  020 27371290
  ho@gajananbank.com

Privacy & Policy


1. Purpose

The purpose of this policy is to maintain the privacy of and protect the personal information of employees, contractors, vendors, interns, associates, customers and business partners of Bank and ensure compliance with laws and regulations applicable (refer annexure A ‘Data Privacy Annexures’ document) to Bank.

2. Scope

This Policy applies to all Bank employees, contractors, vendors, interns, associates, customers and business partners who receive personal information from Bank, who have access to personal information collected or processed by Bank, or who provide information to Bank, regardless of geographic location. All employees of Bank are expected to support the privacy policy and principles when they collect and / or handle personal information, or are involved in the process of maintaining or disposing of personal information. This policy provides the information needed to meet the organization’s commitment towards data privacy. All partner firms and any Third Party working with or for Bank, and who have or may have access to personal information, are expected to have read, understood and complied with this policy. No Third Party may access personal information held by the organization without having first entered into a confidentiality agreement.

3. Definition

A privacy policy is a statement or legal document that discloses some or all of the ways a party gathers, uses, discloses, and manages a customer or client's data.

4. Collection of Personal Information

Personal information may be collected online or offline. Regardless of the collection method, the same privacy protection shall apply to all personal information.

  • Personal information shall not be collected unless one of the following conditions is fulfilled:
    o the data subject has provided a valid, informed and free consent;
    o processing is necessary for the performance of a contract to which the data subject is a party, or in order to take steps at the request of the data subject prior to entering into a contract;
    o processing is necessary for compliance with the organization’s legal obligation;
    o processing is necessary in order to protect the vital interests of the data subject; or
    o processing is necessary for the performance of a task carried out in the public interest.
  • Data subjects shall not be required to provide more personal information than is necessary for the provision of the product or service that data subject has requested or authorized. If any data not needed for providing a service or product is requested, such fields shall be clearly labelled as optional. Collection of personal information shall be avoided or limited when reasonably possible.
  • Personal information shall be de-identified when the purposes of data collection can be achieved without personally identifiable information, at reasonable cost.
  • When using vendors to collect personal information on the behalf of Bank, it shall ensure that the vendors comply with the privacy requirements of Bank as defined in this Policy.
  • Bank shall at minimum, annually review and monitor the information collected, the consent obtained and the notice / SoW / contract agreement identifying the purpose.
  • The project team/support function shall obtain approval from the IT Security team before adopting the new methods for collecting personal information electronically.
  • Bank shall review the privacy policies and collection methods of Third-Parties before accepting personal information from Third-Party data sources.
  • Personal information may only be used for the purposes identified in the notice / SoW / contract agreements and only if the data subject has given consent;
  • Personal information shall be retained for as long as necessary for business purposes identified in the notice / SoW / contract agreements at the time of collection or subsequently authorized by the data subjects.
  • When the use of personal information is no longer necessary for business purposes, a method shall be in place to ensure that the information is destroyed in a manner sufficient to prevent unauthorized access to that information or is de-identified in a manner sufficient to make the data non-personally identifiable.
  • Bank shall have a documented process to communicate changes in retention periods of personal information required by the business to the data subjects who are authorized to request those changes.
  • Personal information shall be erased if its storage violates any of the data protection rules or if knowledge of the data is no longer required by Bank or for the benefit of the data subject. Additionally, Bank has the right to retain personal information for legal and regulatory purposes and as per applicable data privacy laws.
  • Bank shall perform an internal audit on an annual basis to ensure that personal information collected is used, retained and disposed of in compliance with the organization’s data privacy policy.

5. Disclosure to Third Parties

Data Subject shall be informed in the privacy notice / SoW / contract agreement, if personal information shall be disclosed to Third Parties / partner firms, and it shall be disclosed only for the purposes described in the privacy notice / SoW / contract agreements and for which the data subject has provided consent.

  • Personal information of data subjects may be disclosed to the Third Parties / partner firms only for reasons consistent with the purposes identified in the notice / SoW / contract agreements or other purposes authorized by law.
  • Bank shall notify the data subjects prior to disclosing personal information to Third Parties / partner firms for purposes not previously identified in the notice / SoW / contract agreements.
  • Bank shall communicate the privacy practices, procedures and the requirements for data privacy and protection to the Third Parties / partner firms.
  • The Third Parties shall sign an NDA (Non-Disclosure Agreement) with Bank before any personal information is disclosed to the Third Parties / partner firms. The NDA shall include the terms on non-disclosure of customer information.

Security

Information security policy and procedures shall be documented and implemented to ensure reasonable security for personal information collected, stored, used, transferred and disposed of by Bank.

  • Information asset labelling and handling guidelines shall include controls specific to the storage, retention and transfer of personal information.
  • Management shall establish procedures that maintain the logical and physical security of personal information.
  • Management shall establish procedures that ensure protection of personal information against accidental disclosure due to natural disasters and environmental hazards.
  • Incident response protocols are established and maintained in order to deal with incidents concerning personal data or privacy practices.

6. Roles and Responsibilities

The owner of the Privacy Policy shall be the Privacy Officer. The Privacy Officer shall be responsible for the maintenance and accuracy of this policy. Any queries regarding the implementation of this Policy shall be directed to the Privacy Officer.

This policy shall be reviewed for updates by the Privacy Officer on an annual basis. Additionally, the privacy policy shall be updated in line with any major changes within the organization’s operating environment or on recommendations provided by internal / external auditors.

7. Policy Compliance and Review

Compliance with the privacy policy shall be reviewed on an annual basis by the Privacy Review Team to ensure continuous compliance monitoring through the implementation of compliance measurements and periodic review processes. For proactive detection of data breaches, refer to the breach management policy. In cases where non-compliance is identified, the Privacy Officer shall review the reasons for such non-compliance along with a plan for remediation and report them to the Privacy Review Team.

Depending on the conclusions of the review, a need for revision of the policy may be identified. In instances of persistent non-compliance by the individuals concerned, they shall be subject to action in accordance with the Bank Disciplinary Policy.

The Privacy Review Team shall conduct an internal audit annually (at minimum) to ensure compliance with the established privacy policies and applicable laws.

  • The internal audit shall consist of the review of the following:
    o personal information collected from data subjects;
    o the purposes of the data collection and processing;
    o the actual uses of the data;
    o disclosures made about the purposes of the collection and use of such data;
    o the existence and scope of any data subject consents to such activities;
    o any legal obligations regarding the collection and processing of such data; and
    o the scope, sufficiency, and implementation status of security measures.
  • The Privacy Review Team shall document all instances of non-compliance with privacy policies and procedures and report them to the Privacy Management Committee.
  • The Data Privacy Officer, along with the Privacy Coordinators, shall take action on the findings from the internal audit and work on the recommendations for improvement of the privacy posture.
  • Any changes made to the policies shall be communicated to all employees, stakeholders and customers / clients.

8. Amendments (Revision History)

Amendments to this policy will be published from time to time and circulated to the Bank.

Post-Implementation Policy Review: Annually

9. Document History

As per version control sheet.