DATA PROTECTION POLICY

I. SUMMARY:
Your privacy is important to us. Please take a moment to read this Data Protection Policy so that you know and understand the purposes for which the Foundation may collect, use and/or disclose your Personal Data.

II. POLICY:
This Data Protection Policy outlines how your Personal Data will be managed in connection with your employment or your relationship as a trainee, vendor, consultant etc with Youth4Jobs Foundation (hereinafter referred to as either Foundation/ Data Fiduciary) and in accordance with the Digital Personal Data Protection Act 2023 and The Information Technology Act of 2000 and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Information) Rules of 2011 (the “IT Rules”).
The terms of your employment/contract/agreement/ understanding with the Foundation should be read in conjunction with provisions of this Data Protection Policy.

III. SCOPE:
The policy applies to all staff, including management, employees (including contract employees – ad hoc or daily wage basis, either directly or through an agent with or without the knowledge of the employer, and may be working for remuneration), trainees (i.e vulnerable adults including carers/parents), interns, volunteers, beneficiaries, stakeholders, donors and auditors, consultants, vendors, service providers and anyone working on behalf of /for Youth4Jobs etc.

IV. PURPOSE:
Personal data means data about an individual who is identifiable by or in relation to such data including without limitation to name, address, contact information, Aadhaar, Pan details, employment history, educational background, income certificate, Disability certificate etc.
The Foundation shall collect your Personal Data from time to time for its records, communication purposes, background and reference check purposes, research, archiving, statistical purpose, placement purposes etc. Foundation shall use its discretion for the collection of such information which shall vary from person to person. Data processing shall be carried on in accordance with such standards as may be prescribed.

V. DUTIES OF INDIVIDUAL (INCLUDING PARENT/CARERS OF VULNERABLE ADULTS):
An individual shall perform the following duties, namely:
a. comply with the provisions of all applicable laws for the time being in force while exercising rights;
b. to ensure not to impersonate another person while providing his/her personal data for a specified purpose;
c. to ensure not to suppress any material information while providing his/her personal data for any document, unique identifier, proof of identity or proof of address issued by the State or any of its instrumentalities;
d. to ensure not to register a false or frivolous grievance or complaint with a Foundation or the Authority;
e. to furnish only such information as is verifiably authentic, while providing the Personal Data, accessing it, exercising the right to correction, updating or erase.

VI. CONFIDENTIALITY & LIMITATION OF USE OR DISCLOSURE:
The Foundation shall protect your personal data in its possession or under its control, and ensures that adequate measures are in place to protect the confidentiality of your Personal Data, including in respect of any processing undertaken by it or on its behalf by a Data Processor/ Consent Manager.
The Foundation shall take reasonable security safeguards to prevent personal data breach and to avoid the risk of unauthorised/accidental/ unlawful disclosure, access, alteration or loss of your Personal Data including without any limitation to records of all allegations/concerns which are recorded along with all the personal data of the complainant, the victim, the alleged perpetrator, witness etc.
The Foundation provides restricted access to your Personal Data to its staff/employees etc on a need-to-know basis.
The Foundation will share your Personal Data with a third party, statutory/ regulatory body only when it is required to serve the purpose of the Foundation or with respect to legal compliance. The Foundation will use its discretion to decide which information of personal data is required to be shared.

VII. DATA PROTECTION OFFICER:
The Foundation shall appoint a Data Protection Officer:
Name: Anila Mathur
Contact Information: anila@youth4jobs.org

ROLES & RESPONSIBILITIES OF DATA PROTECTION OFFICER:
a. To establish the posts and roles of those officers involved in the processing of the personal data;
b. To carry out data mapping to identify the personal data that is subject to processing and the procedures involving in the processing;
c. To monitor the Data processor/Consent manager if they process the records of the Personal Data in a prescribed manner.
d. To monitor and check if the records are maintained and stored by the Data processor/ Consent manager as prescribed by the law.
e. To share the Personal Data as and when required by the Foundation in compliance with law.
f. To identify risk and carry out a risk assessment when processing personal data;
g. To conduct periodic Data Protection Impact Assessment, which shall be a process comprising a description of the rights of Individuals and the purpose of processing of their personal data, assessment and management of the risk to the rights of the Individuals and such other matters regarding such process as may be prescribed.
h. To implement security measures and to develop a plan to implement those security measures that are still pending;
i. To carry out a gap analysis to verify those security measures for which implementation is still pending;
j. To put in place a procedure to anticipate and mitigate any risks arising from the implementation of new technologies when processing personal data
k. To conduct periodic audits and submit such reports to the board.
l. To respond to queries, complaints and the complaints pertaining to Data Protection policy filed under Grievance Redressal Policy.
m. To do such other acts to protect the Personal Data and to mitigate the breach of data or loss of data etc.
n. To conduct training for those officers involved in the processing.
o. To maintain a record of all emails pertaining to complaints, queries etc.

