Corporate Privacy Policy
1. Introduction
Firstsource Solutions Limited (“FSL”, “us”, “we”) is a business process management company providing services in the banking and financial services, customer services, telecom and media, and healthcare sectors.
FSL is committed to ensuring that personal data is collected and processed fairly, lawfully, and in a transparent manner as per the requirements of applicable privacy legislations.
Personal data is any information (including opinions and intentions) which relates to an identified or identifiable natural person.
This Privacy Policy (hereinafter referred to as “Policy”) sets forth the general principles which underlie FSL’s specific practices for collecting, using, disclosing, storing, retaining, disposing, accessing, transferring, or otherwise processing personal data.
2. Purpose
This Policy sets forth the expected behaviors of FSL personnel and third parties in relation to the collection, use, disclosure, storage, retention, disposal, access, transfer, and any other processing of personal data.
FSL’s leadership is fully committed to ensuring continued and effective implementation of this Policy and expects all FSL employees and third parties to share in this commitment. Any breach of this Policy will be taken seriously and may result in disciplinary action.
3. Scope
This Policy covers the processing of personal data of employees (including current and past employees, full-time, and part-time employees, on contract personnel, consultants, interns, and other such individuals), clients, suppliers, business partners, and other identifiable individuals by an FSL entity on behalf of an FSL entity, as applicable.
Where FSL processes personal data on behalf of its clients, FSL shall follow appropriate policies and practices agreed with its clients for the safe handling of personal data.
This Policy is applicable to all employees of FSL, subsidiaries, and joint ventures where FSL has a controlling interest, as well as business partners who process personal data on FSL’s behalf.
This Policy covers processing of personal data in electronic form (including but not limited to electronic mail and documents created with word processing software) or where it is held in manual files that are structured in a way that allows ready access to information about individuals.
Any processing of personal data by an FSL entity will be governed by the applicable privacy regulation/s. If certain regions have specific regulatory requirements, those requirements will take precedence over this Policy.
In case of conflict between this Policy and the Data Protection Policy and Procedure, the stricter of the two shall prevail.
(Please refer to Appendix 1 – Data protection legislation considered.) Country and industry-specific laws and regulations shall take precedence over this Policy.
[1] The documents pertaining to specific requirements in the USA are referenced in Appendix 5.
4. Definition of Key Terms
Below is a brief description of key terms that regularly come into play with Data Protection:
Term | Definition |
---|---|
Anonymization/Dissociation | Data amended in such a way that no individual can be identified from the data (whether directly or indirectly) by any means. As per Mexico’s Federal Data Privacy Law (FDPL), dissociation is the procedure by which personal data cannot be associated with the owner or allow, due to its structure, content or degree of disaggregation, its identification |
Biometric Data | Personal Data resulting from specific technical processing relating to the physical, physiological, or behavioral characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data. |
Blocking[1] | The identification and conservation of personal data once the purpose for which they were collected has been fulfilled, with the sole purpose of determining possible responsibilities in relation to their treatment, until the legal or contractual prescription period of these. During said period, personal data may not be processed and after this, it will be cancelled in the corresponding database. |
Consent | Any freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. As per Mexico’s FDPL, expression of the will of the data owner by which data processing is enabled. Further, tacit/implied consent is valid for processing personal data. |
Database[2] | The ordered set of personal data referring to an identified or identifiable person. |
Data Controller/Personal Information Controller/Entity Responsible/Data Fiduciary[3] | This means a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any Personal Data are or are to be processed. As per the United Kingdom’s Data Protection Act, 2012 (DPA), any person on whom the obligation to process personal data is imposed by an enactment, for purposes and by means required by the enactment will also be considered as a data controller. As per Mexico’s FDPL, person responsible means physical or legal person of a private nature who decides on the processing of personal data. As per Philippines DPA, 2012, Personal information controller refers to a person or organization who controls the collection, holding, processing or use of personal information, including a person or organization who instructs another person or organization to collect, hold, process, use, transfer or disclose personal information on his or her behalf. As per Digital Personal Data Protection Act 2023, a data fiduciary means any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data. |
Data Processing Agreement | A legally binding contract that states the rights and obligations of each party concerning the protection of personal data. |
Data Processor/ Personal Information Processor/ Processor[4] | In relation to personal data, means any person who processes the data on behalf of the data controller. For clients, Firstsource is a data processor, and we will only process data under the instruction of the client who will be the data controller. As per Philippines’ DPA 2012, Personal information processor refers to any natural or juridical person qualified to act as such under this Act to whom a personal information controller may outsource the processing of personal data pertaining to a data subject. |
Data Protection | The process of safeguarding personal data from unauthorized or unlawful disclosure, access, alteration, processing, transfer, or destruction. |
Data Protection Authority | An independent public authority responsible for monitoring the application of the relevant data protection regulation set forth in national law. |
Data Subject/Individual/Data Owner/Data Principal[5] | A natural person (living individual) whose Personal Data is processed by a data controller or processor. As per Digital Personal Data Protection Act 2023, Data Principal means the individual to whom the personal data relates and where such individual is— (i) a child, includes the parents or lawful guardian of such a child; (ii) a person with disability, includes her lawful guardian, acting on her behalf. |
Encryption | The process of converting information or data into code, to prevent unauthorized access. |
Non-Adequate Country | Non-Adequate Country means a country that under the applicable law is deemed not to provide an “adequate” level of data protection. |
Personal Data/ Personal Information[6] | Any information relating to an identified or identifiable natural person (‘Data Subject’); an identifiable natural person is one who can be identified directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person. |
Personal Data Breach | A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed. |
Privileged Information[7] | Privileged information refers to any and all forms of data which under the Rules of Court and other pertinent laws constitute privileged communication. |
Process/Treatment, Processed, Processing | The term “Processing of Personal Data” refers to any operation or set of operations which is performed on Personal Data or on sets of personal data, whether or not by automated means, such as the collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction. As per Mexico’s FDPL, treatment means obtaining, using, disclosing, or storing personal data, by any means. The use covers any action of access, management, use, transfer, or disposal of personal data. |
Profiling | Any form of automated processing of personal data where personal data is used to evaluate specific or general characteristics relating to an identifiable natural person to analyze or predict certain aspects concerning the natural person’s performance at work, economic situations, health, personal preferences, interests, reliability, behavior, location, or movement. |
Pseudonymization | Data amended in such a way that no individual can be identified from the data (whether directly or indirectly) without a “key” that allows the data to be re-identified. |
Special Categories of Personal Data / Sensitive Personal Data[8] | Personal Data revealing a Data Subject’s racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership or the processing of genetic data, biometric data for the purposes of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation. As per Philippines’ Data Privacy Act, 2012, apart from the above, the following data sets also fall within the definition of sensitive data: 1. Age 2. Color 3. Education 4. Committed or alleged offence, and any proceedings related to it 5. Documents issued by government agencies such as Social Security Number, Tax Identification number etc. 6. Specifically established by an executive order or an act of Congress to be kept classified |
Standard Contractual Clauses (SCCs) | Standard contractual clauses (SCCs) are standardized and pre-approved model data protection clauses that serve as a tool for entities to comply with the requirements of the EU GDPR for transferring personal data to countries outside of the EEA (to non-adequate countries). |
International Data Transfer Agreement (IDTA)/IDTA Addendum | IDTAs are standardized and pre-approved model data protection clauses that serve as a tool for entities to comply with the requirements of the UK GDPR for transferring personal data to countries outside of the UK (to non-adequate countries). |
5. Objectives
The objectives of this Policy are to:
- Ensure that processing of personal and sensitive personal data by or on behalf of FSL complies with the data protection principles and follows the lawful basis for processing, as per the applicable data protection laws.
