1. Introduction
Cutting Chai Content (“CCC” or the “Company”) creates content for its clients, who may be any natural person or an incorporated entity like a company, corporation or any affiliate of the corporate entity (“Clients”), and for its independent projects. For this, CCC collects and processes data from individuals across the world, including residents in the European Union (EU). CCC is committed to conducting its business in accordance with applicable data protection requirements, including the General Data Protection Regulation 2016/679 (“GDPR”). This policy sets out the existing practices and guiding principles for CCC, when collecting, using, holding, transferring, or sharing any Personal Data of EU residents.
2. Key concepts
- “Personal Data” is any information which relates to and may be used to identify any natural person, e.g. name, email address, images, and videos.
- “Data Subject” is any natural person whose data is collected and/or processed by CCC or its Contractors.
- For Client-commissioned projects, CCC collects Personal Data from Data Subjects and processes it solely based on documented instructions from the Client. In such cases, CCC is acting as a ‘data processor’ and Clients are the ‘data controllers’ under the GDPR. In such cases, the Client exercises control over the processing and CCC is only processing data for the Client. For CCC’s independent projects, CCC shall be the data controller. When CCC is collecting and processing Personal Data of employees or Contractors, it is a data controller.
- “Contractors” are any third parties who process Personal Data on behalf of CCC. Contractors are required to collect and process Personal Data in accordance with this policy and their contract with CCC or with Clients.
Please note that any reference to the Client in this policy shall be in relation to Client commissioned projects where CCC shall be a data processor.
3. General principles for processing Personal Data
When collecting and processing Personal Data (whether as a data controller or a data processor), the Company, its employees and Contractors must adhere to the following principles:
- Fairness and lawfulness
Personal Data shall be processed lawfully, fairly and in a transparent manner. - Restriction to a specific purpose
Personal Data can only be processed for the purpose defined and communicated to the Data Subject at the time of collection. For Client-commissioned projects, the purpose is set out by Client instructions. Any subsequent changes to the purpose are only possible to a limited extent and due consent must be obtained from the Data Subject for using their Personal Data for a different purpose. - Transparency
The Data Subject must always be informed of how his/her Personal Data is being handled. As a general principle, Personal Data must be collected directly from the individual concerned. - Data minimization
CCC and its Contractors shall determine whether, and to what extent, the processing of Personal Data is necessary to achieve the purpose for which it is collected. For Client-commissioned projects, this is done as per Client instructions. - Storage and deletion
Personal Data that is no longer needed will be deleted. - Accuracy and completeness
Suitable steps must be taken to ensure that inaccurate or incomplete Personal Data is deleted, corrected, supplemented or updated. - Confidentiality and data security
CCC and its Contractors must treat Personal Data as confidential and secure it with suitable organizational and technical measures to prevent unauthorized access, illegal processing or distribution, as well as accidental loss, modification or destruction.
4. How does CCC collect Personal Data?
Sources of collection:
CCC and its Contractors collect Personal Data from the following sources:- Data Subjects;
- Third party sources such as public databases, news archives, etc.; and
- Clients
Categories of data collected:
- Interviews: The Personal Data collected is project-specific. CCC collects the following Personal Data from Data Subjects who are interviewed: name, email address, residential address and phone number. Depending on the project requirements, CCC may collect photos and videos of Data Subjects, and ask for details relevant to a particular project, which could include their experiences, opinions of preferences. CCC may also collect data that is considered sensitive under the GDPR, namely, data about religious/ philosophical beliefs; medical or health data; racial/ ethnic information; sexual preferences, sexual orientation or sex life.
- Website visitors: CCC also collects device identifiers and IP addresses relating to visitors who access CCC’s website.
- Employees and Contractors: CCC collects the following data relating to its employees and Contractors: name, address, bank account information, any information required for tax documents or personal information required as per the Indian banking system for overseas remittances or to accompany submissions for tax purposes to the Indian authorities, including bank account holders name, name of bank, bank’s address, SWIFT/ IBAN/BIC code, account number, personal identification number, and passport details (photograph page).
Categories of data collected:
- Interviews: The Personal Data collected is project-specific. CCC collects the following Personal Data from Data Subjects who are interviewed: name, email address, residential address and phone number. Depending on the project requirements, CCC may collect photos and videos of Data Subjects, and ask for details relevant to a particular project, which could include their experiences, opinions of preferences. CCC may also collect data that is considered sensitive under the GDPR, namely, data about religious/ philosophical beliefs; medical or health data; racial/ ethnic information; sexual preferences, sexual orientation or sex life.
