exit pages.

  • Cookie and Tracking Information: First-party cookie identifiers and values (where cookies are enabled), persistent identifier mappings, session identifiers.

  • Performance Data: Page load times, error messages encountered, abandoned transactions or incomplete forms.

 

Technical data is collected through conventional web server logs, analytics packages (where consent-based analytics are enabled), and security monitoring systems necessary for website operations, fraud prevention, and cybersecurity.

 

5. LAWFUL GROUNDS FOR PROCESSING AND EXPLICIT CONSENT

The DPDP Act permits personal data processing based on either explicit consent or certain legitimate grounds recognized by the statute. The Organization processes personal data on the following lawful grounds:

 

5.1 Explicit Consent (Primary Basis)

Consent-Based Processing: The primary lawful ground for processing personal data is explicit, free, specific, informed, unconditional, and unambiguous consent obtained from the data principal through clear affirmative action. Consent is required before the processing of personal data in the following circumstances:

  • Contact and Consulting Inquiries: Processing of name, email, telephone number, and query content submitted through contact forms requires explicit consent provided at the moment of form submission.

  • DAREM Report Generation: Processing of organizational and business attribute data for report generation requires explicit consent provided through the DAREM form interface.

 

Withdrawal of Consent: A data principal may withdraw consent at any time by sending written communication to the Grievance Officer using the contact details in Section 3. Withdrawal of consent is effective immediately, and processing of personal data must cease. Where consent is withdrawn, the Organization will delete the relevant personal data within thirty (30) calendar days unless continued retention is permitted under another lawful ground (such as legal or regulatory obligation).

 

5.2 Legitimate Grounds for Processing Without Prior Consent

The DPDP Act recognizes certain legitimate grounds for processing personal data without obtaining prior explicit consent from the data principal. The Organization processes personal data without prior consent in the following circumstances:

  • Voluntary Disclosure: Where a data principal voluntarily provides personal data to the Organization for a specified purpose and does not affirmatively object to processing, the Organization may process such data for that specified purpose without prior express consent, provided the data principal has received clear notice.

  • Legal and Regulatory Compliance: Personal data may be processed without consent to comply with mandatory legal obligations, court orders, directives from regulatory authorities, or to respond to lawful requests from competent government agencies investigating financial crimes, fraud, money laundering, or regulatory violations.

  • Fraud Prevention and Cybersecurity: Technical and behavioural data may be processed without consent for the purposes of detecting, investigating, and preventing unauthorized access, data breaches, fraud, malicious activities, or security incidents affecting the website or systems.

  • Employment and Consultant Relationship: Where a data principal has engaged the Organization as a consulting client, personal data may be processed without consent to the extent necessary to establish, perform, and manage the consulting engagement, including performance of consulting services, billing, and dispute resolution.

 

6. PRIVACY NOTICE AND CONSENT REQUEST REQUIREMENTS

The DPDP Act and Rules mandate that a clear, plain-language privacy notice be provided to data principals before consent is sought. This Privacy Policy serves as the comprehensive notice document. Additionally, specific notices are displayed with each data collection mechanism as follows:

 

6.1 Contact Form Privacy Notice

The following notice is displayed prominently above the "Submit" button on all general contact and consulting inquiry forms:

Privacy Notice: By submitting this contact form, you consent to the processing of your personal information (name, email address, telephone number, and the content of your inquiry) for the purposes of responding to your inquiry, providing information about our AML consulting services, and follow-up communication regarding the services or topics you inquire about. Your data will be processed in accordance with our Privacy Policy and the Digital Personal Data Protection Act, 2023. You may withdraw your consent at any time by sending written notice to our Grievance Officer. Your information will be deleted after resolution of your inquiry and our consultation response, unless you consent to continued communication or unless we are required to retain it for legal or regulatory purposes. No automatic professional relationship or consulting engagement is created by submitting this form. For detailed information about how we process your data, please review our complete Privacy Policy.

 

6.2 DAREM Form Privacy Notice

The following notice is displayed prominently near the "Generate Report" button on the DAREM request form:

Consent Confirmation: I confirm that (1) I am authorized by my organization to submit the information contained in this form; (2) I have read and understood the Privacy Policy; (3) I consent to the processing of my personal information and my organization's business attribute data for the purposes of generating an indicative DAREM assessment report; and (4) I understand that the DAREM report is generated solely for educational and informational purposes and is not professional advice, audit finding, or regulatory guidance.