- Make all the stakeholders aware about the processes that need to be followed for collection, usage, disclosure/transfer, retention, archival and disposal of personal data.
6. Governance
Leadership of FSL is committed to ensuring and upholding data privacy principles as well as compliance requirements of applicable data privacy laws.
To demonstrate commitment to data protection, and to enhance the effectiveness of compliance efforts, FSL shall establish a Data Privacy Team (DPT). The DPT shall operate with independence and shall be headed by the Data Protection Officer (DPO). The DPO shall be a suitably skilled individual who has been granted all necessary authority. The DPO shall report to FSL’s senior leadership.
7. Policy statements
7.1 Data protection principles
FSL’s processing of personal data shall be governed by the following principles:
- Principle 1: Lawfulness, Fairness and Transparency: Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject. This means FSL shall inform the data subject what processing will occur (transparency), the processing shall match the description given to the data subject (fairness), and it shall be as per the permitted lawful bases specified in the applicable data protection regulation (lawfulness).
- Principle 2: Purpose Limitation: Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes. This means FSL shall specify exactly what the personal data collected will be used for and limit the processing of that personal data to only what is necessary to meet the specified purpose.
- Principle 3: Data Minimization: Personal data shall be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed. This means FSL shall not collect or otherwise process any personal data which is beyond the specified purposes.
- Principle 4: Accuracy: Personal data shall be accurate and kept up to date to the extent practically possible.
- Principle 5: Storage Limitation: Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed (subject to regulatory requirements). This means FSL shall, wherever possible, store personal data in a way that limits or prevents identification of the data subject when no longer required for the processing purpose.
- Principle 6: Integrity & Confidentiality: Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing, and against accidental loss, destruction, or damage. This means that FSL shall use appropriate technical and organizational measures to ensure the integrity and confidentiality of personal data is maintained throughout the data processing lifecycle.
- Principle 7: Accountability: The data controller shall be responsible for and be able to demonstrate compliance. This means FSL shall demonstrate that the six data protection principles (outlined above) are met for all personal data for which it is responsible.
7.2 Data Collection
Data Sources
Personal data shall be collected only from the data subject unless one of the following applies:
- The nature of the business purpose necessitates collection of the personal data from other persons or bodies.
- The collection is required to be carried out under emergency circumstances to protect the vital interests of the data subject or to prevent serious loss or injury to another person.
7.2.1 Consent
FSL shall obtain personal data only by lawful and fair means and, where appropriate, with the knowledge and consent of the individual concerned. Where a need exists to request and receive the consent of an individual prior to the collection, use or disclosure of their personal data, FSL shall seek such consent. The data subjects shall be given the option to withdraw or revoke their consent by writing to the Data Protection Officer (DPO) at dataprivacy@firstsource.com. The data subject shall be duly informed of their right to revoke or withdraw consent.
7.2.1.1 Geography-specific requirements for consent
I. Mexico
FSL shall ensure the following while obtaining consent for processing personal data of data subjects of Mexico:
- As per Mexico’s Federal Data Privacy Law (FDPL), consent is the only lawful basis for processing personal data of data subjects of Mexico.
- For processing sensitive or financial personal data, FSL shall obtain explicit consent from data subjects such as employees, vendors, clients, prospects, and any other such category of data subjects in Mexico before processing such data.
- For transferring personal data outside the borders of Mexico, explicit consent shall be obtained.
For processing personal data (excluding sensitive/financial personal data), providing a privacy notice with information regarding data processing satisfies the requirement for tacit consent (which is required for processing non-sensitive data), provided that the privacy notice is not opposed by the data subject.
II. Philippines
FSL shall ensure the following while obtaining consent for processing personal data of data subjects of the Philippines:
- Provide a provision to allow an agent (specifically authorized) to give consent on behalf of the data subject.
- For processing privileged information and/or sensitive data of data subjects of the Philippines, consent shall be obtained prior to processing such data.
- For transferring personal data outside the borders of the Philippines, explicit consent shall be obtained.
7.2.2 Notice
FSL shall, where required by applicable law, contract, or where it considers that it is reasonably appropriate to do so, provide data subjects with information as to the purpose of the processing of their personal data and other relevant processing details.
FSL shall provide a privacy notice to data subjects in the following manner:
- To employees – at the time of onboarding or along with the employment agreement.
