Privacy Policy

Last Updated on January 2022

1. Introduction

Your privacy is important to us. Mindtree Limited and its group companies (‘Mindtree,’) is committed to respecting your privacy while using our website. This Mindtree Data Privacy Policy (“Policy”) defines the requirements to ensure compliance with the applicable data privacy laws and regulations applicable to Mindtree’s collection, use, and transmission of Personal Data and Sensitive Personal Data for information collected by us about you.

Protecting the privacy rights of data subjects and safeguarding their Personal Data is now being treated as a basic right of an individual and a legal requirement in many parts of world. Mindtree, being a global organization, respects the privacy of data subjects and is committed to complying with the applicable data privacy laws and legislations (including but not limited to EU General Data Protection Regulation 2016/679, California Consumer Privacy Act, The Privacy Act 1988 (Australia) including the Australian Privacy Principles (APP), Data Protection Act 2018 (UK), Information Technology Act 2000 read along with the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 and Personal Data Protection Act 2012 (Singapore) and other applicable privacy laws to the extent that they apply to Mindtree’s data processing and business operations) (the “Data Privacy Laws”).

2. Policy Statement

This Policy is designed to explain and set out Mindtree’s procedures and policies when processing Personal Data and Sensitive Personal Data (the meaning of which are set out below) by the organization. This Policy defines the requirements to ensure compliance with the Data Privacy Laws applicable to Mindtree’s collection, use, and transmission of Personal Data and Sensitive Personal Data.

3. Scope

The scope of this Policy applies to Mindtree, its affiliates, business partners, employees, and Third Parties providing services to Mindtree (together “Mindtree”, “we” or “us”). It covers Processing (including but not limited to collection, storage, usage, transmission and destruction) of Personal Data and Sensitive Personal Data of Mindtree’s current and previous employees, prospective candidates, current, prospective and previous customers, current and previous partners/vendors, website visitors, sub-contractors and visitors, (together “you”/ “your”) by Mindtree during the course of its business activities.

Mindtree acts as a Data Controller with respect to any Personal Data or Sensitive Personal Data it holds about you. Mindtree is responsible for ensuring that it uses your Personal Data in compliance with the Data Privacy Laws. The relevant entities that may act as the Data Controller are listed in Section 23 of this Policy

This Policy sets out the basis on which any Personal Data, Personal Information and Sensitive Personal Data about you that you provide to us, that we create, or that we obtain about you from other sources, will be processed by us.

4. Definitions

The meaning of some of the terms in use in the Policy are explained below:

Term Description
Personal Data Any information of Data Subject which can reasonably associate or link to an identifiable natural person or could include anyone who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, economic, cultural or social identity of that natural person.
Personal Information (applicable only to California residents) Information pertaining to residents of California that identifies, relates to, de-scribes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household, but does not include information that is lawfully made available from federal, state or local government records, nor does it include “deidentifed” or “aggregate customer information” as those terms are defined pursuant to the CCPA. Mindtree does not collect Personal Information from California residents that are under the age of 16.
Sensitive Personal Data Defined as any information revealing an identified or identifiable natural per-son’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and the processing of genetic information, biometric information for the purpose of uniquely identifying a natural person, data concerning health, or information concerning an individual’s sex life or sexual orientation, and data relating to offenses, or criminal convictions. With respect to California residents, in addition to the preceding, the term also includes national origin or ancestry, sexual orientation, sex (including, gen-der, gender identity, and gender expression), pregnancy, childbirth and med-ical conditions related to same, age, physical or mental disability, veteran status, genetic information and citizenship.
Process, Processes, Processed or Processing Means any operation or set of operations which is performed on Personal Data or Personal Information or Sensitive Personal Data or on sets of Personal Data or Personal Information or Sensitive Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Consent Any freely given, specific, informed and unambiguous indication of the Data Subject’s wishes by which the Processing of their Personal Data, Personal Information and/or Sensitive Personal Data via a statement or by a clear affirmative action, signifies agreement to the processing of their Personal Data, Personal Information and/or Sensitive Personal Data.
Data Subject Relates to a particular natural person (i.e. an identified or identifiable natural person to whom the Personal Data relates. In case of a minor/ individual with mental disabilities, the data subject would be represented by a legal representative (parent/ guardian). For the purpose of clarity of this Policy, “Data Subject” means Mindtree current and previous employees, prospective candidates, current, prospective and previous customer personnel, current and previous partner/vendor personnel, website visitors, sub-contractors and visitors. Mindtree does not collect Personal Data/ Personal Information and Sensitive Personal Information from Data Subjects that are under the age of 18. For the purpose of CCPA, Data Subject shall include California residents.
Data Controller Means a person or organization who (either alone, or jointly, or in common) determines the purposes for which and the manner in which any Personal Data are, or are to be, Processed. For the purposes of this Policy, references to Data Controller shall mean references to Mindtree and its affiliates, where relevant.
Data Processor Is a person or organization who Processes the Personal Data on behalf of and under the instruction of the Data Controller.
Third Party In relation to Personal Data or Personal Information or Sensitive Personal Data means any person other than the Data Subject, the Data Controller, or any Data Processor or other person authorized to process data for the Data Controller.
“Sell,” “selling,” “sale,” or “sold,” Means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s Personal Data or Personal Information by the business to another business or a Third Party for monetary or other valuable consideration.
Protected Health Information” or “PHI

