DPDP Consultants (“DPDP Consultants,” “we,” “us,” or “our”) respects and understands the importance of your privacy – and is therefore committed to affording complete protection of your personal information. It is in recognition of this need for security, our commitment to the DPDP Act 2023, and secured management of any information received/collected by us that DPDP Consultants has established this Privacy Notice.
This Privacy Notice (“Privacy Notice”) explains how we collect, use, protect, and disclose your personal information when you use the DPDP Consultants websites (the “Websites”) and/or DPDP Consultants products, solutions and services (collectively with the Websites, the “Services”). This Privacy Notice also explains how you can manage your information preferences.
This Privacy Notice applies to our websites – (www.dpdpconsultants.com), products & solutions and our marketing practices. We ensure total transparency in all our interactions with data principals. Data Privacy is important to us, and we strive to be transparent in our data collection and use practices.
Please note that this website is not designed for children under the age of 18, and we do not intentionally gather information about minors.
DPDP Consultants is dedicated to ensuring the security of your personal data through:
The following table outlines the categories of personal data we collect, the types of information captured under each category, the purposes for processing, and the corresponding legal basis.
| Sr. No. | Category of Personal Data | Types of personal information collected by category | Purpose | Legal Basis |
|---|---|---|---|---|
| 1 | Personal Information from Website Visitors | Name, email, phone number (via "Contact Us" forms or job applications) | To respond to inquiries, process job applications, or provide requested information | Consent (Section 6 of DPDPA) |
| 2 | Support and Maintenance Information | Name, email, phone number, payment details, eligibility information | To provide support and maintain products or services | Legitimate use (Section 7 of DPDPA) |
| 3 | Usage Information (Online Products & Applications) | IP address, device type, browser details, search terms | For website functionality, analytics, and service improvements | Legitimate use, Consent (Section 6 and 7 of DPDPA) |
| 4 | Marketing Campaign Emails | Email activity data (email opened, links clicked) | To improve marketing strategies and engagement | Consent (Section 6 of DPDPA) |
| 5 | Social Media Interactions | Information about interactions with buttons or tools, browser data | To understand user engagement and improve user experience | Legitimate use (Section 7 of DPDPA) |
| 6 | Job Applications | Resume data, contact details | To process job applications | Consent (Section 6 of DPDPA) |
| 7 | Hosted Services (Third-party Service Providers) | Data processed by technology services (e.g., web hosting, analytics) | To provide technology services and maintain product offerings | Legitimate use (Section 7 of DPDPA) |
| 8 | Legal Obligations | PI required by court orders or legal processes | Legal compliance | Legitimate use (Section 7 of DPDPA) |
| 9 | Mergers and Acquisitions | Customer PI (if transferred) | Continuity of service during company mergers or acquisitions | Legitimate use (Section 7 of DPDPA) |
DPDP Consultants retains personal data only for as long as necessary. Our records management and retention policies ensure timely deletion of data based on the following criteria:
Data may be retained to fulfil legal and contractual obligations where applicable.
Information and data files are stored on our servers and the servers of companies we hire to provide services to us. We use AWS Cloud, infrastructure to store such data, and the data is stored with strict security measures. We do not share, sell, or lease any kind of information collected to any third parties.
We understand that the security of your information is vital and have in place strong administrative, technical, and physical security controls and measures to keep data safe and secure. Our privacy practices are designed to provide protection for your personal information, all over the world. To protect information stored in our servers, through Amazon Web Service infrastructure at various locations like the US, Australia, and India, access is limited (through user/password credentials and two-factor authentication) to those employees who require it to perform their job functions. We use industry-standard Secure Socket Layer (SSL) encryption technology to safeguard the account registration process and sign-up information. Other security safeguards include but are not limited to multifactor authentication, data encryption, firewalls, and physical access controls to buildings and files We would like to caution our visitors about phishing attacks, wherein unscrupulous third parties seek to extract sensitive and confidential information from you by posing as a genuine website or by sending an email misrepresenting it to be from a genuine source. Please be aware that we never seek sensitive or confidential information such as regarding your financial or health record through emails or through our websites. If you receive such a message claiming to be from DPPD Consultants, then please do not reply to it and immediately bring it to our attention by contacting us at dpo@dpdpconsultants.com. DPDP Consultants also recognizes the receipt, transmission, or distribution of spam emails (unsolicited bulk emails) as a major concern and has taken reasonable measures, to minimize the transmission and effect of spam emails in its computing environment.