- To candidates – at the time of collecting their CV (Curriculum Vitae), Resume, cover letter, and other such documents containing personal data.
- To customers – at the time of entering stakeholder details in CRM.
- To service providers – at the time of onboarding the vendors.
- Visitors to office premises – at the time they provide their details for the visitors’ log.
- Marketing prospects – at the time of data collection (for both offline and online).
FSL shall also provide a privacy notice to the data subjects in case any new purpose is identified for processing personal data before such information is used for new purposes.
FSL’s website shall include a ‘Privacy Policy’ and ‘Cookie Policy’, which shall inform the website’s visitors about the processing of their personal data in relation to their activities while accessing the website. Additionally, the website shall obtain visitors’ consent on the deployment of cookies as applicable.
7.2.3 Geography-specific requirements for notice
I. India
FSL shall provide the data subjects the option to request a privacy notice in any of the languages specified in the Eighth Schedule of the Constitution of India.
7.3 Data use
7.3.1 Data processing
FSL shall process personal data when at least one of the following requirements is met:
- The data subject has given consent to the processing of his or her personal data for one or more specific purposes.
- Processing is necessary for the performance of a contract to which the data subject is party or to take steps at the request of the data subject prior to entering a contract.
- Processing is necessary for compliance with a legal obligation to which the data controller is subject.
- Processing is necessary to protect the vital interests of the data subject or of another natural person.
- Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller.
- Processing is necessary for the purposes of the legitimate interests pursued by the data controller or by a third party (except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject).
- Processing personal data, but not sensitive personal data, is necessary for employment purposes.
If the purposes of processing personal data change over time or data is to be used for a new purpose which was not originally anticipated, the processing shall only be performed if:
- The new purpose is compatible with the original purpose; or
- FSL obtains the data subject’s specific consent for the new purpose.
In order to determine whether a new purpose is compatible with the original purpose, FSL shall obtain guidance and approval from the DPO and take into account:
- Any link between the purpose for which the personal data was collected and the reasons for intended further processing.
- The context in which the personal data has been collected, in particular regarding the relationship between the data subject and the data controller/ data processor.
- The nature of the personal data, in particular whether sensitive personal data are being processed.
- The possible consequences of the intended further processing for the data subject.
- The existence of appropriate safeguards pertaining to further processing, which may include measures such as encryption, anonymization or pseudonymization.
7.3.2 Sensitive personal data
FSL shall avoid the processing of sensitive personal data where it is not required for the purposes for which the data is collected (or subsequently processed). Where sensitive personal data is required to be processed, FSL shall limit access to appropriate persons.
7.3.2.3 Geography-specific requirements for processing sensitive data
I. Mexico
As per FDPL, for processing sensitive and financial data, FSL shall obtain explicit consent of the data subjects and record the same.
II. Philippines
As per DPA, for processing sensitive data, FSL shall obtain explicit consent of the data subjects.
7.3.3 Data retention
- Personal data shall not be retained by FSL for longer than necessary in relation to the purposes for which it was originally collected, or for which it was further processed.
- The length of time for which personal data is to be retained shall be determined by considering the applicable legal and contractual requirements, both minimum and maximum, that influence the retention periods.
7.3.4 Data disposal
- Personal data shall be deleted, destroyed, or anonymized as soon as it has been confirmed that there is no longer a need to retain it or if it is in violation of any of the data protection principles.
- Personal data disposal shall follow FSL’s data disposal process to ensure the safe disposal of personal data and avoid unauthorized retrieval.
7.3.5 Direct marketing
FSL shall not send promotional or direct marketing material to a data subject (for example, through digital channels such as email and the Internet or conventional channels including but not limited to fax, email, SMS, and MMS) without first obtaining their consent.
The data subject shall be informed at the point of first contact that they have the right to withdraw consent, at any stage, from having their data processed for marketing purposes. If the data subject withdraws consent to processing of their personal data, the minimum required details to identify the data subject shall be kept on a suppression list with a record of their opt-out decision, rather than being completely deleted.
Further, FSL shall not disguise or conceal its identity in any direct marketing communication and shall provide the contact details of the DPO so that the data subject may send a request to opt-out or unsubscribe from such communication.
7.4 Record maintenance
For the purpose of demonstrating accountability, appropriate records related to processing personal data shall be maintained, including but not limited to the following:
- Record of processing activities (RoPAs) shall be maintained and shall be reviewed and updated on a periodic basis.
- Inventory of personal data shall be reviewed and updated on a regular basis.
- Data Flow Diagram (DFD) shall be reviewed and updated on a regular basis.
- Data breach record shall be maintained for all the data privacy breaches as well as incidents.
- Data Protection Impact Assessment (DPIA) shall be carried out on a periodic basis for applicable processes/applications to ensure risks to personal data are identified and managed.
- Legitimate Interest Assessment (LIA) shall be carried out on a periodic basis for processes where legitimate interest is relied upon as a lawful basis of processing.
- Consent request and withdrawal forms shall be maintained to ensure and demonstrate that data subject has consented to or opted-out of processing their personal data.
- Data subject rights management templates shall be maintained for all data subject requests received by FSL.
- Privacy by Design (PbD) assessments shall be maintained for FSL’s applications and processes processing personal data.
- Privacy audit results and mitigation plans shall be maintained to ensure that the privacy-related requirements are reviewed on a regular basis.
7.5 Data security
FSL shall ensure robust safeguards are in place to protect personal data by ensuring the following:
- Ensure that the data resides behind a firewall with access restricted to authorized personnel.
- Prevent persons entitled to use data processing systems from accessing personal data beyond their needs and authorization.
- Ensure that in the case where processing is carried out by another entity on our behalf, the data is processed only in accordance with the data processing addendums and the agreed contractual obligations.
- Ensure confidential waste bins are made available to all areas processing sensitive data.
- Ensure applicable controls as per standards - ISMS, PCI DSS, and HITRUST are reviewed on a regular basis.
- Ensure that there is a defined password policy which is enforced at an organizational level.
- Ensure data security and privacy training, as well as refresher training for employees, are conducted on a regular basis.