means any written, oral, or electronic health information that is created by and/or received from a Covered Entity or a Business Associate of a Covered entity;

PHI includes, but is not limited to, any of the following documentation, if the documentation reveals an Individual’s identity and the Individual’s health status or payment issues:

  • medical records (such as hospital charts or doctor’s notes);
  • medical bills (such as bills for hospital or doctor’s services);
  • claims data (such as data on claims payments made by the Plans on an Individual’s behalf); and
  • insurance payment information (such as an explanation of benefits).
Individual means the person who is the subject of the protected health information.
Covered Entity means any health plan or any healthcare clearinghouse, or any healthcare provider who transmits PHI as per the standards developed by the Department of Health & Human Services (“HHS”) in electronic form.
Business Associate" means an entity that performs or assists a Covered Entity with a function or service involving the use or disclosure of PHI. The term Business Associate also applies to subcontractors of a Business Associate entity who perform PHI-related functions.
“Electronic Media”

means:

  • electronic storage material on which data is or may be recorded electronically, including devices in computers (e.g., hard drives) and any removable/transportable digital memory medium, such as magnetic tape or disk, optical disk, or digital memory card; or
  • transmission media used to exchange information already in electronic storage media. Transmission media include, for ex, the Internet, extranet, intranet, leased lines, dial-up lines, private networks, and the physical movement of removable/transportable electronic storage media. Certain transmissions, including paper, voice via telephone, and facsimile, are not considered to be transmissions via electronic media if the information being exchanged did not exist in electronic form immediately before the transmission.

5. How we collect your Personal Data/ Personal Information / Sensitive Personal Data

We will collect and process the following Personal Data / Personal Information/ Sensitive Personal Data about you as follows:

Data Elements / Categories How we collect your data
Customer Personal Data or Personal Information in Projects Directly from you while Mindtree providing services to you
Business Partner/Vendor Personal Data or Personal Information Directly from you while Mindtree is receiving services from you.
Prospective Candidates

From Third Parties or other sources (for example via recruitment agencies or Mindtree employee referral but in each case only as far as legally permissible and only as far as is necessary to fulfil the position in question), which may also include public sources such as professional networking platforms or job portals.

Directly from you in case you have directly applied through the website;

Employee Data Directly from you during the course of your employment;
Visitor information Directly from you at the time of visiting our premises
Website Data Directly from you when you voluntarily fill out your information on the website through specific provided forms to receive information from us or contact you. The information that you are required to fill in the website are your identity information and contact details (e.g. First Name, Last Name, Work Email, Company Name). In general, you may browse our website without providing any Personal Data about yourself. In the website, we do not collect any of your Sensitive Personal Information
Website Cookies Refer to our Cookie Policy for information about our website cookies
Marketing Data, Events and Initiatives Directly from you when you contact (or you have been contacted) or interact with any Mindtree representative, via Mindtree website or events or conferences or workshops or Surveys that you attend, by telephone, email, online portal or in person or from professional networking platforms like Linkedin, Twitter.
Prospective Customers and business partners/ vendors Other customer/ business partner and vendor referral. Also refer to “website data”, “Marketing Data, Events and Initiatives”.

For California residents only and in addition to the preceding, if such Personal Information is collected from other electronic sources, over the internet, using a pen and paper, through an algorithm, or through any other means.

