The Key Principles that form the foundation of the commitment to maintain Privacy and Confidentiality are as follows:
I. Transparency: Organization needs to be transparent about the collection and use of PII and Customer Data. Units that collect PII and Customer Data must disclose to individuals and customers how PII and Customer Data will be collected, used and shared. They must collect, use, and share PII and Customer Data in accordance with their disclosures and with applicable laws and regulations. Disclosures must be clear, visible and easily accessible, and available or provided before or at the time of collection of the PII and Customer Data, or as soon after the collection as feasible.
II. Purpose Limitation: Organization should only use PII and Customer Data for the purpose it was collected and disclosed and for purposes that are compatible with the specified and disclosed purposes; also complying with legal and/or regulatory obligations.
III. Proportionality: Organization should limit the collection and the use of PII and Customer Data to that which is required for the purpose disclosed or as is reasonably necessary or appropriate to provide products and services. It must only share PII and Customer Data with affiliates, Third Parties and other parties to the extent necessary for the fulfilment of the specified or permissible compatible purposes or for compliance with legal and/or regulatory obligations and as permitted by applicable laws and regulations.
V. Accuracy: Organization should maintain PII and Customer Data that is complete, accurate, and up-to-date for which it has a shared responsibility with customers. Where provided by applicable laws and regulations, customers can review the accuracy of their data held by the organization and have it corrected, amended, or made complete. Where necessary to comply with data quality standards as set forth, it must update PII and Customer Data in a timely manner, when reliably informed about changes.
VI. Participation: Organization should allow customers to participate in the management of their PII where legally required. It must honor customer communication preferences, access requests and correction requests to the extent provided by law or regulation. Where provided by applicable laws and regulations, individuals upon proper authorization may review the accuracy of their PII and where appropriate or legally required, request to have it corrected, completed or amended. Customers may request not to receive marketing material or solicitations and to receive marketing communications via their preferred channels (e.g., email, phone, text messages, etc.) to the extent feasible and in accordance with applicable laws and regulations. Organization must comply promptly with marketing opt-out requests in consultation with Legal, Compliance and/or regulatory authorities as required.
VII. Confidentiality: Organization should maintain confidentiality of PII and Customer Data. It must take appropriate measures, commensurate with the risk of loss or unauthorized disclosure, to keep PII and Customer Data confidential. It may share PII and Customer Data as necessary, with the consent of and/or disclosure to the individual or customer, or where it is required to fulfil legal and/or regulatory obligations, to address complaints, conduct investigations and otherwise as permitted by applicable laws and regulations. Additionally, it must take appropriate steps to ensure that Third Parties that receive or collect PII or Customer Data or use it on its behalf maintain the confidentiality of the PII and Customer Data.
VIII. Retention: Organization must keep PII and Customer Data for only as long as required and permitted. It must implement procedures to keep PII and Customer Data for only as long as required in accordance with the Records Retention Schedule. It must proactively and securely delete or De-Identify PII and Customer Data that is no longer required.
IX. Data Transfers: Organization must comply with applicable laws and regulations when transferring PII and Customer Data to other legal entities or third parties. It is responsible for identifying instances where PII or Customer Data will be transferred to or accessed by other legal entities or third parties. It must ensure compliance with applicable laws and regulations before making such transfer or allowing such access. It must validate that all controls and documentation, as well as regulatory notifications or approvals for the transfer or access of PII and Customer Data, are in place prior to the transfer or access of PII and Customer Data across jurisdictions, as required by applicable laws and regulations.
X. Accountability: Organization must be committed to fostering and maintaining a culture of Privacy and Confidentiality compliance and controls. On a periodic basis, it must review and monitor the effectiveness of its measures to confirm compliance with this Policy and Privacy laws and regulations. It must assess and mitigate privacy risks at all stages of relevant processes and activities. It must have processes and systems in place enabling it to evidence compliance with the Policy and applicable laws and regulations.