The protection of personal data is important to us. GVK BIO is committed to conducting its business in accordance
with applicable data protection regulations, and in line with the industry standards of ethical conduct. This
followed by all GVK BIO entities in its processing and protection of personal data.
GVK BIO is fully committed to ensuring continued and effective implementation of this policy, and expects all GVK
BIO employees and third parties to share in this commitment.
This Policy applies to all GVK BIO entities where a data subject’s personal data is processed:
- In the context of the business activities of the GVK BIO entity.
This Policy applies to all processing of personal data either in electronic form or where it is held in manual
files that are structured in a way that allows ready access to information about individuals. Wherever the
context requires in this Policy, personal data shall be interpreted to also include sensitive personal data.
This policy has been designed to establish a worldwide baseline standard for the processing and protection of
personal data by all GVK BIO entities. All inquiries about this Policy can be directed to firstname.lastname@example.org
3.1 Privacy Organization
Data subject concerns shall be addressed and their rights related to information access; objection to processing,
automated decision-making and profiling; restriction of processing; data portability; data rectification; and
data erasure shall be upheld through an internal data protection office.
If an individual makes a request relating to any of the rights above, GVK BIO shall consider each such request in
accordance with all applicable data protection laws and regulations. No administration fee will be charged for
considering and / or complying with such a request unless the request is deemed to be unnecessary or excessive
in nature. This demonstrates our commitment to data protection and it shall enhance the effectiveness of our
3.2 Policy Dissemination & Enforcement
The management team of each GVK BIO entity must ensure that all GVK BIO employees responsible for the
Processing of Personal Data are aware of and comply with the contents of this policy.
In addition, each GVK BIO entity will make sure all third parties engaged to process personal data on their
behalf are aware of and comply with the contents of this policy. Assurance of such compliance must be obtained
from all third parties, whether companies or individuals, prior to granting them access to personal data
controlled by GVK BIO.
3.3 Compliance Monitoring
To confirm that an adequate level of compliance is being achieved by all GVK BIO entities in relation to
this policy, the Organization will carry out periodic Data Protection compliance audits for all such entities.
Each audit will, inter alia, assess:
- Compliance with Policy in relation to the protection of personal data, including:
  - The assignment of responsibilities
  - Raising awareness
  - Training of Employees
- The effectiveness of Data Protection related operational practices, including:
  - Data Subject rights
  - Personal Data transfers
  - Personal Data incident management
  - Personal Data complaints handling
- The level of understanding of Data Protection policies and Privacy Notices
- The currency of Data Protection policies and Privacy Notices
- The accuracy of Personal Data being stored
- The conformity of third party activities
- The adequacy of procedures for redressing poor compliance and personal data breaches.
4. Data Protection and Privacy Principles
GVK BIO has adopted the following principles to govern its collection, use, retention, transfer, disclosure, and
destruction of personal data.
- Purpose Limitation: Personal data shall only be collected and processed for specific,
explicit, and legitimate purposes and not further processed in a manner that is incompatible with those
- Lawfulness, Fairness, and Transparency: Personal data shall be processed lawfully, fairly,
and transparently, regardless of the source of personal data collected.
- Data minimization: Personal data shall be adequate, relevant, and limited to what is
necessary in relation to the purposes for which they are processed. No personal data shall be stored beyond
what is strictly required.
- Accuracy: Personal data shall be accurate and kept up-to-date as per the instructions of
the data subjects.
- Storage Limitation: Personal data shall be kept in a form which permits identification of
data subjects for no longer than is necessary for the purposes for which the personal data is processed.
- Integrity and confidentiality: Personal data shall be processed in a manner that ensures
its appropriate security, including protection against unauthorized or unlawful processing, and against
accidental loss, destruction, or damage.
- Accountability: GVK BIO must demonstrate that the principles outlined above are met for all
personal data for which it is responsible.
5. Data Protection and Privacy Measures
In pursuance of the above principles, GVK BIO abides by the following measures.
- Privacy by design: All data protection requirements shall be identified and addressed when
designing new systems or processes and / or when reviewing or expanding existing systems or processes.
A Data Protection Impact Assessment (DPIA) shall be conducted for all new and / or revised systems or processes.
The impact of any new technology uses on the security of personal data shall be assessed.
- Training: All employees shall be given appropriate training regarding implementation of
data protection policies of the Company.
- Data collection: Personal data may be collected from related data subjects unless the
nature of the business purpose necessitates collection of personal data from other persons. If personal data
is collected from someone other than the data subject, the data subject shall be informed of the collection.
In all cases where notices are required to be issued to the data subject, these shall be issued promptly.
- Data subject notification: GVK BIO shall, when required by applicable law, contract, or
where it considers that it is reasonably appropriate to do so, provide data subjects with information as to
the purpose of the processing of their personal data, by way of a notice, and obtain consent only where the
legal basis of processing personal data is consent.
