As a global IT and business consulting services organization, Techvedic is committed to maintaining levels of protection of Personal Data aligned to best practices in the industry which, as a minimum, comply with the requirements of the Applicable Data Protection Legislation and Techvedic’s contractual obligations.
As part of this commitment, Techvedic requires its Members and any third party engaged by Techvedic or providing goods and/or services to Techvedic (including third party suppliers, subcontractors and freelancers) to take appropriate measures to safeguard Personal Data in the execution of their functions.
Being transparent about the data we use, Techvedic has issued this Data Privacy Policy (“Policy”) to inform you about how and why we collect and Process your Personal Data, Techvedic privacy practices and your rights as Data Subjects with respect to the Processing of your Personal Data.
This Policy sets out the general standard that Techvedic has implemented when Processing Personal Data. This Policy applies when Techvedic acts as a Data Controller or as a Data Processor. It applies to the Processing of all Personal Data, irrespective of the nature or category of the Personal Data, regardless of the media on which that data is stored.
Further details for specific Processing activities are made available in the relevant privacy information notices.
Techvedic is committed to Process Personal Data to the same level of protection regardless of whether it Processes Personal Data for its own needs or for the needs of its clients or any third party. The implementation of this Data Privacy Policy requires that all Members of the Techvedic Legal Entities and any third party engaged by Techvedic fully participate in its application, without any exception.
For the purposes of this Policy, the following definitions apply:
“Applicable Data Protection Legislation” refers to (i) the European Data Protection Regulation 2016/679 relating to the Processing of Personal Data and (ii) any implementing laws of the EU Data Protection Regulation and (iii) any applicable local laws relating to the Processing of Personal Data.
“Techvedic Legal Entities” refers to all legal entities controlled directly or indirectly by Techvedic Inc. that handle Personal Data, excluding any legal entities that are within the operational scope of Techvedic Federal.
“Data Controller” refers to any entity (i.e. natural or legal person, public authority, agency or other body) that, alone or jointly with other Data Controllers, determines the purposes and means of the Processing of Personal Data.
“Data Processor” refers to any entity (i.e. natural or legal person, public authority, agency or other body) acting on behalf of and under instructions from a Data Controller or another Data Processor to Process Personal Data.
“Data Subject” refers to an identified or identifiable natural person whose Personal Data is Processed, which could include e.g. a Techvedic member or an external consultant in a Techvedic internal context, or the employees or end users of a client in a business context.
“EEA” refers to European Economic Area, which consists of the European Union (EU) member countries, as well as Iceland, Liechtenstein and Norway, hereinafter also referred to as “Member States”.
“Employee” - for the purpose of this Policy only, this means an employee, staff member, worker, individual consultant, agent, officer or director, and “employment” shall be construed accordingly. Techvedic employees are referred to as “Member” or “Members”.
“Local Legislation” means local regulations, statutes, court orders or mandatory standards.
“Personal Data” refers to any information relating to an identified or identifiable natural person, where an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to identifiers such as the natural person’s name, identification number, location data, online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Personal Data includes Sensitive Personal Data.
“Process”, “Processing” or “Processed” refers to any operation or set of operations performed on Personal Data, whether or not by automated means, such as collecting, recording, organizing, structuring, storing, adapting, altering, retrieving, consulting (including remote access), using, disclosing by transmitting, disseminating or otherwise making available, aligning or combining, restricting, erasing, or destroying.
“Sensitive Personal Data” refers to specific categories of Personal Data that reveal racial or ethnic origin, political opinion, religious or philosophical beliefs, or trade union membership, as well as the Processing of genetic or biometric data for the purpose of uniquely identifying a natural person, health data, and data concerning a natural person’s sex life or sexual orientation.
This Policy sets out the general standard that Techvedic has implemented when Processing Personal Data. This Policy applies when Techvedic acts as a Data Controller or as a Data Processor. It applies to the Processing of all Personal Data, irrespective of the nature or category of the Personal Data, regardless of the media on which that data is stored.
Further details for specific Processing activities are made available in the relevant privacy information notices.
Techvedic is committed to Process Personal Data to the same level of protection regardless of whether it Processes Personal Data for its own needs or for the needs of its clients or any third party. The implementation of this Data Privacy Policy requires that all Members of the Techvedic Legal Entities and any third party engaged by Techvedic fully participate in its application, without any exception.
