Digital Personal Data Protection (DPDP) Act Compliance Policy

DevLabs Alliance Pvt. Ltd.
(DevLabs Technology is a technology arm of DevLabs Alliance)

1. Introduction

The Digital Personal Data Protection Act, 2023 (DPDP Act) is India's landmark legislation that governs the processing of digital personal data to safeguard individuals' privacy while balancing lawful data usage for legitimate purposes. This Policy outlines the principles, procedures, roles, and responsibilities adopted by DevLabs Alliance Pvt. Ltd. (hereinafter referred to as "the Company") to ensure compliance with the DPDP Act, 2023, applicable rules, and internationally recognized data protection standards.

2. Objective

This Policy aims to:

• Ensure lawful, fair, and transparent processing of digital personal data.
• Protect the rights of individuals (Data Principals).
• Implement robust measures for data privacy, security, accountability, and redressal.
• Demonstrate compliance with the DPDP Act, 2023, and related statutory requirements.

3. Scope

This Policy applies to:

• All employees, contractors, consultants, interns, and third-party vendors who process personal data on behalf of the Company.
• All digital personal data collected, stored, transmitted, or otherwise processed by the Company.
• All data processing activities conducted within or related to Indian data subjects, regardless of the location of the data processor.

4. Definitions

For the purpose of this Policy, the terms used shall have the meanings assigned under the DPDP Act, 2023:

• Personal Data: Any data about an individual who is identifiable by or in relation to such data.
• Data Principal: The individual to whom the personal data relates.
• Data Fiduciary: Any person, company, or entity that determines the purpose and means of processing personal data.
• Processing: Any automated or manual operation performed on personal data, including collection, storage, usage, disclosure, or erasure.
• Consent: A freely given, specific, informed, unambiguous, and affirmative indication of the Data Principal's agreement to process personal data.
• Significant Data Fiduciary: As designated by the Central Government based on factors like volume of data processed, risk of harm, and impact on sovereignty.

5. Principles of Data Processing

The Company adheres to the following data protection principles:

• Lawful and Fair Processing: Personal data shall be processed lawfully and with the informed consent of the Data Principal.
• Purpose Limitation: Data shall be collected for specific, clear, and lawful purposes and not further processed in a manner incompatible with those purposes.
• Data Minimization: Only the minimum data necessary for the stated purpose shall be collected and processed.
• Accuracy: Reasonable steps shall be taken to ensure data is accurate and up-to-date.
• Storage Limitation: Data shall be retained only as long as necessary for the purposes for which it was collected.
• Security Safeguards: Appropriate technical and organizational measures shall be in place to prevent unauthorized access, alteration, or disclosure.
• Accountability: The Company shall demonstrate compliance with applicable data protection obligations.

6. Legal and Regulatory Compliance

The Company complies with the following legal provisions:

Under the Digital Personal Data Protection Act, 2023 (DPDP Act):

• Section 4 & 6 mandate that personal data must be processed lawfully with valid consent and clear notice to the Data Principal (individual).
• Section 7 provides for deemed consent under specific circumstances such as medical emergencies, legal requirements, or public interest functions.
• Section 8 outlines core obligations of Data Fiduciaries, including ensuring data accuracy, purpose limitation, implementing technical safeguards, and ensuring timely data deletion.
• Section 14 requires Data Fiduciaries to establish a grievance redressal mechanism for users to raise concerns regarding data processing.
• Sections 15 & 16 focus on mandatory breach reporting and impose penalties for non-compliance.
• Punishment: Financial penalties under the Act may extend up to ₹250 crore for serious violations like failure to protect personal data, improper processing, or breach notification delays.

Under the Information Technology Act, 2000:

• Section 43A holds a corporate body liable if it fails to implement reasonable security practices and procedures while handling sensitive personal data. Punishment: Compensation up to ₹5 crore may be awarded to the affected individuals for negligence in safeguarding personal data.
• Section 72A penalizes any person who, in breach of a lawful contract, discloses personal information obtained while providing services. Punishment: Imprisonment up to 3 years, and/or fine up to ₹5 lakh.