- Data processing: GVK BIO shall use personal data for the broad purposes of general running
and administration of GVK BIO entities, to provide services to GVK BIO’s customers, and the ongoing
administration and management of customer services. GVK BIO shall process personal data in accordance with
all applicable laws and contractual obligations.
- Data retention: To ensure fair processing, personal data shall be retained only for as long
as necessary to fulfil the purposes of collection or as required by applicable laws. All personal data shall
be deleted or destroyed as soon as possible where it has been confirmed that there is no longer a need to
- Data transfer: GVK BIO entities may transfer personal data internally or to third party
recipients. In order for GVK BIO to carry out its operations across its various entities, there may be
occasions when it is necessary to transfer personal data from one entity to another, or to allow access to
the personal data from an overseas location. Each GVK BIO entity will only transfer personal data to, or
allow access by, third parties when it is assured that the information will be processed legitimately and
protected appropriately by the recipient. An approved transfer mechanism with adequate safeguards shall be
used in all such cases.
- Data access: Access to personal data shall be granted only to authorized employees. Such
access shall be suitably granted, modified, and revoked in line with the employee lifecycle and access
- Data protection: Each GVK BIO entity shall adopt physical, technical, and organizational
measures to ensure the security of personal data. Further, adequate safeguards in the form of contractual
clauses and data transfer agreements shall be included when transferring personal data across jurisdictions
or to any third party.
In all cases where GVK BIO entities are processing personal data as a data processor, the data shall be
processed only in accordance with the instructions of the data controller.
- Data quality: GVK BIO shall adopt all necessary measures to ensure that the personal data
it collects and processes is complete and accurate in the first instance, and is updated to reflect the
current situation of the data subject as notified by such subject.
- Breach reporting: Any individual who suspects that a personal data breach has occurred due
to the theft or exposure of personal data shall immediately notify the internal Privacy Organization on email@example.com. The Privacy Organization shall
record and investigate all reported incidents to confirm whether or not a personal data breach has occurred.
If confirmed, the Privacy Organization shall follow the procedures prescribed in the Personal Data Breach
Management Guideline based on the criticality and quantity of the personal data involved, to notify the
relevant supervising authority and the affected data subjects within prescribed timelines.
- External privacy notices: Each external website provided by a GVK BIO entity shall include
an online ‘Privacy Notice’ and an online ‘Cookie Notice’ fulfilling the requirements of applicable law. All
privacy and cookie notices must be approved by the Privacy Organization prior to publication on any GVK BIO
- Law Enforcement Requests and Disclosures: If any GVK BIO entity receives a request from a
court or any regulatory or law enforcement authority for information relating to a GVK BIO contact, the data
subject shall be immediately notified.
- Complaint handling: Data Subjects with a complaint about the processing of their personal
data should put forward the matter in writing to the Privacy Organization. An investigation of the
complaint shall be carried out to the extent that is appropriate based on the merits of the specific case.
The Privacy Organization shall inform the data subject of the progress and the outcome of the complaint
within a reasonable period. If the issue cannot be resolved through consultation between the data subject
and the Privacy Organization, the data subject may then, at their option, seek redress through mediation,
binding arbitration, litigation, or via complaint to the Data Protection Authority within the applicable
6. Publication Policy
This policy shall be available to all GVK BIO employees through GVK BIO’s policy portal (intranet.gvkbio.com) or via alternative means as deemed appropriate by the Privacy
GVK BIO reserves the right to update this Policy at any time. Any updates shall be made available via means
deemed appropriate, in most cases through an email and / or publication on GVK BIO’s website and intranet
||GVK Biosciences Private Limited, its subsidiaries.
||An organization that handles personal data and makes decisions
about its use is known as a data controller.
||An individual or organization that processes data on behalf of the
data controller. Although they are often third-party providers, a data controller can also be a data
|Data Protection Impact Assessment (DPIA)
||An analysis of how information is handled: (i) to ensure handling
conforms to applicable legal, regulatory and policy requirements regarding privacy; (ii) to
determine the risks and effects of collecting, maintaining and disseminating information in
identifiable form in an electronic information system, and (iii) to examine and evaluate protections
and alternative processes for handling information to mitigate potential privacy risks.
||The individual about whom information is being processed.
||A statement made to a data subject that describes how the
organization collects, uses, retains and discloses Personal Data.
||Any operation or set of operations which is performed on personal
data, such as collecting; recording; organizing; storing; adapting or altering; retrieving;
consulting; using; disclosing by transmission, dissemination or otherwise making the data available;
aligning or combining data, or blocking, erasing or destroying data. Not limited to automatic means.
||Any information relating to a natural person, which could be used
for identifying such person, in particular by reference to a name, an identification number, location
data, an online identifier or to one or more factors specific to their physical, physiological,
genetic, mental, economic, cultural or social identity.
|Sensitive Personal Data
||Such Personal Data which consists of information revealing the
Data Subject’s medical, financial, racial or ethnic origin, political opinions, religious or
philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data
for the purpose of uniquely identifying a natural person, data concerning health or data concerning
a natural person’s sex life or sexual orientation.