As part of its operations, Techvedic shall collect and Process Personal Data relating to:
Subject to Applicable Data Protection Legislation, some or all of the following Personal Data categories may be Processed by Techvedic and any third party engaged by Techvedic or providing goods and/or services to Techvedic:
4.1 Personal Data of our Members or former employees
When Processing Personal Data relating to our Members or former employees, acting as Data Controller, we will comply with Applicable Data Protection Laws (including where necessary any requirement to obtain consent from a Data Subject or the competent employee representative body – e.g. Works Council). In addition to this Policy, Techvedic's standard employment contracts, applicable policies and Member communications may specify the precise and detailed purposes for which Techvedic may, from time to time, collect and Process Personal Data.
The main purposes for Processing Personal Data (including Sensitive Personal Data) relating to Members may include the following:
Payroll, Pension, Finance and Shares - Techvedic may share relevant Personal Data with pensions and share scheme administrators, scheme providers, insurance companies, tax authorities and other similar service providers in relation to employment obligations and Member benefits. Techvedic will also Process Personal Data for the purpose of identifying and paying Members.
Commercial Administration and Management - Techvedic may use Personal Data for managing its commercial activities such as paying invoices, communicating with its business partners and potential business partners, arranging meetings, business travel, visa applications, asset management, and complying with and managing business partner contractual obligations (including Member placement/assignment with clients).
Employee Administration and Management - Techvedic may process Personal Data (including where appropriate, and subject to this Policy and the Applicable Data Protection Legislation, Sensitive Personal Data) about Members and (where relevant) their dependents and next of kin, for purposes related to their employment with Techvedic. This may include recruitment, general management, performance management, career development, health and safety compliance, provision of health insurance, life insurance, sickness monitoring/compliance, diversity monitoring, disciplinary procedures, security checks (if and where required), visa applications and other immigration requirements, communications to and from Members, Member contact directories, sensitive/secure area access controls, IT system administration and management, payment of taxes, expense processing and Member benefits. From time to time, and subject to local requirements, Techvedic may offer its Members a range of benefits and discounts that it has negotiated with other companies and may supply relevant Personal Data to carefully screened third-party organizations to offer and provide such benefits.
Enterprise Security and Quality Control - Techvedic provides its Members computers, laptops and (mobile) phones enabling access to the Internet, e-mail and social media, Techvedic Intranet and various software applications and tools. Besides these digital equipment, Techvedic may also provide cars and physical workspaces (all being company property). Techvedic trusts that each Member acts responsibly and lawfully when using company property and strictly abides by all applicable codes of conduct that are issued in that respect like, but not limited to, the Code of Ethics and Business Conduct, Security and Acceptable Use Policy and the policy governing the use of thirdparty software. For security reasons only, Techvedic may monitor its premises with cameras. Techvedic may have good and legally justifiable reasons to monitor the use of digital equipment/devices and digital traffic through the equipment and devices used by Members taking into consideration the necessity for monitoring and the Member’s privacy. Incidental investigations will only be conducted for substantial reasons in targeted situations and Techvedic Global Security will always be involved in such investigations, taking into account the security incident investigation and reporting processes. Techvedic organization-wide monitoring and recording of Internet usage history and e-mail correspondence will only be implemented following a collective consultation process with the Works Council.
Corporate Finance, Mergers and Acquisitions – From time to time, Techvedic buys, sells and/or transfers group companies, business assets, financial instruments/arrangements, and contracts. In relation to such opportunities, operations and arrangements, Techvedic may share relevant Personal Data with potential buyers, sellers, professional advisors and regulatory authorities (incl. make regulatory filings with relevant governmental authorities), subject to obligations of confidentiality and local legal restrictions.
Regulatory, Professional and Membership Requirements – Techvedic may process Personal Data about Members, and transfer Personal Data to relevant regulatory bodies, governmental authorities and professional/trade/industry organizations in relation to membership applications and renewals, regulatory requirements (including security, regulatory/legal reporting requirements), professional standards, etc.
Health, Safety, Law and Insurance – Techvedic may Process and transfer Personal Data to appropriate third parties (including Techvedic facilities’ managers, event organizers, insurers, advisors and business partners) to comply with health, safety, legal, insurance, travel and emergency requirements.
Compliance with local legal requirements and agreed practices – Techvedic may process and transfer Personal Data to other entities within the Techvedic Group and/or appropriate third parties, as and when local laws require or permit it or where local practices have been agreed upon with Members, employee representatives, data protection officers, and/or data protection authorities/regulators.
4.2 Personal Data of our clients
When Processing Personal Data of our clients, we will act as a Data Processor, following duly documented instructions of the relevant clients for the following purposes:
Management of governance, delivery and closing for client projects and services including recruitment operations, training, suppliers and subcontractor management, billing, invoicing, reporting and audit activities;
Management of client projects and services cross-industries such as banking, utilities, manufacturing, insurance, government, retail, consumer and services, health and life sciences, transportation and logistics, oil and gas or communications and media, including Personal Data entry, correction and consolidation, storage, record-keeping and back-up, data management and analysis, individual enquiry management, application and infrastructure management, development and testing, correspondence, delegated/consolidated/outsourced IT system administration, hosting and management including access control and audit, asset management, expense Processing, marketing and research analysis.
