1. Personal Data Protection Mission of ICICI Securities Limited
ICICI Securities Limited ("ICICI Securities" or "the Company" or "we"), as a part of its business activities, collects and uses personal and sensitive personal information about its customers, employees, vendors and others with whom the Company deals. In addition, the Company may occasionally be required to collect and use information of this kind to comply with applicable regulatory/statutory requirements. There is therefore a need to protect the Personal Information collected by the Company, and ICICI Securities is strongly committed to protecting the privacy of the individuals whose Personal Data it holds, and to processing such Personal Data in a way that is consistent with applicable data protection legislation and the principles set out below. This Personal Data Protection Standard (the "Standard") should be read in conjunction with the 'Addendum to Personal Data Protection Standard' (the "Addendum"), which sets out additional personal data protection requirements for individual clients residing in the European Union, in compliance with the EU General Data Protection Regulation (GDPR).
2. The objective of this Standard
This Standard sets out how ICICI Securities should handle Personal Data received from, or about, its employees (including branch offices), existing or prospective clients, customers and other third parties.
The objective of this Standard is to:
- set the minimum standards on how Personal Data should be handled within ICICI Securities;
- create a responsible culture of data protection within ICICI Securities;
- identify and promote compliance with all applicable data protection laws and regulations;
- identify and manage the legal, regulatory and other obligations with respect to the protection of Personal Data; and
- increase employee awareness of data protection in general, and of acceptable data handling practices and applicable requirements in relation to Personal Data.
3. The scope of this Standard
This Standard applies to all employees of ICICI Securities (including its branch offices) and any third parties who collect, possess, use, disclose, transfer, store, or by any other means have access to Personal Data regardless of their geographic location.
This Standard should also be read in conjunction with the ICICI Group’s Information Security Policy, the Record Management Policy and Code of Business Conduct and Ethics. ICICI Securities shall set up a framework to ensure implementation of this Standard across ICICI Securities.
Exclusions – This Standard does not apply to our overseas Subsidiaries, as they have their own Privacy Policies. Further, this Standard shall not apply to anonymised data. Anonymisation, in relation to personal data, means an irreversible process of transforming or converting personal data to a form in which a data subject cannot be identified, which meets the standards of irreversibility specified by the Data Protection Authority of India.
4. Applicable Laws & Regulations
ICICI Securities shall adhere to and comply with all applicable laws, regulations and standards relating to data protection and privacy in each of the jurisdictions set out in the Addendum.
5. Collection of Personal Data
ICICI Securities may collect Personal Data from Data Subjects in the following ways (directly or indirectly):
- Where the Data Subject is aware of or cognizant of the Personal Data being collected (For example: when the Data Subject fills out a physical or online form and is knowingly providing the required personal data).
- Where the Data Subject may not necessarily be aware of or cognizant of the Personal Data being collected (For example: when the Data Subject interacts online with ICICI Securities’ digital property where various online identifiers and other Personal Data are collected).
- Where the Data Subject’s Personal Data is collected from third parties (For example: ICICI Securities may use a third party to collect personal data on its behalf, such as when conducting customer surveys or similar activities).
6. Role of ICICI Securities
ICICI Securities is accountable to its Data Subjects for the Personal Data collected or processed by it.
- ICICI Securities acts as a “Data Controller” where it determines the purposes and means of processing the Personal Data;
- ICICI Securities acts as a “Joint Controller” where it determines the purposes and means of processing Personal Data in conjunction with an external party;
- ICICI Securities acts as a “Data Processor” where it processes Personal Data on behalf of another entity (e.g. as a service provider).
7. Personal Data Protection Principles
ICICI Securities is committed to maintaining the accuracy, confidentiality and security of Personal Data under its control. Reasonable steps will be taken to ensure that Personal Data is adequate, relevant, up to date, not excessive and wherever possible obtained directly from the Data Subject. ICICI Securities will establish the necessary processes to demonstrate its compliance with the personal data protection principles set out below:
ICICI Securities shall be accountable towards its Data Subjects for ensuring the personal data protection of the Personal Data it processes. ICICI Securities should be able to demonstrate that any processing undertaken by it or on its behalf is in accordance with the applicable data protection laws & regulations.
ICICI Securities shall take reasonable steps to ensure that the Personal Data it collects and processes is complete, accurate and up-to-date. ICICI Securities shall at a minimum take the following measures for ensuring the accuracy of Personal Data:
- While accepting any customer applications and other service requests, ensure that the handwriting is readable and mandatory fields are completed.
- Exercise caution when entering/amending customer/employee information into ICICI Securities' systems or when adding any additional notes in customer/employee files.
- Ensure that any requisite modifications to Personal Data held by ICICI Securities are communicated to any applicable Third Parties with whom the Personal Data has been shared.
- Provide appropriate and adequate opportunities and mechanisms to Data Subjects to communicate any changes or corrections to the Personal Data provided by them and implement such changes or corrections in accordance with due process.