Educational Use Acknowledgment: I acknowledge and agree that the DAREM report is an auto-generated, indicative assessment based solely on the inputs I have provided and is intended for educational purposes only. I will verify the accuracy of my inputs and the reasonableness of the resulting assessment. I will consult with qualified AML compliance professionals, external auditors, or legal counsel before relying on the report for compliance decisions or regulatory matters.

 

7. PURPOSES OF PROCESSING

Personal data is processed only for the following specific, lawful, and explicit purposes. Processing for purposes other than those listed below is strictly prohibited:

 

7.1 Response to Inquiries and Delivery of Consulting Services

The Organization processes contact information (name, email, telephone) and inquiry content for the purpose of:

  • Acknowledging receipt of inquiries submitted through contact forms.

  • Responding substantively to questions or requests for information

  • Providing information about the Organization's services, expertise, or experience

  • Scheduling preliminary or exploratory discussions, if the data principal requests such engagement.

  • Preparing for, conducting, and follow-up to consulting engagements where a separate, written consulting agreement has been executed between the data principal's organization and the Organization.

Processing for this purpose is necessary to fulfill the data principal's explicit request and to provide the services requested.

 

7.2 Generation of Indicative DAREM Assessment Reports

The Organization processes organizational business attribute data and professional information collected through the DAREM form for the purposes of:

  • Generating an auto-calculated, indicative DAREM assessment report that reflects the organization's compliance maturity profile.

  • Permitting the data principal to view and download the report directly from the website for educational and informational purposes.

  • Undertaking limited analysis of aggregated and anonymized business attribute data to evaluate the effectiveness and accuracy of the DAREM model, identify common control gaps, and refine the analytical methodology.

The DAREM report is strictly educational and is not a professional audit, regulatory assessment, or basis for compliance decisions.

 

7.3 Website Maintenance, Security, and Improvement

The Organization processes technical and usage data for the following operational purposes:

  • Maintaining the technical infrastructure, functionality, and availability of the website

  • Diagnosing technical problems, troubleshooting errors, and conducting performance testing

  • Detecting, investigating, and preventing unauthorized access, data breaches, fraud, malicious use, or violation of website terms

  • Implementing security measures including firewalls, intrusion detection, log analysis, and incident response

  • Understanding visitor behaviour and interaction patterns through analytics (where consent-based analytics are enabled) to improve website content, user experience, navigation, and educational value.

  • Optimizing website performance, page load times, and functionality based on usage patterns.

 

7.4 Legal and Regulatory Compliance

The Organization may process personal data without prior consent to comply with:

  • Mandatory reporting requirements under AML/counter-terrorism financing laws, including the Prevention of Money Laundering Act, 2002

  • Court orders, regulatory directives, or lawful requests from government agencies, law enforcement, or financial intelligence units

  • Compliance with tax authorities, employment law requirements, and other statutory obligations

  • Preservation of evidence and response to legal disputes, claims, or litigation

 

7.5 Business Communication and Service Notifications

The Organization may process contact information to send:

  • Essential Service Communications: Confirmations of consulting engagements, status updates on deliverables, invoices, and notifications regarding changes to terms of service or this Privacy Policy. These communications cannot be opted out of while using the services.

  • Optional Communications: Notifications regarding new content, educational articles, webinars, events, or updates to the DAREM model or AML best practices. Optional communications include a clear, easy unsubscribe mechanism that is functional in every communication.

 

7.6 Prohibited Uses

Personal data will NOT be used for the following purposes:

  • Direct marketing or commercial advertising without prior explicit consent

  • Profiling or automated decision-making that produces legal or similarly significant effects.

  • Transfer, sale, or commercial licensing to third parties.

  • Tracking or behavioural monitoring beyond what is necessary for website operation and security.

  • Any use incompatible with the purposes specified above

 

8. DATA SHARING AND RECIPIENTS

Personal data is shared with third parties only on a need-to-know basis, where necessary to fulfill the specified purposes of processing, and only where adequate safeguards are in place. The following categories of recipients may receive personal data:

 

8.1 Data Processors and Contractual Recipients

Website Hosting and Infrastructure Providers: The Organization engages third-party providers for website hosting, server infrastructure, and database management. These providers act as Data Processors under the DPDP Act and process personal data only on the documented instructions of the Organization. Contractual agreements with all infrastructure providers include mandatory compliance obligations regarding data security, confidentiality, and the DPDP Act.

 

Email and Communication Providers: The Organization may use third-party email service providers for sending communications to data principals. These providers act as Data Processors and are bound by contractual obligations to process data only for the purpose of transmitting communications.

 

Analytics and Security Vendors: Where a data principal has consented to analytics, the Organization engages third-party analytics providers to understand website usage patterns. Security monitoring vendors may be engaged to detect and respond to security threats. All such vendors are bound by confidentiality agreements and contractual data protection obligations.