VIII. CONSENT & REVOCATION OF THE CONSENT:
You are well aware that you have provided your free consent while sharing your personal data with the Foundation. In the cases of Vulnerable Adults who are not in a position to provide a consent, their respective carers/ parents have consented to share their data through a verifiable consent and that of the Vulnerable Adults with the Foundation.
Every request for consent shall be presented to the respective Individual (including not limited to Vulnerable Adults)/ Vulnerable Adults’ parents/carers (i.e., for Vulnerable Adults who not in a position to provide a consent) in a clear and plain language, giving the option to access such request in English or any language specified in the 8th Schedule to the Constitution and providing the contact details of a Data Protection Officer.

EXCEPTIONS TO OVERRIDE CONSENT TO SHARE PERSONAL DATA:
The Foundation may waive the consent of an individual/ parent or carers of the Vulnerable adults:

• for responding to a medical emergency involving a threat to the life/ abuse or immediate threat to the health/ abuse of the Individual (i.e., the owner of the Personal Data) or any other individual;

• for taking measures to provide medical treatment or health services to any individual during an epidemic, outbreak of disease, or any other threat to public health;

• for taking measures to ensure safety of, or provide assistance or services to, any individual during any disaster (i.e., meaning as per clause (d) of section 2 of the Disaster Management Act, 2005, or any breakdown of public order.

• for the purposes of employment or those related to safeguarding the Foundation from loss or liability, such as prevention of corporate espionage, maintenance of confidentiality of trade secrets, intellectual property, classified information or provision of any service or benefit sought by Individual who is an employee/staff/contractual worker/ intern/ volunteer etc.

In the event you wish to withdraw your consent to any use of your personal data please contact the HR Department (i.e.,Consent Manager/ Data Processor with respect to Data Protection) to know about the procedures and limitations. The consequences of the withdrawal referred shall be borne by the individual and such withdrawal shall not affect the legality of processing of the personal data based on consent before its withdrawal.

Please note that this Data Protection Policy neither supersedes/replaces any other previous consents provided by you nor shall it affect any rights pertaining to your Personal Data that the Foundation collects, stores, uses, shares, processes, transfers, analyses, discloses in accordance with the applicable laws for compliance purpose.

IX. RETENTION OF PERSONAL DATA:
Please note, the Foundation will retain your data in as accurate as possible manner till such period it is required for the intended purpose/ to meet the statutory/ regulatory compliance and then your Personal Data will be deleted in a reasonably practicable manner as per the process. The Foundation shall also limit the use/ access of your Personal Data.

X. COMPLAINTS/QUERIES:
In case of any queries or if you wish to update your data or access the data etc; please contact the HR Department. This will not apply to Trainees, as they will have to contact the Operations Department.
Please note, the Foundation shall maintain your data as accurate as possible. It is your duty to provide accurate data to the Foundation, to complete/update your personal data with the Foundation and if you find any inaccurate/ misleading data in your personal data, it is your duty to notify the same to the HR Department as per procedures and update/rectify your data/or such errors.
In the event of any complaints or if you feel your personal data is being misused or if there is a data breach, please feel free to contact the HR Department immediately so that the necessary action can be taken without any delay. You can also refer to the Grievance Redressal Policy to raise your concern/ complaint etc and the Data Fiduciary or Consent Manager will respond to such concerns/ complaints pertaining to Personal Data.

XI. DISSEMINATING/REVIEWING POLICY:
This Data Protection Policy shall be clearly communicated to staff, employees, interns, volunteers, carers/parents and management. The HR will be responsible for cascading this information.
This Data Protection Policy shall be updated from time to time to be in compliance with Statutory and Regulatory laws and requirements. The HR will ensure that updated policy is circulated to the management, staff, employee, interns, volunteers and carers/parents.

Please note that in the event of any conflict or inconsistency between the terms of your employment/contract/agreement/ understanding and the provisions of this Data Protection Policy, then the provisions of this Data Protection Policy shall prevail.

Approved by the Board of Directors – September 2023