- Ensure role-based access control is provided to applications and supporting infrastructure.
- Ensure users’ logical access and physical access are deactivated in a timely manner post-termination.
- Ensure user access reconciliation is performed and corrective action is taken in case of any discrepancies.
- Ensure security patches and antivirus are updated on a periodic basis.
7.5.1 Privacy by design (PbD)
FSL shall apply Privacy by Design principles by applying strong privacy practices early and consistently to projects and business processes which involve personal data processing. The obligation to enforce privacy by default shall apply to the types of personal data collected, the extent of processing, the period of storage, and the accessibility of the personal data.
7.6 Data protection impact assessment
Each business function of FSL shall ensure that where required as per the applicable privacy regulation, a Data Protection Impact Assessment (DPIA) is conducted, in consultation with the DPO, for any new and/or revised systems or processes for which it has responsibility. The subsequent findings of the DPIA shall then be submitted to the DPO for review and approval.
7.7 Legitimate Interest Assessment
Each business function of FSL shall ensure that where required as per the applicable privacy regulation, a Legitimate Interest Assessment (LIA) is conducted, in consultation with the DPO, for any existing or new and/or revised systems or processes where legitimate interest is relied upon as lawful basis for processing.
7.8 Data subject rights requests
FSL shall establish a process to enable and facilitate the data subject rights related to:
- Right of Access: The data subject can request access to and request a copy of their personal data being processed by FSL.
- Right to Rectification: The data subject can request rectification of inaccurate personal data, or to have incomplete personal data completed.
- Right to be Forgotten / Right to Erasure: The right to be forgotten / right to erasure entitles the data subject to request the erasure of their personal data.
- Right to Object to Processing: The data subject can object (i.e., exercise their right to “opt-out”) to the processing of their personal data particularly in relation to profiling or to marketing communications.
- Right to Restriction of Processing: Where certain conditions apply, the data subject can request that the processing of their personal data be restricted.
- Right of Portability: The data subject can request this right if they want the data we hold about them to be transferred to another organisation.
- Right to Object to Automated Processing, including profiling: The data subject can request this right to object to being subject to the legal effects of automated processing or profiling.
- Right to judicial review/complain: The data subject can request this right if FSL refuses their request under rights of access; a reason for refusal shall be communicated to the data subjects.
On receiving a request when a data subject exercises any of his or her rights, FSL shall respond to the requests within stipulated timelines as per the applicable data protection laws.
7.9 Data protection training
All FSL employees that have access to personal data shall have their responsibilities under this Policy outlined to them as part of their onboarding training. Additionally, FSL shall conduct refresher data protection training annually.
7.10 Cross-border Data Transfer
In order for FSL to carry out its operations effectively, there may be occasions when it is necessary to transfer personal data from one FSL entity to another or to share personal data with service providers that are located overseas, or to allow access to the personal data from an overseas location. Should this occur, the FSL entity sending / allowing access to the personal data shall remain responsible for ensuring protection for that personal data.
FSL shall handle the transfer of personal data between FSL entities, where the location of the recipient entity is a non-adequate country, as per the safeguards mentioned in applicable laws (such as obtaining consent, SCC, IDTA etc.). FSL shall transfer only the minimum required personal data and ensure adequate security measures for protection of personal data during the transfer.
7.11 Transfers to third parties
FSL shall only transfer personal data to or allow access by third parties through a Data Processing Agreement (DPA), when it is assured that the information will be processed legitimately and protected appropriately by the recipient. These agreements shall clarify each party’s responsibilities in respect to the personal data transferred. The third party shall establish procedures to meet the terms of their agreement with relevant FSL entity/subsidiary to protect personal data and demonstrate compliance with the data transfer requirements as per applicable data protection laws.
Personal data shall be disclosed to data processors (such as vendors and contractors) only for identified lawful purposes and after obtaining appropriate consent from the data subjects or providing appropriate notice, as applicable, unless a law or regulation allows or requires otherwise. Where FSL is outsourcing services to a third party (including cloud computing services), FSL shall consider whether the outsourcing will entail any non-adequate country transfers of personal data.
7.12 Breach reporting
FSL shall establish robust personal data breach detection, investigation, and reporting procedures.
Any individual who suspects that a personal data breach has occurred due to the theft or exposure of personal data shall immediately notify the DPO providing a description of the breach.
FSL shall investigate all reported incidents to confirm whether a personal data breach has occurred. If a personal data breach is confirmed, FSL shall take necessary steps to minimize the risks to the rights of the data subjects. FSL shall keep a record of all breaches.
8. Changes to this Policy
This document is effective as of January 2024. We may amend this document from time to time. Please refer to the document on a regular basis.
9. Contact Us
In case of any questions or concerns about this Privacy Policy, or your dealings with the personal data, you can contact dataprivacy@firstsource.com for clarifications.
10. Appendices
10.1 Appendix 1 – Data protection legislation considered
Below is the list of data protection laws that have been taken into consideration in developing this Policy:
- United Kingdom’s Data Protection Act (DPA), 2018
- United Kingdom’s General Data Protection Regulation (GDPR), 2022
- Mexico’s Federal Law on Protection of Personal Data Held by Private Parties (FDPL), 2010
- Philippines’ Data Privacy Act (DPA) 2012
- India’s Digital Personal Data Protection Act, 2023
10.2 Appendix 2 – Data Protection Authorities
Country | Data Protection Authority | Address |
---|---|---|
United Kingdom | Information Commissioner’s Office (ICO) | Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF |
Mexico | National Institute of Transparency for Access to Information and Personal Data Protection (Instituto Nacional de Transparencia, Acceso a la Información y Protección de Datos Personales) (INAI) | Insurgentes Sur 3211 Colonia Insurgentes Copilco, Coyoacán, Ciudad de México |
Philippines | National Privacy Commission (NPC) | 5th Floor Delegation Building, PICC Complex, Vicente Sotto Avenue, Pasay City, Metro Manila 1307, or email us at dpo@privacy.gov.ph. |
10.3 Appendix 3 – Exemption
As per the Digital Personal Data Protection Act, 2023, this policy shall not apply to the following:
- Processing of personal data of data principals outside India pursuant to any contract entered into with a foreign party.
