Our Educational Technology Services backed by analytics, AI and machine learning focusses on hyper personalized engagement over the lifetime of the learner.
We go beyond study and class time. We focus on the moments of choice, engagement and success. All of the points in the learning journey that go unrecognized but have incredible impact on the entire learner experience.
Firstsource Solutions Limited (“FSL”, “us”, “we”) is a business process management company providing services in the banking and financial services, customer services, telecom and media, and healthcare sectors.
FSL is committed to ensuring that personal data is collected and processed fairly, lawfully and in a transparent manner as per the requirements of applicable privacy legislations.
Personal data is any information (including opinions and intentions) which relates to an identified or identifiable natural person.
This Privacy Policy (hereinafter referred to as “Policy”) sets forth the general principles which underlie FSL’s specific practices for collecting, using, disclosing, storing, retaining, disposing, accessing, transferring, or otherwise processing personal data.
This Policy sets forth the expected behaviors of FSL personnel and third parties in relation to the collection, use, disclosure, storage, retention, disposal, access, transfer, and any other processing of personal data.
FSL’s leadership is fully committed to ensuring continued and effective implementation of this Policy and expects all FSL employees and third parties to share in this commitment. Any breach of this Policy will be taken seriously and may result in disciplinary action.
This Policy covers the processing of personal data of employees (including current and past employees, full time, and part time employees, on contract personnel, consultants, interns, and other such individuals), clients, suppliers, business partners and other identifiable individuals by an FSL entity on behalf of FSL entity, as applicable.
Where FSL processes personal data on behalf of its clients, FSL shall follow appropriate policies and practices agreed with its clients for the safe handling of personal data.
This Policy is applicable to all employees of FSL, subsidiaries and joint ventures where FSL has a controlling interest, as well as business partners who process personal data on FSL’s behalf.
This Policy covers processing of personal data in electronic form (including but not limited to electronic mail and documents created with word processing software) or where it is held in manual files that are structured in a way that allows ready access to information about individuals.
Any processing of personal data by an FSL entity will be governed by the applicable privacy regulation/s. If certain regions have specific regulatory requirements, those requirements will take precedence over this Policy.[1]
In case of conflict between this Policy and the Data Protection Policy and Procedure, the stricter of the two shall prevail.
(Please refer to Appendix 1 – Data protection legislation considered). Country and industry-specific laws and regulations shall take precedence over this Policy.
[1] The documents pertaining to specific requirements in the USA are referenced in Appendix 5.
Below is a brief description of key terms that regularly come into play with Data Protection:
Term | Definition |
---|---|
Anonymization/Dissociation | Data amended in such a way that no individual can be identified from the data (whether directly or indirectly) by any means. As per Mexico’s Federal Data Privacy Law (FDPL), dissociation is the procedure by which personal data cannot be associated with the owner or allow, due to its structure, content or degree of disaggregation, its identification |
Biometric Data | Personal Data resulting from specific technical processing relating to the physical, physiological, or behavioral characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data. |
Blocking[1] | The identification and conservation of personal data once the purpose for which they were collected has been fulfilled, with the sole purpose of determining possible responsibilities in relation to their treatment, until the legal or contractual prescription period of these. During said period, personal data may not be processed and after this, it will be cancelled in the corresponding database. |
Consent | Any freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. As per Mexico’s FDPL, expression of the will of the data owner by which data processing is enabled. Further, tacit/implied consent is valid for processing personal data. |
Database[2] | The ordered set of personal data referring to an identified or identifiable person. |
Data Controller/Personal Information Controller/Entity Responsible/Data Fiduciary[3] | This means a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any Personal Data are or are to be processed. As per the United Kingdom’s Data Protection Act, 2012 (DPA), any person on whom the obligation to process personal data is imposed by an enactment, for purposes and by means required by the enactment will also be considered as a data controller. As per Mexico’s FDPL, person responsible means physical or legal person of a private nature who decides on the processing of personal data. As per Philippines DPA, 2012, Personal information controller refers to a person or organization who controls the collection, holding, processing or use of personal information, including a person or organization who instructs another person or organization to collect, hold, process, use, transfer or disclose personal information on his or her behalf. As per Digital Personal Data Protection Act 2023, a data fiduciary means any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data. |
Data Processing Agreement | A legally binding contract that states the rights and obligations of each party concerning the protection of personal data. |
Data Processor/ Personal Information Processor/ Processor[4] | In relation to personal data, means any person who processes the data on behalf of the data controller. For clients, Firstsource is a data processor, and we will only process data under the instruction of the client who will be the data controller. As per Philippines’ DPA 2012, Personal information processor refers to any natural or juridical person qualified to act as such under this Act to whom a personal information controller may outsource the processing of personal data pertaining to a data subject. |
Data Protection | The process of safeguarding personal data from unauthorized or unlawful disclosure, access, alteration, processing, transfer, or destruction. |
