1.1 Data Privacy Policy

The object of this Data Privacy Policy of Bajaj Allianz Life Insurance Company Ltd [BALIC] is to implement the security practices, procedures, and standards in BALIC so that the Personal Data or Information and or Sensitive Personal Data or Information of a person and or all other Data or Information of whatsoever nature is securely handled and safe guarded while collecting, processing, storing, disseminating and or transmitting the same [whether by way of electronic data interchange or otherwise] and to prevent/stop the unauthorized access to/misuse of or exceeding the purpose or wrongful use of the Data of Personal Data or Information and or Sensitive Personal Data or Information of a person and or all other Data of whatsoever nature.

1.2 Definitions:

In this policy, unless the context otherwise requires [Any changes/modifications made by Law or amendments thereof shall be deemed to have been automatically incorporated in this policy including the change of definition or addition of new definitions etc.]

• "Aadhaar Regulations"shall include Aadhaar (Targeted Delivery of Financial and other subsidies, Benefits and Services) Act, 2016, Aadhaar and other laws (Amendment) Act, 2019, Aadhaar (Authentication) Regulations 2016, Aadhaar (Data Security) Regulations, 2016 and other applicable regulations issued by Unique Identification Authority of India from time to time.
• "Access": with its grammatical variations and cognate expressions, means gaining entry into, instructing or communicating with the logical, arithmetical or memory function resources of a computer, computer system or computer network;
• "Customer Data": means Data as to Customer whether or not the Customer holds any Insurance Policy(s) of BALIC.
• "Data": means a representation of information, knowledge, facts, concepts or instructions which are being prepared or have been prepared in a formalized manner and or informal manner, and is intended/not intended to be processed, is being processed or has been processed in a computer/computer resource/computer system/computer network or otherwise than in computer/computer resource/computer system/computer network, and may be in any form (including computer print outs magnetic or optical storage media, punched cards, punched tapes or in any physical form not necessarily stored in computer/computer resource/computer system/computer network) or stored internally in the memory of the computer and shall also include Information or Personal Data or Information or Sensitive Personal Data or information of a person, Customer Data, Insurance Data etc.,;
• "Data Owner": Departments of BALIC which are concerned with collection or processing or transmission or dissemination or destroying the Personal Data or Information and or Sensitive Personal Data or Information of a person and or all other Data, Insurance Data or Customer Data.
• "Data Subject": A data subject is a natural person who is the subject of Data, Information, Customer Data or Insurance Data or "Personal Data or information" or Sensitive Personal Data or Information of a person.
• "End User": Shall be construed as described in Section 4.4 of this Policy.
• "Employee": includes full, part time, on roll employees of BALIC and Contractual employees deployed to BALIC.
• "Grievance Officer": in charge of Customer Experience Unit [CEU], BALIC.
• "Information": includes data, message, text, images, sound, voice, codes, computer programmes, software and data bases or micro film or computer generated micro fiche;
• "Insurance Data:" means Data as to Insurance Policy(s) issued by BALIC and shall also include the Data of Customer who holds Insurance Policy(s).
• "Password": means a secret word or phrase or code or passphrase or secret key, or encryption or decryption keys that one uses to gain admittance or access to information;
• Personal Data or Information:"Personal Data or information" means any information that relates to a natural person which, either directly or indirectly, in combination with other information available or likely to be available with a body corporate, is capable of identifying or relating to such person or the property(s)/profession of a person or any other personal information of such person.
• Reasonable security policies, procedures and standards means as approved and followed by BALIC from time to time.
• Sensitive Personal Data or Information: Sensitive Personal Data or Information of a person means such personal Data or information which consists of information relating to :-
  • password;
  • financial information such as Bank account or credit card or debit card or other payment instrument details or Aadhaar Number;
  • physical, physiological and mental health condition;
  • sexual history or orientation;
  • medical records and history as to any type of ailments [including HIV/AIDS] and health status of insured and his/her family members;
  • Biometric information of person or employee;
  • any detail relating to the above clauses as provided to body corporate for providing service; and
  • any of the information received under above clauses by body corporate for processing, stored or processed under lawful contract or otherwise:
    Provided that any information that is freely and legally available or accessible in public domain or furnished under any statutory provisions for the time being in force shall not be regarded as sensitive Personal Data or Information for the purposes of these rules.
    Provided further that even if any Sensitive Personal Data or Information is freely available or accessible in public domain but the person who has put such information in public domain has put so illegally or by committing some offenses, then such Sensitive Personal Data or Information shall not be treated as legally available.
• "Secure system": means computer hardware, software, and procedure that- (i) are reasonably secure from unauthorized access and misuse; (ii) provide a reasonable level of reliability and correct operation; (iii) are reasonably suited to performing the intended functions; and (iv) adhere to generally accepted security procedures and also includes the Aadhaar Data Vault;
• Data Controller: The Data Controller is the "person" responsible for complying with the data privacy requirements and has full authority to decide how and why "Personal data" or customer data or insurance Data or "Personal information" is to be "processed" (this includes using, storing and deleting the data).
• Data Processor: When work is outsourced, the contracting organization/service provider has access to "Personal Data" or Customer Data or Insurance Data or "Personal Data or information" which it "processes" on behalf of another organization. Processing primarily includes reading, amending, storing and deleting data. Therefore the Data Privacy Officer while outsourcing to Data Processor shall fully and completely assess (i) the reasonable security practices, procedures and standards followed by such Data Processor, (ii) creditworthiness and all other aspects required for faithful performance of duties by Data Processor and also (iii) there must be a suitable written contract in place, paying particular attention to data security. The data controller remains responsible for any breach of "Personal Data" or Customer Data or Insurance Data or "Personal Data or information" brought about by the data processor.
• Data Processing: Data processing is any action taken as to "Personal Data" or Customer Data or Insurance Data or "Personal Data or information" including the collection, use, disclosure, destruction and holding of data.
• Subject Access
  Individuals have a right to know what information is being held about them. The basic provision is that, in response to a valid request (including the fee, if required), the Data Controller must provide a intelligible copy of all the "Personal Data" or Customer Data or Insurance Data or "Personal Data or information" about that Data Subject held at the time the application was made. The Data Controller may negotiate with the Data Subject to provide a more limited range of data (or may choose to provide more), and certain data may be withheld. This includes some third party material, especially if any duty of confidentiality is owed to the third party, and limited amounts of other material. ("Third Party" means either that the data is about someone else, or someone else is the source.)
• Consent: Consent means "any freely given specific and informed indication of his/ her wishes by which the data subject or person authorized (by law or otherwise) to give information on behalf of the data subject signifies agreement to "Personal Data" or Customer Data or Insurance Data or "Personal Data or information" relating to him/her being processed.
  The consent from the Data Subject shall be obtained at the time of receiving the Data to ensure transparency with the Data Subject and in compliance with applicable laws including Aadhaar Regulations. The sharing of information without consent is allowed only under Prevention of Money Laundering Act, 2002 and not otherwise. The consent may be obtained by a number of methods. These may include clauses in employment contracts, check boxes on replies to application or purchase forms, and click boxes on online forms where Personal Data are entered or oral confirmation through IVR /telephonic mode, or including suitable clause in the proposal form etc.