 

8.2 Professional Advisers

The Organization may disclose personal data to professional advisers including:

  • Legal Counsel: Personal data may be disclosed to legal counsel for the purposes of obtaining legal advice, managing disputes, or ensuring compliance with legal obligations.

  • Chartered Accountants and Tax Advisers: Financial and transaction data may be shared with accountants for the purposes of financial record-keeping, audit, and tax compliance.

  • Auditors: Where an independent audit is conducted, personal data necessary for audit purposes may be shared with authorized auditors under confidentiality obligations.

 

8.3 Regulatory and Law Enforcement Authorities

Personal data may be disclosed to:

  • Data Protection Board of India: The Organization must notify the Data Protection Board in case of any personal data breach, as required by the DPDP Act.

  • Government Agencies and Law Enforcement: Personal data may be disclosed to law enforcement agencies, financial intelligence units, tax authorities, or regulatory bodies in response to lawful requests, court orders, or mandatory reporting requirements.

  • Regulatory Bodies: Data may be disclosed to relevant regulatory or professional bodies where legally required.

 

8.4 Cross-Border Transfers

Personal data will be transferred outside India only in the following circumstances:

  • Countries with Adequate Protection: Transfer may occur to countries notified by the Government of India as ensuring adequate protection of personal data equivalent to Indian standards.

  • Contractual Safeguards: Transfer to countries not notified as adequate may occur only where appropriate contractual safeguards (such as Standard Contractual Clauses) are in place to ensure protection of personal data.

  • Explicit Consent: Cross-border transfer for purposes other than those listed above requires explicit prior consent from the data principal.

The Organization does NOT engage in the sale, rental, or commercial licensing of personal data to third parties.

 

9. DATA RETENTION, STORAGE, AND DELETION

Personal data is retained only for the period necessary to fulfill the purposes for which it was collected or to comply with applicable legal or regulatory retention requirements. Data that is no longer necessary is securely deleted or anonymized.

 

9.1 Retention Periods by Data Category

Contact and Consulting Inquiry Data:

  • Retention Period: From date of inquiry receipt through completion of consultation response plus three (3) to five (5) years[BJ5] , as necessary to maintain records of business relationships, respond to potential disputes, maintain audit trails, or comply with legal obligations.

  • Justification: Retention beyond the consultation period is necessary to maintain records of client interactions, respond to follow-up inquiries, and establish documented evidence of communications in the event of disputes or regulatory inquiries.

 

DAREM Report Request Data:

  • Retention Period: From date of report generation for up to two (2) years[BJ6] , to enable audit of the assessment methodology, evaluate model effectiveness, maintain security logs, and investigate potential security incidents.

  • Justification: Retention is necessary to support the iterative improvement of the DAREM model, investigate security incidents, and provide evidence of data processing in response to regulatory inquiries.

 

Technical and Website Access Logs:

  • Retention Period: Minimum of one (1) year; extended retention as permitted under applicable legal, regulatory, or contractual obligations.

  • Justification: Logs are retained as mandated by the DPDP Act for breach detection, incident investigation, and prevention of recurrence. Longer retention may be necessary under other applicable laws.

 

9.2 Deletion and Anonymization Process

Upon expiration of the retention period, or upon receipt of a deletion request from a data principal, personal data is deleted through one of the following methods:

  • Secure Deletion: Data is deleted from production systems using secure deletion techniques that overwrite the storage location multiple times, rendering recovery technically infeasible.

  • Anonymization: Where appropriate, personal data is anonymized such that it cannot be attributed to any identifiable individual, thereby removing the protections of the DPDP Act but retaining the analytical value for aggregate statistical purposes.

  • Archived Destruction: Data maintained in archived or backup systems is destroyed in accordance with the archive retention schedule.

 

9.3 Legal Hold and Litigation Preservation

Notwithstanding the above retention periods, where personal data is subject to a legal hold due to pending or threatened litigation, regulatory investigation, or law enforcement request, the data will be retained in a secure format until the legal matter is resolved or the hold is released.

 

10. COOKIES, TRACKING TECHNOLOGIES, AND ANALYTICS

 

10.1 Essential Cookies

The website uses essential cookies and similar tracking technologies necessary for core website functionality. These cookies are deployed without requiring consent and include:

  • Session Cookies: Temporary identifiers that maintain session state, enable form filling, and track navigation between pages.

  • Security Cookies: Cookies used to detect and prevent unauthorized access, fraud, and security threats.

  • Functionality Cookies: Cookies that remember user preferences such as language settings or accessibility settings.

