Data Protection And Privacy Policy
Policy Information
Policy Title: Data Protection And Privacy Policy
Issued by / Author: Human Resource Department
Policy Owner: Human Resource Department
Effective Date: April 2023
1. Objective
As part of its social responsibility, the IAAS is committed to international compliance with data protection laws. This Data
Protection Policy is based on globally accepted, basic principles on data protection. Ensuring data protection is the foundation
of trustworthy business relationships and the reputation of IAAS as an attractive employer and a Business Partner.
The Data Protection Policy provides the adequate level of data protection prescribed by the European Union Data Protection
Directive and the national laws for cross-border data transmission, including in countries that do not yet have adequate data
protection laws.
2. Scope
This Data Protection and Privacy
IAAS at all levels and grades, including directors, senior executives, officers, employees (whether permanent, fixed-term or
temporary), consultants, contractors, trainees, seconded staff, casual employees, volunteers, interns, agents, or any other
person associated with IAAS
any individual or organization, who / which come into contact with IAAS or transact with IAAS and also includes actual and
potential clients, suppliers, business contacts, consultants, intermediaries, representatives, subcontractors, agents,
advisers, joint ventures and government & public bodies (including their advisers, representatives and officials, politicians and
political parties). This policy is an organizational commitment and is applicable to all internal/direct employees of the
Organization.
Identity and Access Solutions Pvt Page 1
LtdConfidential
The Data Protection Policy extends to all processing of personal data. In countries where the data of legal entities is protected
to the same extent as personal data.
3. Responsibility
3.1. Human Resources
Train employees on the policy guidelines and the importance of adhering to this policy.
Involve respective supervisors/managers for discussion on any violation of the policy and issue a warning as found
appropriate.
3.2. Every employee and every contractor on IAAS premises is expected to follow this policy and to report any concerns to IAAS
management.
3.3. We share the privilege and responsibility of complying with our Code. This means we are all expected to:
Know the Code: We must read and understand our Code and all related company policies, procedures and standards
that apply to our daily work.
Ask Questions: We must ask questions and seek advice if we are unsure about how to handle a situation or need guidance
on where to find information.
Raise Concerns: We are encouraged to raise concerns, even if they are difficult, and to ensure that our direct reports are
comfortable raising issues.
Never Retaliate: We are strictly prohibited from retaliating against anyone who seeks advice, raises a concern or reports
misconduct.
3.4. Failure to comply with the Code and related policies, or applicable laws, may result in an investigation and disciplinary action,
including termination of employment or services.
3.5. Speaking Up - We all have an obligation to speak up about potential, suspected or actual violations of company policies or
applicable laws. By doing so, we uphold our Values and our commitment to integrity, honesty and ethical business practices.
In addition, it allows us to address problems and concerns before they become serious issues for our company. If you wish
to ask a question or raise a concern, you may reach out to anyone with whom you feel comfortable, including:
Any manager or supervisor
Human Resources
Ethics Committee
4. Policy Guidelines
4.1. Application of national laws
This Data Protection Policy comprises the internationally accepted data privacy principles without replacing the existing
national laws. It supplements the national data privacy laws. The relevant national law will take precedence in the event that
it conflicts with this Data Protection Policy, or it has stricter requirements than this Policy. The content of this Data Protection
Policy must also be observed in the absence of corresponding national legislation. The reporting requirements for data
processing under national laws must be observed.
4.2. Principles for processing personal data
4.2.1. Fairness and lawfulness
When processing personal data, the individual rights of the data subjects must be protected. Personal data must be
collected and processed in a legal and fair manner.
4.2.2. Restriction to a specific purpose
Personal data can be processed only for the purpose that was defined before the data was collected. Subsequent
changes to the purpose are only possible to a limited extent and require substantiation.