7.3 Lawful bases for processing Personal Data
The processing of Personal Data shall be lawful only if and to the extent that at least one of the following bases for processing applies:
- The Data Controller has given the Data Subject a notice, at the time of collection of data, containing reasonable information with respect to purposes, categories, rights of the Data Subject, etc. The Data Controller shall take necessary steps to ensure that the personal data processed is complete, accurate, not misleading and updated, having regard to the purpose for which it is processed, and the Data Subject has given explicit consent to the processing of his or her Personal Data;
- The Personal Data may also be processed without the consent of the Data Subject if processing is necessary (i) for the performance of any function of the State authorized by law, (ii) under any law made by Parliament or a State Legislature, (iii) for compliance with any order or judgment of any court or tribunal in India, (iv) to respond to any medical emergency involving a threat to life or a severe threat to the health of the Data Subject or any other person, (v) to undertake any measure to provide medical treatment or health service to any individual during an epidemic, outbreak of disease or any other threat to public health, or (vi) to undertake any measure to ensure the safety of, or provide assistance or services to, any individual during any disaster or any breakdown of public order;
- The processing is necessary for the performance of a contract to which the Data Subject is a party, or with a view to entering into such a contract (e.g. where the processing is necessary to provide and manage a Data Subject's account);
- The processing is necessary to comply with any legal obligation to which ICICI Securities is subject, other than an obligation by contract (e.g. where the processing is necessary for compliance with ICICI Securities' regulatory obligations);
- The processing is necessary in order to protect the vital interests of the Data Subject or of another natural person;
- The processing is necessary for the performance of a task carried out in the public interest; or
- The processing is necessary for the purposes of the legitimate interests pursued by ICICI Securities or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the Data Subject which require protection of Personal Data.
7.4 Lawful bases for processing Sensitive Personal Data
ICICI Securities may only collect and process Sensitive Personal Data when one of the following conditions is met:
- The Data Subject has given his/her written consent to the processing of that Sensitive Personal Data;
- The Sensitive Personal Data may also be processed without the consent of the Data Subject if processing is necessary (i) for the performance of any function of the State authorized by law, (ii) under any law made by Parliament or a State Legislature, (iii) for compliance with any order or judgment of any court or tribunal in India, (iv) to respond to any medical emergency involving a threat to life or a severe threat to the health of the Data Subject or any other person, (v) to undertake any measure to provide medical treatment or health service to any individual during an epidemic, outbreak of disease or any other threat to public health, or (vi) to undertake any measure to ensure the safety of, or provide assistance or services to, any individual during any disaster or any breakdown of public order;
- The processing is necessary for the purposes of carrying out the obligations and specific rights of ICICI Securities;
- The processing is necessary to protect the vital interests of the Data Subject or of another person where the Data Subject is physically or legally incapable of giving his consent;
- The processing relates to Personal Data which are manifestly made public by the Data Subject;
- The processing is necessary for the establishment, exercise or defense of legal claims or whenever courts are acting in their judicial capacity;
- The processing is necessary for compliance with any regulatory or legal obligation to which ICICI Securities is subject;
- The processing is necessary to comply with any regulatory requirements, auditing, accounting, anti-money laundering or counter terrorist financing obligations or the prevention or detection of any crime that apply to ICICI Securities;
- The processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the Data Subject.
ICICI Securities shall obtain consent from Data Subjects when collecting Personal Data, wherever consent is relied upon as the legal basis for processing Personal Data. For the consent of the Data Subject to be valid, it must be freely given, informed, specific, obtained through an affirmative action and capable of being withdrawn. The consent should be collected from the Data Subject no later than at the commencement of the processing of their Personal Data. ICICI Securities shall have appropriate mechanisms in place to allow Data Subjects, at any time during the lifecycle of their association with ICICI Securities or later, if applicable, to withdraw any consent they have provided for the processing of their Personal Data. Such individuals shall be informed of the consequences of denying or withdrawing their consent, including the ability or inability of ICICI Securities to process transactions or deliver products and services upon withdrawal.
7.6 Purpose Limitation
ICICI Securities shall collect Personal Data only for specific, explicit and legitimate purposes, and shall process Personal Data only for the purpose(s) for which it was collected. ICICI Securities shall ensure that it documents the purpose(s) for processing the Personal Data that is collected within each applicable process, function or relationship. ICICI Securities employees shall use the Personal Data they have access to exclusively for the performance of their duties and in order to fulfil their employment obligations.
7.7 Data Minimization
ICICI Securities shall establish appropriate processes and controls to ensure that it collects only that Personal Data from Data Subjects which is adequate, relevant and limited to the purposes for which it is to be processed.