Essential cookies do not track behaviour across websites and are deleted when the browser session ends or after a specified period.

 

10.2 Non-Essential Analytics Cookies

The Organization may deploy analytics cookies to understand visitor behaviour, content effectiveness, user journey, and website performance. These cookies are deployed only where a visitor has consented to non-essential cookies through a prominent cookie banner or preference management tool. Analytics cookies permit the Organization to:

  • Track which pages are visited and in what sequence.

  • Measure time spent on each page or section.

  • Identify traffic sources (search engines, referrals, direct navigation)

  • Understand content relevance and engagement.

  • Identify technical errors or bottlenecks in the user experience.

 

Consent Mechanism: A clear, prominent cookie banner is displayed on the website permitting visitors to accept or decline non-essential cookies. Visitors may modify cookie preferences at any time through website settings or browser controls.

Third-Party Analytics: Analytics may be provided by third-party services (such as Google Analytics or similar platforms). These services are subject to their own privacy policies and terms. The Organization shares only aggregated, anonymized data with these services.

 

10.3 Managing Cookies

Visitors may manage cookies through their web browser settings, enabling or disabling all cookies (though this may impair website functionality) or selectively disabling specific categories. Most browsers provide instructions for managing cookies in their help sections.

 

11. SECURITY SAFEGUARDS AND DATA PROTECTION

The Organization implements comprehensive technical and organizational security measures to protect personal data against unauthorized access, accidental loss, destruction, alteration, and disclosure. These measures include:

 

11.1 Technical Security Measures

  • Encryption: Personal data in transit is protected using TLS (Transport Layer Security) encryption. Data at rest is encrypted using industry-standard encryption algorithms where technically feasible.

  • Access Controls: Access to personal data is restricted to authorized individuals who have a documented legitimate need to access the data. Access is granted on a least-privilege basis.

  • Activity Monitoring and Logging: All access to personal data systems is logged and monitored for unauthorized or suspicious activity. Logs are reviewed periodically to detect anomalies.

  • Data Masking and Tokenization: Where feasible, sensitive personal data is masked, obfuscated, or replaced with tokenized identifiers to limit exposure.

  • System Hardening: Servers, databases, and applications are hardened through security patches, vulnerability assessments, and penetration testing.

 

11.2 Organizational Safeguards

  • Data Protection Policies: Documented policies and procedures govern the collection, processing, storage, use, disclosure, and deletion of personal data.

  • Personnel Training: Individuals with access to personal data receive training on data protection obligations, confidentiality, and incident response procedures.

  • Vendor Management: All Data Processors and third-party recipients of personal data are subject to written contracts that mandate compliance with the DPDP Act and implementation of equivalent security safeguards.

  • Incident Response Plan: The Organization maintains a documented incident response plan for detecting, investigating, and remediating security breaches, with procedures for notifying affected individuals and the Data Protection Board.

  • Regular Audits: The Organization conducts periodic audits and assessments of data security controls to ensure continued effectiveness and compliance.

 

11.3 Limitation of Liability for Security

While the Organization implements reasonable security safeguards, no security measure is absolute, and perfect security is technically impossible. The Organization cannot guarantee that personal data will never be subject to unauthorized access, loss, or disclosure despite reasonable precautions. Data principals acknowledge and assume this inherent risk of data processing.

 

12. CHILDREN'S DATA AND VULNERABLE PERSONS

 

12.1 Restricted Collection of Children's Data

This website and its services are not directed to individuals under the age of eighteen (18) years. The Organization does not intentionally collect personal data from children. Where data from an individual under eighteen (18) is inadvertently collected, such data will be deleted immediately upon discovery, and the parent or lawful guardian will be notified.

Should a data principal be under eighteen (18) years of age, consent to the processing of personal data must be provided by a parent or lawful guardian. The Organization will make reasonable efforts to verify that the consenting party is indeed the parent or lawful guardian before processing data of a child.

 

12.2 Vulnerable Persons

Where a data principal is a person with a disability or incapacity and is unable to provide legal consent independently, the Organization will require consent from a lawful guardian or representative authorized under applicable law. Verification of guardianship authority is required before processing proceeds.

 

13. RIGHTS OF DATA PRINCIPALS UNDER THE DPDP ACT

The DPDP Act grants the following rights to all data principals. The Organization will facilitate the exercise of these rights upon receipt of a documented request:

 

13.1 Right to Be Informed

Data principals have the right to receive clear, plain-language information about:

  • What personal data is being processed?

  • The purposes for processing

  • The legal ground for processing

  • The duration for which data will be retained.