- Necessary for a scheme of compromise or arrangement or merger or amalgamation of two or more companies.
[1] The documents pertaining to specific requirements in the USA are referenced in Appendix 5
[2] Definition of blocking as per Mexico’s Federal data privacy law
[2] Definition of database as per Mexico’s Federal data privacy law
[3] For maintaining consistency, the term Controller is used in place of the above terms in this Policy.
[4] For maintaining consistency, the term Processor is used in place of the above terms in this Policy.
[5] For maintaining consistency, the term data subject is used in place of the above terms in this Policy.
[6] For maintaining consistency, the term personal data is used in place of the above terms in this Policy.
[7] Definition of privileged information as per Philippines’ Data Privacy Act, 2012.
[8] For maintaining consistency, the term sensitive data is used in place of the above terms in this Policy.
Privacy Policy
Overview
Firstsource Solutions Limited (this expression means and includes its affiliates and subsidiaries) has created this Website Privacy Policy in order to demonstrate Firstsource’s commitment to privacy. This Website Privacy Policy demonstrates Firstsource’s (‘we’, ‘our’, ‘us’) information gathering and dissemination practices for its corporate website (www.firstsource.com) or such other websites of Firstsource (together referred hereafter as “Website”).
Firstsource is committed to protecting the privacy and security of your (users accessing Firstsource Website and/or leaving information on Firstsource Website) personal data.
This Website Privacy Policy (“Policy”) does not define how third parties, whose external links are present on Firstsource’s Website, use or process your personal data (the terms personal data and data information are interchangeable). We encourage you to read their respective privacy policies and know your privacy rights before interacting with them.
Relationship
We are the Data Fiduciary / Data Controller of your personal data that we collect and process through the Website. This means we determine how and why personal data is processed.
What personal data do we collect and how
Information Given by the User (You)
We may receive, use, and store any information which you enter on our Website or give us in any other way, such as:
- By submitting a web form on our Website, you will share with us information such as your name, phone number and email address to enable us to reply to you. It is stored until the marketing campaign is active in the tool. The data is stored until the user unsubscribes. This will be treated as a lawful consent and your personal data will not be shared outside of Firstsource.
- If you are applying for a vacancy with us, please refer to the job vacancy privacy policy for further information on how your data will be used.
- We do not share any personal information collected with any third parties. When completing a web form, we will store and process personal data as per applicable laws.
- Case 1: Forms on the contact page marked “Suppliers”, “Recruitment”, “Employees”, “Media/Press”, “Investors”, “Analysts” and “Other”
- We will gather your name, phone number, email address, company, and job title (if applicable), Firstsource office you wish to contact (if applicable), and an optional message. Your details and message will be:
- a) Sent via email to the relevant person within the organisation;
- b) Stored in our database as long as required for business purposes or such other time as per applicable law before permanent deletion. This information can be removed from our database in case you wish to withdraw consent by sending an email requesting withdrawal of consent to the email address dpo@firstsource.com.
- Case 2: All other web forms (excluding job applications)
- We will gather your name, phone number, email address, location, web page on which you filled out the form, actions taken on our Website, company and job title, industry, the solutions you are interested in, and an optional message.
- We will also ask in a clear manner for your consent to:
- a) Receive marketing communications, and, separately,
- b) Receive personal emails from Firstsource personnel, such as business development representatives. These options will either be presented as checkboxes, or be clearly indicated in the form title, e.g., “Sign up for our mailing list”.
- Your details and messages and any form of communication with you will be stored in our marketing automation system as long as required for business purposes or such other time as per applicable law. If you opted in to receiving marketing communications, you will be added to the general mailing list and any other mailing lists based on your indicated industry and desired solutions. You may unsubscribe at any time by emailing dpo@firstsource.com or clicking “Unsubscribe” at the bottom of any marketing email.
- If you opted in to receiving personal messages, your details and message will be sent to a relevant member of our business development team. Your details may also be stored in Active Campaign and Salesforce, our CRM system.
- You can contact us at dpo@firstsource.com at any time to remove your information. We will not, without your explicit consent, disclose to anyone outside of Firstsource Solutions Limited any personal information you provide to us when you visit the website.
The data we would like to collect via forms is:
Personal data type: | Source (where Firstsource obtained the personal data from if it has not been collected directly from you, the data subject): |
First and last name | Data subject |
Email address | Data subject |
Phone number | Data subject |
Company | Data subject |
Job title | Data subject |
Firstsource office you wish to contact | Data subject |
Your industry * | Data subject |
How can we help / desired solutions * | Data subject |
Conversion page * | Conversion page * |
Past activity on our website * | Cookies |
Location (down to city level) * | IP address |
Marketing consent * | Data subject |
Sales consent * | Data subject |
Message | Data subject |
Personal data type: | Source (where Firstsource obtained the personal data from if it has not been collected directly from you, the data subject): |
First and last name | Data subject |
Email Address | Data subject |
Phone Number | Data subject |
Company | Data subject |
Job Title | Data subject |
* Only relevant for forms in Case 2 (details above) |
E-mail Communications
To help us make e-mails more useful and interesting, we often receive a confirmation when you open an e-mail from Firstsource.com if your computer supports such capabilities.
Our Website provides users the opportunity to opt-out of receiving communications from us and our partners by reading the unsubscribe instructions located at the bottom of any e-mail they receive from us at any time.
Cookies
To improve your experience on our site, we may use ‘cookies’. Cookies are an industry standard and most major websites use them. A cookie is a small text file that our site may place on your computer as a tool to remember your preferences. You may refuse the use of cookies by selecting the appropriate settings on your browser. However, please note that if you do this you may not be able to use the full functionality of this Website. Please refer to the cookie policy for more detailed information.
IP Addresses
IP addresses are used by your computer every time you are connected to the internet. Your IP address is a number that is used by computers on the network to identify your computer. IP addresses are automatically collected by our web server as part of demographic and profile data known as “traffic data” so that data (such as the Web pages you request) can be sent to you.