7.8 Storage Limitation
ICICI Securities shall store Personal Data only as long as may be reasonably necessary to satisfy the purpose for which it is processed. Personal Data may be retained for a longer period of time only if such retention is explicitly mandated, or necessary to comply with any obligation under law. The Personal Data shall otherwise be retained in accordance with ICICI Securities' Record Management Policy. Personal Data records shall be periodically reviewed to assess whether it is necessary to retain such Personal Data. ICICI Securities shall take reasonable steps to destroy or permanently anonymise any Personal Data that is identified as being unnecessary, or otherwise in accordance with ICICI Securities' Record Management Policy.
ICICI Securities shall ensure that checks are made prior to any disclosure of Personal Data to a third party to ensure that:
- there are legal and/or regulatory grounds (including a lawful basis) for such disclosure;
- only the minimum amount of Personal Data necessary is disclosed to third parties; and
- an appropriate record of all such disclosures of Personal Data is maintained, which shall demonstrate the lawful basis for such disclosure.
ICICI Securities shall transfer Personal Data only to those third parties who have similar levels of data protection mechanisms and controls in place, as specified in this Standard, or only after execution of a proper Non-Disclosure Agreement whereby ICICI Securities can ensure the protection of such transferred Personal Data. Where Personal Data is being transferred across geographical boundaries, ICICI Securities shall establish appropriate processes and controls to comply with the cross-border transfer requirements of the host and destination jurisdiction(s).
ICICI Securities shall ensure that all the Personal Data it processes is kept secure using appropriate technical and organizational measures including necessary policies, processes and controls. ICICI Securities shall implement and maintain as a minimum the information security standards and frameworks required by applicable laws and regulations. These security standards shall include but are not limited to:
- having appropriate physical access controls in place to protect Personal Data from unauthorized or illegal access and environmental threats/hazards;
- having protective measures for Personal Data at rest which could include encryption or pseudonymization;
- identifying and assessing security threats in connection with Personal Data processing and creating corresponding threat models;
- appointing appropriate persons to be responsible for the organization of Personal Data processing and security;
- stress testing the readiness and effectiveness of information security measures; and
- providing personnel training to ICICI Securities employees in data protection and security procedures.
Below is a non-exhaustive list of how ICICI Securities employees can safeguard the Personal Data that ICICI Securities Processes:
- any customer application forms should be stored in a fireproof place; data contained in spreadsheets should be password protected. Necessary guidelines issued by ICICI Bank Ltd - Information Security Group (ISG) would be followed in this regard;
- cabinets in the workplace should be locked at the end of each working day and should not be vulnerable to access from third parties unless access is specifically permitted;
- access to databases containing Personal Data should be limited to authorized persons on a "need to know" basis (including access to external email providers such as Hotmail, Gmail, etc.);
- Data carried in portable media (e.g. CDs/Disks/USBs/Tapes etc.) should be encrypted when transported from the ICICI Securities Data source to such portable media;
- Data should be retained in accordance with the ICICI Securities Record Management Policy;
- the Personal Data of any Data Subject contained in e-mails, saved onto desktop folders or kept in hard copy, that does not need to be maintained, should be destroyed immediately (or if not destroyed, caution should be maintained that such information is not altered/tampered with so as to cause harm or prejudice to any Data Subject or cause potential reputational risk to ICICI Securities). This includes hard copies of files or paper records that do not need to be archived and are unnecessary to be kept; and
- ICICI Securities employees should be vigilant at all times when handling Personal Data and must be aware of their responsibilities and obligations as set out in this Standard.
7.12 Rights of Data Subjects
ICICI Securities is committed to providing its Data Subjects with all applicable rights as mandated by applicable data protection legislation in the jurisdictions set out in the Addendum. ICICI Securities shall implement the relevant mechanisms, processes and procedures to facilitate these rights for the Data Subjects. The Data Subject shall have the following rights:
- Right to Confirmation and Access: The Data Subject shall have the right of confirmation over the processing activities undertaken by the Data Controller with respect to Personal Data. The Data Subject shall have the right to access in one place the identities of the data processors with the categories of personal data shared with them.
- Right to Correction and Erasure: The Data Subject shall have the right to:
  - the correction of inaccurate or misleading personal data;
  - the completion of incomplete personal data;
  - the updating of personal data that is out of date; and
  - the erasure of personal data which is no longer necessary for the purpose for which it was processed.
- Right to be Forgotten: The Data Subject shall have the right to restrict or prevent the continuing use/disclosure of his personal data by a data controller where such disclosure:
  - has served the purpose for which it was collected or is no longer necessary for the purpose; or
  - was made with the consent of the Data Subject and such consent has since been withdrawn.
8. Additional Personal Data Protection Measures for ICICI Securities
ICICI Securities shall establish and update necessary processes & procedures to facilitate the establishment and management of the requirements of this Standard. This includes the following:
8.1 Information Classification of Personal Data and Sensitive Personal Data
All Personal Data and Sensitive Personal Data shall be categorized as ‘Confidential’ information as per the Information Security Policy of ICICI Securities. All policies, processes and controls applicable to the above categorization shall automatically be applicable to Personal Data and Sensitive Personal Data.