  • The identity of the Data Fiduciary

  • The rights available to the data principal

  • The contact details for the Grievance Officer

This right is fulfilled through this Privacy Policy and the privacy notices displayed with data collection mechanisms.

 

13.2 Right to Access

A data principal may request access to all personal data held by the Organization that relates to the data principal. Upon receipt of a valid access request, the Organization will provide, within ninety (90) calendar days:

  • A copy of all personal data held.

  • Information concerning the processing activities conducted.

  • Details of any recipients with whom the data has been shared.

  • Information concerning the source of the data (if not directly provided by the data principal)

Access will be provided in a commonly used, machine-readable electronic format, free of charge (unless the request is manifestly unfounded or excessive, in which case a reasonable fee may be charged).

 

13.3 Right to Correct and Complete

A data principal may request correction of personal data that is inaccurate, incomplete, or misleading. Upon receipt of a valid correction request, the Organization will:

  • Correct the identified inaccuracies.

  • Complete, incomplete, or partial information

  • Update data that has changed since the original collection

  • Make corrections within ninety (90) calendar days and notify the data principal of actions taken.

 

13.4 Right to Erasure (Right to Be Forgotten)

A data principal may request deletion of personal data in the following circumstances:

  • The personal data is no longer necessary for the purposes for which it was collected.

  • The data principal withdraws consent and no alternative lawful ground for processing exists.

  • The data principal objects to processing and no legitimate ground for processing supersedes the objection.

  • The personal data has been unlawfully processed.

  • Erasure is necessary to comply with a legal obligation.

 

Upon receipt of a valid erasure request, the Organization will delete the personal data within thirty (30) calendar days [BJ7] unless:

  • Continued retention is permitted under another lawful ground recognized by the DPDP Act

  • Continued retention is necessary for a legal, regulatory, or compliance obligation.

  • A legal hold or litigation preservation requirement applies.

The Organization will notify the data principal of the status of the erasure request.

Limitation: Erasure may not be granted where personal data is necessary for the performance of a consulting engagement that is currently active or for which dispute resolution is pending.

 

13.5 Right to Withdraw Consent

A data principal may withdraw consent to processing at any time by submitting written notice to the Grievance Officer. Withdrawal is effective immediately. Upon withdrawal:

  • Processing of personal data must cease immediately.

  • Personal data must be deleted within thirty (30) calendar days unless another lawful ground for retention exists.

  • The data principal will be notified of actions taken in response to the withdrawal.

Withdrawal of consent does not affect the lawfulness of processing conducted prior to the withdrawal.

 

13.6 Right to Nominate a Representative

A data principal may authorize another individual to exercise the data principal's rights under the DPDP Act on their behalf. A formal nomination or power of attorney document must be provided, along with identity verification of both the data principal and the nominee.

 

13.7 Right to Lodge a Grievance

A data principal may lodge a grievance or complaint with the Organization concerning any aspect of data processing or alleged violations of the DPDP Act.

 

14. EXERCISING RIGHTS AND GRIEVANCE REDRESSAL MECHANISM

14.1 Data Subject Access Request Procedure

To exercise any of the rights described in Section 13, a data principal must submit a written request to the Grievance Officer at the contact details provided in Section 3, clearly identifying:

  • The specific right being exercised (access, correction, erasure, consent withdrawal, etc.)

  • Sufficient identifying information to locate the relevant personal data.

  • Supporting documentation if the request is submitted by a representative or guardian.

  • Preferred format for response (electronic or paper, if applicable)

 

14.2 Grievance Officer Response Timeline

The Grievance Officer will:

  • Acknowledge Receipt: Acknowledge the request within seven (7) calendar days.

  • Substantive Response: Provide a substantive response or action within ninety (90) calendar days of receipt.

  • Extension: If additional time is needed due to the complexity of the request, the data principal will be notified and provided an extension not exceeding an additional sixty (60) days

  • Denial: If a request is denied, the data principal will be provided with reasons for the denial and information concerning the right to escalate to the Data Protection Board

 

15. POLICY AMENDMENTS AND UPDATES

This Privacy Policy is subject to periodic amendment to reflect changes in applicable law, regulatory guidance, business practices, or security standards. Material amendments to this Policy will be notified to affected data principals through:

  • Prominent notice on the website home page

  • Email notification to data principals with whom the Organization has an active consulting engagement.

  • Publication of the updated policy with a clearly marked "Last Updated" date.

​

Continued use of the website or services following notification of material amendments constitutes acceptance of the amended Policy. Data principals who do not accept amendments may request deletion of their personal data and termination of any consulting relationship.

bottom of page