Data Protection Authority | An independent public authority responsible for monitoring the application of the relevant data protection regulation set forth in national law. |
Data Subject/Individual /Data Owner/Data Principal[5] | A natural person (living) individual whose Personal Data is processed by a data controller or processor. As per Digital Personal Data Protection Act 2023, Data Principal means the individual to whom the personal data relates and where such individual is— (i) a child, includes the parents or lawful guardian of such a child; (ii) a person with disability, includes her lawful guardian, acting on her behalf. |
Encryption | The process of converting information or data into code, to prevent unauthorized access. |
Non-Adequate Country | Non-Adequate Country means a country that under the applicable law is deemed not to provide an “adequate” level of data protection. |
Personal Data/ Personal Information[6] | Any information relating to an identified or identifiable natural person (‘Data Subject’); an identifiable natural person is one who can be identified directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person. |
Personal Data Breach | A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed. |
Privileged Information[7] | Privileged information refers to any and all forms of data which under the Rules of Court and other pertinent laws constitute privileged communication. |
Process/Treatment, Processed, Processing | The term “Processing of Personal Data” refers to any operation or set of operations which is performed on Personal Data or on sets of personal data, whether or not by automated means, such as the collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction. As per Mexico’s FDPL, treatment means obtaining, using, disclosing, or storing personal data, by any means. The use covers any action of access, management, use, transfer, or disposal of personal data. |
Profiling | Any form of automated processing of personal data where personal data is used to evaluate specific or general characteristics relating to an identifiable natural person to analyze or predict certain aspects concerning the natural person’s performance at work, economic situations, health, personal preferences, interests, reliability, behavior, location, or movement. |
Pseudonymization | Data amended in such a way that no individual can be identified from the data (whether directly or indirectly) without a “key” that allows the data to be re-identified. |
Special Categories of Personal Data / Sensitive Personal Data[8] | Personal Data revealing a Data Subject’s racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership or the processing of genetic data, biometric data for the purposes of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation. As per Philippines’ Data Privacy Act, 2012, apart from the above, the following data sets also fall within the definition of sensitive data: 1. Age 2. Color 3. Education 4. Committed or alleged offence, and any proceedings related to it 5. Documents issued by government agencies such as Social Security Number, Tax Identification number etc. 6. Specifically established by an executive order or an act of Congress to be kept classified |
Standard Contractual Clauses (SCCs) | Standard contractual clauses (SCCs) are standardized and pre-approved model data protection clauses that serve as a tool for entities to comply with the requirements of the EU GDPR for transferring personal data to countries outside of the EEA (to non-adequate countries). |
International Data Transfer Agreement (IDTA)/IDTA Addendum | IDTA are standardized and pre-approved model data protection clauses that serve as a tool for entities to comply with the requirements of the UK GDPR for transferring personal data to countries outside of the UK (to non-adequate countries). |
The objectives of this Policy are to:
Leadership of FSL is committed to ensuring and upholding data privacy principles as well as compliance requirements of applicable data privacy laws.
To demonstrate commitment to data protection, and to enhance the effectiveness of compliance efforts, FSL shall establish a Data Privacy Team (DPT). The DPT shall operate with independence and shall be headed by the Data Protection Officer (DPO). The DPO shall be a suitably skilled individual who has been granted all necessary authority. The DPO shall report to FSL’s senior leadership.
FSL’s processing of personal data shall be governed by the following principles:
Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject. This means, FSL shall inform the data subject what processing will occur (transparency), the processing shall match the description given to the data subject (fairness), and it shall be as per the permitted lawful bases specified in the applicable data protection regulation (lawfulness).
Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes. This means FSL shall specify exactly what the personal data collected will be used for and limit the processing of that personal data to only what is necessary to meet the specified purpose.
Personal data shall be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed. This means FSL shall not collect or otherwise process any personal data which is beyond the specified purposes.
Personal data shall be accurate and kept up to date to the extent practically possible.
Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed (subject to regulatory requirements). This means FSL shall, wherever possible, store personal data in a way that limits or prevents identification of the data subject when no longer required for the processing purpose.
Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing, and against accidental loss, destruction, or damage. This means that FSL shall use appropriate technical and organizational measures to ensure the integrity and confidentiality of personal data is maintained throughout the data processing lifecycle.
The data controller shall be responsible for and be able to demonstrate compliance. This means FSL shall demonstrate that the six data protection principles (outlined above) are met for all personal data for which it is responsible.
Data Sources
Personal data shall be collected only from the data subject unless one of the following applies:
I. Mexico
FSL shall ensure the following while obtaining consent for processing personal data of data subjects of Mexico:
For processing personal data (excluding sensitive/financial personal data), providing a privacy notice with information regarding data processing satisfies the requirement for tacit consent (which is required for processing non-sensitive data), provided that the privacy notice is not opposed by the data subject.
