Data Privacy and Protection Policy

Version: 1.0 | Effective Date: [Insert Date]

Introduction
At Consulting Engineers Group Limited ("the Company"), we recognize the critical
importance of protecting the privacy and personal data of individuals with whom we
interact—be it employees, clients, partners, or third parties. In a digital and data-driven
environment, ensuring the confidentiality, integrity, and lawful handling of data is not only
a legal obligation but a fundamental responsibility. This Data Privacy and Protection Policy
has been formulated in alignment with the Digital Personal Data Protection Act, 2023
(DPDP Act), the Information Technology Act, 2000, and applicable international standards.
It defines the Company’s commitment to upholding the rights of data principals,
establishing clear roles and responsibilities, and embedding data protection principles into
all our operations. Through this policy, we aim to foster trust, promote transparency, and
safeguard all forms of personal and non-personal data processed across our organization.

1. Purpose
This Data Protection Policy outlines the principles and guidelines followed by Consulting
Engineers Group Limited ("the Company") to ensure the confidentiality, integrity, and
security of personal and non-personal data. It is framed in accordance with Indian
regulations including the Digital Personal Data Protection Act, 2023 (DPDP Act), the
Information Technology Act, 2000, and international best practices.
2. Scope
This Policy applies to:
 All Company employees (current and former), interns, contractors, vendors, and
consultants.
 All external service providers, partners, and third parties processing or handling data on
behalf of the Company.
 All data processing activities including but not limited to collection, storage, access, use,
sharing, transfer, retention, and disposal of data.
3. Definitions
 Personal Data: Any data that can identify an individual directly or indirectly.
 Sensitive Personal Data: Includes financial data, biometric data, health data, caste,
religion, etc.
 Data Principal: The individual to whom the personal data belongs.
 Data Fiduciary: The Company, which determines the purpose and means of processing
personal data.
 Data Processor: Any person or organization that processes data on behalf of the Data
Fiduciary.
 Processing: Collection, use, storage, transfer, sharing, or disposal of data.

4. Data Protection Principles

1. Lawfulness, Fairness, and Transparency: Data shall be collected and processed lawfully
and fairly.
2. Purpose Limitation: Data shall only be used for the purpose for which it is collected.
3. Data Minimization: Only data necessary for specified purposes shall be collected.
4. Accuracy: Data shall be kept accurate and updated.
5. Storage Limitation: Data shall be retained only as long as necessary.
6. Integrity and Confidentiality: Data shall be protected against unauthorized access, loss,
or damage.
7. Accountability: The Company is responsible for compliance with these principles and
shall be able to demonstrate such compliance.

5. Roles and Responsibilities

Data Protection Officer (DPO)
 Ensure implementation of and compliance with this Policy.
 Handle data subject access requests and grievances.
 Oversee data protection impact assessments (DPIA).
Information Technology (IT) Team
 Implement technical controls and security measures.
 Monitor systems for vulnerabilities and threats.
 Ensure secure data storage, access controls, and encryption.
All Employees
 Adhere to the provisions of this Policy.
 Participate in training and awareness sessions.
 Report any data protection violations or incidents.

6. Data Collection and Use

 Data shall be collected lawfully, with the consent of the data principal where applicable.
 Data collected will be limited to what is necessary for business, contractual, or legal
obligations.
 The Company may collect data directly from the data principal or from third-party
sources with appropriate safeguards.
 7. Rights of Data Principals
Data Principals have the following rights under the DPDP Act:
 Right to access their personal data.
 Right to correction and erasure.
 Right to withdraw consent.
 Right to data portability.
 Right to grievance redressal.
 Right to be forgotten.
Requests will be addressed within the legally mandated period.

8. Data Sharing and Third-Party Processing

 Third parties with access to personal data must be under contractual obligation to comply
with data protection standards.
 Data transfers, especially outside India, will be subject to appropriate safeguards.
 Data Sharing Agreements (DSAs) or Non-Disclosure Agreements (NDAs) will be enforced.

9. Data Security
 Security measures include firewalls, anti-malware tools, encryption, secure access
controls, and audit trails.
 All employees are responsible for the secure handling of data.
 Security policies will be reviewed and updated periodically.

10. Data Retention and Disposal

 Data will be retained as long as necessary for business, legal, or regulatory purposes.
 Upon expiry of retention, data will be securely disposed of via shredding or digital
deletion.