8.2 Regulatory Bodies Management
ICICI Securities shall establish appropriate processes and controls to ensure that it is able to fulfil its requisite reporting obligations to, and any other obligations involving, any relevant data protection regulatory bodies in each applicable jurisdiction.
8.3 Records of Processing Activities/Record Keeping
ICICI Securities shall keep records of all processing activities involving Personal Data. These records include but are not limited to:
- Records of consent obtained (and any withdrawal of consent) from Data Subjects;
- Records of any periodic review of information security safeguards; and
- Records of any Data Subject's rights request.
9. Privacy Incident Management
ICICI Securities shall establish appropriate processes and controls to manage any privacy incidents or Personal Data Breaches. These processes and controls shall specifically include:
9.1 Reporting of Personal Data Breaches
ICICI Securities employees should notify the ICICI Securities Data Protection Officer (the "DPO") of any incident where they believe or suspect that there has been an actual or suspected Personal Data Breach, or a breach of this Standard. If an ICICI Securities employee loses or suspects that they have lost any confidential information (whether or not containing Personal Data) in any form, or a laptop, phone, iPad or any other device that contains or permits access to any of ICICI Securities' or any individual's confidential information (whether or not the device is owned by ICICI Securities), they must take the following steps: notify the DPO within 48 hours; and provide as much detail as possible about the confidential information, data, Personal Data and/or device that has potentially been lost or stolen. Upon evaluation, the DPO shall report any such incidents to the Information Technology (IT) Risk Committee of ICICI Securities on a quarterly basis. The DPO of ICICI Securities shall ensure that, in the event of a Personal Data Breach, ICICI Securities complies with any necessary procedures under applicable data protection legislation, as further set out in the Addendum.
9.2 Potential Action by ICICI Securities for breach of this Standard
Any breach or violation of this Standard by an ICICI Securities employee will be treated as 'Gross Misconduct', as defined in the ICICI Securities Code of Business Conduct and Ethics and will be dealt with as per the disciplinary procedure articulated in the ICICI Securities Code of Business Conduct and Ethics and/or Employee Accountability Matrix.
9.3 Personal Data Protection Awareness & Training
ICICI Securities shall hold regular 'Personal Data Protection Awareness and Training Programs' for its employees and teams that are likely to handle Personal Data and Sensitive Personal Data on a regular basis.
10. Responsibilities of ICICI Securities employees
Each employee of ICICI Securities agrees that they will:
- comply with the data protection principles & obligations as set out in this Standard at all times when accessing or otherwise processing any Personal Data (of which ICICI Securities is a Data Controller) in the course of their employment;
- keep all Personal Data confidential, and comply with the confidentiality obligations set out in their contracts of employment;
- process Personal Data only as part of their duties to ICICI Securities and never for any other person or organization, or for their own private use;
- bring any actual or suspected Personal Data Breach or breach of this Standard to the attention of the DPO and the Compliance team; and
- complete the annual e-learning module on personal data protection.
11. Processing of Personal Data on behalf of ICICI Securities by vendors and third party service providers
Proper due diligence should be undertaken by the relevant business owner before using any third parties that will process Personal Data on behalf of ICICI Securities, to ensure that such third parties have adequate data protection controls in place. Further, no Personal Data shall be shared without executing a proper Non-Disclosure Agreement. Relationships with all third parties should be documented by way of a written contract, which shall contain, as a minimum, details of which party will act as Data Controller and which as Data Processor, and each party's obligations with regard to Personal Data (both during and after the end of the relationship) and non-disclosure.
The obligations on the third parties under contract should include that they:
- keep the Personal Data secure and not disclose such Personal Data to a third party without informing ICICI Securities;
- put in place appropriate security safeguards/measures to maintain the confidentiality of the Personal Data;
- act as per the terms of the written agreement with ICICI Securities;
- allow ICICI Securities to conduct audits;
- obtain prior written approval from ICICI Securities before appointment of sub-processors who will use the transferred Personal Data;
- notify ICICI Securities in writing without undue delay and in any event within 24 hours of discovery of a Personal Data Breach;
- provide the requisite information to ICICI Securities in relation to exercise of any Data Subject rights; and
- delete/destroy/return the Personal Data as per the retention periods mentioned in the written agreement.
12. Organization and Governance
ICICI Securities will establish an appropriate organization structure to design, implement and manage the procedures and guidelines set out in this Standard (the "Personal Data Protection Program"). ICICI Securities shall designate data protection managers/representatives from each business function to ensure the proper implementation of this Standard. ICICI Securities will also establish the necessary governance mechanism(s) to ensure the proper governance of its Personal Data Protection Program. ICICI Securities has appointed Head – Compliance as DPO for carrying out the following functions:
- providing information and advice to ICICI Securities on its obligations under this Standard;
- monitoring the Personal Data processing activities of ICICI Securities to ensure that such processing does not violate any provision of this Standard;
- providing advice to ICICI Securities, where required, on the manner in which data protection impact assessments must be carried out, and carrying out the review of such assessments;
- providing advice to the data processors, where required, on the manner in which internal mechanisms may be developed in order to satisfy the principles set out under this Standard;
- providing assistance to and cooperating with any applicable data protection supervisory authorities;
- acting as the point of contact for any Data Subject who wishes to raise a grievance with ICICI Securities;
- maintaining an inventory of all the Personal Data records maintained by ICICI Securities; and
- issuing directions, clarifications and necessary guidance for implementing this Standard from time to time.