4.2.3. Transparency
The data subject must be informed of how his/her data is being handled. In general, personal data must be collected
directly from the individual concerned. When the data is collected, the data subject must either be aware of, or
informed of:
The identity of the Data Controller
The purpose of data processing
Third parties or categories of third parties to whom the data might be transmitted
4.2.4. Data reduction and data economy
Before processing personal data, you must determine whether and to what extent the processing of personal data is
necessary in order to achieve the purpose for which it is undertaken. Where the purpose allows and where the expense
involved is in proportion with the goal being pursued, anonymized or statistical data must be used. Personal data may
not be collected in advance and stored for potential future purposes unless required or permitted by national law.
4.2.5. Deletion
Personal data that is no longer needed after the expiration of legal or business process-related periods must be
deleted. There may be an indication of interests that merit protection or historical significance of this data in individual
cases. If so, the data must remain on file until the interests that merit protection have been clarified legally, or the
corporate archive has evaluated the data to determine whether it must be retained for historical purposes.
4.2.6. Factual accuracy; up-to-dateness of data
Personal data on file must be correct, complete, and if necessary kept up to date. Suitable steps must be taken to
ensure that inaccurate or incomplete data are deleted, corrected, supplemented or updated.
4.2.7. Confidentiality and data security
Personal data is subject to data secrecy. It must be treated as confidential on a personal level and secured with suitable
organizational and technical measures to prevent unauthorized access, illegal processing or distribution, as well as
accidental loss, modification or destruction.
4.3. Reliability of data processing
Collecting, processing and using personal data is permitted only under the following legal bases. One of these legal bases is
also required if the purpose of collecting, processing and using the personal data is to be changed from the original purpose.
4.3.1. Customer and partner data
Data processing for a contractual relationship
Personal data of the relevant prospects, customers and partners can be processed in order to establish,
execute and terminate a contract. This also includes advisory services for the partner under the contract if this
is related to the contractual purpose. Prior to a contract, during the contract initiation phase, personal data
can be processed to prepare bids or purchase orders or to fulfill other requests of the prospect that relate to
contract conclusion. Prospects can be contacted during the contract preparation process using the
information that they have provided. Any restrictions requested by the prospects must be complied with.
Data processing for advertising purposes
If the data subject contacts an IAAS company to request information (e.g. request to receive information
material about a product), data processing to meet this request is permitted. Customer loyalty or advertising
measures are subject to further legal requirements. Personal data can be processed for advertising purposes
or market and opinion research, provided that this is consistent with the purpose for which the data was
originally collected. The data subject must be informed about the use of his/her data for advertising purposes.
If data is collected only for advertising purposes, the disclosure from the data subject is voluntary. The data
subject shall be informed that providing data for this purpose is voluntary. When communicating with the data
subject, consent shall be obtained from him/her to process the data for advertising purposes. When giving
consent, the data subject should be given a choice among available forms of contact such as regular mail,
e-mail and phone. If the data subject refuses the use of his/her data for advertising purposes, it can no longer
be used for these purposes and must be blocked from use for these purposes. Any other restrictions from
specific countries regarding the use of data for advertising purposes must be observed.
Consent to data processing
Data can be processed following consent by the data subject. Before giving consent, the data subject must be
informed in accordance with this Data Protection Policy. The declaration of consent must be obtained in writing
or electronically for the purposes of documentation. In some circumstances, such as telephone conversations,
consent can be given verbally. The granting of consent must be documented.
Data processing pursuant to legal authorization
The processing of personal data is also permitted if national legislation requests, requires or allows this. The
type and extent of data processing must be necessary for the legally authorized data processing activity, and
must comply with the relevant statutory provisions.
Data processing pursuant to legitimate interest
Personal data can also be processed if it is necessary for a legitimate interest of IAAS. Legitimate interests are
generally of a legal (e.g. collection of outstanding receivables) or commercial nature (e.g. avoiding breaches
of contract). Personal data may not be processed for the purposes of a legitimate interest if, in individual
cases, there is evidence that the interests of the data subject merit protection, and that this takes
precedence. Before data is processed, it is necessary to determine whether there are interests that merit
protection.