Google Analytics
Our Website uses Google Analytics, a service which transmits Website traffic data to Google servers in the United States. Google Analytics does not identify individual users or associate your IP address with any other data held by Google. We use reports provided by Google Analytics to help us understand Website traffic and webpage usage. By using this Website, you consent to the processing of data about you by Google in the manner described in Google’s Privacy Policy and for the purposes set out above. You can opt out of Google Analytics if you disable or refuse the cookie, disable JavaScript, or use the opt-out service provided by Google here.
Social Media
Firstsource also uses interfaces with social media sites such as Facebook, LinkedIn, Twitter, and others. If you choose to “like” or “share” information from this Website through these services, you should review the privacy policy of that service. If you are a member of a social media site, the interfaces may allow the social media site to connect your visits to this site with other personal information.
External Links
Our Website may contain links to other websites. Please be aware that we are not responsible for the privacy practices of such other sites. When you go to other websites from here, we advise you to be aware and read their privacy policy.
What Do We Use Your Personal Data For?
We use personal data to provide you with information that you have requested, including marketing purposes, sales (if you choose to be contacted for such sales and marketing purposes) and to process online applications.
Firstsource collects information including the following:
- Internet Protocol address – which will be anonymised, browser type, browser language, the date and time of your query. This information is collected in the interest of identifying any issues with the site, to establish which areas of the website are used more frequently and to help improve the website.
- Information provided through the web forms – including name, email address, and contact number will only be used for the purpose of the web form submission including new customer contact, media enquiries, and marketing. This will be processed under the lawful basis of consent.
Lawful Basis
We rely on the following lawful bases for the above purposes:
- Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests. (For example, we need to process for administrative and record keeping purposes, etc.)
- Where we need to protect your vital interests (or someone else's interests).
- Where we need to comply with a legal obligation.
- Where we have sought your explicit consent.
We will only use personal data for the purposes described above or as otherwise disclosed at the time we request such data from you. Should your personal data be processed for other purposes than those outlined in this Privacy Policy or other purposes than the ones your personal data has originally been collected for, we will update this information to provide you with information on that other purpose, and any additional relevant information.
Security
We have adopted reasonable and adequate security practices and procedures, in line with industry standards such as ISO 27001:2013, HITRUST, PCI DSS, HIPAA, etc., to include strategic, operational, managerial, technical, and physical security controls to safeguard and protect your data and information.
We take steps such as the following to protect your personal data:
- Ensure that the data resides behind the firewall with access restricted to authorized personnel.
- Prevent people entitled to use data processing systems from accessing personal data beyond their needs and authorization.
- Ensure that in the case where processing is carried out by another entity on our behalf, the data is processed only in accordance with the data processing addendums and the agreed contractual obligations.
The information in our custody and control is protected by adherence to reasonable security procedures to safeguard against unauthorized access. We apply encryption or other appropriate security controls to protect personal data when transmitted and stored by us.
How long do we store your personal data?
We retain personal data only for as long as it is needed for the business purpose defined and as provided under applicable laws. This includes meeting our professional and legal requirements, establishing, exercising, or defending our legal rights, and for archiving purposes.
Please note that retention periods vary in different jurisdictions and are set in accordance with regulatory and professional retention requirements.
Disclosure and transfer of personal information
Firstsource keeps your personal information confidential except where disclosure/transfer of personal information is required by an order under the law for the time being in force or by Government agencies, including law enforcement agencies having authority of law, upon their request in writing, even without obtaining your consent.
However, sometimes Firstsource uses third parties to process your information. Firstsource requires these third parties to comply strictly with its instructions and not to further transfer your personal information or use it for any purpose other than the purpose for which it is being collected by Firstsource. Firstsource also ensures that they do not use your personal information for their own business purposes unless you have explicitly consented. We ensure this by signing appropriate data processing agreements with such third parties.
We may transfer your personal data to other processing locations in cases where our data centres are in other geographical locations. In such instances, appropriate data transfer agreements are signed with FSL entities in accordance with applicable data protection laws.
Minor/Child’s personal data
Firstsource Website is not meant for minors under the age of 18 years. If you are a minor, please do not use this Website or provide any personal data to us. We are not required to collect any personal data from minors. If we find that any minor has used our application or provided any Personal Data, then we reserve our right to delete such personal data of the minor. If as an authorized user, you come to know that any minor has posted any Personal Data, then you may please contact us using the contact details mentioned in the “Contact Us” section of this privacy policy.
Access to information and your rights
You have the following rights with respect to your personal data:
- Right of access – you have the right to request a copy of the information that we hold about you.
- Right of rectification – you have the right to correct data that we hold about you that is inaccurate or incomplete.
- Right to be forgotten – in certain circumstances, you can ask for the data we hold about you to be erased from our records.
- Right to restriction of processing – where certain conditions apply, you have the right to restrict the processing.
- Right of portability – you have the right to have the data we hold about you transferred to another organisation.
- Right to object – you have the right to object to certain types of processing such as direct marketing.
- Right to judicial review – in the event that Firstsource refuses your request under rights of access, we will provide you with a reason as to why. You have the right to complain as outlined below.
Complaint
If you are concerned about an alleged breach of privacy law or any other regulation by Firstsource, you can contact the Firstsource Data Protection Officer who will investigate your complaint and give you information about how your personal data will be handled. You also have the right to complain to the data protection authority in your country; their contact details are listed below:
Country | Data Protection Authority | Address |
---|---|---|
UK | Information Commissioner’s Office | Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF |
Mexico | National Institute of Transparency for Access to Information and Personal Data Protection (Instituto Nacional de Transparencia, Acceso a la Información y Protección de Datos Personales) (INAI) | Insurgentes Sur 3211 Colonia Insurgentes Copilco, Coyoacán, Ciudad de México |
Philippines | National Privacy Commission | 5th Floor Delegation Building, PICC Complex, Vicente Sotto Avenue, Pasay City, Metro Manila 1307, or email us at dpo@privacy.gov.ph. |
Contact Us
If you have any questions or concerns about this Privacy Policy, or your dealings with this Website, you can contact dpo@firstsource.com for clarifications. Our Data Protection Officer can be contacted at:
Firstsource Solutions Limited,
Unit 201 to 204, 2nd Floor,
Block C2 Brigade Tech Gardens SEZ,
Brigade Properties Pvt. Ltd, Brooke fields,
Kundalahalli, Marathahalli Post, Bengaluru,
Karnataka, 560037
The residents of India may request the content of this policy in any of the 22 languages specified in the eighth schedule of the Constitution of India.