In some cases, and at our discretion this information may be accessed by respective organizations to correct any mistake in that information, and to delete any information we no longer have business reasons for retaining. You can do this by sending us an email. DPDP Consultants strives to comply with all applicable laws around the globe that are designed to protect your privacy and information, no matter where that information is collected, transferred, or retained. Although legal requirements may vary from country to country, we intend to adhere to the principles set forth in this Privacy Notice even if information is transferred from your country to other countries that may not require an adequate level of protection for your information.
DPDP Consultants does not transfer personal data outside India. We ensure that all data collected and processed remains within the country's jurisdiction, in compliance with the provisions of the Digital Personal Data Protection Act, 2023, while maintaining stringent security measures to protect your information.
Under certain circumstances, by law, you have the right to:
You may request the correction of inaccurate or incomplete personal data held by us, ensuring it remains accurate and current. Please inform us if your personal data changes during your association with us.
You can request the deletion of personal data where you believe there are no lawful grounds for its continued processing.
Requests for access to or copies of your personal data must be submitted in writing. We will endeavour to respond within a reasonable timeframe, typically within one month, in compliance with Data Protection Legislation. This information will be provided free of charge unless the request is manifestly unfounded or excessive.
You may nominate an individual who, in the event of your death or incapacity, can exercise your data rights on your behalf.
You have the right to access grievance redressal mechanisms provided by data fiduciaries or consent managers, ensuring prompt responses within specified timeframes. If your grievance remains unresolved after exhausting these mechanisms, you have the right to file a complaint with the Data Protection Board.
To ensure your privacy and security, we may take reasonable measures to confirm your identity before processing any request. For inquiries or to exercise your rights, please contact us at dpo@dpdpconsultants.com.
If your personal data is being processed based on consent, you have the right to withdraw it at any time by reaching out to dpo@dpdpconsultants.com. However, this will not impact our ability to process data collected before the withdrawal or continue certain processing activities on lawful grounds other than consent.
If you feel that your data privacy rights have been compromised despite our efforts, we encourage you to approach DPDP Consultants first to resolve the issue. You may also choose to file a complaint with the relevant Data Protection Board or pursue legal action in a competent court within your country of residence, workplace, or where the alleged violation took place.
To request data erasure, rectification, or access as a job applicant, please contact us directly. For any other rights, feel free to reach out using the contact information provided.
We’re constantly trying to improve our Websites and Services, so we may need to change this Privacy Notice from time to time as well. We will inform you regarding material changes, for example, placing a notice on our websites when we are required to do so by applicable law. You can see when this Privacy Notice was last updated by checking the date at the top of this page. You are responsible for periodically reviewing this Privacy Notice.
You may contact the Data Protection Board of India if you have any concerns about how DPDP Consultants has handled your personal data and you also have the right to make a complaint at any time to the Data Protection board of India, the Indian enforcement authority for data protection issues if DPDP Consultants has not been able to provide reasonable and timely resolution to your request or grievances.
If we decide to change our Privacy Notice, we will post those changes on this page, so our users are always aware of the information we collect and how we use it. If at any point we decide to use personally identifiable information in a manner different from that stated at the time it was collected, we will notify users by way of an email. Users will have a choice as to whether we use their information in this different manner. We will use information in accordance with the Privacy Notice under which the information was collected. Where links are provided to other websites it should be noted that they are not and cannot be governed by our Privacy Notice. We cannot guarantee your privacy when you access other websites through any link provided on this website.