6. Purpose and Lawful basis of Processing

Your Personal Data may be stored and processed by us in the following ways and for the following lawful purposes:

  • Where you have applied for a role with us, to review and process your job application with us and (only where legally permissible and where strictly necessary to assess your suitability for the relevant role) to conduct background screening checks on you (when permitted or required by the applicable law);
  • To carry out activities relating to your employment contract with us (including, but not limited to, processing your salary, administering benefits, managing and providing training relevant to your role and managing your performance);
  • To provide our products and services to you;
  • To comply with any legal and regulatory obligations that we have to discharge;
  • To establish, exercise or defend our legal rights or for the purpose of legal proceedings;
  • Where you are an employee or visitor to our premises, to record and monitor your use of our premises and/or information technology systems in order to maintain its security and protect them against fraud or unauthorised entry;
  • Use it for our legitimate business interests, such as operating our website, managing the efficient management and operation of our business, conducting marketing activities designed to improve the products and services we offer to you, and administering the security of our business (“Legitimate Business Interests”); and
  • Use it to prevent and respond to actual or potential fraud or illegal activities.
  • Internal Research: We may Process Personal Information for internal research for technological development and demonstration.
  • Transactional: We may transfer Personal Information as an asset through a merger, acquisition, bankruptcy or other transaction in which a Third Party assumes control of the business in whole or in part. In such event, the Third Party cannot materially alter how it uses or shares the acquired Personal Information subject to certain exceptions.

We are entitled to Process your Personal Data, Personal Information or Sensitive Personal Data in these ways because of the following reasons:

  1. Performance of Contract: We may process your Personal Data, Personal Information or Sensitive Personal Data, where necessary to enter into a contract with you or to perform our obligations under a contract with you. E.g processing of personal data for employment purposes (such as processing your salary, administering benefits) or providing services to our customers which are necessary to execute the contract. If you do not provide Personal Data for processing under this legal basis, we may not be able to perform as per the respective contract.
  2. Consent: Where permitted under applicable local laws, we may (but usually do not) process your Personal Data, Personal Information or Sensitive Personal Data based on your prior consent. In such cases, you have the right to withdraw your consent at any time by contacting the details below provided in this Privacy Policy. In certain limited circumstances, even after withdrawal of Data Subject consent, we may be entitled to continue processing your Personal Data where we have a lawful reason to do so and as communicated to you.
  3. Legitimate Interests: We may process your Personal Data, Personal Information where it is necessary for our Legitimate Business Interests as a company, including to manage, which are outlined above.
  4. Legal Obligations: We may process your Personal Data, Personal Information where it is necessary in order to comply with applicable legal and/or regulatory obligations, establish, exercise or defend our legal rights or for the purpose of legal proceedings and to prevent and respond to actual or potential fraud or illegal activities.
  5. Other “Public Interest” Grounds: We may process your Personal Data, Personal Information (or where relevant, your Sensitive Personal Data) on other public interest grounds where it is subject to regulatory requirements where Processing is necessary by us for the performance of a task mandated by governmental authorities, regulatory authorities or any other law enforcing authorities in the public interest.
Data Elements / Categories Purpose of Collection Lawful Basis
Mindtree Customer’s data/Customer’s customer data that is shared with Mindtree to be processed in the role of a Processor / Sub-processor Providing services to fulfil the contractual obligations with Mindtree’s customers in the role of a Processor. This data will not be shared/processed for any other purpose other than what is stated in the contract between Mindtree and its Customers Performance of the contract or business purpose
Partner/Vendor Personal Data or Personal Information Receiving Services from Vendor/ Partner: to receive products and services from you; Performance of the contract or business purpose
Prospective Candidates Employment Opportunities: Where you have applied for a role with us, to review and process your job application with us and (only where legally permissible and where strictly necessary to assess your suitability for the relevant role) to conduct background screening checks on you (when permitted or required by the applicable law); Legitimate interest of Mindtree or business purpose
Employee Data Employment related activities: To carry out activities relating to your employment contract with us; Performance of contract, compliance with laws and legitimate interest or business purpose
Visitor information Security Purposes: Where you are a visitor to our premises, to record and monitor your use of our premises and/or IT systems in order to maintain their security and protect them against fraud or unauthorised entry Legitimate interest or business purpose
Marketing Data, Website Data, initiatives, survey and Events Marketing purposes: To engage in marketing and business development activities in relation to our products and services. This may include email and SMS marketing, other marketing communications as well as organising events. Use it for our legitimate business interests, such as operating our website, managing the efficient management and operation of our business, conducting marketing activities designed to improve the products and services we offer to you, and administering the security of our business Consent, Legitimate Interest or business purpose
Website Cookies Marketing purposes: Where you use functionality or visit our website including, subject to acquiring your prior consent where legally necessary, the use of cookies on our website (see our Cookie Policy for more information) Consent, Legitimate Interest