13. Transparency & Accountability Measures
ICICI Securities Limited shall prepare a privacy by design policy containing:
- the managerial, organizational, business practices and technical systems designed to anticipate, identify and avoid harm to the Data Subject;
- the obligations of data controllers;
- the technology used in the processing of personal data is in accordance with commercially accepted or certified standards;
- the legitimate interests of businesses including any innovation is achieved without compromising privacy interests;
- the protection of privacy throughout processing from the point of collection to deletion of personal data;
- the processing of personal data in a transparent manner; and
- the interest of the Data Subject is accounted for at every stage of processing of personal data.
14. Non-Disclosure & Confidentiality Agreements
ICICI Securities shall incorporate appropriate non-disclosure and confidentiality clauses in its agreements and/or contracts with its employees as well as any external individuals who are privy to the Personal Data being processed by ICICI Securities or its associated Third Parties.
ICICI Securities shall have its Personal Data Protection Program audited by an internal audit team and by an independent data auditor, or as may further be required by applicable laws and regulations.
16. Grievances & Complaints
All personal data protection-specific complaints shall be recorded in writing and addressed in compliance with any applicable data protection legislation, or within thirty (30) days of the receipt of the grievance by ICICI Securities, whichever is earlier. Any personal data protection-specific complaints received from Data Subjects should be directed to the DPO by the Customer Complaint Redressal team.
17. Review and Amendments
This Standard shall be reviewed annually and is required to be approved by the Committee of Directors. This Standard shall be changed in accordance with any changes in applicable laws or if any change is required by ICICI Securities for carrying out its day-to-day functions.
18. Consequences for non-compliance with the personal data protection requirements
Any breach of this Standard by any ICICI Securities employee will be taken seriously and may result in disciplinary action against them. Any Personal Data Breach or breach of this Standard may result in reputational damage for ICICI Securities and regulators may also impose a financial penalty on ICICI Securities.
- “Controller” or "Data Controller" means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.
- “Data Subject” means a natural person (individual) whose Personal Data is processed by ICICI Securities or by another entity on behalf of ICICI Securities.
- “Financial data” means any number or other personal data used to identify an account opened by, or payment instrument issued by a financial institution to a data subject or any personal data regarding the relationship between a financial institution and a data subject including financial status and credit history.
- “Joint Controller” means a Controller where two or more Controllers jointly determine the purposes and means of processing.
- “Official identifier” means any number, code, or other identifier, including Aadhaar number, assigned to a Data Subject under a law made by Parliament or any State Legislature which may be used for the purpose of verifying the identity of a Data Subject.
- “Personal Data” means data about or relating to a natural person who is directly or indirectly identifiable, having regard to any characteristic, trait, attribute or any other feature of the identity of such natural person, whether online or offline, or any combination of such features with any other information, and shall include any inference drawn from such data for the purpose of profiling. Personal Data includes but is not restricted to:
- Physical characteristics or description
- Telephone number
- Passport number
- Employment history
- Date of birth
- Name of children
- Age or gender of children
- Identifiers provided by devices, applications, tools & protocols (such as IP addresses) & Cookies
- Any other such identifiers that may be made possible by newer technologies that can be used to identify an individual, directly or indirectly.
- “Profiling” means any form of processing of personal data that analyses or predicts aspects concerning the behavior, attributes or interest of a Data Subject.
- “Sensitive Personal Data (SPD)” is a special category of Personal Data which needs focused handling. It includes:
- Financial data
- Health data
- Official identifier
- Sex life
- Sexual orientation
- Biometric data
- Genetic data
- Transgender status
- Intersex status
- Caste or tribe
- Sensitive Personal Data is a subset of Personal Data. Hence, wherever Sensitive Personal Data is not mentioned separately in this document, it is deemed to be included under Personal Data. Consequently, all that is applicable to Personal Data is automatically applicable to Sensitive Personal Data.
- Some laws use different terminology to categorize Sensitive Personal Data. For example, the EU GDPR uses the term ‘Special Categories of Data’. This Standard refers to every such category as ‘Sensitive Personal Data’.
Addendum for ICICI Securities Limited Personal Data Protection Standard for compliance of EU General Data Protection Regulation (GDPR)
1. The Scope of this Addendum
This Section A of the Addendum to the ICICI Securities Personal Data Protection Standard (the “Standard") (the "Addendum") covers ICICI Securities' data privacy and data handling obligations in respect of customers resident outside India, particularly individuals residing in the European Union (EU).