The purpose of this Policy is to enable BALIC to:

• Implement the reasonable security practices, procedures and Standards in BALIC so that the Personal Data or Information and or Sensitive Personal Data or Information of a person and or all other Data, Insurance Data or Customer Data of whatsoever nature is securely handled and safe guarded by implementing such reasonable security practices, procedures and standards as is required by law.
• Comply with applicable statutory provisions, rules and regulations in respect of data privacy and data protection including but not limited to the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016, as amended from time to time.
• To the extent that any provision of this Policy deals with any matter governed by the Aadhar Regulations, this Privacy Policy shall be read in conjunction with the Bajaj Allianz Life Insurance Company Aadhaar Data Governance Policy.
• Extend its commitment towards data privacy and data protection of Personal Data or Information and or Sensitive Personal Data or Information of a person and or all other Data of whatsoever nature is in line with reasonable security practices, procedures and standards.
• Enable the Data Subject and third parties to know, understand and duly follow & comply with the Data Privacy Policy of BALIC while accessing, using and transmitting any Personal Data or Information and or Sensitive Personal Data or Information of a person or any other Data or Information of whatsoever nature.
• Ensure that the Data is accessed, stored, safe kept, processed and or transmitted/disclosed by following a reasonable security practices, procedures and standards by way of managerial, technical, operational and physical security control measures that are commensurate [but not less than security practices, procedures and standards prescribed by Information Technology Act] with the, Personal Data or Information and or Sensitive Personal Data or Information of a person or any other Data or Information of whatsoever nature.

3.1 BALIC is committed to complying with the applicable Indian privacy laws and regulations as to, Personal Data or Information and or Sensitive Personal Data or Information of a person or all other Data or Information of whatsoever nature and have efficient security practices and procedures.

3.2 This policy applies to all Personal Data or Information and or Sensitive Personal Data or Information of a person and or all other Data or Information of whatsoever nature, including Data in electronic form or Physical form. If any of the aspects of Information Technology Act and rules and regulations framed thereunder are not covered in this Policy, then in that case it shall be deemed that all the provisions of Information Technology Act and rules, regulations and guidelines framed thereunder and any amendments thereto, from time to time, are hereby specifically incorporated in this Policy and accordingly all the persons shall be bound to comply with various practices, procedures and safe guards to safe keep, store, keep confidentiality, secure transmission and or not to misuse or exceed the use & purpose for which it was disclosed and or not to allow to be used for the purposes for which it was not disclosed.