- Website visitors: CCC also collects device identifiers and IP addresses relating to visitors who access CCC’s website.
- Employees and Contractors: CCC collects the following data relating to its employees and Contractors: name, address, bank account information, any information required for tax documents or personal information required as per the Indian banking system for overseas remittances or to accompany submissions for tax purposes to the Indian authorities, including bank account holders name, name of bank, bank’s address, SWIFT/ IBAN/BIC code, account number, personal identification number, and passport details (photograph page).
Documenting purposes of collection:
CCC and its Contractors shall assess and document the reasons for the collection of any Personal Data before collection.Seeking Data Subjects’ consent:
CCC and its Contractors will obtain Personal Data only by lawful and fair means and where possible, with the knowledge and consent of the Data Subject concerned. When seeking consent, CCC shall provide sufficient notice to Data Subjects about how their Personal Data will be used/ handled and seek specific consent through a consent form.
Special Consent in cases of minors:
CCC and their Contractors shall ensure that in cases of collection and/or processing of Personal Data from children below the age of 16 years, express consent is obtained from the guardian of such minor.
Legal basis for collection and processing:
In certain limited cases, CCC may collect Personal Data without consent if:
- Processing is necessary for the performance of a contract to which the Data Subject is party or in order to take steps at the request of the Data Subject prior to entering into a contract;
- Processing is necessary for compliance with a legal obligation to which the CCC is subject to;
- Processing is necessary in order to protect the vital interests of the Data Subject or of another natural person, or
- Processing is necessary for actions carried out for legitimate interests (including journalism).
Seeking consent for processing certain special categories of data:
‘Sensitive Personal Data’ includes data about racial and ethnic origin, political beliefs, religious or philosophical beliefs, union membership, criminal records and the health and sexual life of the Data Subject. Under applicable national law, further data categories may be considered highly sensitive or the content of the data categories can be filled out differently. When collecting such data, CCC and its contractors will get specific explicit consent from Data Subjects.
5. How is Personal Data stored and used by CCC?
- All Personal Data collected is stored in internal drives (physical hard drives or cloud-based file sharing platforms) whose access shall only be with the relevant team members of CCC and the relevant Contractors, on a need-to-access basis. Clients are granted access to Personal Data or processed Personal Data on a separate external cloud-based drive, as per their instructions and requirements.
- CCC uses the Personal Data of Data Subjects for the following purposes:
- Research and content development, including news articles, videos and other products for Clients, as per their instructions, and for CCC’s internal projects. CCC may further provide Personal Data to their Client’s related companies or organizations upon the Client’s request for similar purposes;
- Collation of data into data sets and for further field research and analysis such as inferences/ insights about Data Subjects’ behavior, as may be required by the Clients or for CCC’s internal projects; or
- The general running and business administration of CCC.
- If a particular type of processing involves high risk to Data Subjects, such as large-scale processing or systematic and extensive evaluation of personal aspects of individuals based on profiling sensitive data, CCC will conduct a data protection impact assessment.
6. What measures does CCC adopt to secure Personal Data?
CCC and the Contractors will adopt physical, technical, and organizational measures to ensure the security of Personal Data. The security safeguards are decided on the basis of level of risk to Data Subjects taking into account the state of art, costs of implementation and the nature, scope and context of processing. This is aimed at preventing accidental or unlawful destruction, loss, alteration, unauthorized disclosure/ access to Personal Data. Contractors are obliged to adopt the security measures set out in this policy in addition to any data security measures in their agreements with CCC. CCC will review the security measures adopted annually. Presently, CCC deploys the following measures:
- Prevent unauthorized persons from gaining access to data processing systems in which Personal Data are processed and having logical access controls on such systems;
- Prevent physical access to the servers or hard drives wherein Personal Data has been stored with measures such as locks, alarm systems, fences, cameras, etc.;
- Ensure that Personal Data is protected against undesired destruction or loss by having secured internet connections (e.g.: SSL/TLS technology), secured internal networks with firewalls and anti-virus software on the processing/storage systems;
- Encryption of devices or databases containing Personal Data (e.g. full disk encryption of laptops and mobile devices), and/or
- Personal Data will not be retained by CCC or Contractors for longer than necessary in relation to the purposes for which it was originally collected, or for which it was further processed as per their Client instructions.
