1. Context

The General Data Protection Regulation (GDPR), which came into existence in 2018, calls for a better focus on the data regulatory framework in Europe and for specific protocols to which all Convergent staff must adhere. As part of the work we are executing, Convergent collects and holds Identification and Personal Data about respondents, panellists, staff, clients, and suppliers to conduct business. The protocol mandates adherence to procedures and systems that all Convergent staff, consultants, and concerned people must seek to follow. This policy details how we intend to protect Personal Data and ensure that all Convergent staff are familiarized with the rules governing their use of Personal Data to which they have access during their work. All staff must know their local Admin Officer who handles the data and whom they can contact when needed.

If you have any questions, please get in touch with Surya AV, CEO, at surya.av@convergentview.com

2. Definitions
Personal Data

Personal data is any information that belongs to an identified or identifiable living individual. Please note that information can be called Personal Data even if you are not aware of the individual's name, email address, mobile or other phone numbers, or other identifiers. Such personal data includes online identifiers such as cookies, HTML, etc. Sensitive Personal Data is information about the subject's racial or ethnic origin, political opinions, religious or similar beliefs, memberships (or non-membership), health condition (including physical and mental), criminal offenses, or related proceedings.

Purposes of the Business

The purposes for which Convergent may use such data include, but are not restricted to:

  • Conducting research and surveys of various nature
  • Gathering statistical evidence to input into the market research data
  • Compliance with the legal, regulatory and corporate governance obligations and good practice
  • Ensuring business policies are adhered to (such as policies covering email and internet use)
  • Operational reasons, such as recording transactions, training & quality control, ensuring the confidentiality of commercially sensitive information, security vetting, credit scoring, and checking
  • Checking references, ensuring safe working practices, monitoring and managing staff access to systems and facilities and staff absences, administration, and assessments
  • Monitoring staff conduct, disciplinary matters
  • Marketing the business of Convergent

Research Methodologies

As per the industry norms prevailing from time to time, which are adopted and innovated upon by Convergent regularly.

Applicability

This policy applies to everyone working with the organization for business purposes. All such stakeholders must be familiar with these policies and comply with their terms at all times. Failure to do so can be treated as a disciplinary offense.

This policy supplements our other policies relating to internet and email use. The policy is subject to modifications through addition or deletion from time to time as deemed necessary by the organization. You will be apprised of the changes from time to time through appropriate training or any other method deemed appropriate by the organization.

Responsibilities

The Project Managers & Administration are responsible for:

  • Updating the Convergent management about data protection responsibilities, risks, and issues.

  • Reviewing and revising all data protection procedures and policies regularly.

  • Organizing and conducting data protection training for all staff members.

  • Being available to answer questions on data protection that may come from the staff, board members, and other stakeholders.

  • Being available to individuals, clients, and employees who wish to know which of their data is being held by Convergent.

  • Conducting due diligence on and approving third parties who handle the company's data, and any contracts or agreements regarding data processing.

  • Ensuring all computers, systems, services, software, and equipment meet acceptable security standards.

  • Identifying and researching third-party services Convergent is considering using to store or process data.

3. Data Processing Activities

Convergent shall attempt to record data processing activities in a data inventory. We must hold a record of each processor of Personal Data and a list of where this data is stored. Such a record shall include all suppliers, sub-processors, and third parties.

Convergent shall assess the risks of data collection and processing activities. Such risk assessment may be done on Convergent's various research methodologies, data collection methods, and data processing activities to flag data protection risks and areas that need to be amended or escalated for advice. These assessments of data protection risks should be undertaken and reviewed periodically.

Rights that can be exercised

Convergent observes that individuals have the following rights:

  1. The right to access

  2. The right to rectification

  3. The right to erasure

  4. The right to be informed

  5. The right to restrict processing

  6. The right to data portability

  7. The right to object

  8. The right to withdraw Consent; and

  9. Rights concerning automated decision making and profiling

If anyone requests that one or more of these rights be exercised, and the relevant conditions are met, Convergent shall review and respond with assistance within 60 days.

Confidentiality Notices

Convergent considers it essential to maintain transparency and provide accessible information to individuals about the use of personal data. Such transparency means including the following details in all confidentiality notices on how we collect data and what we will do with it:

  • Nature of the information that is being collected.

  • The individuals who are collecting it.

  • The method in which it is collected.

  • The purpose for which it is collected.

  • How it is intended to be used.

  • The recipients of the information, either in whole or in part.

  • Identity and contact details of data controllers.

  • Any transfer planned to a third country and the related safeguards.

  • The period for which the data is planned to be stored.

4. Lawful Collection and Use of Personal Data

We have an obligation to the Government, the legal system, and the clients to explain the legal basis for procuring and processing Personal Data. These legal bases are listed below and could be different for each use case:

  • We have the required Consent for the use of Personal Data;

  • It is necessary for us to use the Personal Data to perform a contract;

  • It is necessary for us to process Personal Data to comply with a legal obligation;

  • It is necessary for us to process Personal Data to protect interests;

  • The processing is necessary to perform a task in the public interest; or

  • The use of Personal Data is necessary for our (or our clients') legitimate interests (in which case we will explain what those interests are).

5. Research on Special groups & Consent

As per the Data Protection norms, children, mentally challenged, hospitalized individuals, and people undergoing severe treatments might not be in a condition to provide Consent to allow their data to be processed, and any such Consent obtained is not valid. Consent on behalf of children must be given by parents or legally authorized guardians (the legal definition will depend on each jurisdiction). The default age of a child under data protection norms differs as per the country's norms unless specific legislation in a jurisdiction permits it to be lower. Any collection of children's data must follow the country's norms and should have the approval of the requisite authority if necessary.

6. Institutional Review Board

Researchers are advised to apply for and seek a review of their research approach, research tools, and the ethical protocols proposed for the study through an Institutional Review Board or Independent Ethics Committee. This decision can be taken on a case-by-case basis in consultation with the client organization and the stakeholders involved.

7. IT Policies

All Convergent staff should comply with the organization's IT policies, which are detailed and updated from time to time. The IT policies are directly linked to protecting data and have a necessary impact on the data protection norms the organization intends to follow.

8. Data and Duration Minimisation

Convergent has a policy not to hold data longer than necessary for legitimate business interests. It shall minimize the amount of data collected regarding data subjects, and the duration for which it is held, wherever necessary.

9. International Data Transfers

If Personal Data is to be transferred outside the area from which it is gathered, all Convergent staff must ensure that adequate protections and safeguards are in place.

10. Capacity Building

All Convergent staff must complete data protection training each year, which will be provided either online or face to face. It is the responsibility of all line managers to ensure that all relevant staff attend such training, and the same must be confirmed to the human resources managers. Failure to deliver on this may be considered a disciplinary offense.

11. Data Handling

All data processing shall be undertaken following Convergent's data handling protocol. Risk assessments should be conducted regularly to assess compliance.

12. Data Incidents

In the event of a data incident or if you have any concerns, you must carry out the data incident notification procedure immediately.

13. Audits to ensure compliance

Regular internal audits may be carried out to ensure that Convergent complies with this policy. All staff, partners, stakeholders, and suppliers are obliged to assist with such audits. We may also have audits from clients from time to time, and we shall endeavor to comply with such exercises when necessary to meet our contractual obligations.

If you have any questions about this policy or any of the Convergent GDPR Guidance, please get in touch with Surya AV, CEO, at surya.av@convergentview.com