7. Processing Sensitive Personal Data

We may, where legally permissible, process your Sensitive Personal Data on the following lawful bases:

  • Explicit Consent is obtained from you where required under applicable local laws or in specific circumstances
  • Where you are physically or legally incapable of giving consent, but the processing is necessary to protect your vital interest for example, where emergency medical care is needed.
  • Without explicit consent when such Processing is specifically authorised or mandated by appli-cable local Data Privacy Laws including but not limited to circumstances where Mindtree is per-mitted to process Sensitive Personal Data

8. Personal Data of Individuals below 18 years

We may process Personal Data or Sensitive Personal Data of any individuals below the age of 18 years only for travel and immigration purposes. If we are required to process Personal Data or Sensitive Personal Data of such individuals, then we shall do so by taking explicit written consent from their legal guardians. If it comes to your knowledge that we have unintentionally collected or received Personal Data or Sensitive Personal Information about an individual below the age of 18 years directly from them, then immediately notify Us in the contact details provided in this Policy and we will accordingly delete such information.

Note: If you are below the age of 18 years, then we do not want you to provide any of your Personal Data in our website.

9. How we will be using your Personal Data/ Personal Information for Direct Marketing

For direct marketing, we will be using your Personal Data/ Personal Information in the following ways (to the extent in compliance with applicable local laws).

  1. Manage and maintain our relationship with you, including responding to an inquiry, question or comment made by you.
  2. To engage in marketing and business development activities in relation to improve Mindtree’s products and services.
  3. Improve the products and services we offer to you, and administering the security of our business.
  4. To conduct analysis and market research to improve this website
  5. Inform you about our service offerings by communicating through email, SMS, phone and any other similar communications means
  6. Respond to any legal process or as required by law in response to any court order, subpoena or a law enforcement agency, defending us in case of legal disputes or to take action against any illegal activity and to address any potential threat to the physical safety of a person.
  7. California residents who provide Personal Information are entitled to request information about themselves that we shared with Third Parties for their own direct marketing purposes (if applicable), including the categories of information and the names and addresses of those businesses. We do not currently share the Personal Information of California residents with Third Parties for their own direct marketing purposes.

10. Events and Initiatives

We organize and participate in events and initiatives. In such cases this Policy applies to participants and speakers together with any other supplementary information that is provided in relation with each event. In the event we appoint any Third Parties to conduct or organize such events and initiatives, your Personal Data or Personal Information shall be shared to such Third Parties under contractual obligations with such Third Parties in compliance with applicable Data Privacy Laws. The processing of Personal Data/ Personal Information by such Third Parties shall however be governed by the respective parties’ privacy policies and the contractual obligations entered with us.

11. Retention and Disposal of Personal Data or Personal Information

How long we continues to hold your Personal Data/ Personal Information will vary depending principally on:

  • Purposes identified in this Policy for using the Personal Data/ Personal Information/ Sensitive Personal Information – we will need to keep the information for as long as is necessary for the relevant purpose; and
  • Legal obligations – laws or regulation may set a minimum period for which we will have to keep your Personal Data/ Personal Information/ Sensitive Personal Information
  • Disposal of Personal Data/ Personal Information/ Sensitive Personal Information shall be handled with utmost care and shall be governed in accordance with reasonable data security practices as detailed by its internal policies governing data disposal.
  • Personal Data/ Personal Information/ Sensitive Personal Data shall only be Processed for the period necessary for the purposes for which it was originally collected as per the Mindtree Retention Policy.

12. Cross Border Transfer

We are a part of the Larsen and Toubro Group companies which is an international group of companies and, as such, transfer your Personal Data/ Personal Information/ Sensitive Personal Information to various countries where we and our parent company and affiliates operates.

We may transfer Personal Data/ Personal Information/ Sensitive Personal Information between our group companies and data centres for the purposes described in this Policy. We may also transfer Personal Data/ Personal Information/ Sensitive Personal Information to our Third Party suppliers, customers or business partners in different geographic locations.