4.3 Personal Data relating to other Data Subjects
Techvedic may also Process Personal Data relating to other Data Subjects (e.g. enquirers, website visitors, marketing/business contacts, prospective candidates, Techvedic offices’ visitors, etc.) for the purposes described below:
Techvedic will usually act as a Data Controller in relation to such Processing operations and any third party engaged by Techvedic or providing goods and/or services to Techvedic will act as Processor.
Techvedic will Process Personal Data only when strictly necessary and apply further principles on the basis of whether Techvedic acts as a Data Controller or as a Data Processor.
5.1 Principles when Techvedic acts as a Data Controller
Transparency, fairness and lawfulness: Techvedic will Process Personal Data lawfully, fairly and in a transparent manner in relation to the Data Subject, in accordance with the requirements of this Policy through the use of data privacy notices clearly setting out information necessary for compliance with the Applicable Data Protection Legislation.
Defining a purpose: any Processing of Personal Data by Techvedic, particularly the collection thereof, will be preceded by the identification of the specific purpose for such Processing. Such purpose must be explicit and legitimate. Personal Data cannot be further Processed in a manner that is incompatible with such purpose.
Data minimization: once the purpose for Processing Personal Data has been established, Techvedic will only collect Personal Data to the extent required for accomplishing such purpose. Each instance of Data Processing detail is to be reviewed as part of the early solution design phases and included in the Data Privacy and Security review and approval process or otherwise in order to ensure that the Personal Data is adequate, relevant and limited to what is necessary in relation to the purpose for which it is Processed.
Quality of Personal Data: throughout the life cycle of any Personal Data Processing, Techvedic will ensure that the collected Personal Data remains accurate and up to date. Every reasonable step will be taken to ensure that Personal Data that is inaccurate is erased or rectified without delay including but not limited to self-service options for Data Subjects. In particular, Techvedic will provide adequate means for Data Subjects to inform Techvedic in case of any change in their Personal Data.
Data retention limitation: Techvedic will ensure that it does not keep your Personal Data for a longer period than strictly necessary to achieve the purpose for which your Personal Data is collected. Consequently, Techvedic will determine before the performance of the Processing an appropriate retention period. In doing so, Techvedic will consider the time during which the Personal Data is necessary to achieve the purpose of the Processing while taking into account the following factors:
Defining a legal basis: in addition to the above principles, any Processing may be performed only where it falls under one of the circumstances identified below:
If none of the above legal basis apply, Techvedic will seek and retain the Data Subjects’ prior consent before Processing its Personal Data, being understood that Data Subject’s consent is valid when (i) it is freely given by a clear affirmative act; and (ii) it represents a specific, informed and unambiguous indication of the Data Subject's agreement to the Processing of his/her Personal Data.
Technical and Organizational Measures: Techvedic will implement appropriate technical and organizational measures, at least equivalent to those prescribed in Techvedic’s Enterprise Security Management Framework (ESMF), to guard against unlawful access and/or Processing of Personal Data. In particular, Techvedic will grant access to Personal Data only when it is necessary to accomplish assigned tasks consistent with the purpose for which the Personal Data is Processed. Where Techvedic uses a third party to undertake Processing on its behalf it will ensure that equivalent measures are put in place by that third party through contractual agreements. In the event of unlawful access and/or Processing, Techvedic will comply with its Information Security Policy and related procedures.
Data Protection Impact Assessment (DPIA): Techvedic shall be responsible for monitoring Data Processing compliance with Applicable Data Protection Legislation. Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purpose of the processing, is likely to result in a high risk to the protection of your data, Techvedic shall implement a data protection impact assessment procedure that shall enable Techvedic to:
Data Privacy Impact assessment document will be retained for the duration of Data Processing to which they apply.
5.2 Principles when Techvedic acts as a Data Processor
Techvedic will ensure that it Processes Personal Data solely in accordance with the documented instructions of the Data Controller.
In particular, such Processing shall be:
The Data Controller remains solely responsible for ensuring a valid legal basis for the Processing performed by Techvedic and that the required Processing complies with Applicable Data Protection Legislation including the retention period to be applied. Nonetheless, Techvedic will promptly inform the Data Controller if, in its opinion, an instruction of the latter infringes the Applicable Data Protection Legislation.