The following definitions of terms used in this document are drawn from Section 2 of Digital Personal Data Protection Act, 2023, (DPDPA-2023) enacted by Parliament of the Republic of India on,11th August 2023 to provide protection and security with regard to the processing of individuals digital personal data.
Digital Personal Data: As defined under Section 2 (n) Any information relating to an identified or identifiable natural person ("Data Principal") who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, financial information, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person collected in digital form or in non-digital form and digitised subsequently within territory of India.
Data Fiduciary: As defined under Section 2 (i) The natural or legal person, public authority, agency or any other body, which alone or jointly with others, determines the purposes and means of the processing of personal data.
Data Principal: As defines under Section 2 (j) the individual to whom the personal data relates and where such individual is— (i) a child, includes the parents or lawful guardian of such a child; (ii) a person with disability, includes her lawful guardian, acting on her behalf.
Significant Data Fiduciary: As per Section 2 (z) Significant Data Fiduciary means any natural or legal person, public authority, agency or any other body, as may be notified by the Central Government under Section 10 on the basis of an assessment determining volume, sensitivity of personal data processed, risk to the rights of Data Principal, risk to electoral democracy, security of the state, impact on the sovereignty and integrity of India and public order.
Obligations of Significant Data Fiduciary: As stated under Section10 sub-section (2) of the DPDP Act 2023 the Significant Data Fiduciary shall have additional obligations for processing of the Digital Personal Data as mentioned-
The Significant Data Fiduciary shall—
(a) Appoint a Data Protection Officer who shall will (i) represent the Significant Data Fiduciary under the provisions of the Digital Personal Data Protection Act; (ii) be based in India; (iii) be an individual responsible to the Board of Directors or similar governing body of the Significant Data Fiduciary; (iv) Shall be the point of contact for the grievance redressal mechanism under the provisions of the Digital Personal Data Protection Act, 2023.
(b) Appoint an independent data auditor to carry out data audit, who shall evaluate the compliance of the Significant Data Fiduciary in accordance with the provisions of the Digital Personal Data Protection Act, 2023.
(c) Undertake the following other measures, namely:
(i) Periodic Data Protection Impact Assessment, which shall be a process comprising a description of the rights of Data Principals and the purpose of processing of their personal data, assessment and management of the risk to the rights of the Data Principals, and such other matters regarding such process as may be prescribed.
(ii) Conduct Periodic audit.
(iii) Shall apply and use other measures, consistent with the provisions of the Digital Personal Data Protection Act, as may prescribed.
Data Processor: Section 2 (k) defines data processor as a natural or legal person, public authority, agency or any other body which processes personal data on behalf of a Data Fiduciary.
Processing: As defined under Section 2 (x) any wholly or partly automated operation or set of operations which is performed on digital personal data or on sets of personal data, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, use, indexing, sharing, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of the data.
Automated: This term is defined under Section 2 (b) automated means any digital process capable of operating automatically in response to instructions given or otherwise for the purpose of processing data.
Data: This term is defined under Section 2(h) as representation of information, facts, concepts, opinions or instructions in a manner suitable for communication, interpretation or processing by human beings or by automated means.
Digital Office: As defined under Section (m) an office that adopts an online mechanism wherein the proceedings, from receipt of intimation or complaint or reference or directions or appeal, as the case may be, to the disposal thereof, are conducted in online or digital mode.
Person: As stated under Section 2(s)- “person” includes (i) an individual; (ii) a Hindu undivided family; (iii) a company; (iv) a firm; (v) an association of persons or a body of individuals, whether incorporated or not; (vi) the State; and (vii) every artificial juristic person, not falling within any of the preceding sub-clauses.
Child: As defined under Section 2 (f) an individual who has not completed the age of eighteen years as prescribed by law.
Member: As defined under Section 2 (q) a member of the data protection board and this includes the chairperson.
Proceeding: As defined under Section 2 (w) any action taken by the board under the provisions of Digital Personal Data Protection Act.
Specified Purpose: As defined under Section 2 (za) specified purpose means the purpose mentioned in the notice given by the Data Fiduciary to the Data Principal in accordance with the provisions of this Act and the rules made thereunder.