7. Data Breach Response

In the event of a data breach:

• An internal assessment will be initiated immediately to ascertain scope, impact, and risks.
• Incidents shall be reported to the internal authority and escalated without delay.
• Corrective measures will be implemented to prevent recurrence.
• If the breach is likely to cause harm, affected Data Principals and the Data Protection Board of India will be notified promptly, in accordance with the DPDP Act.

8. Appointment of Data Protection Officer (DPO)

Where mandated (e.g., designation as a Significant Data Fiduciary), the Company shall appoint a Data Protection Officer who will:

• Act as the Company's liaison with the Data Protection Board of India.
• Monitor and enforce data protection compliance across departments.
• Address grievances raised by Data Principals regarding their personal data.

9. Grievance Redressal Mechanism

Data Principals may file complaints regarding:

• Inaccurate data: Complaints related to the processing or retention of incorrect or outdated personal data, which may result in harm or misrepresentation.
• Refusal to correct or delete data: Instances where the Company fails to act on legitimate requests for correction or deletion of personal data as per the rights of the Data Principal.
• Consent withdrawal issues: Concerns arising from the Company's failure to honour a Data Principal's withdrawal of consent, leading to continued or unauthorized processing of personal data.
• Breach of privacy rights: Any act or omission by the Company that results in a violation of the Data Principal's privacy rights, including unauthorized access, sharing, or misuse of personal data.

Grievances can be submitted via email to grivience@devlabsalliance.com and must include contact details and a brief description of the issue. All grievances will be addressed within 30 working days. If unresolved, complaints may be escalated to the Data Protection Board of India.

10. Engagement with Third-Party Data Processors

The Company may engage third-party processors to handle personal data on its behalf, under the following conditions:

• A written agreement outlining responsibilities and compliance with this Policy.
• Prior due diligence of the third party's privacy and security practices.
• Periodic audits to ensure ongoing compliance.
• Cross-border data transfers will comply with the rules under the DPDP Act and government guidelines.

11. Training and Awareness

• All employees shall undergo mandatory data protection training upon joining.
• Regular refresher sessions and awareness campaigns shall be held.
• Contractors, interns, and third-party vendors may also be required to participate in orientation on data privacy obligations.
• Training records shall be maintained for audit and compliance purposes.

12. Penalties for Non-Compliance

Non-compliance with this Policy or the DPDP Act may lead to the following consequences:

Penalties under DPDP Act, 2023:

• Up to ₹250 crore for failure to take reasonable security safeguards.
• Up to ₹200 crore for breach of Data Principal's rights.
• Up to ₹50 crore for failure to report data breaches.

Internal Disciplinary Action:

• Suspension, warning, or termination of employment or contract.
• Legal proceedings in case of gross misconduct or willful violation.

13. Frequently Asked Questions (FAQ)

Q1: What is considered personal data under the DPDP Act?

A: Any digital information that identifies or relates to an individual, such as name, email, IP address, biometric data, etc.

Q2: Can I withdraw my consent once given?

A: Yes, consent can be withdrawn at any time by the Data Principal, and processing must stop unless covered under deemed consent or legal obligation.

Q3: What should I do if I suspect a data breach?

A: Immediately notify the internal IT/security team or the Data Protection Officer.

Q4: What are my rights as a Data Principal?

A: Right to access, correct, delete data, and grievance redressal.

Q5: Who do I contact for privacy-related concerns?

A: Reach out to our Grievance Officer at grivience@devlabsalliance.com.

14. Review and Amendments

This Policy will be reviewed annually or as required due to changes in law or business operations. Amendments will be communicated to all stakeholders accordingly.

Contact Information

Grievance Officer

• Email Address: grivience@devlabsalliance.com
• Company Address: 946 A&B Unit, 9th floor, JMD Megapolis, Sohna Road, Gurugram, Haryana - 122018