Unless otherwise instructed by the Data Controller, Techvedic will apply (as a minimum) the same security baseline as it applies when it is acting as a Data Controller. Security measures which do not comply with the security baseline (as a minimum) will require the approval of Techvedic Privacy and Security representatives.
Techvedic will provide reasonable assistance to the Data Controller to support it in undertaking its obligations under Applicable Data Protection Legislation. The assistance to be provided by Techvedic to Data Controller for compliance purposes in accordance with this section will be subject to the financial, technical and organizational conditions agreed between Techvedic and Data Controller in the relevant agreement. Upon termination of the relevant Data Processing agreement, Techvedic and any third party engaged by Techvedic will either destroy or return all Personal Data to the client according to its instructions and Applicable Data Protection Legislation. In case of destruction, Techvedic will certify to the Data Controller that such deletion took place. In case of a return, Techvedic will ensure the confidentiality of the Personal Data transferred to the Data Controller by adhering to client’s instructions.
For the avoidance of doubt, nothing in this Policy limits Techvedic’s right to keep Personal Data for the purpose of existing litigation or to bring or defend future claims, in accordance with applicable legal statutes of limitation applicable to Techvedic.
5.3 Principles when Techvedic Processes Sensitive Personal Data
Techvedic, when acting as a Data Controller, will Process Sensitive Personal Data if and only if it is strictly required.
In such case, Techvedic shall ensure that at least one of the following conditions is met:
Where Techvedic, as a Data Processor, is required to Process Sensitive Personal Data, Techvedic will follow the Data Controller’s written instructions and apply the measures agreed to between parties, which shall be at least equivalent to the Techvedic Security Baseline.
The Data Controller shall ensure a valid legal basis for the Processing performed by Techvedic.
In any case Techvedic will Process Sensitive Personal Data in accordance with Applicable Data Protection Legislation and comply with any mandatory specific hosting and Processing conditions.
5.4 Privacy by design/Privacy by default
As demonstrated by the commitments made under this Policy, Techvedic is committed to providing the appropriate level of protection for the Personal Data it processes. To ensure that the principles defined in this Policy are effectively considered when Techvedic processes Personal Data, Techvedic will identify and address any data protection constraints at the beginning of a new project so that the principles contained herein are reflected in the design of the project and appropriately implemented.
Where Techvedic acts as Data Processor, the Data Privacy organization, shall review and approve the Privacy aspects of the proposal and / or services developed for a client. Where Techvedic acts as Data Controller, the Data Privacy organization will have to provide approval of any new Techvedic internal project prior to the commencement of its development and subsequently implemented.
Where a solution is developed to become a Techvedic Intellectual Property to be proposed to clients as part of Techvedic’s services, the Data Privacy organization shall provide its approval.
6.1 Incident Management
Techvedic has a mature, standards-based security incident response and management process designed to handle all phases of a security incident. Members’ responsibilities are clearly defined at all levels. Incident assessment and prioritization standards are followed to ensure appropriate engagement levels and timely resolution. Incident records are maintained and reported to senior management as required. High-priority incidents are managed through Techvedic’s 24x7 Global Security Operations Centre (SOC), where highly trained, full-time incident response professionals coordinate response efforts. Techvedic’s Data Privacy team is immediately engaged in the incident management process whenever Personal Data is suspected to be involved.
6.2 Notification of Personal Data Breach
Whether acting as a Data Controller or as a Data Processor, if Techvedic reasonably believes that a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted, stored or otherwise Processed has occurred, Techvedic will provide security incident notification and status updates to the relevant Data Protection Authority, to Data Subjects and/or to the Data Controller, in accordance with Applicable Data Protection Legislation or any other local applicable laws.
Similarly, and for the sake of clarity, in the event a Personal Data breach is identified by a third party engaged by Techvedic, the third party will have to inform Techvedic as agreed upon in the relevant agreement.
As part of Techvedic operations, we may collect your Personal Data and disclose them to:
Techvedic will disclose your Personal Data if the disclosure is reasonably necessary to protect Techvedic’s rights and pursue available remedies, enforce Techvedic’s terms and conditions, investigate fraud, or protect Techvedic’s operations or users.
Techvedic may also disclose your Personal Data to administrative, judicial or governmental authorities, state agencies or public bodies, strictly in accordance with Applicable Data Protection Legislation and Local Legislation, and after careful review, the legality of any order to disclose data. Techvedic will challenge the order if there are grounds under the law of the country of destination to do so.
Transfer of EU Personal Data shall refer to Personal Data of EU residents or Data Subjects located within the EU being Processed (e.g. accessed, sent, used, viewed, copied, deleted) in a third country outside the EEA.