As ICICI Securities also offers services to residents of and individuals located in the EU, and processes Personal Data for the purposes of providing its various services, namely stock broking, DP services, Research Analyst services and distribution of permitted products (the "EU Client Services"), this Section A is intended to provide guidance to ICICI Securities employees on ICICI Securities’ legal obligations while handling Personal Data of customers resident in the EU. Such customers shall be referred to as Data Subjects.
2. Sensitive Personal Data
Sensitive Personal Data shall be limited to information about a Data Subject's:
- ethnic origin;
- trade union membership;
- biometrics (where used for ID purposes);
- sex life;
- sexual orientation; or
- information relating to criminal convictions and offences.
3. Rights of the Data Subject
ICICI Securities shall Process Personal Data in line with certain Data Subjects' rights. ICICI Securities is committed to protecting these rights as set out below, and shall ensure that it carries out its obligations without undue delay, and at any rate within one month of receiving the request, where feasible.
Where ICICI Securities employees receive a request from a Data Subject in respect of their rights under the GDPR, they may process the request as per the laid down process. In case of any concerns, the Compliance team may be contacted for direction.
3.1 Right to be informed
ICICI Securities shall ensure that it is transparent about its processing of Personal Data and shall ensure that it provides, or will provide, privacy notice(s) to its Data Subjects:
- at the time of collection or before any Personal Data is collected from Data Subjects; or
- at the time of or before ICICI Securities changes its Privacy Notice and any procedures impacting Data Subjects; or
- prior to the usage of previously collected Personal Data for any new purposes not previously identified and notified to the Data Subjects.
Such privacy notice(s) shall set out:
- the identity and the contact details of ICICI Securities and, where applicable, ICICI Securities’ representative;
- the contact details of ICICI Securities' DPO;
- the purposes for which ICICI Securities will process Personal Data, as well as the legal basis for the Processing (i.e. to pursue ICICI Securities' legitimate interests);
- the recipients or categories of recipients of the Personal Data, if any;
- where applicable, the fact that ICICI Securities intends to transfer Personal Data to a third country or international organisation, and the relevant safeguards that it will use in compliance with the GDPR;
- the period for which the Personal Data will be stored, or if that is not possible, the criteria used to determine that period;
- the existence of certain rights for Data Subjects to request from ICICI Securities access to and rectification or erasure of their Personal Data, or object to or restrict the processing of their Personal Data;
- their right to withdraw any given consent to ICICI Securities' Processing of their Personal Data at any time;
- the right to lodge a complaint with a supervisory authority;
- whether the provision of their Personal Data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the Data Subject is obliged to provide the Personal Data and of the possible consequences of failure to provide such Personal Data; and
- the existence of any automated decision-making, including profiling and meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the Data Subject.
3.2 Right of Access
ICICI Securities shall ensure that Data Subjects are able to obtain, upon request:
- confirmation as to whether or not ICICI Securities is processing Personal Data concerning him or her; and
- a copy of their Personal Data.
Where such Personal Data is being processed, the Data Subject shall also be provided with:
- the purposes of processing;
- the categories of Personal Data concerned;
- the recipients or categories of recipient to whom the Personal Data has been or will be disclosed including recipients in third countries or international organisations;
- the envisaged period for which the Personal Data will be stored, or, if not possible, the criteria used to determine that period;
- the existence of the right to request from ICICI Securities rectification or erasure of Personal Data or restriction of processing of Personal Data concerning the Data Subject or to object to such processing;
- the right to lodge a complaint with a supervisory authority;
- where the Personal Data was not collected from the Data Subject, any available information as to their source;
- the existence of automated decision-making, including profiling, and meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the Data Subject.
ICICI Securities shall ensure that:
- its employees are trained on identifying, logging and reporting any data access requests received from Data Subjects;
- it has the mechanisms in place to provide the information set out above as soon as reasonably practicable, and at any rate within one month of receiving the request; and
- it provides such information in a commonly used electronic format, unless otherwise requested by the Data Subject.
3.3 Right to Rectification
ICICI Securities shall ensure that upon receipt of request for rectification from a Data Subject, without undue delay ICICI Securities has the internal mechanisms to rectify any inaccurate Personal Data and to complete incomplete Personal Data concerning the Data Subject. ICICI Securities shall ensure that all such requests for rectification are dealt with without undue delay, and at any rate within one month of receiving such request.
3.4 Right to Erasure
Upon request from a Data Subject, ICICI Securities shall comply with the request to erase their Personal Data without undue delay where one of the following grounds applies:
- the Personal Data is no longer necessary in relation to the purposes for which they were collected or otherwise processed;
- the Data Subject withdraws their consent on which the processing is based and where there is no other legal ground for the processing;
- the Data Subject objects to the processing and there are no overriding legitimate grounds for ICICI Securities to continue processing the Personal Data;
- the Personal Data has been unlawfully processed; or
- the Personal Data has to be erased for compliance with a legal obligation to which ICICI Securities is subject.
