This privacy policy (“Privacy Policy”) provides the practices and policies applicable to RBI for handling of or dealing in Personal Information, including Sensitive Personal Data or Information (as defined below) that is lawfully collected by RBI.
Reference to “you” or “your” in this Privacy Policy refers to any natural person who provides to RBI any information referred in Schedule 1 of this document or any user(s) of RBI’s website or business applications whether or not, you avail the Services offered by RBI.
“Act” shall mean the Information Technology Act, 2000 and Rules thereunder as amended from time to time.
“Information” shall mean and include Personal Information and Sensitive Personal Data and Information as may be collected by RBI.
“Personal Information (PI)” shall have the same meaning as under Rule 2 (i) of the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 as amended from time to time. For ease of reference Rule 2 (i) of the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 is re-produced under Schedule 1.
“Rules” shall mean the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 as amended from time to time.
“Registered User” shall mean such user whose registration is accepted by RBI.
“Sensitive Personal Data and Information (SPDI)” shall mean and include information under Rule 3 of the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 as amended from time to time. For ease of reference Rule 3 of the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 is re-produced under Schedule 1.
“Services” for the purpose of this Privacy Policy shall mean any person who by way of registration has sought or in any manner has requested the services of RBI
All words and expressions used and not defined in this document but defined in the Act or the Rules shall have the meanings respectively assigned to them in the Act or the Rules.
RBI is fully committed to respecting your privacy and shall ensure that your Information is safe. This privacy policy sets out the practices adopted in respect of Information, including the types of Information that is collected, how the Information is collected, how the Information is used, how long the Information is retained and with whom it is shared (“Privacy Policy”). This Privacy Policy is published in compliance with the provisions of the Act and the Rules made thereunder that require publishing the privacy policy on RBI’s website. RBI urges you to read this Privacy Policy carefully before you use or opt to access any services of RBI or decide to part with any Personal Information including the information listed under Schedule 1.
1. Collection of Information
1.1 You may use RBI’s website to access Information, learn about its products and services, read publications and check career opportunities etc. without providing any PI/SPDI.
1.2 RBI may collect and process PI/ SPDI provided by you in the following forms:
Information that you provide to RBI in physical form whether sent through post or courier or handed over to a RBI representative in person; and
You will at all times have the option of not providing RBI with PI/SPDI that RBI seeks to collect. Even after you have provided RBI with any PI/SPDI, you will have the option to withdraw the consent given earlier. In such cases, RBI will have the right to not provide or discontinue the provision of any service that is linked with such PI/SPDI.
2. USE OF INFORMATION COLLECTED
2.1 Any information, if collected will be used in connection with the relevant purpose as per the contract and as under Section 1.2. The provider of information availing any Services from RBI shall be deemed to have consented to RBI for the use of such information as under this policy.
2.2 Employees, suppliers or consultants of RBI shall be duly advised about the purpose for which any Information is being collected at the time of such collection.
3. SHARING OF INFORMATION
3.1 Where PI/SPDI is required to be shared, arising out of any contractual obligation, RBI shall part with such PI/SPDI only in accordance with your consent for the same.
3.2 To the extent necessary to provide you the requested Services or to the extent required under applicable law, we may provide your PI/SPDI to the following Third Parties without notice to you:
3.3 proceedings: In the event, RBI is required to respond to subpoenas, court orders or other legal process, your PI/SPDI may be disclosed pursuant to such subpoena, court order or legal process, which may be without notice to you.
4. SECURITY OF INFORMATION
4.1 RBI strives to ensure the security, integrity and privacy of your PI/SPDI and to protect your Information against unauthorized access, alteration, disclosure or destruction. Stringent security measures (physical, electronic and managerial) are in place to protect against the loss, misuse, and alteration of the PI/SPDI under our control. RBI’s servers Page 4 of 6 are accessible only to authorized personnel and your Information is shared with employees and authorized personnel strictly on a ‘need to know’ basis.
4.2 As a technology driven financial market infrastructure RBI uses and has a comprehensive documented information security program and information security policies that contain managerial, technical, operational and physical security control measures that are commensurate with the Information being protected. RBI periodically assesses, audits and updates its information security protocols and policies to achieve the highest standards on a continuous and ongoing basis.
4.3 You may review the Information you have provided to RBI at any time. On your request, RBI will ensure that any PI/SPDI notified to be inaccurate or deficient, shall be corrected or amended. However, RBI shall not be responsible for the authenticity of the PI/ SPDI.
4.4 Notwithstanding anything contained in this Privacy Policy or elsewhere, RBI shall not be held responsible for any loss, damage or misuse of your PI/SPDI, if such loss, damage or misuse is attributable to a Force Majeure Event.
5. RETENTION AND REVOCATION OF INFORMATION
5.1 Your PI/SPDI will be retained with RBI as long as you avail the Services of RBI or for such period as may be necessary under applicable law.
5.2 In the event, you wish to no longer avail the Services of RBI or intend to request that RBI no longer retain your PI/SPDI or where you intend to modify the current PI/ SPDI, you may contact RBI as provided hereinbelow.
6. NOTIFICATION OF CHANGES
6.1 From time to time, RBI may update this Privacy Policy. The Last Updated Date of this policy, stated below (6.3), indicates the last time this policy was revised or materially changed. Checking the effective date below allows you to determine whether there have been changes since the last time you reviewed the policy.
6.2 In the event, if you object to any of the changes, and you no longer wish to use the Services or intend to revoke your consent to retain your PI/SPDI with RBI, you may contact RBI as provided hereunder.
7. INQUIRIES
RBI respects and is sensitive to the rights as granted in the data protection laws. Should you have questions about the Privacy Policy or RBI’s information collection, use and disclosure practices, you may contact the Grievance Officer as per the details given hereinbelow. RBI will use reasonable efforts to respond promptly to requests, questions or concerns you may have regarding the use of your PI/SPDI.
8. GRIEVANCE OFFICER
You may contact the Grievance Officer to address any discrepancies and grievances you may have with respect to your Information with RBI. The Grievance Officer will redress your grievances expeditiously.
Rule 2 (i)
“Personal information” means any information that relates to a natural person, which, either directly or indirectly, in combination with other information available or likely to be available with a body corporate, is capable of identifying such person.
Rule 3
Sensitive personal data or information of a person means such personal information which consists of information relating to:-
password;
financial information such as Bank account or credit card or debit card or other payment instrument details ;
physical, physiological and mental health condition;
sexual orientation;
medical records and history;
Biometric information;
any detail relating to the above clauses as provided to body corporate for providing service; and
any of the information received under above clauses by body corporate for processing, stored or processed under lawful contract or otherwise:
provided that, any information that is freely available or accessible in public domain or furnished under the Right to Information Act, 2005 or any other law for the time being in force shall not be regarded as sensitive personal data or information for the purposes of these rules.