This policy applies, to the extent applicable, to all employees of BALIC (full, part time, on roll, Contractual), individual agents, licensed Corporate Agents, Insurance Intermediaries, Brokers, Referral Companies, Web aggregators, insurance Marketing Firms, Tele Marketers providing Tele calling services to BALIC, service providers providing various services and or infrastructure and or facilities, consultants, suppliers and vendors and also all such other persons and entities who:

• Provide Personal Data or Information and or Sensitive Personal Data or Information of a person or any other Data or Information of whatsoever nature to BALIC, regardless of geographic location.
• Receive or knows or comes into possession of Personal Data or Information or Sensitive Personal Data or Information of a person or any other Data or Information of whatsoever nature from BALIC.
• Have access to Personal Data or Information and or Sensitive Personal Data or Information of a person or any other Data of whatsoever nature collected, stored, safe kept, processed/to be processed or transmitted by BALIC.
• Who transmit the Personal Data or Information and or Sensitive Personal Data or Information of a person or any other Data or Information of whatsoever nature, within or outside BALIC.

Data Owner must consult with BALIC’s Data Privacy Officer to determine the classification and data privacy and annexures applicable under this Policy.

4.1 Data Privacy Officer

The Data Privacy Officer is entrusted with the following responsibilities as to Personal Data or Information or Sensitive Personal Data or Information or any other Data or Information of a person/entity:

• Briefing the management of BALIC on data privacy policies, procedures and responsibilities of various persons who access, receive, provide or transmit.
• Reviewing the data privacy policies and procedures.
• Advising employees of BALIC on various data privacy issues, precautions and safeguards to preserve the strict confidentiality and privacy of Personal Data or Information and or Sensitive Personal Data or Information of a person or any other Data or Information of whatsoever nature.
• Ensuring that continual data privacy trainings are conducted for employees of BALIC [on roll and off roll and or full time or part time].
• Advising reasonable security practices, procedures and Standards for Personal Data or Information and or Sensitive Personal Data or Information of a person or any other Data or Information of whatsoever nature.
• Examining, Handling and closing of all issues relating to reasonable security practices, procedures and Standards to be complied with as to Personal Data or Information and or Sensitive Personal Data or Information of a person or any other Data of whatsoever nature.
• To take care of any other issues of whatsoever nature relating to reasonable security practices, procedures and Standards to be taken/followed for storage, safe keeping, dissemination, transmission, preservation, confidentiality, restrictions on disclosing the Personal Data or Information and or Sensitive Personal Data or Information of a person or any other Data or Information of whatsoever nature and all other related matters in regard to Personal Data or Information and or Sensitive Personal Data or Information of a person or any other Data or Information of whatsoever nature including Customer Data or Insurance Data.
• Upon appeal by concerned person, to act as appellate authority against the decision of Grievance Officer.
• Data Privacy Officer will also discharge duties of Data Controller.

The Associate Vice President for Legal shall be designated Data Privacy Officer.

4.2 Role of Grievance Officer

In case of any feedback or grievance, inputs, or feedback regarding protection or any other issues as to Personal Data or Information and or Sensitive Personal Data or Information of a person or any other Data or Information of whatsoever nature, the Grievance Officer may be contacted. On receipt of the request, the Grievance Officer shall take necessary steps, within a reasonable time, to ensure that proper steps, safeguards and suitable action, if warranted, is taken to redress the grievance/complaint.

The contacts details for the BALIC Grievance Office is as mentioned on the company website

Grievance Officer: In charge of Customer Experience Unit, BALIC

4.3 Team / Department

Each team or department or person who access, receive, provide or transmits Personal Data or Information and or Sensitive Personal Data or Information of a person or any other Data or Information of whatsoever nature shall take reasonable security practices, procedures and Standards that are commensurate with the Personal Data or Information and or Sensitive Personal Data or Information of a person or any other Data or Information of whatsoever nature being transmitted while storing, safe keeping, disseminating, transmission, preserving.