3.5 Right to Restrict Processing
ICICI Securities shall ensure that a Data Subject is able to obtain, upon request, the restriction of processing of their Personal Data where:
- the Data Subject contests the accuracy of their Personal Data and ICICI Securities is verifying the accuracy of the Personal Data;
- the Personal Data has been unlawfully Processed and the Data Subject opposes erasure and requests restriction instead;
- ICICI Securities no longer needs the Personal Data but the Data Subject needs ICICI Securities to keep it in order to establish, exercise or defend a legal claim; or
- the Data Subject has objected to ICICI Securities Processing their Personal Data and ICICI Securities is considering whether ICICI Securities’ legitimate grounds override those of the Data Subject.
Where processing has been restricted, ICICI Securities shall not process such Personal Data, other than storing it, unless:
- ICICI Securities has obtained consent from the Data Subject;
- it is for the establishment, exercise or defence of legal claims;
- it is for the protection of the rights of another person (natural or legal); or
- it is for reasons of important public interest.
ICICI Securities shall ensure that it communicates any rectification or erasure of Personal Data or restriction of processing carried out to each recipient to whom the Personal Data has been disclosed, unless it is unable to do so, or will involve disproportionate effort (following an assessment of the practicalities).
3.6 Right to Data Portability
ICICI Securities shall ensure that a Data Subject is able to receive, upon request, the Personal Data concerning the Data Subject which the Data Subject has provided to ICICI Securities, in a structured, commonly used and machine-readable format, where:
- the lawful basis that ICICI Securities has relied on to process such Personal Data is consent, or for the performance of a contract; or
- the processing is carried out by automated means.
ICICI Securities does not have to comply with a request for data portability where:
- the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in ICICI Securities; or
- complying with the request will adversely affect the rights and freedoms of other Data Subjects.
3.7 Right to Object
ICICI Securities shall ensure that procedures are in place to consider and respond to requests from a Data Subject who objects to processing of Personal Data.
There are three situations in which a Data Subject can object to the processing of their Personal Data:
- Where a Data Subject objects to the processing of Personal Data for the purposes of direct marketing, ICICI Securities shall ensure that the processing is completely ceased for that Data Subject.
- Where a Data Subject objects to the processing of Personal Data for the purposes of a public task (for the performance of a task carried out in the public interest and for the exercise of official authority vested in ICICI Securities) or legitimate interest, on grounds relating to the Data Subject’s particular situation, ICICI Securities shall ensure that the Processing is ceased for that Data Subject unless ICICI Securities demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the Data Subject, or the processing is for the establishment, exercise or defence of legal claims.
- Where a Data Subject objects to the processing of Personal Data for scientific or historical research purposes or statistical purposes, on grounds relating to the Data Subject’s particular situation, ICICI Securities shall ensure that the processing is ceased for that Data Subject unless the processing is necessary for the performance of a task carried out for reasons of public interest.
3.8 Rights related to Automated Decision-Making including Profiling
ICICI Securities shall ensure that procedures are in place to consider and respond to requests from a Data Subject who does not want to be subject to a decision based solely on automated processing, including profiling.
4. Additional personal data protection measures for ICICI Securities
4.1 Obtaining consent from Data Subjects
ICICI Securities shall ensure that it obtains valid consent from Data Subjects where it is relying upon consent as the legal basis for processing (as specified in section 7.3) such Personal Data.
ICICI Securities shall ensure that the consent of the Data Subject is:
- freely given;
- specific and informed (i.e. they are provided with the information set out under Section 3.1 (Right to be informed) above);
- obtained through unambiguous and affirmative action (i.e. a written statement, the checking of a tick box or an affirmative oral statement);
- capable of being withdrawn; and
- collected from the Data Subject before the time of the commencement of the processing of their Personal Data.
Withdrawal of consent
ICICI Securities shall ensure that Data Subjects can withdraw their consent at any time, and shall have appropriate mechanisms in place that give Data Subjects the option to withdraw any consent they have provided for the processing of their Personal Data, at any time during the lifecycle of their association with ICICI Securities or later, if applicable.
Such individuals shall be informed of the consequences of denying or withdrawing their consent including the ability or inability of ICICI Securities to process transactions or deliver products and services upon withdrawal. Note that the withdrawal of consent will not impact any processing of personal data undertaken prior to the date of consent withdrawal.
4.2 Data privacy by design
ICICI Securities shall ensure that it considers data privacy and data protection issues during the initial design phase of any new systems, services, products or processes that ICICI Securities will implement, and continue to consider ways in which it could improve data privacy throughout the lifecycle of such new products and services.
4.3 Personal Data Inventory Management
ICICI Securities shall create a 'Personal Data Inventory' to give ICICI Securities the requisite visibility over the Personal Data processed by it. This inventory shall be kept up-to-date and reviewed on a periodic basis.