Processing of highly sensitive data
Highly sensitive personal data can be processed only if the law requires this or the data subject has given
express consent. This data can also be processed if it is mandatory for asserting, exercising or defending legal
claims regarding the data subject. If there are plans to process highly sensitive data, the Chief Officer
Corporate Data Protection must be informed in advance.
Automated individual decisions
Automated processing of personal data that is used to evaluate certain aspects (e.g. creditworthiness) cannot be the sole
basis for decisions that have negative legal consequences or could significantly impair the data subject. The
data subject must be informed of the facts and results of automated individual decisions and the possibility to
respond. To avoid erroneous decisions, a test and plausibility check must be made by an employee.
User data and internet
If personal data is collected, processed and used on websites or in apps, the data subjects must be informed
of this in a privacy statement and, if applicable, information about cookies. The privacy statement and any
cookie information must be integrated so that it is easy to identify, directly accessible and consistently
available for the data subjects. If use profiles (tracking) are created to evaluate the use of websites and apps,
the data subjects must always be informed accordingly in the privacy statement. Personal tracking may only
be effected if it is permitted under national law or upon consent of the data subject. If tracking uses a
pseudonym, the data subject should be given the chance to opt out in the privacy statement. If websites or
apps can access personal data in an area restricted to registered users, the identification and authentication
of the data subject must offer sufficient protection during access.
4.3.2. Employee data
Data processing for the employment relationship
In employment relationships, personal data can be processed if needed to initiate, carry out and terminate
the employment agreement. When initiating an employment relationship, the
be processed. If the candidate is rejected, his/her data must be deleted in observance of the required
retention period, unless the applicant has agreed to remain on file for a future selection process. Consent is
also needed to use the data for further application processes or before sharing the application with other
entities.
In the existing employment relationship, data processing must always relate to the purpose of the
employment agreement if none of the following circumstances for authorized data processing apply.
If it should be necessary during the application procedure to collect information on an applicant from a third
party, the requirements of the corresponding national laws have to be observed. In cases of doubt, consent
must be obtained from the data subject.
There must be legal authorization to process personal data that is related to the employment relationship but
was not originally part of performance of the employment agreement. This can include legal requirements,
collective regulations with employee representatives, consent of the employee, or the legitimate interest of
the company.
Data processing pursuant to legal authorization
The processing of personal employee data is also permitted if national legislation requests, requires or
authorizes this. The type and extent of data processing must be necessary for the legally authorized data
processing activity, and must comply with the relevant statutory provisions. If there is some legal flexibility,
the interests of the employee that merit protection must be taken into consideration.
Collective agreements on data processing
If a data processing activity exceeds the purposes of fulfilling a contract, it may be permissible if authorized
through a collective agreement. Collective agreements are pay scale agreements or agreements between
employers and employee representatives, within the scope allowed under the relevant employment law. The
agreements must cover the specific purpose of the intended data processing activity, and must be drawn up
within the parameters of national data protection legislation.
Consent to data processing
Employee data can be processed upon consent of the person concerned. Declarations of consent must be
submitted voluntarily. Involuntary consent is void. The declaration of consent must be obtained in writing or
electronically for the purposes of documentation. In certain circumstances, consent may be given verbally, in
which case it must be properly documented. In the event of informed, voluntary provision of data by the
relevant party, consent can be assumed if national laws do not require express consent. Before giving consent,
the data subject must be informed in accordance with IV.3. of this Data Protection Policy.
Data processing pursuant to legitimate interest
Personal data can also be processed if it is necessary to enforce a legitimate interest of the IAAS. Legitimate
interests are generally of a legal (e.g. filing, enforcing or defending against legal claims) or financial (e.g.
valuation of company) nature.
Personal data may not be processed based on a legitimate interest if, in individual cases, there is evidence
that the interests of the employee merit protection. Before data is processed, it must be determined whether
there are interests that merit protection.