7. How does CCC respond to breaches?
- For the purpose of this policy, a ‘breach’ of Personal Data shall include “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.”
- In case a breach of Personal Data comes to the notice of CCC and/or the Grievance Officer, the Grievance Officer shall promptly identify such breach and record all necessary information pertaining to such breach in a notification report (“Report”). Such Report shall contain a description, in clear and plain language, of the nature of the Personal Data breach, details of the categories of Personal Data involved, an approximate number of the Data Subjects concerned, and and the measures which have been undertaken by CCC as a data controller for the mitigation and remedying such breach. The Report shall be delivered to the relevant supervisory authority under the GDPR within 72 hours of the alleged Personal Data breach.
- In case a breach of Sensitive Personal Data comes to the notice of CCC and/or the Grievance Officer, the Grievance Officer shall act similarly, as for a Personal Data breach, and deliver the Report to the relevant supervisory authority under the GDPR and additionally to the affected Data Subjects as soon as possible after the preparation of the Report. The Report shall additionally contain the name and contact details of the Grievance Officer or other contact from which more information can be obtained, details of the likely consequences of the Sensitive Personal Data breach and information as to the measures taken or proposed to be taken to address the Sensitive Personal Data breach.
- In cases of complaints by Data Subjects, the Grievance Officer will initiate an investigation into the incident and look specifically into the source of the leak of Personal Data and will inform the Data Subject of the progress and the outcome of the complaint at reasonable periods of time.
8. What are the rights of Data Subjects?
- Data Subjects shall have the following rights in relation to their Personal Data:
- Right to information. Data Subjects can request for information about the purpose for which the Personal Data is collected, and how the same would be stored and processed.
- Right to rectification. In the event that any Personal Data provided by Data Subjects is inaccurate, then the Data Subjects shall have the right to provide the accurate Personal Data for rectifying such Personal Data immediately.
- Right to the restriction of Personal Data processing. Data Subjects have a right to object to the usage of their Personal Data for advertising and/or market research.
- Right to erasure. Data Subjects have right to demand the deletion of their Personal Data after the purpose for which it was collected ceases to apply.
- Right to opt-out. If applicable Data Subjects may opt out of receiving promotional emails and/or push notifications on their devices from CCC by writing to them.
- Right to lodge a complaint. Without prejudice to any other administrative or judicial remedy, Data Subjects have the right to lodge a complaint with the relevant supervisory authority against the use of any Personal Data. Data Subjects may approach the Grievance Officer, as per clause 9 of this policy, to lodge such complaints as well.
- Right to information. Data Subjects have a right to receive a copy of all their Personal Data which is collected. They further have a right to know the identity of the third parties with whom their Personal Data is transmitted or shared.
- Data Subjects may file a complaint with our Grievance Officer regarding any queries/complaints they have towards the exercise of any of their rights related to their Personal Data. In relation to Client commissioned projects, CCC shall facilitate the forwarding of such requests of Data Subjects to the Client. For independent projects, CCC shall take note and action itself in relation to such requests.
9. How can Data Subjects exercise their rights and raise grievances?
- A Grievance Officer, appointed by CCC, shall supervise the compliance of this policy in cases where CCC is a data controller.
- For such cases, the Data Subjects may approach the Grievance Officer at any time to raise concerns regarding a Personal Data breach or a request for information. Data Subjects may also reach out to the Grievance Officer for exercise of their rights such as access, rectification or deletion as described in Para 8.
- Contact details of the Grievance Officer are below:
Name: Grievance Officer
Email: info@cuttingchaicontent.com
10. Where will Personal Data be stored/ will it be shared across borders?
CCC is based in India. As an offshore processor for EU Clients, CCC may require Personal Data of EU residents to be transferred outside the EU to India. When collecting Personal Data, EU residents will be informed that their Personal Data may be shared/ transferred to CCC or its Contractors in India and their explicit consent will be obtained through a consent form.
11. Miscellaneous
- This policy will be reviewed by CCC every three years, unless there are any changes to regulations or legislation that would enable a review earlier.
- All Contractors that have access to Personal Data shall be well versed with their responsibilities under this policy. In addition, each Contractor will update themselves about/provide regular Data Protection training and procedural guidance for their staff.
- CCC must ensure that all their employees responsible for the processing of Personal Data are aware of and comply with the contents of this policy. In addition, each third party engaged to process Personal Data on CCC’s behalf, in addition to Contractors, shall be made aware of and comply with the contents of this policy.