Where we transfer your Personal Data/ Personal Information/ Sensitive Personal Information outside of the European Economic Area (“EEA”), we will ensure that it is protected and transferred in a manner consistent with applicable Data Privacy Laws. This can be done in a number of different ways, for instance:

  • the country to which we sends the Personal Data/ Personal Information/ Sensitive Personal Information may be approved by the European Commission as a jurisdiction with offering an “adequate” level of Data Privacy Laws;
  • and, where applicable, we have implemented additional (technical, contractual and/or organisational) measures to secure the transfer of your personal data;
  • the recipient organisation has signed a contract based on “model contractual clauses” approved by the European Commission, obliging them to protect your Personal Data/ Personal Information/ Sensitive Personal Information.

In other circumstances, Data Privacy Laws may permit us to use other transfer mechanism to transfer your Personal Data/ Personal Information/ Sensitive Personal Information outside of Europe. In all cases, however, any transfer of your Personal Data/ Personal Information/ Sensitive Personal Information will be compliant with applicable Data Privacy Laws.

You can obtain more details of the protection given to your Personal Data/ Personal Information/ Sensitive Personal Information when it is transferred outside the EEA (including a sample copy of the safeguards) by contacting us using the details set out within this Policy.

13. Security of Personal Data/ Personal Information/ Sensitive Personal Data/ PHI

In order to comply with our data security obligations under applicable Data Privacy Laws, we has adopted the following physical, technical and organizational security measures to ensure the security of your Personal Data/ Personal Information and Sensitive Personal Data and PHI::

  • That includes the prevention of their alteration, damage, loss, unauthorized processing or access, having regard to the nature of the data and the risks to which they are exposed by virtue of human action or the physical or natural environment.
  • We shall comply with the security safeguards as per our contractual and statutory requirements in consultation with its internal I.T department.
  • The Office of Data Privacy and Chief Information Security Officer shall assess the security measures implemented to safeguard Personal Data, Personal Information and Sensitive Personal Data on a regular basis and update the same, where required.
  • All employees and contractors shall be imparted with mandatory Privacy training (e.g., Training on Embedding Privacy in Software Development etc.). Further confidentiality agreements and Non-Disclosure Agreements shall be signed by all employees and contractors on or before their joining date with Mindtree.
  • We have implemented the following safeguards to ensure the data We collects, stores, processes and shares is secure:
    • Physical Security Controls
      • Facility Perimeter, HD access reader, Data Centre, Video surveillance
    • IT Infrastructure Controls
      • Encryption, DLP, Data masking, controlled Portable ports, Access Control, Unauthorized software check, Data destruction, System Hygiene measures, Monitoring, User Access Management, Patch Management, Vulnerability Management.

We have implemented an incident and breach management procedure to ensure that exceptions in data privacy compliance are promptly reported to the Office of the Data Privacy.

14. Privacy by Design

  • We have established a process to proactively embed privacy at the initial planning/design stages and throughout the complete development process of new processes/ services/ technologies and/or platforms that involve Processing of Personal Data.
  • Considerations have been made for technical and organizational measures to enhance privacy (e.g. pseudonymization, anonymization, data minimization, data aggregation etc.).In addition, we shall take appropriate technical and organizational measures to ensure that Personal Data collected or Processed is adequate, relevant and limited to what is necessary in relation to the purposes for which they are Processed.
  • With respect to the Personal Information of California residents and in addition to the above, we will use measures to enhance the privacy of your Personal Information through the use of measures to “aggregate consumer information” or to “deidentify” such Personal Information as those terms are defined by the CCPA.

15. Your Rights

You have certain rights relating to your Personal Data/ Sensitive Personal Data provided for under applicable Data Protection Laws.