Control measures that require processing of employee data can be taken only if there is a legal obligation to
do so or there is a legitimate reason. Even if there is a legitimate reason, the proportionality of the control
measure must also be examined. The justified interests of the company in performing the control measure
(e.g. compliance with legal provisions and internal company rules) must be weighed against any interests
meriting protection that the employee affected by the measure may have in its exclusion, and cannot be
performed unless appropriate. The legitimate interest of the company and any interests of the employee
meriting protection must be identified and documented before any measures are taken. Moreover, any
additional requirements under national law (e.g. rights of co-determination for the employee representatives
and information rights of the data subjects) must be taken into account.
Processing of highly sensitive data
Highly sensitive personal data can be processed only under certain conditions. Highly sensitive data is data
about racial and ethnic origin, political beliefs, religious or philosophical beliefs, union membership, and the
health and sexual life of the data subject. Under national law, further data categories can be considered highly
sensitive or the content of the data categories can be filled out differently. Moreover, data that relates to a
crime can often be processed only under special requirements under national law.
The processing must be expressly permitted or prescribed under national law. Additionally, processing can be
permitted if it is necessary for the responsible authority to fulfill its rights and duties in the area of employment
law. The employee can also expressly consent to processing.
If there are plans to process highly sensitive data, the Chief Officer Corporate Data Protection must be
informed in advance.
Automated decisions
If personal data is processed automatically as part of the employment relationship, and specific personal
details are evaluated (e.g. as part of personnel selection or the evaluation of skills profiles), this automatic
processing cannot be the sole basis for decisions that would have negative consequences or significant
problems for the affected employee. To avoid erroneous decisions, the automated process must ensure that
a natural person evaluates the content of the situation, and that this evaluation is the basis for the decision.
The data subject must also be informed of the facts and results of automated individual decisions and the
possibility to respond.
Telecommunications and internet
Telephone equipment, e-mail addresses, intranet and internet along with internal social networks are
provided by the company primarily for work-related assignments. They are a tool and a company resource.
They can be used within the applicable legal regulations and internal company policies. In the event of
authorized use for private purposes, the laws on secrecy of telecommunications and the relevant national
telecommunication laws must be observed if applicable.
There will be no general monitoring of telephone and e-mail communications or intranet/internet use. To
defend against attacks on the IT infrastructure or individual users, protective measures can be implemented
for the connections to the IAAS network that block technically harmful content or that analyze the attack
patterns. For security reasons, the use of telephone equipment, e-mail addresses, the intranet/internet and
internal social networks can be logged for a temporary period. Evaluations of this data from a specific person
can be made only in a concrete, justified case of suspected violations of laws or policies of the IAAS. The
evaluations can be conducted only by investigating departments while ensuring that the principle of
proportionality is met. The relevant national laws must be observed in the same manner as the Group
regulations.
4.4. Transmission of personal data
Transmission of personal data to recipients outside or inside the IAAS is subject to the authorization requirements for processing
personal data. The data recipient must be required to use the data only for the defined purposes.
In the event that data is transmitted to a recipient outside the IAAS to a third country, this country must agree to maintain a
data protection level equivalent to this Data Protection Policy. This does not apply if transmission is based on a legal
obligation. A legal obligation of this kind can be based on the laws of the domiciliary country of the company transmitting
the data. In the alternative, the laws of the domiciliary country of the company can acknowledge the purpose of data
transmission based on the legal obligation of a third country. If data is transmitted by a third party to an IAAS company, it
must be ensured that the data can be used for the intended purpose.
If personal data is transferred from a company with its registered office in the European Union/European Economic Area to
a company with its registered office outside of the European Economic Area (third country), the company importing the
data is obligated to cooperate with any inquiries made by the relevant supervisory authority in the country in which the
party exporting the data has its registered office, and to comply with any observations made by the supervisory authority
with regard to the processing of the transmitted data. The same applies to data transmission by companies from other
countries. If they are part of an international certification system for binding corporate rules on data protection, they must
ensure cooperation with the relevant auditing offices and agencies. Participation in such certification systems must be
agreed with the Chief Officer Corporate Data Protection.