11. Data Breach Management

 Any suspected or actual data breach must be reported immediately to the DPO.
 Affected individuals and regulatory authorities will be notified as per legal requirements.
 Post-incident analysis will be conducted to strengthen preventive controls.
 12. Training and Awareness
 All employees will receive data protection training during onboarding and through regular
refresher sessions.
 Awareness campaigns will be conducted to promote a culture of data privacy.

13. Grievance Redressal and Complaints

 Data Principals may submit grievances to the DPO.
 If unsatisfied with the resolution, escalation to regulatory authorities is permitted.

14. Policy Review and Amendments

 This Policy will be reviewed annually or when required due to changes in laws or business
practices.
 Updates will be communicated to all stakeholders via official communication channels.

Approved by: [Name, Designation]

Date: [Insert Date]
Next Review Date: [Insert Date]

End of Document

Certainly! Here's a comprehensive and detailed explanation of the Data Protection

Principles outlined in Section 4 of your policy, written in a clear, precise, and professional
manner:

4. Data Protection Principles – Detailed Discussion

1. Lawfulness, Fairness, and Transparency
All data processing activities must adhere to the legal frameworks applicable under Indian
laws such as the DPDP Act, 2023 and the IT Act, 2000, as well as globally recognized best
practices. Lawfulness ensures that data is collected and used only when there is a
legitimate basis—such as user consent, contractual necessity, or legal obligation. Fairness
 requires that data is handled in a manner that does not deceive or harm the data
principal, while transparency demands that individuals are fully informed about what
data is being collected, why it is needed, how it will be used, and who it may be shared
with. Transparency is typically achieved through clear and accessible privacy notices,
consent forms, and open communication with stakeholders.
2. Purpose Limitation
Personal data must be collected for clearly defined, specific, and lawful purposes, and
must not be used in ways that are incompatible with those purposes. This principle
prevents misuse or repurposing of data after it has been collected. For instance, if data is
collected for employment verification, it should not be used later for unrelated marketing
activities without explicit consent. Organizations must ensure that internal teams,
systems, and third parties handling data do so strictly within the boundaries of the
original intent.
3. Data Minimization
Only data that is directly relevant and absolutely necessary for the specified purposes
should be collected and processed. This principle discourages excessive data collection
and reduces the risks associated with data breaches and misuse. For example, when
collecting customer data for service delivery, it may not be necessary to ask for sensitive
personal information like religion or health details unless mandated by law or directly
related to the service being offered. Implementing role-based access controls and
periodic audits can help enforce this principle.
4. Accuracy
It is essential that personal data remains accurate, complete, and up-to-date. Inaccurate
data can lead to negative consequences such as wrongful decisions or breaches of
contractual or legal obligations. The Company must implement mechanisms to regularly
review and update data, and must also provide data principals with the means to correct
inaccuracies. This includes easy access to update forms, automated reminders for
verification, and a clear correction request process.
5. Storage Limitation
Data should only be retained for as long as it is necessary to fulfill its intended purpose or
to meet legal, regulatory, or contractual obligations. Once the retention period expires,
the data must be securely deleted, anonymized, or archived. Unnecessary data
accumulation increases storage costs and cybersecurity risks. Implementing a data
retention schedule, combined with automated deletion or archival systems, helps ensure
compliance with this principle.
6. Integrity and Confidentiality
The Company is obligated to protect personal data against unauthorized access,
accidental loss, destruction, or damage. This involves implementing both technical
measures—such as encryption, firewalls, secure authentication—and organizational
safeguards—such as employee training, strict access controls, and incident response
protocols. Ensuring confidentiality is critical not just for compliance, but also for
maintaining trust and business continuity. All employees and third-party processors must
be regularly trained and monitored to uphold these security standards.
7. Accountability
The Company must not only comply with all data protection principles but also be able to
demonstrate such compliance. This involves maintaining thorough records of data
processing activities, conducting Data Protection Impact Assessments (DPIAs) where
necessary, appointing a Data Protection Officer (DPO), and embedding privacy by design
into all systems and processes. Accountability ensures that data protection is not an
afterthought, but a foundational element of corporate governance and risk management.

Let me know if you'd like this structured as a training guide or included with real-world
examples.