  • The right to request access to your Personal Data/ Sensitive Personal Data and the processing activities on the Personal Data/ Sensitive Personal Data and, where applicable, receive a copy of your Personal Data/ Sensitive Personal Data. Please note that there may be circumstances in which we are entitled to refuse requests for access or to receive copies of your Personal Data/ Sensitive Personal Data.
  • Request that your Personal Data/ Sensitive Personal Data is corrected if it is inaccurate or incomplete.
  • Request erasure of your Personal Data/ Sensitive Personal Data in certain circumstances. Please note that there may be circumstances where you ask us to erase your Personal Data but we are legally entitled to retain it.
  • Request that the processing of your Personal Data/ Sensitive Personal Data is restricted in certain circumstances.
  • Object to processing of your Personal Data/ Sensitive Personal Data in certain circumstances. Again, there may be circumstances where you object to our processing of your Personal Data/ Sensitive Personal Data but we are legally entitled to refuse that request.
  • Receive your Personal Data/ Sensitive Personal Data provided to us as a Data Controller in a structured, commonly used and machine-readable format in certain circumstances and/or request that we transmit that Personal Data/ Sensitive Personal Data to a Third Party where that is technically feasible. Please note that this right only applies to Personal Data/ Sensitive Personal Data which you have actually provided to us.
  • Lodge a complaint with an applicable data protection supervisory authority, if you think that any of your data protection rights have been infringed by us. We can, via the contact details provided in this Policy, tell you which data protection supervisory authority is relevant to the processing of your Personal Data/ Sensitive Personal Data.
  • If the Processing of your Personal Data/Sensitive Personal Data is based on (explicit) consent, you can withdraw your consent at any time by contacting us. Please bear in mind that in certain circumstances it may be lawful for us to continue processing your Personal Data/ Sensitive Personal Data without your consent if we have another legal basis (other than consent) for doing so.
  • Right to have onsite access of your Personal Data (for Mexico only).
  • Right to raise a request to cancel processing of your Personal Data (for Mexico only).

Following are the rights applicable to the respective jurisdictions

Data Subject Rights Europe including UK US Mexico Australia Singapore India
Right to Information / Access Yes Yes Yes Yes Yes
Right to withdraw consent (opt out) Yes Yes Yes Yes Yes
Right to Object processing Yes Yes
Right to Restrict processing Yes Yes
Right to Erasure (to be Forgotten) Yes Yes Yes
Right to Rectification Yes Yes Yes Yes Yes
Right of Data Portability Yes Yes Yes
Right not subject to automated decision making/profiling Yes
Right to Complain to the Supervisory authority Yes Yes Yes Yes Yes
Right not to be subject to discrimination for the exercise of rights California Residents
Opt out of sale of data California Residents
Right to raise a request to cancel processing of your Personal Data Yes
Right to have onsite access of your Personal Data Yes

To exercise the rights outlined above in respect of your Personal Data/ Sensitive Personal Data or to receive more details, you may raise a request by clicking the link: Access Your Rights Here or by contacting Dataprotection.Office@mindtree.com

If you belong to any other jurisdiction that is not listed above, you may reach out to the us by raising a request by clicking the link: Access Your Rights Here or by contacting Dataprotection.Office@mindtree.com

15.1.1.1 California Privacy Rights

The CCPA provides California residents with the right to request disclosure of the categories and specific pieces of Personal Information that the business collects, sells or discloses concerning California residents and we shall provide such information without charge to the requesting California resident after verifying the request. We are required to provide such information no more than twice in a 12-month period. Under the CCPA, “collects” includes information bought, rented, gathered, obtained received and accessed whether actively, passively or by observing the California resident, provided, however, that we are limited in terms of what we can disclose when such information is Sensitive Personal Data.

The CCPA requires that we provide data portability to California residents.

Subject to certain exceptions, the CCPA grants rights to California residents to request the deletion of their Personal Information.

The CCPA prohibits discrimination against California residents that elect to exercise their rights under the CCPA.

The CCPA prohibits any agreement or contract that seeks to waive or limit California residents’ rights under the CCPA.

Please contact the Data Privacy Officer if you are attempting to fulfill any of the above requests by clicking at Access Your Rights Here or writing to Dataprotection.Office@mindtree.com

California residents who provide Personal Information are entitled to request information about themselves that we shared with Third Parties for their own direct marketing purposes (if applicable), including the categories of information and the names and addresses of those businesses. We do not currently share the Personal Information of California residents with Third Parties for their own direct marketing purposes.

16. Automated profiling and decision making

We do not use any automated decision making (including profiling) to process your Personal Data/ Personal Information/ Sensitive Personal Data.