4.4 End-users:

The end-users viz. all employees of BALIC (full, part time, on roll, Contractual), individual agents, licensed Corporate Agents, Insurance Intermediaries, Brokers, Referral Companies, Tele Marketers providing Tele calling/Marketing services to BALIC, service providers providing various services and or infrastructure and or facilities, consultants, suppliers and vendors and also all such other persons and entities shall read, understand and abide by this Data Privacy Policy. They are also expected to safeguard and follow the strict confidentiality of Personal Data or Information and or Sensitive Personal Data or Information of a person or any other Data or Information of whatsoever nature, including Customer Data and or Insurance data. Any disclosure or transmission of Data of BALIC or its Customers/prospective Customers/Insured/Beneficiaries of Insurance Policies of BALIC shall be only for BALIC's Business purpose and shall be only on need to know and after obtaining permission of Data Privacy Officer for such disclosure or transmission. End-users shall not disclose or transmit the Data to any person who is not entitled to receive and without obtaining the permission of Data Privacy Officer in writing [by email or otherwise]. Any disclosure or transmission of Personal Data or Information and or Sensitive Personal Data or Information of a person or any other Data or Information of whatsoever nature, including Customer Data and or Insurance Data to third parties, or to personal email ID of End-users with an intention to misusing or other wise to part to third parties or to outside BALIC systems shall be deemed to be breach of Confidentiality and unauthorised disclosure/transmission of above mentioned Data etc., for which respective End-users shall be solely liable. Further, any compromise of secret password by End-users which results in breach of Confidentiality or unauthorised disclosure/transmission as mentioned hereinabove, shall be the main responsibility and liability of such End-user who compromised. This is apart from liability of any person who breaches confidentiality mentioned hereinabove by accessing and misusing the computer systems of other End-users.

4.5 Enforcement:

Breach of the Data Privacy Policy will lead to (i) suitable disciplinary action and or may attract suitable legal action/proceedings and/or costs, expenses, penalties, damages, claims against employees and (ii) suitable legal action/proceedings and/or costs, expenses, penalties, damages, claims etc., against any person/entity [other than employee].

The aforesaid action shall be apart from BALIC taking suitable steps under the relevant MOU/Agreement/contract or understanding with such defaulting End-user, as BALIC may be deemed fit and proper.

4.6 Appointments:

Appointments of the designated officers under this Policy shall be done with the approval of the Chief Executive Officer (CEO). The CEO shall also be entitled to make any changes in the appointment of the designated officers.

BALIC shall:

• Comply with both the law and reasonable security procedure, practice and Standard to ensure privacy of Personal Data or Information and or Sensitive Personal Data or Information of a person or any other Data of whatsoever nature, including Customer Data or Insurance Data.
• Abide by Data Subject’s rights as to privacy of his/her Personal Data or Information and or Sensitive Personal Data or Information of a person.
• Provide training and support for End-users who handle Personal Data or Information and or Sensitive Personal Data or Information of a person or any other Data of whatsoever nature, including Customer Data or Insurance Data, so that they can ensure to maintain confidently and consistently in compliance with this Data Privacy Policy.
• Provide awareness as to maintaining confidentiality and Data security training inclusive of data privacy policy.
• Ensure to avoid unauthorized access and/or disclosure/transmission of Personal Data or Information and or Sensitive Personal Data or Information and or Sensitive Personal Data or Information of a person or any other Data or Information of whatsoever nature, which will intrude privacy of persons and or cause harm to individuals.

  This shall include:

  • Keeping strict confidentiality of Personal Data or Information and or Sensitive Personal Data or Information of a person or any other Data of whatsoever nature.
  • Store and safe keep the Data by following reasonable security practices, procedures and standards.
• Take all possible safe guards to protect against unauthorized or unlawful processing of Personal Data or Information and or Sensitive Personal Data or Information of a person or any other Data of whatsoever nature, including Customer Data or Insurance Data and not to incur or allow loss, destruction or damage of such Data either accidentally or otherwise. These shall include:
  • Adopting prescribed security practices and procedures.
  • Taking steps to ensure physical safe keeping and security.
  • Applying controls for giving access to or disclosing or transmitting the Personal Data or Information and or Sensitive Personal Data or Information of a person or any other Data of whatsoever nature.
  • Establishing a Business Continuity/ Disaster Recovery Plan.
  • Training all employees on security systems, policies and procedures and safe guards.
  • Detecting and investigating breaches of security and Data privacy policy in the event of their occurrence.
  • follow the international Standard IS/ISO/IEC 27001 on "Information Technology - Security Techniques - Information Security Management System - Requirements" or (ii) such security practices and procedures of BALIC have been certified or audited on a regular basis by entities through independent auditor, so that the reasonable security procedures and practices and standards of BALIC are treated as reasonable security practices and procedures. The audit of reasonable security practices and procedures shall be carried out by an auditor at least once a year or as and when the body corporate or a person on its behalf undertakes significant upgradation of its process and computer resource.