8.1 Within Techvedic
Techvedic acting as a Data Controller or Data Processor will Transfer EU Personal Data in accordance with the Applicable Data Protection Legislation and in accordance with Techvedics’ Binding Corporate Rules (“BCR”), approved under GDPR by the French Supervisory Authority on July 22nd, 2021. This means that your rights as Data Subject remain the same no matter where your Personal Data is Processed.
Should you require any information on Techvedic’s BCRs, please consult the Register of the European Data Protection Board or Techvedic - Privacy policy | Techvedic.com.
When Techvedic acts as Data Processor, prior specific or general consent is required in writing from the Data Controller before such transfer may be initiated.
Transfers of non-EU Personal Data shall take place in accordance with the Applicable Data Protection Legislation.
8.2 To third parties
Transfers of Personal Data to third parties shall take place in accordance with the Applicable Data Protection Legislation.
On a regular basis, Techvedic conducts due diligence and third party privacy and security risks assessments with all third parties engaged by Techvedic, to establish their corporate capabilities and maturity with respect to security and data protection.
Whenever Techvedic relies on such third parties to process Personal Data, Techvedic ensures that such third parties provide an adequate level of protection to the Personal Data they process as per Applicable Data Protection Legislation.
Data subjects have several rights under the Applicable Data Protection Legislation to request access to their Personal Data held by Techvedic and/or information about how Techvedic Processes their Personal Data. If you have any questions regarding the Processing of your Personal Data, please send your formal request to [email protected].
When acting as a Data Processor, upon request, Techvedic will provide its clients with relevant information enabling such clients to comply with their own obligations toward Data Subjects. Unless otherwise indicated in any contractual agreement, Techvedic shall not be required to inform Data Subjects directly thereof, as this remains the responsibility of the Data Controller.
As per Applicable Data Protection Legislation, where Techvedic acts as the Data Controller, you have the following rights:
Techvedic will act in accordance with the Applicable Data Protection Legislation and other relevant legal and contractual obligations in the search for and provision of relevant Personal Data. Techvedic will require Data Processors that Process Personal Data to do the same. Techvedic may need to ask you further questions in relation to your Personal Data or to verify your identity.
Upon termination of employment contracts for whatever reason, Techvedic shall maintain the Personal Data of former employees for such time as shall be permissible in accordance with applicable laws and regulations and necessary for the provision of appropriate ongoing benefits and services (for example, Member share schemes and pension administration).
10.1 Compliance by Members
Members acknowledge the requirements and annually confirm acceptance of this Policy. In addition to this Policy, Members must also comply with other applicable confidentiality and privacy obligations, including those set out in any Applicable Data Protection Legislation, their employment agreements and Techvedic policies, processes and standards or client’s instructions.
Members must follow any mandatory Techvedic’s privacy training and awareness programs. These include, among other topics, mandatory web-based data privacy, information security, anti-corruption, and records management training, communication campaigns and specific trainings adapted to the different functions within the organization.
These trainings and awareness programs are regularly updated to reflect changes to the Applicable Data Protection Legislation.
Techvedic maintains a dedicated privacy page on Techvedic Intranet where policies, standards, guidance, information and other materials related to the global privacy program are made available to all Members.
10.2 Compliance by any third party engaged by Techvedic
In the event that any third party Processes Personal Data on behalf of Techvedic, such third party shall:
Techvedic maintains records of Processing activities carried out as a Data Controller or as Data Processor. Techvedic will make sure that any new Processing of Personal Data is recorded in the Data Processing Inventory with relevant information regarding the context of each Processing of Personal Data. Techvedic shall make a record(s) of Processing available to the supervisory authority on request.
This Policy may be amended from time to time to comply with Applicable Data Protection Legislation. Techvedic will ensure that Data Subjects are notified of any material changes to the Policy promptly, through an “update” on Techvedic.com, by email or other appropriate method of communication. Should you require a status update, you may raise a request by sending an email to [email protected].
Techvedic has designated a Chief Privacy Officer (CPO) overseeing Techvedic’s global data protection strategy, enterprisewide data protection policies and procedures, and data protection regulatory compliance, and a network of Privacy Business Partners who may also be appointed as Data Protection Officers in accordance with Applicable Data Protection Legislation.
In case of questions or concerns related to the interpretation or operation of this Policy, please send an email to [email protected] or contact Techvedic's Chief Privacy Officer at Paris - Carré Michelet, 10-12 Cours Michelet, 92800 Puteaux, France.
Privacy and data protection is high on our agenda. Our expertise in the management of complex projects and technologies contributes to the data privacy compliance priorities of our clients, and enables us to provide innovative services to support clients' compliance priorities.