4.4 Use of Data Protection Impact Assessments (DPIA)
ICICI Securities shall carry out a Data Protection Impact Assessment (DPIA) of its Processing activities as and when required, after consultation with ICICI Securities’ DPO.
ICICI Securities shall consider carrying out a DPIA in any major project involving the use of Personal Data, which is likely to result in high risks to the rights and freedoms of Data Subjects.
4.5 Records of Processing Activities (ROP)
ICICI Securities shall keep records of all processing activities involving Personal Data for all the processes mentioned in the Personal Data Protection Standard and Addendum. These records include but are not limited to:
- Details of Processing activities and lawful grounds of Processing
- Details of categories of Personal Data and Data Subjects
- Details of any contracts in place with third party data processors
- Details of any recipients of Personal Data
- Details of applicable retention periods
- Records of consent and withdrawal of consent
- Records of erasure of Personal Data
- Records of periodic review of security safeguards
- Records of Data Subject right requests
- Records of data protection impact assessments
- Records of any Personal Data Breaches
4.6 Privacy and minors
With respect to banking services for minors, ICICI Securities will ensure that all privacy notices and other privacy information are drafted and presented in a way which is easy to understand for individuals under the age of 16.
Where ICICI Securities is seeking consent from a person under the age of 16 for the provision of online services, ICICI Securities shall ensure that appropriate consent is sought in line with applicable regulatory requirements.
4.7 Social Media Sites
ICICI Securities employees should always exercise caution when using any social media sites (which includes the use of Facebook, Instagram, Twitter and Snapchat), and refrain from using social media sites in a way which would cause them to be in breach of the Personal Data Protection Standard and Addendum, or of any confidentiality obligations owed to ICICI Securities.
4.8 Personal Data Breaches
Pursuant to the procedures set out in the Personal Data Protection Standard regarding Personal Data Breaches, the DPO should ensure that any Personal Data Breaches that are likely to result in a risk to the rights and freedoms of Data Subjects are notified to the relevant privacy supervisory authority(ies) without undue delay, and in any event within 72 hours of becoming aware of the Personal Data Breach. The DPO shall also carry out an assessment of whether the Personal Data Breach is likely to result in a high risk to the rights and freedoms of Data Subjects, and whether the affected Data Subjects will therefore also need to be notified. ICICI Securities shall ensure that it has internal processes in place for effecting such notifications. Personal Data Breaches can be notified through the ‘Report a Personal Data Breach’ link on the Universe.
4.9 Data Retention
ICICI Securities shall store Personal Data only as long as may be reasonably necessary to satisfy the purpose for which it is processed. Personal Data may be retained for a longer period of time only if such retention is explicitly mandated, or necessary to comply with any obligation under law. The Personal Data shall otherwise be retained in accordance with ICICI Securities’ Record Management Policy. Personal Data records shall be periodically reviewed to assess whether it is necessary to retain such Personal Data. ICICI Securities shall take reasonable steps to destroy or permanently anonymise any Personal Data that is identified as being unnecessary, or otherwise in accordance with ICICI Securities' Record Management Policy.
4.10 Data Protection Officer and European Representative
The GDPR requires ICICI Securities to appoint a Data Protection Officer if:
- It is a public authority or body (except for courts acting in their judicial capacity);
- Its core activities require large scale, regular and systematic monitoring of individuals (for example, online behaviour tracking); or
- Its core activities consist of large scale processing of special categories of data or data relating to criminal convictions and offences.
As ICICI Securities will offer services to EU Data Subjects, and process EU Personal Data for the purposes of providing the broking and other allied Services, ICICI Securities shall ensure that it has appointed a European representative (as required under Article 27 of the GDPR) unless ICICI Securities maintains an establishment in the EU. An EU Representative is required to co-operate with any supervisory authorities of each Member State upon request and on behalf of ICICI Securities.
5. International transfers of Personal Data
ICICI Securities shall only store or transfer the Personal Data of Data Subjects outside India in compliance with applicable regulatory requirements and where the means of transfer provides adequate safeguards. The most commonly relied upon mechanisms to provide adequate safeguards are where:
- the transfer is governed by a data transfer agreement with a third party, incorporating the current standard contractual clauses adopted by regulators for the transfer of personal data by controllers in India to controllers and processors in jurisdictions without adequate data protection laws;
- the transfer is necessary for the conclusion or performance of a contract between ICICI Securities and Data Subject, or with a third party, and the transfer is in the interests of the Data Subject for the purposes of that contract;
- there has been a finding of adequacy by the European Commission in respect of that country's levels of data protection via its legislation;
- ICICI Securities has put in place an intra-group agreement between its group entities, which incorporates the current standard contractual clauses adopted by the European Commission for the transfer of personal data by controllers in the EEA to controllers and processors in jurisdictions without adequate data protection laws.