In the event that a data subject claims that this Data Protection Policy has been breached by the company located in a third
country that is importing the data, the company located in the European Economic Area that is exporting the data
undertakes to support the party concerned, whose data was collected in the European Economic Area, in establishing the
facts of the matter and also asserting his/her rights in accordance with this Policy against the company importing the data.
In addition, the data subject is also entitled to assert his or her rights against the company exporting the data. In the event
of claims of a violation, the company exporting the data must document to the data subject that the company importing the
data in a third country (in the event that the data is further processed after receipt) did not violate this Data Protection
Policy. In the case of personal data being transmitted from a company located in the European Economic Area to a company
located in a third country, the data controller transmitting the data shall be held liable for any violations of this Policy
committed by the company located in a third country with regard to the data subject whose data was collected in the
European Economic Area, as if the violation had been committed by the data controller transmitting the data. The legal
venue is the responsible court where the company exporting the data is located.
4.5. Contract data processing
Data Processing on Behalf means that a provider is hired to process personal data, without being assigned responsibility for
the related business process. In these cases, an agreement on Data Processing on Behalf must be concluded with external
providers and IAAS. The client retains full responsibility for correct performance of data processing. The provider can
process personal data only as per the instructions from the client. When issuing the order, the following requirements must
be complied with; the department placing the order must ensure that they are met.
4.5.1. The provider must be chosen based on its ability to cover the required technical and organizational protective
measures.
4.5.2. The order must be placed in writing. The instructions on data processing and the responsibilities of the client and
provider must be documented.
4.5.3. The contractual standards for data protection provided by the Chief Officer Corporate Data Protection must be
considered.
4.5.4. Before data processing begins, the client must be confident that the provider will comply with the duties. A provider
can document its compliance with data security requirements in particular by presenting suitable certification.
Depending on the risk of data processing, the reviews must be repeated on a regular basis during the term of the
contract.
4.5.5. In the event of cross-border contract data processing, the relevant national requirements for disclosing personal data
abroad must be met. In particular, personal data from the European Economic Area can be processed in a third country
only if the provider can prove that it has a data protection standard equivalent to this Data Protection Policy. Suitable
tools can be:
Agreement on EU standard contract clauses for contract data processing in third countries with the provider
and any subcontractors.
Participation of the provider in a certification system accredited by the EU for the provision of a sufficient data
protection level.
Acknowledgment of binding corporate rules of the provider to create a suitable level of data protection by the
responsible supervisory authorities for data protection.
4.6. Rights of the data subject
Every data subject has the following rights. Their assertion is to be handled immediately by the responsible unit and cannot
pose any disadvantage to the data subject.
The data subject may request information on which personal data relating to him/her has been stored, how
(e.g. personnel file) for the employment relationship under the relevant employment laws, these will remain
unaffected.
If personal data is transmitted to third parties, information must be given about the identity of the recipient
or the categories of recipients.
If personal data is incorrect or incomplete, the data subject can demand that it be corrected or supplemented.
The data subject can object to the processing of his or her data for purposes of advertising or market/opinion
research. The data must be blocked from these types of use.
The data subject may request his/her data to be deleted if the processing of such data has no legal basis, or if
the legal basis has ceased to apply. The same applies if the purpose behind the data processing has lapsed or
ceased to be applicable for other reasons. Existing retention periods and conflicting interests meriting
protection must be observed.
The data subject generally has a right to object to his/her data being processed, and this must be taken into
account if the protection of his/her interests takes precedence over the interest of the data controller owing
to a particular personal situation. This does not apply if a legal provision requires the data to be processed.