Changes to this Website Privacy Policy
We may update this Policy from time to time in line with Firstsource’s business requirements and changes in applicable laws.
UK Job Applicant Privacy Policy
1. Scope
All individuals applying for a job vacancy with Firstsource Solutions UK Limited
2. Privacy notice
Who are we?
Firstsource Solutions UK Limited is a business process outsourcing company that collects and stores personal information regarding employees, clients and, as an outsourcing solutions provider, our clients’ customers. Firstsource Solutions UK Limited is committed to ensuring this data is collected and processed fairly, lawfully and in a transparent manner and commits to adhering to the statutory duty to comply with the General Data Protection Regulation (GDPR).
Our UK Head Office address is:
Firstsource Solutions UK Limited, Space One, 1 Beadon Road, London, W6 0EA
Our Data Protection Officer can be contacted at:
- Firstsource Solutions UK Limited, Space One, 1 Beadon Road, London, W6 0EA
Personal data type: | Source (where Firstsource obtained the personal data from if it has not been collected directly from you, the data subject. Note if the personal data has been accessed from publicly accessible sources): |
Name | Data subject |
Address | Data subject |
Email address | Data subject |
Gender | Data subject |
Contact Number | Data subject |
Date Of Birth | Data subject |
Qualifications | Data subject |
Employment History | Data subject |
Reference Details | Data subject |
Ethnicity | Data subject |
Health Information | Data subject |
Criminal Offence Details | Data subject |
Credit Check Details | Data subject |
Eligibility To Work Documentation | Data subject |
The personal data we collect will be used for the following purposes:
- We need to process data to take steps as part of the recruitment process, prior to entering a contract with you. We may also need to process your data to enter into a contract with you if you are successful in your application for employment.
- In some cases, we need to process data to ensure that we are complying with our legal obligations. This includes eligibility to work documentation.
Our Lawful Basis for Processing Personal Data
- Contract
- Legal Obligation
- Legitimate Interests
- Article 9 for Special Category Data
- Article 9(2)(b) – employment
- Data Protection Bill – Schedule 1 Employment
Any legitimate interests pursued by us, or third parties we use, are as follows:
- We process health information in the interest of providing reasonable adjustments.
- We process ethnicity information in the interest of monitoring equality.
Special Categories of Personal Data Concerned
- Ethnicity
- Health Information
- Gender
- Community Background Information (Northern Ireland only)
2.2 Disclosure
Firstsource Solutions UK Limited will pass on your personal data to third parties during the recruitment process. The following third parties will receive your personal data for the following purpose(s) as part of the processing activities:
Third country (non-EU)/international organisation | Safeguards in place to protect your personal data | Purpose |
---|---|---|
Disclosure & Barring Service (DBS) UK | Information processed directly on the website by the recruitment team and stored securely on the access controlled website. | For the purpose of pre-employment criminal conviction checks for England and Wales. |
Disclosure Scotland | Information processed directly with Disclosure Scotland for background checks, criminal record and credit checks. | For the purpose of pre-employment checks in Scotland and Northern Ireland. |
Experian, UK | Information processed directly on Experian website which is access controlled and is also stored securely on the site. | For the purpose of pre-employment credit checks. |
Pass, UK | Information is processed directly through the Pass system by the data subject and held in an access controlled system. | For the purpose of job applications. |
Amris, UK | Information is processed directly through Amris by the data subject and held in an access controlled system. | For the purpose of job applications. |
Smart Hire, UK | Applicant Data is transferred from Amris to Smarthire. Smarthire is held on the Firstsource network and is access controlled. | To maintain applicant records and link to HRMS (SAP) system. |
2.3 Retention Period
For successful candidates Firstsource Solutions UK Limited will process personal data and will store the personal data for the length of your employment. In addition, further retention periods apply for Payroll and Recruitment information which will be held for up to 7 years after your employment ceases. Background checks for criminal convictions and credit checks will be completed on successful candidates and will be held on the Experian portal for 24 months. If you are unsuccessful in an application Firstsource Solutions UK Limited will retain your information for 1 year.
2.4 Your rights as a data subject
At any point while we are in possession of or processing your personal data, you, the data subject, have the following rights:
- Right of access: You have the right to request a copy of the information that we hold about you.
- Right of rectification: You have a right to correct data that we hold about you that is inaccurate or incomplete.
- Right to be forgotten: In certain circumstances, you can ask for the data we hold about you to be erased from our records.
- Right to restriction of processing: Where certain conditions apply, you have the right to restrict the processing.
- Right of portability: You have the right to have the data we hold about you transferred to another organisation.
- Right to object: You have the right to object to certain types of processing such as direct marketing.
- Right to object to automated processing, including profiling: You also have the right not to be subject to the legal effects of automated processing or profiling.
- Right to judicial review: In the event that Firstsource Solutions UK Limited refuses your request under rights of access, we will provide you with a reason as to why. You have the right to complain as outlined below.
All of the above requests will be forwarded on should there be a third party involved in the processing of your personal data.
2.5 Complaints
In the event that you wish to make a complaint about how your personal data is being processed by Firstsource Solutions UK Limited (or third parties above), or how your complaint has been handled, you have the right to lodge a complaint directly with the supervisory authority and Firstsource Solutions UK Limited’s Data Protection Officer.