6.1 Transfer of Data or Information

a. Transfer of Personal Data or Information and or Sensitive Personal Data or Information of a person and or all other Data of whatsoever nature, to Third Parties

• Personal Data or Information and or Sensitive Personal Data or Information of a person and or all other Data of whatsoever nature, including Customer Data and Insurance data shall not be transferred or transmitted or disclosed or disseminated to any third person, legal entity, corporations, associations, firms, trusts, societies, non-profit organizations or any other legally formed entities or not legally formed association of persons/associations, country or territory, unless reasonable security practices, procedures and Standards are duly taken that are commensurate with the Personal Data or Information and or Sensitive Personal Data or Information of a person or any other Data or Information of whatsoever nature, including Customer Data or Insurance data, being transmitted, transferred or disclosed.
• reasonable security practices, procedures and Standards have been taken to maintain the required level of strict confidentiality and data protection and access and or disclosure of the Data is provided only on "need to know basis and also only to the extent it is required"
• "Personal Data or Information" or Customer Data or Insurance Data may be communicated to any third persons, legal entity, corporations, associations, firms, trusts, societies, non-profit organizations or another legally formed entities or not legally formed association of persons/associations, country or territory only for reasons consistent with the purposes for which such data were originally collected or other purposes authorized by law.
• All sensitive personal data or Information transferred outside of the company or across public communications networks shall be protected against unauthorized disclosure and unauthorized access.
• All transfers of "Personal Data" or Customer Data or Insurance Data or "Personal Data or information" to any third persons, legal entity, corporations, associations, firms, trusts, societies, non-profit organizations or any other legally formed entities or not legally formed association of persons/associations, country or territory for further processing shall be subject to suitable written documentation.

6.2 Disclosures at the time of Data Collection

• Information regarding purpose of collection, usage and reasonable Security practices, procedures and standards must be disclosed to the Data subject and/or any other person from whom Sensitive Personal Data or Information of a person is obtained. Provided however, if such Data collection is obtained by BALIC from its customers/prospective Customers/insured in the normal course of its business of Soliciting and procuring the life Insurance business, then no need of informing the Data subject as to purpose of usage as the same is meant for our life insurance business.
• In the case of employees, the disclosures may be made in the employment contract or in any other modes and ways as may be deemed feasible by BALIC and permitted by law.
• The disclosure to Data subject may be given orally, electronically or in writing. If given orally, the person making the disclosures should use an approved and suitable script or form. The records should be retained establishing the fact, date, content, and method of disclosure.
• BALIC or any person on its behalf shall not publish the sensitive personal data or information.
• The third party receiving the sensitive personal data or information from BALIC or any person on its behalf as hereinabove shall not disclose it further. BALIC to have such agreement/clauses with third parties to suitably safeguard sensitive personal data or information in this regard.

6.3 Source of Data or Information

a. Sources of Personal Data or Information or Sensitive Personal Data or Information of a person

• Personal Data or Information and or Sensitive Personal Data or Information of a person shall be collected by BALIC and or its authorized Agents, Intermediaries/insurance intermediaries including Corporate Agents only if Personal Data or Information or sensitive Personal Data or Information is considered necessary for the business of BALIC, unless the nature of the business purpose necessitates collection of the Sensitive Personal Data or Information of a person from other persons or bodies authorized by law [such as credit information companies or other person duly authorized by law] or otherwise to give information on data subject and the data subject is a direct or indirect beneficiary of the business. Provided however due precautions and safe guards shall be exercised while collecting the Personal Data or Information and or Sensitive Personal Data or Information of a person or any other Data of whatsoever nature from persons or bodies authorized by law or otherwise to give information on data subject and use of such Personal Data or Information and or Sensitive Personal Data or Information shall be sparingly and on need to know and need to use such Personal Data or Information and or Sensitive Personal Data or Information. Such Personal Data or Information or sensitive Personal Data or Information shall (i) be retained only for such period as is required to be retained/archived as per legal requirements and accordingly shall not retain such data for period more than is required under law, Unless otherwise agreed under contract/agreement executed in this regard, (ii) be used for the purposes for which same is collected, (iii) at the request of data subjects allow review of such Personal Data or Information and or Sensitive Personal Data or Information if the same is inaccurate or deficit and to rectify the same subject to Data subject providing suitable justification and documents for such rectification, (iv) BALIC is not responsible for authenticity of such Personal Data or Information and or Sensitive Personal Data or Information, (v) the Data subject shall have sole discretion as to whether or not he will share/provide the Personal Data or Information or sensitive Personal Data or Information of him/her [however if data subject is not providing Personal Data or Information or sensitive Personal Data or Information of him/her which is necessary to issue suitable insurance policies or have business relation, BALIC is at liberty not to provide its services by not issuing suitable insurance policy(s) or other insurance services or deny to have a business relation (vi) if Data subject subsequently withdraws consent for BALIC's continued holding of Personal Data or Information or sensitive Personal Data or Information of him/her, BALIC shall have the option of terminating the concerned insurance policies or other insurance services or business relation which are issued/ effected/provided basing on the data subjects Personal Data or Information or sensitive Personal Data or Information
• For disclosure or transmission, to third parties or to persons who are not required to know the same, of data subjects Personal Data or Information or sensitive Personal Data or Information, BALIC shall take prior written consent of such Data subjects unless such disclosure is required as per legal obligations or pursuant to statutory order under the law or under Court order/direction for the time being in force. BALIC shall not publish such Personal Data or Information or sensitive Personal Data or Information.
• BALIC or any authorized person on its behalf may transfer sensitive Personal Data or Information or personal Data or information, to any other body corporate or a person in India, that ensures the same level of data protection that is adhered to by BALIC as provided for under Information Technology Act read with all Rules and regulations thereunder, from time to time, only if it is necessary for the performance of the lawful contract between BALIC or any person on its behalf and Data subject or where such Data subject has consented to data transfer. Transmitting or disclosure of Personal Data or Information or sensitive Personal Data or Information to any person or entity situated outside India shall be only for BALIC’s business of insurance or reinsurance, including ordinary course of business and related issues in the process of claim scrutiny and settlement etc., and that of its holding Company and for no other purpose.