17. Disclosure to Third Parties

  • We may disclose some of your Personal Data/ Personal Information/ Sensitive Personal Data to affiliates within our corporate group companies under the following circumstances:
    • Personnel administration, employee work and business management purposes.
    • To provide service that is legally bound by a valid contract.
    • To carry out day-to-day business transactions.
    • To identify and contact the Data Subject.
    • To ensure compliance to local laws and regulations.
    • Security Management
    • Events and Initiatives
  • We may also share Personal Data/ Personal Information/ Sensitive Personal Data outside of its corporate group where we relies on Third Parties to assist in its processing activities. This may include:
    • Third Party agents/suppliers or contractors, bound by obligations of confidentiality, in connection with the processing of your Personal Data/ Personal Information/ Sensitive Personal Data for the purposes described in this Policy. This may include, but is not limited to, information technology and communication services providers.
    • Third Parties relevant to the products and services that we provide. This may include, but is not limited to, hardware or software manufacturers, other professional services providers, regulators, authorities and other governmental institutions.
    • To the extent required by law, regulation or court order, for example if we are under a duty to disclose your Personal Data/ Personal Information/ Sensitive Personal Data in order to comply with any legal obligation.
    • You may reach out to the contact details provided in this Policy, if you would like to know the name of the Third Parties to whom we have shared your Personal Data.
  • With respect to disclosing Personal Data/ Personal Information/ Sensitive Personal Data to Third Parties, such written contracts with Third Parties will include restrictions prohibiting the Third Party from retaining, using or disclosing Personal Data/ Personal Information/ Sensitive Personal Data for any purpose except performing the services specified in the contract or as otherwise permitted by applicable Data Privacy Laws.
  • Where it discloses your Personal Data/ Personal Information/ Sensitive Personal Data to Third Parties Mindtree will seek to use a Data Processors or Subprocessors that are capable of providing sufficient security measures in accordance with applicable Data Privacy Laws and shall put in place contractual mechanisms to ensure that the relevant Data Processor or Subprocessor takes reasonable steps to ensure compliance with those measures.
  • Mindtree does not sell any Personal Data/ Personal Information/ Sensitive Personal Data under any circumstances.

18. Links to Third Party Websites

Our Website may provide links to other Websites, which have their own privacy policies. Such websites will be governed by their respective privacy policies and you may refer to them to understand how they process Your Personal Information. Some content or applications, including advertisements on Our Website accessed by You while availing Our services are served by third-parties. These third parties may use cookies alone or other tracking technologies to collect information about You when You use their services. The information they collect may be associated with Your Personal Information or they may collect information about Your online activities over time and across different websites and other online services. They may use this information to provide You with interest-based (behavioural) advertising or other targeted content. We do not control these third parties’ tracking technologies or how they may use the data which they have accessed. If You have any questions about an advertisement or other targeted content, You should contact the responsible provider/advertiser directly.

19. Quality of Personal Data/ Personal Information and Sensitive Personal Information

  • We shall ensure to implement reasonable Processes to monitor the quality of the Personal Data/ Personal Information and Sensitive Personal Data we store/ process.
  • Each business unit & support function within our organisation shall take steps to assure that Processed Personal Data/ Personal Information and Sensitive Personal Data is complete and accurate.
  • We shall implement a process to ensure that our employees can review, update and confirm on the accuracy and completeness of their Personal Data/ Personal Information and Sensitive Personal Data Processed by us.

20. HIPAA Privacy and Security Requirements

This section describes Mindtree’s obligations as a Business Associate under the Health Insurance Port-ability and Accountability Act (“HIPAA”).

I. Privacy Officer

Mindtree’s Data Protection Officer (as specified in Section 21 of this Policy) shall also act as the Privacy Officer and single point of contact for all queries on HIPAA-related matters for Mindtree. The Privacy Officer is also responsible for:

  • development and implementation of the policies and procedures pertaining to the protection of PHI and Mindtree’s obligations thereof;
  • compliance with the Privacy Rule;
  • establishing a breach notification process and coordinating with the Covered Entity on any breaches;
  • developing a training program; and
  • monitoring changes in the law and procedures that affect PHI.

II. Business Associate Agreements

Mindtree does not receive, access, use or otherwise process PHI without a Business Associate Agreement (BAA). The BAA ensures that the PHI received from a Covered Entity or Business Associate (hereinafter the Mindtree “customer”) is properly safeguarded in accordance with the applicable provisions of the HIPAA Privacy Rule, Security Rule, and the Health Information Technology for Economic and Clinical Health Act (“HITECH Act”).

The Privacy Officer shall maintain a log of all BAAs and manage any compliance requirements specified in such BAAs.