Sure! Here’s a detailed and well-structured clause for Section 6: Roles and Responsibilities
you can include in your policy:

6. Roles and Responsibilities

To ensure effective implementation and enforcement of this Data Privacy and Protection
Policy, clear roles and responsibilities have been assigned across the organization:
6.1 Data Protection Officer (DPO)
 The DPO is responsible for overseeing the Company’s data protection strategy and
ensuring compliance with applicable data protection laws and this Policy.
 Act as the primary point of contact for data principals, regulatory authorities, and internal
teams on data privacy matters.
 Manage and respond to data subject access requests, consent withdrawals, and other
privacy-related inquiries or grievances.
 Conduct and supervise Data Protection Impact Assessments (DPIAs) to evaluate and
mitigate risks related to personal data processing.
 Regularly review the Policy and recommend updates in response to changes in laws,
business operations, or technology.
6.2 Information Technology (IT) Team
 Implement, maintain, and monitor technical security controls to safeguard personal data,
including encryption, firewalls, access controls, and intrusion detection systems.
 Conduct regular vulnerability assessments and audits to identify and address potential
security risks.
 Ensure secure data storage, transfer, and disposal methods are followed in alignment
with this Policy.
 Collaborate with the DPO and other departments to enforce data privacy requirements in
system design and business processes.
6.3 All Employees, Contractors, and Third Parties
 Comply with the provisions of this Policy and all related data protection laws when
handling personal and sensitive data.
 Complete mandatory data privacy training and participate in awareness programs
organized by the Company.
 Immediately report any suspected data breaches, privacy violations, or security incidents
to the DPO or designated authority.
 Exercise caution and confidentiality in accessing, processing, or sharing data, ensuring it is
only used for authorized business purposes.
6.4 Management and Department Heads
 Promote a culture of data privacy within their teams and ensure compliance with this
Policy in all departmental activities.
 Support the DPO and IT team by facilitating necessary resources, cooperation, and
communication related to data protection initiatives.
 Review and approve data processing activities under their control, ensuring that such
activities comply with lawful purposes and data minimization principles.

If you want, I can help customize this further for specific roles in your organization or
simplify it for easy internal communication!

Certainly! Here's a comprehensive and precise clause for Section 6: Data Collection and
Use of your Data Privacy and Protection Policy:

6. Data Collection and Use

The Company is committed to collecting and using data in a lawful, transparent, and
purpose-driven manner. All data collection and processing activities are carried out in
accordance with applicable laws, including the Digital Personal Data Protection Act, 2023,
and are guided by the core principles of necessity, fairness, and accountability.
6.1 Lawful and Fair Collection
 Data shall be collected only for legitimate business, legal, or contractual purposes, and
with the explicit or implied consent of the data principal where required by law.
 Data collection will be preceded by clear communication to the data principal regarding
the purpose, legal basis, type of data collected, and rights available under this policy.
6.2 Types of Data Collected
Depending on the nature of the relationship, the Company may collect the following
categories of data:
 Personal Data: Including name, contact details, date of birth, identification documents,
address, and employment information.
 Sensitive Personal Data: Including financial information, health details, biometric data,
caste, religion, or other data classified as sensitive under applicable law.
 Non-Personal/Operational Data: Including system logs, device identifiers, and
anonymized analytics used to improve service performance and security.
6.3 Data Collection Methods
 Data may be collected directly from the data principal through forms, applications,
interviews, email communications, and digital platforms.
 In certain cases, data may also be collected indirectly through third-party service
providers, government databases, or public sources, provided lawful grounds and due
diligence are established.
6.4 Purpose of Use
The Company will use collected data strictly for the purposes for which it was obtained,
which may include but are not limited to:
 Human resource and payroll administration
 Service delivery and client engagement
 Legal and contractual compliance
 Regulatory reporting and audits
 IT system management and security
 Marketing and communication (only with proper consent)
6.5 Limitation on Use
 The Company shall not use personal data for profiling, automated decision-making, or
any secondary purpose without proper justification and, where required, fresh consent.
 Any new or extended use of data must be reviewed and approved by the Data Protection
Officer.
6.6 Consent Management
 Where consent is required, it shall be obtained in a clear, informed, and specific manner.
 Data principals have the right to withdraw consent at any time, and the Company will
cease processing such data unless an alternative lawful basis applies.
 Let me know if you’d like to include industry-specific use cases or build a visual flowchart
for internal training.