II. Philippines
FSL shall ensure the following while obtaining consent for processing personal data of data subjects of Philippines:
FSL shall, where required by applicable law, contract, or where it considers that it is reasonably appropriate to do so, provide data subjects with information as to the purpose of the processing of their personal data and other relevant processing details.
I. India
FSL shall provide the data subjects the option to request the privacy notice in any of the languages specified in the Eighth Schedule of the Constitution of India.
7.3.1 Data processing
FSL shall process personal data when at least one of the following requirements is met:
If the purposes of processing personal data change over time or data is to be used for a new purpose which was not originally anticipated, the processing shall only be performed if:
7.3.2 Sensitive personal data
FSL shall avoid the processing of sensitive personal data where it is not required for the purposes for which the data is collected (or subsequently processed). Where sensitive personal data is required to be processed, FSL shall limit access to appropriate persons.
7.3.2.3 Geography-specific requirements for processing sensitive data
I. Mexico
As per FDPL, for processing sensitive and financial data, FSL shall obtain explicit consent of the data subjects and record the same.
II. Philippines
As per DPA, for processing sensitive data, FSL shall obtain explicit consent of the data subjects.
7.3.3 Data retention
7.3.4 Data disposal
7.3.5 Direct marketing
FSL shall not send promotional or direct marketing material to a data subject (for example, through digital channels such as email and the Internet or conventional channels including but not limited to fax, email, SMS, and MMS) without first obtaining their consent.
The data subject shall be informed at the point of first contact that they have the right to withdraw consent, at any stage, from having their data processed for marketing purposes. If the data subject withdraws consent to processing of their personal data, the minimum required details to identify the data subject shall be kept on a suppression list with a record of their opt-out decision, rather than being completely deleted.
Further, FSL shall not disguise or conceal its identity in any direct marketing communication and shall provide the contact details of the DPO so that the data subject may send a request to opt-out or unsubscribe from such communication.
For the purpose of demonstrating accountability, appropriate records related to processing personal data shall be maintained, including but not limited to the following:
FSL shall ensure robust safeguards are in place to protect personal data by ensuring the following:
7.5.1 Privacy by design (PbD)
FSL shall apply Privacy by Design principles by applying strong privacy practices early and consistently to projects and business processes which involve personal data processing. The obligation to enforce privacy by default shall apply to the types of personal data collected, the extent of processing, the period of storage and the accessibility of the personal data.
Each business function of FSL shall ensure that where required as per the applicable privacy regulation, a Data Protection Impact Assessment (DPIA) is conducted, in consultation with the DPO, for any new and/or revised systems or processes for which it has responsibility. The subsequent findings of the DPIA shall then be submitted to the DPO for review and approval.
Each business function of FSL shall ensure that where required as per the applicable privacy regulation, a Legitimate Interest Assessment (LIA) is conducted, in consultation with the DPO, for any existing or new and/or revised systems or processes where legitimate interest is relied upon as lawful basis for processing.
FSL shall establish a process to enable and facilitate the data subject rights related to:
On receiving a request when a data subject exercises any of his or her rights, FSL shall respond to the requests within stipulated timelines as per the applicable data protection laws.
All FSL employees that have access to personal data shall have their responsibilities under this Policy outlined to them as part of their onboarding training. Additionally, FSL shall conduct refresher data protection training annually.
In order for FSL to carry out its operations effectively, there may be occasions when it is necessary to transfer personal data from one FSL entity to another or to share personal data with service providers that are located overseas, or to allow access to the personal data from an overseas location. Should this occur, the FSL entity sending / allowing access to the personal data shall remain responsible for ensuring protection for that personal data.
FSL shall handle the transfer of personal data between FSL entities, where the location of the recipient entity is a non-adequate country as per safeguards mentioned in applicable laws (such as obtaining consent, SCC, IDTA etc.). FSL shall transfer only the minimum required personal data and ensure adequate security measures for protection of personal data during the transfer.
FSL shall only transfer personal data to or allow access by third parties through a Data Processing Agreement (DPA), when it is assured that the information will be processed legitimately and protected appropriately by the recipient. These agreements shall clarify each party’s responsibilities in respect to the personal data transferred. The third party shall establish procedures to meet the terms of their agreement with relevant FSL entity/subsidiary to protect personal data and demonstrate compliance with the data transfer requirements as per applicable data protection laws.
Personal data shall be disclosed to data processors (such as vendors and contractors) only for identified lawful purposes and after obtaining appropriate consent from the data subjects/providing appropriate notice, as applicable, unless a law or regulation allows or requires otherwise. Where FSL is outsourcing services to a third party (including cloud computing services), FSL shall consider whether the outsourcing will entail any non-adequate country transfers of personal data.