6.4 Data Subject's Rights

• Data subjects shall be entitled to obtain the information about his/her own "Personal Data or Information" and or "Sensitive Personal Data or Information of a person or Customer Data or Insurance Data upon specific written request made in compliance with Reasonable policies, procedures and standards established by BALIC.
• Data subjects shall have the right to require BALIC to correct or supplement erroneous, misleading, outdated or incomplete Personal Data or Information and or Sensitive Personal Data or Information of a person by providing the written request in this regard duly supported by documentary evidence for such requested change.

BALIC may scrutinize and screen the request of Data subject and deny, unnecessary requests by or on behalf of a data subject as the data included in insurance contract or other Data cannot be changed on such unnecessary request or requests of Data Subject without any basis. Any request for change of Personal Data or Information and or Sensitive Personal Data or Information of a person in insurance contracts shall be subject to Terms and Conditions of respective insurance policy and also subject to underwriting call as to change in premium and or whether to accept risk basing on such changed Personal Data or Information and or Sensitive Personal Data or Information of a person.

6.5 Personal / Sensitive Data or Information of a Person

a. Personal Data or Information and or Sensitive Personal Data or Information of a person

Personal Data or Information and or Sensitive Personal Data or Information of a person shall not be disclosed or transmitted by BALIC or its employees or End-users, unless:

• Same is specifically directed by statutory authority having such powers or by judicial or quasi-judicial order/judgment or,
• The same is called by any entity/person/Government Official under any of the applicable provisions of any statute/law,
• The data subject expressly consents or,
• Where the data subject is physically or legally incapable of giving consent, but the processing is necessary to protect a vital interest of the data subject or,
• Such disclosure is required for Business/operational purpose of BALIC.

b. Sharing of Personal Data or information

Subject to customer consent, BALIC may share Personal Data or Information (including Sensitive Personal Data or Information) with group companies and/or affiliates and/or other third party that is interested in providing service to the customers, which are additional to life insurance services. The Customer may, at any time, inform BALIC of his/her decision to revoke the consent to share Personal Data or Information. Personal Data or Information of customers who have either not consented for sharing or have revoked their consent shall not be shared by BALIC. If revocation of consent is after sharing of customer Personal Data or Information by BALIC, steps shall be taken to inform the entity with whom Personal Data or Information of the customer has been shared not to use it any further after revocation of consent and also takes steps to destroy the data. Any sharing of Personal Data or Information shall be for specified services only.

6.6 Direct Marketing

• BALIC shall make it clear to the data subject if his/her Personal Data or Information and or Sensitive Personal Data or Information or Customer Data or Insurance Data or "Personal Data or information" might be used for any marketing purpose, and the data subject will be given a clear "opt- out" option from having his/her data used for such purposes at any stage.

6.7 Data Quality Assurance

• Data subjects shall be entitled to obtain the following information about their own "Personal Data" or Customer Data or Insurance Data or "Personal Data or information" upon a request made in compliance with reasonable policies and procedures established by BALIC.
• BALIC shall not be responsible for the authenticity of the "Personal Data" or Customer Data or Insurance Data or "Personal Data or information" or information supplied by the provider of information to BALIC or any other person acting on behalf of BALIC.
• "Personal Data" or Customer Data or Insurance Data or "Personal Data or information" must be kept only for the period necessary for purpose it was collected and/or if required under any law for the time being in force unless otherwise agreed under contract/agreement executed in this regard.
• "Personal Data" or Customer Data or Insurance Data or "Personal Data or information" should be erased if its storage violates any of the data privacy rules or if the data is no longer required by BALIC or for the benefit of the data subject.

7.1 Requirements for Third Party Processors

Wherever BALIC relies on others to assist in its processing activities, it will choose a data processor that provides sufficient and reasonable security procedures, practices and standards and shall take all steps to ensure compliance with those measures by entering into suitable legal document.