Notification: As defined under Section 2 (r) notification published in the Official Gazette and the expressions “notify” and “notified” shall be construed accordingly.
Legitimate Uses: As defined under Section 7 of the Digital Personal Data Protection Act, a data fiduciary may process personal data for any of the following uses:
(a) Data Fiduciary for the specified purpose for which the Data Principal has voluntarily provided personal data, and in respect of which data principal has not indicated to the Data Fiduciary that data principal does not consent to the use of her personal data.
(b) For the State and any of its instrumentalities to provide or issue to the Data Principal such subsidy, benefit, service, certificate, licence or permit as may be prescribed, (i) Data Principal has previously consented to the processing of personal data by the State or any of its instrumentalities for any subsidy, benefit, service, certificate, licence or permit. (ii) Personal data is available in digital form in, or in non-digital form and digitised subsequently from, any database, register, book or other document which is maintained by the State or any of its instrumentalities and is notified by the Central Government, subject to standards followed for processing being in accordance with the policy issued by the Central Government or any law for the time being in force for governance of personal data.
(c) For the performance by the State or any of its instrumentalities of any function under any law for the time being in force in India or in the interest of sovereignty and integrity of India or security of the State.
(d) For fulfilling any obligation under any law for the time being in force in India on any person to disclose any information to the State or any of its instrumentalities, subject to such processing being in accordance with the provisions regarding disclosure of such information in any other law for the time being in force.
(e) For compliance with any judgment or decree or order issued under any law for the time being in force in India, or any judgment or order relating to claims of a contractual or civil nature under any law for the time being in force outside India.
(f) For responding to a medical emergency involving a threat to the life or immediate threat to the health of the Data Principal or any other individual.
(g) For taking measures to provide medical treatment or health services to any individual during an epidemic, outbreak of disease, or any other threat to public health.
(h) For taking measures to ensure safety of, or provide assistance or services to, any individual during any disaster, or any breakdown of public order.
Anonymization: Irreversibly de-identifying personal data such that the person cannot be identified by using reasonable time, cost, and technology either by the Data Fiduciary or by any other person to identify that individual. The personal data processing principles do not apply to anonymized data as it is no longer personal data.
Pseudonymization: The processing of personal data in such a manner that the personal data can no longer be attributed to a specific data principal without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person. Pseudonymization reduces, but does not eliminate, the ability to link personal data to a data principal. Because pseudonymized data is still personal data, the processing of pseudonymized data should comply with the Personal Data Processing principles.
Personal Data Transfer Outside India: Processing of personal data globally is required as per the nature of business; Data Principals personal data will be shared internationally among our group companies. agents, contractors, and partners to carry out the services prescribed in this policy. Whenever company transfer Data Principals personal data globally, we adhere to the specific requirements mentioned under Section 16 sub-section (1) the Central Government may, by notification, restrict the transfer of personal data by Data Fiduciary for processing to such country or territory outside India as may be so notified. This ensures that the recipient country provides an adequate level of data protection.
Data Protection Board of India: The data protection board with the discretion of Central Government shall be established pursuant to Section 18 of the Indian Digital Personal Data Protection Act. The data protection board shall have the primary responsibility for dealing with personal data breaches for example when a data principal makes a complaint or to exercise rights under the Act about the processing of his or her personal data; data protection board is responsible to inquire such breach, to direct any urgent remedial or mitigation measures in the event of a personal data breach and impose penalty as provided in the respective Act. Personal Data Breach: As per the Digital Personal Data Protection Section 2 (u) any unauthorised processing of personal data or accidental disclosure, acquisition, sharing, use, alteration, destruction or loss of access to personal data, that compromises the confidentiality, integrity or availability of personal data.
Consent Manager: As defined under Section 2 (g) The consent manager is a person who registers with the Data Protection Board of India and facilitate effective and efficient consent management. Consent manager acts as a single point of contact to enable a Data Principal to give, manage, review, and withdraw her consent through an accessible, transparent and interoperable platform.