Here is a finalized and comprehensive version of Section 7: RIGHTS OF DATA PRINCIPALS,

tailored for inclusion in your Data Privacy and Data Protection Policy, in alignment with
Indian legal frameworks (IT Act, 2000; SPDI Rules, 2011; DPDP Act, 2023) and global best
practices:

7. RIGHTS OF DATA PRINCIPALS

CEG acknowledges and upholds the rights of all individuals whose personal data is
collected, processed, or stored in any capacity. These individuals, referred to as Data
Principals, are entitled to exercise the following rights under applicable Indian law,
including the Information Technology Act, 2000, the SPDI Rules, 2011, and the Digital
Personal Data Protection Act, 2023:
7.1 Right to Access
Data Principals have the right to obtain confirmation as to whether their personal data is
being processed and, if so, to access such data along with the purpose of processing,
categories of data held, recipients of such data, and duration of data retention.
7.2 Right to Correction and Erasure
Data Principals may request:
 Rectification of inaccurate or incomplete personal data.
 Erasure of data that is no longer necessary for the purpose it was collected or when
consent is withdrawn, subject to legal or contractual obligations.
7.3 Right to Data Portability
Where technically feasible, Data Principals shall have the right to receive their personal
data in a structured, commonly used, and machine-readable format and to transfer that
data to another data fiduciary.
7.4 Right to Restrict or Object to Processing
Data Principals may restrict or object to the processing of their data:
 When data is processed for direct marketing.
 When processing is based on legitimate interests and such interests are overridden by the
interests or rights of the individual.
7.5 Right to Withdraw Consent
 Where processing is based on consent, the Data Principal has the right to withdraw that
consent at any time. Upon withdrawal, the processing shall cease unless required by law or
for compliance with contractual obligations.
7.6 Right to be Informed
CEG shall ensure transparent processing by providing clear and accessible notices detailing
what personal data is being collected, why it is being collected, how it will be used, and the
rights of the individual.
7.7 Right to Grievance Redressal
Data Principals have the right to raise grievances with CEG’s Data Protection Officer (DPO)
regarding any aspect of data handling. All grievances shall be acknowledged within 3
working days and resolved within 30 working days.
7.8 Right to Nominate
In accordance with the DPDP Act, 2023, Data Principals shall have the right to nominate
another person to exercise their rights under this policy in the event of death or incapacity.

Would you like me to insert this section into your existing Word document and provide a
fresh download link?

Here's a comprehensive and legally-aligned version of the section titled:

8. Data Sharing and Third-Party Processing

CEG recognizes the necessity to share personal data with third-party service providers for
legitimate business purposes including HR operations, IT services, audits, legal advice,
payroll processing, cloud storage, and regulatory reporting. To ensure compliance with
Indian legal standards and safeguard data principals’ rights, CEG follows these principles
and procedures:
8.1 Due Diligence and Vendor Assessment
Before engaging any third-party data processor or service provider, CEG conducts a
thorough assessment to evaluate:
 The nature and sensitivity of data to be shared.
 The third party’s data protection policies and practices.
 Information security certifications (e.g., ISO 27001).
 History of regulatory compliance and incident reporting.
8.2 Legal Safeguards and Agreements
 CEG shall enter into a Data Processing Agreement (DPA) or appropriate contractual
arrangement with all third parties. These agreements include:
 Purpose and scope of processing.
 Obligations regarding confidentiality and data security.
 Restrictions on sub-processing.
 Breach notification and cooperation obligations.
 Return or deletion of data after contract termination.
8.3 Permitted Purposes
Third parties may only use the data shared by CEG for the specific, authorized purposes
defined in the contract. Unauthorized use, access, modification, or resale of data is strictly
prohibited.
8.4 Cross-Border Data Transfers
Data may only be transferred outside India when:
 The recipient jurisdiction offers an adequate level of data protection (as assessed by
Indian law).
 Data subject consent is obtained where applicable.
 Transfer is in accordance with applicable Indian regulations such as the IT Rules, 2011 and
DPDP Act, 2023.
8.5 Monitoring and Audits
CEG reserves the right to audit third-party service providers to verify compliance with
contractual obligations. This may include on-site inspections, penetration testing reports,
and review of data access logs.
8.6 Sub-Processors
Any engagement of sub-processors by third-party vendors must be pre-approved in writing
by CEG. Sub-processors must be bound by equivalent contractual and technical safeguards.
8.7 Accountability
Third-party processors are jointly accountable for any data breach or misuse. Liability
clauses are included in contracts to ensure enforceability of obligations and redress in case
of non-compliance.

Would you like this clause inserted into your Word document and updated version
generated for download?