FSL shall establish robust personal data breach detection, investigation, and reporting procedures.
Any individual who suspects that a personal data breach has occurred due to the theft or exposure of personal data shall immediately notify the DPO providing a description of the breach.
FSL shall investigate all reported incidents to confirm whether a personal data breach has occurred. If a personal data breach is confirmed, FSL shall take necessary steps to minimize the risks to the rights of the data subjects. FSL shall keep a record of all breaches.
This document is effective as of January 2024. We may amend this document from time to time. Please refer to the document on a regular basis.
10.1 Appendix 1 – Data protection legislation considered
Below is the list of data protection laws that have been taken into consideration in developing this Policy:
Country | Data Protection Authority | Address |
---|---|---|
United Kingdom | Information Commissioner’s Office (ICO) | Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF |
Mexico | National Institute of Transparency for Access to Information and Personal Data Protection (Instituto Nacional de Transparencia, Acceso a la Información y Protección de Datos Personales) (INAI) | Insurgentes Sur 3211 Colonia Insurgentes Copilco, Coyoacán, Ciudad de México |
Philippines | National Privacy Commission (NPC) | 5th Floor Delegation Building, PICC Complex, Vicente Sotto Avenue, Pasay City, Metro Manila 1307, or email us at dpo@privacy.gov.ph. |
As per Digital Personal Data Protection Act, 2023, this policy shall not apply to the following:
[1] Definition of blocking as per Mexico’s Federal data privacy law
[2] Definition of database as per Mexico’s Federal data privacy law
[3] For maintaining consistency, the term Controller is used in place of the above terms in this Policy.
[4] For maintaining consistency, the term Processor is used in place of the above terms in this Policy
[5] For maintaining consistency, the term data subject is used in place of the above terms in this Policy.
[6] For maintaining consistency, the term personal data is used in place of the above terms in this Policy
[7] Definition of privileged information as per Philippines’ Data privacy Act, 2012.
[8] For maintaining consistency, the term sensitive data is used in place of the above terms in this Policy.
We will gather your name, phone number, email address, company and job title (if applicable), Firstsource office you wish to contact (if applicable), and an optional message.
Your details and message will be:
a) sent via email to the relevant person within the organisation
b) stored in our database for a period of no more than 60 days before permanent deletion
This information can be removed by request by contacting us.
Personal data type: | Source (where Firstsource obtained the personal data from if it has not been collected directly from you, the data subject): |
---|---|
First and last name | Data subject |
Email address | Data subject |
Phone number | Data subject |
Company | Data subject |
Job title | Data subject |
Firstsource office you wish to contact | Data subject |
Your industry * | Data subject |
How can we help / desired solutions * | Data subject |
Conversion page * | Conversion page * |
Past activity on our website * | Cookies |
Location (down to city level) * | IP address |
Marketing consent * | Data subject |
Sales consent * | Data subject |
Message | Data subject |
* Only relevant for forms in Case 2 (details above) |
Firstsource keeps your personal information confidential except where disclosure/transfer of personal information is required by an order under the law for the time being in force or by Government agencies including law enforcement agencies having authority of law, upon their request in writing, even without obtaining your consent.
| | Supervisory authority contact details | Data Protection Officer (DPO) |
---|---|---|
Contact Name: | Information Commissioner’s Office | Data Protection Officer |
Address line 1: | Wycliffe House | Space One |
Address line 2: | Water Lane | 1 Beadon Road |
Address line 3: | Wilmslow | London |
Address line 4: | Cheshire | W6 0EA |
Address line 5: | SK9 5AF | |
Telephone: | 01625 545 745 | |
Our carefully selected partners and service providers may process personal information about you on our behalf as described below:
“Digital Marketing Service Providers
We periodically appoint digital marketing agents to conduct marketing activity on our behalf, such activity may result in the compliant processing of personal information. Our appointed data processors include:
(i) Prospect Global Ltd (trading as Sopro) Reg. UK Co. 09648733. You can contact Sopro and view their privacy policy here: http://sopro.io. Sopro are registered with the ICO Reg: ZA346877; their Data Protection Officer can be emailed at: dpo@sopro.io.”
Firstsource Solutions Limited (this expression means and includes its affiliates and subsidiaries) has created this Website Privacy Policy in order to demonstrate Firstsource’s commitment to privacy. This Website Privacy Policy demonstrates Firstsource’s (‘we’, ‘our’, ‘us’) information gathering and dissemination practices for its corporate website (www.firstsource.com) or such other websites of Firstsource (together referred hereafter as “Website”).
Personal data type: | Source (where Firstsource obtained the personal data from if it has not been collected directly from you, the data subject): |
---|---|
First and last name | Data subject |
Email Address | Data subject |
Phone Number | Data subject |