7.2 Written Contracts for Third Party Processors

Each data processor [whose services are availed by BALIC] shall enter into suitable agreement/MOU with BALIC and whether there is or is not any agreement/MOU by such third party processors, the third party processors shall be bound to keep strict confidentiality of Personal Data or Information and or Sensitive Personal Data or Information of a person or any other Data of whatsoever nature and shall take reasonable security procedures, process and standard from any unauthorized access or disclosure of the above Data. For the purpose of the obligation of the Data Processor vis a vis BALIC, any data, which comes in the possession or knowledge of the Data Processor by virtue of any activity being carried out in regards to BALIC, irrespective of the data being shared by BALIC or customer, shall belong to BALIC, including where it is obtained by the Data processor, on a device operated under By your own device (BYOD) scheme or otherwise. No right shall be claimed by the data processor on such data. This obligation and term shall apply to all data processors, including employees, representatives, intermediaries and such other persons, name, designation or nomenclature, as may be referred.

The third party Processors shall be required to comply with data privacy and security requirements that have been imposed on BALIC under Information Technology Act, rules/regulations/guidelines framed thereunder or under any other suitable and applicable legislation in India. And once the contract period / arrangement is over the third party processor shall return all the of Personal Data or Information and or Sensitive Personal Data or Information of a person or any other Data of whatsoever nature provided by BALIC without retaining any of such data or derivatives thereof. Suitable indemnity in this regard shall be obtained from third party processors. The Third Party Processors shall use Personal Data or Information and or Sensitive Personal Data or Information of a person or any other Data of whatsoever nature only for the purpose for which it was provided by BALIC and shall not under any circumstances or conditions part with or disclose or otherwise inform to any person of what so ever nature about such Personal Data or Information and or Sensitive Personal Data or Information of a person or any other Data of whatsoever nature and any breach of these conditions shall entail the Third party data Processor to exemplary damages, penalties apart from suitable legal action [civil/criminal].

7.3 Audits of Third Party Processors

BALIC shall conduct regular checks on processing done by third party data processors, especially in respect of security measures.

8.1 Data Security Measures

BALIC shall adopt appropriate and reasonable security processes, procedures and standards by way of managerial, technical, operational and physical security control measures that are commensurate with the Personal Data or Information and or Sensitive Personal Data or Information of a person or any other Data of whatsoever nature.

• BALIC shall adopt suitable steps for the prevention of or alteration, loss, damage, unauthorized processing or access of Personal Data or Information and or Sensitive Personal Data or Information of a person or any other Data of whatsoever nature, having regard to the nature of the data, and the risks to which they are exposed by virtue of human action or the physical or natural environment.
• All information as to reasonable security process, procedure, controls and standards shall be implemented for security of Personal Data or Information and or Sensitive Personal Data or Information of a person or any other Data of whatsoever nature or Customer Data or Insurance Data in line with this Information Security Policy

8.2 Additionally, the Data Security measures as set out under the Bajaj Allianz Life Insurance Company Aadhaar Data Governance Policy, shall also apply to any Aadhar data.

9.1 Employees

Employees who are Data subjects with queries for inquiries or complaints about the processing and or use of their Personal Data or Information and or Sensitive Personal Data or Information of a person shall first discuss the matter with their immediate supervisor/reporting authority. If the data subject does not wish to raise an inquiry or complaint with an immediate supervisor/reporting authority, or if the supervisor/reporting authority and the data subject are unable to reach a satisfactory resolution of the issues raised, the employee should bring the issue to the attention of the Data Privacy Officer, in writing.

9.2 Non- Employees

Non-employee Data Subjects with inquiries or complaints about the processing of their Personal Data or Information and or Sensitive Personal Data or Information of a person should bring the matter to the attention of the Grievance Officer in writing. Against the decision of Grievance Officer Appeal can be filed with Data Privacy Officer in writing who will take suitable call on the same and such decision of Data Privacy Officer shall be final and binding on all parties to such inquiries or complaints. If the Non-employee Data Subjects is not agreeable to decision of Privacy officer, then if there is apparent and glaring mistakes or misconstruction in the decision of Privacy Officer, then the Non-employee Data Subjects may prefer review by CFO whose decision shall be binding and conclusive. Any unresolved disputes concerning Non-employee Data Subjects with inquiries or complaints will be resolved through binding arbitration of sole arbitrator to be appointed by BALIC and the proceedings and award will be as per Arbitration and Conciliation Act, 1996.