Upon termination of a BAA, Mindtree will return or destroy all PHI that it received and maintains from the customer, and no copies of such information will be retained. If return or destruction is not feasible, Mindtree shall continue to protect such PHI in accordance with the terms of the BAA and applicable law, until such time as the PHI remains in its possession and custody.

III. Use and Disclosure of Protected Health Information

Mindtree shall use and disclose PHI solely in accordance with the permitted uses laid out in the Business Associate Agreement between Mindtree and its customer, and in compliance with the purposes and standards prescribed under HIPAA.

In the event that a mandatory disclosure request as prescribed in the Act is made directly to Mindtree, whether by an Individual, in compliance with a legal directive, or to HHS for the purposes of enforcing HIPAA, Mindtree shall, to the extent permitted by law, notify the customer from whom such PHI was received, and shall make the requested disclosure in line with the guidance issued by such customer.

Mindtree shall not, in the absence of an authorization from the relevant Individuals, process PHI for any purpose other than the permitted purposes prescribed under applicable law and the BAA; provided however, that the responsibility for obtaining such authorization shall rest solely and exclusively on the Mindtree customer on whose behalf such processing shall occur and Mindtree shall not, to the extent permitted by law, be liable for any delay or failure by the customer to obtain the requisite authorizations.

IV. Training

Mindtree personnel that use, disclose, request, or have access to PHI in order to carry out their work-related functions are required to undergo the prescribed training to permit them to carry out functions in compliance with HIPAA. Training for employees with access to PHI will be pro-vided within a reasonable period of time after their date of assignment to the relevant project. Where applicable, such personnel will be required to take a refresher training annually and at additional times as determined by the Privacy Officer.

The Privacy Officer will maintain records of the dates of, and attendance at, all training sessions for six (6) years from the date of the applicable training session.

V. Violations of Policies and Procedures

Mindtree takes the policies and procedures regarding PHI very seriously. These policies and procedures are developed and implemented not only to ensure that PHI is used and maintained in a manner that is consistent with Mindtree’s commitment to privacy and protection of PHI, but also in a manner that is consistent and compliant with its obligations under the BAA and applicable law.

In the event that a Mindtree employee fails to comply with their obligations under the abovementioned policies and processes, they may be subject to sanctions, including warnings (verbal or written), and further disciplinary action up to and including termination of employment.

VI. Security Officer

Mindtree’s Chief Information Security Officer (CISO) shall act as the Security Officer for ensuring compliance with the security obligations prescribed in this section. The Security Officer will coordinate Mindtree’s security activities with the Privacy Officer. The details of the Security Officer are as follows:

Chandan Pani
Chief Information Security Officer
Chandan.Pani@mindtree.com

VII. Security Policies and Procedures

Mindtree has developed a robust information security framework in line with industry best practices to protect PHI under its control and custody, as detailed in Section 13 above.

21. Complaints and Grievances

Any complaints or grievances received about our use of Personal Data, Personal Information or Sensitive Personal Data should be promptly directed to the our Data Privacy Officer.

Complaints related to Personal Data, Personal Information, Sensitive Personal Data protection and any communications regarding enforcement of your privacy rights should be directed to the Data Privacy Officer at the following contact details:

Global Data Privacy Officer for Mindtree Limited:

Data Privacy Office: Global Village, RVCE Post, Mysore Road, Bangalore- 560059, India
Attention: Jagannath PV (Data Protection Officer)
Phone- +91 80 6706 410

Data Privacy Officer for Mindtree Limited (Germany Branch) and European Representative:
Matthias Meister: Email ID- Matthias.Meister@mindtree.com

United Kingdom Representative:
Nimish Khare: Email ID- Nimish.Khare@mindtree.com

With the relevant competent data protection authority. The name and contact details of the Data Protection Authorities in the European Union can be found here.

22. CCTV Surveillance

Where and only as far as permitted by applicable local laws, we may monitor the activities of individuals including visitors in our common area premises through CCTV footage. Such data shall be kept in accordance with Mindtree Retention Policy, after considering other statutory compliance requirements.

23. Policy Revisions and Publication

  • This Policy may be revised and updated from time to time.
  • The most recent version of this Policy will be available in this web page.

24. List of Mindtree Entities

We might transfer your personal data to our parent company Larsen & Toubro and its subsidiaries. You may reach out to the DPO contact details mentioned in Section 20 to identify whether any entity falls under Larsen & Toubro subsidiaries.