The details for each of these contacts are:
| | Supervisory authority contact details | Data Protection Officer (DPO) |
---|---|---|
Contact Name: | Information Commissioner’s Office | Data Protection Officer |
Address line 1: | Wycliffe House | Space One |
Address line 2: | Water Lane | 1 Beadon Road |
Address line 3: | Wilmslow | London |
Address line 4: | Cheshire | W6 0EA |
Address line 5: | SK9 5AF | |
Telephone: | 01625 545 745 | |
3. Privacy Statement
Personal data
Under the EU’s General Data Protection Regulation (GDPR), personal data is defined as:
How we use your information
This privacy notice tells you how we will collect and use your personal data for the purposes of our recruitment process. The information collected will not be used for any other purpose than the recruitment process. If your application for employment is successful, personal data gathered during the recruitment process will be transferred to your HR file (electronic and paper-based) and retained during the period of your employment and, in some circumstances, afterwards. The periods for which your data will be held should you become an employee will be provided to you in the privacy notice for employees. For unsuccessful applicants, this data will be retained for 1 year.
Why does Firstsource Solutions UK Limited need to collect and store personal data?
As an employer, we need to collect personal data for the purposes of employment, including recruitment, HR and payroll activities as well as managing performance. In any event, we are committed to ensuring that the information we collect and use is appropriate for this purpose, and does not constitute an invasion of your privacy.
Will Firstsource Solutions UK Limited share my personal data with anyone else?
We may pass your personal data on to third-party service providers contracted to Firstsource Solutions UK Limited in the course of dealing with you. Any third parties that we may share your data with are obliged to keep your details securely, and to use them only to fulfil the service they provide you on our behalf. When they no longer need your data to fulfil this service, they will dispose of the details in line with Firstsource Solutions UK Limited procedures.
How will Firstsource Solutions UK Limited use the personal data it collects about me?
Firstsource Solutions UK Limited will process (collect, store and use) the information you provide in a manner compatible with the EU’s General Data Protection Regulation (GDPR). We will endeavour to keep your information accurate and up to date, and not keep it for longer than is necessary. Firstsource Solutions UK Limited is required to retain information in accordance with the law, such as information needed for income tax and audit purposes.
Under what circumstances will Firstsource Solutions UK Limited contact me?
Our aim is not to be intrusive, and we undertake not to ask irrelevant or unnecessary questions. Moreover, the information you provide will be subject to rigorous measures and procedures to minimise the risk of unauthorised access or disclosure.
Can I find out the personal data that the organisation holds about me?
Firstsource Solutions UK Limited, at your request, can confirm what information we hold about you and how it is processed. If Firstsource Solutions UK Limited does hold personal data about you, you can request the following information:
- Identity and the contact details of the person or organisation that has determined how and why to process your data. In some cases, this will be a representative in the EU.
- Contact details of the data protection officer, where applicable.
- The purpose of the processing as well as the legal basis for processing.
- If the processing is based on the legitimate interests of Firstsource Solutions UK Limited or a third party, information about those interests.
- The categories of personal data collected, stored, and processed.
- Recipient(s) or categories of recipients that the data is/will be disclosed to.
- If we intend to transfer the personal data to a third country or international organisation, information about how we ensure this is done securely. The EU has approved sending personal data to some countries because they meet a minimum standard of data protection. In other cases, we will ensure there are specific measures in place to secure your information.
- Details of your rights to correct, erase, restrict or object to such processing.
- Information about your right to withdraw consent at any time.
- How to lodge a complaint with the supervisory authority.
- Whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether you are obliged to provide the personal data and the possible consequences of failing to provide such data.
- The source of personal data if it wasn’t collected directly from you.
- Any details and information of automated decision making, such as profiling, and any meaningful information about the logic involved, as well as the significance and expected consequences of such processing.
What forms of ID will I need to provide in order to access this?
Firstsource Solutions UK Limited accepts the following forms of ID when information on your personal data is requested:
Passport, driving licence, birth certificate, utility bill (from last 3 months).
Contact details of the Data Protection Officer:
Data Protection Officer contact details | |
---|---|
Contact Name: | Data Protection Officer |
Address line 1: | Space One |
Address line 2: | 1 Beadon Road |
Address line 3: | London |
Address line 4: | W6 0EA |
Disclaimer
The information contained in this website is for general information purposes only. While Firstsource Solutions Limited (‘we’) endeavor to keep the information up-to-date and correct, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability, with respect to the website, of the information, services, or related graphics contained in the website for any purpose. Any reliance you place on such information is therefore strictly at your own risk.
This site is subject to periodic update and revision. Materials should only be considered current as of the date of initial publication appearing thereon, without regard to the date on which you may access the information. We maintain the right to delete or modify information on this website without prior notice to any third party or person and shall maintain a complete discretion on the content published.
In no event shall we be liable for any loss or damage including without limitation any direct, indirect, special, or consequential loss or damage, loss of data, profits, business, reputation or any loss or damage whatsoever arising out of, or in connection with, the use of this website or any information contained herein.
Past financial performance should not be taken as an indication or guarantee of future performance and no representation and warranty, express or implied, is made regarding future performance.
Every effort is made to keep the website up and running. However, we take no responsibility for, and will not be liable for, the website being temporarily unavailable due to technical issues beyond our control. We reserve the right, at our sole discretion, to correct any errors or omissions in any portion of the website. Any unauthorized use of this website may give rise to a claim for damages including criminal prosecution.
Unless otherwise stated, we or our licensors, as the case may be, own all intellectual property rights in the website and any information or material on the website. All our intellectual property rights in relation to the website are reserved.
Subject to the terms and conditions set forth herein, we will grant a non-exclusive, non-transferable, limited right to access this site and the materials thereon.
You agree not to:
- Interrupt or attempt to interrupt the operation of the site in any way.
- Intrude or attempt to intrude into the site in any way.
- Post any obscene, defamatory or annoying materials on the site.
- Obscure any material, including this notice, already posted on the site.
- Use the site or any contents thereof to defame, intimidate, annoy or otherwise cause nuisance or breach the rights of any person.
This disclaimer will be governed by and construed in accordance with the laws of India, and any disputes relating to the website or this disclaimer shall be subject to the exclusive jurisdiction of the courts in Mumbai, India.