9.3 Appeals in cases Employees who are Data subjects:

If the issue as to Employees who are Data subjects with queries for inquiries or complaints is not resolved through consultation with the data subject’s supervisor/reporting authority the Employee Data Subject may take up his/her Grievance with the Grievance Officer in writing. Against the decision of Grievance Officer Appeal can be filed with Privacy Officer in writing who will take suitable call on the same and such decision of Data Privacy Officer shall be final and binding on all parties to such inquiries or complaints. If the Non-employee Data Subjects is not agreeable to decision of Privacy officer, then if there is apparent and glaring mistakes or misconstruction in the decision of Privacy Officer, then the Non-employee Data Subjects may prefer review by CFO whose decision shall be binding and conclusive. Any unresolved disputes concerning Non-employee Data Subjects with inquiries or complaints will be resolved through binding arbitration of sole arbitrator to be appointed by BALIC and the proceedings and award will be as per Arbitration and Conciliation Act, 1996 and any statutory modifications thereof for the time being in force shall apply accordingly. The arbitration shall be conducted in English at Pune. And in the absence of mutual consent to refer to arbitration, the complaints may be subject to exclusive civil jurisdiction of courts at Pune.

Provided however if any disputes or grievance of Employee Data Subject is not relating to any issues as per this Policy the mechanism of Grievance under this clause shall not apply and the Grievance mechanism under Employment contract read with BALIC Polices shall apply.

BALIC shall conduct data privacy trainings for all their employees. These trainings sessions shall include, but not limited to the following:

• Access to Personal Data or Information and or Sensitive Personal Data or Information of a person or any other Data of whatsoever nature or Customer Data or Insurance Data will be given only on need to know basis to authorized persons and for authorized purposes of BALIC.
• The correct use of passwords, security tokens and other access mechanisms.
• The importance of limiting access to Personal Data or Information and or Sensitive Personal Data or Information of a person or any other Data of whatsoever nature or Customer Data or Insurance Data, such as by using password protected screen savers, logging out when the information is not being used and attended by an authorized person.
• Securely storing manual files, print outs and electronic storage media containing Personal Data or Information and or Sensitive Personal Data or Information of a person or any other Data of whatsoever nature or Customer Data or Insurance Data.
• A general prohibition on the transfer of Personal Data or Information and or Sensitive Personal Data or Information of a person outside of the internal network of BALIC and physical office premises of BALIC or to personal email ID of employees.
• Proper disposal of physical copies containing Personal Data or Information and or Sensitive Personal Data or Information of a person or any other Data of whatsoever nature or Customer Data or Insurance Data by employing secure information disposal mechanisms like shredding etc.

Induction

All the employees who shall have access to any kind of Personal Data or Information and or Sensitive Personal Data or Information of a person or any other Data of whatsoever nature or Customer Data or Insurance Data shall have their responsibilities outlined and explained during their induction procedures.

Continuing Training

BALIC shall provide continual trainings to employees and related third parties on data privacy policy and in this regard Data Privacy Officer will take all suitable steps in this regard.

Further, BALIC shall conduct necessary training for its employees or third party operators as required under Aadhaar Regulations and elaborated in the “Bajaj Allianz Life Insurance Company Aadhaar Data Governance Policy”.

Annual Data Privacy Audit

BALIC shall review its data privacy processes, procedures and standards and security of Personal Data or Information and or Sensitive Personal Data or Information of a person or any other Data of whatsoever nature or Customer Data or Insurance Data at least once each year. Audits shall also be carried out after any major changes that have an impact on Personal Data or Information and or Sensitive Personal Data or Information of a person or any other Data of whatsoever nature or Customer Data or Insurance Data.

Further, BALIC shall conduct all necessary audits and compliances under Aadhaar Regulations and elaborated in the Bajaj Allianz Life Insurance Company Aadhaar Data Governance Policy.

BALIC shall ensure compliance with Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016, as amended from time to time and the UIDAI’s circular dated 25.07.2017 with respect to “Aadhaar Data Vault” including amendments made therein. For this purpose, the provisions of Bajaj Allianz Life Insurance Company Aadhaar Data Governance Policy, shall be read in conjunction with this Policy.

The issue of data privacy has been addressed as per provisions of Information Technology Amendment Act, 2008 through Sections 43A and 72A in particular.

Section 43A:Compensation for failure to protect data.

"Where a body corporate, possessing, dealing or handling any sensitive "Personal Data" or Customer Data or Insurance Data or "Personal Data or information" or information in a computer resource which it owns, controls or operates, is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages by way of compensation, to the person so affected."

Section 72A: Punishment for Disclosure of information in breach of lawful contract.

Section 72 A, states-
"Save as otherwise provided in this Act or any other law for the time being in force, any person including an intermediary who, while providing services under the terms of lawful contract, has secured access to any material containing personal Data or information about another person, with the intent to cause or knowing that he is likely to cause wrongful loss or wrongful gain discloses, without the consent of the person concerned, or in breach of a lawful contract, such material to any other person shall be punished with imprisonment for a term which may extend to three years, or with a fine which may extend to five lakh rupees, or with both."