4.7. Confidentiality of processing
Personal data is subject to data secrecy. Any unauthorized collection, processing, or use of such data by employees is
prohibited. Any data processing undertaken by an employee that he/she has not been authorized to carry out as part of
his/her legitimate
information only as is appropriate for the type and scope of the task in question. This requires a careful breakdown and
separation, as well as implementation, of roles and responsibilities.
Employees are forbidden to use personal data for private or commercial purposes, to disclose it to unauthorized persons, or
to make it available in any other way. Supervisors must inform their employees at the start of the employment relationship
about the obligation to protect data secrecy. This obligation shall remain in force even after employment has ended.
4.8. Processing security
Personal data must be safeguarded from unauthorized access and unlawful processing or disclosure, as well as accidental
loss, modification or destruction. This applies regardless of whether data is processed electronically or in paper form. Before
the introduction of new methods of data processing, particularly new IT systems, technical and organizational measures to
protect personal data must be defined and implemented. These measures must be based on the state of the art, the risks of
processing, and the need to protect the data (determined by the process for information classification). In particular, the
responsible department can consult with its Information Security Officer (ISO) and data protection coordinator. The technical
and organizational measures for protecting personal data are part of Corporate Information Security management and must
be adjusted continuously to the technical developments and organizational changes.
4.9. Data protection control
Compliance with the Data Protection Policy and the applicable data protection laws is checked regularly with data protection
audits and other controls. The performance of these controls is the responsibility of the Chief Officer Corporate Data
Protection, the data protection coordinators, and other company units with audit rights or external auditors hired. The
results of the data protection controls must be reported to the Chief Officer Corporate Data Protection. The IAAS
Supervisory Board must be informed of the primary results as part of the related reporting duties. On request, the results of
data protection controls will be made available to the responsible data protection authority. The responsible data protection
authority can perform its own controls of compliance with the regulations of this Policy, as permitted under national law.
4.10. Data protection incidents
All employees must inform their supervisor, data protection coordinator or the Chief Officer Corporate Data Protection
immediately about cases of violations against this Data Protection Policy or other regulations on the protection of personal
data (data protection incidents). The manager responsible for the function or the unit is required to inform the responsible
data protection coordinator or the Chief Officer Corporate Data Protection immediately about data protection incidents. In
cases of
Improper transmission of personal data to third parties,
Improper access by third parties to personal data, or
Loss of personal data
The required company reports (Information Security Incident Management) must be made immediately so that any
reporting duties under national law can be complied with.
4.11. Responsibilities and sanctions
The executive bodies of the company are responsible for data processing in their area of responsibility. Therefore, they are
required to ensure that the legal requirements, and those contained in the Data Protection Policy, for data protection are
met (e.g. national reporting duties). Management staff are responsible for ensuring that organizational, HR, and technical
measures are in place so that any data processing is carried out in accordance with data protection. Compliance with these
requirements is the responsibility of the relevant employees. If official agencies perform data protection controls, the Chief
Officer Corporate Data Protection must be informed immediately.
The relevant executive bodies must inform the Chief Officer Corporate Data Protection as to the name of their data
protection coordinator. Organizationally speaking, in agreement with the Chief Officer Corporate Data Protection, this task
can be performed by a data protection coordinator for multiple companies or plants. The data protection coordinators are
the contact persons on site for data protection. They can perform checks and must familiarize the employees with the
content of the data protection policies. The relevant management is required to assist the Chief Officer Corporate Data
Protection and the data protection coordinators with their efforts. The departments responsible for business processes and
projects must inform the data protection coordinators in good time about new processing of personal data. For data
processing plans that may pose special risks to the individual rights of the data subjects, the Chief Officer Corporate Data
Protection must be informed before processing begins. This applies in particular to extremely sensitive personal data. The
managers must ensure that their employees are sufficiently trained in data protection.
Improper processing of personal data, or other violations of the data protection laws, can be criminally prosecuted in many
countries and result in claims for compensation of damage. Violations for which individual employees are responsible can
lead to sanctions under employment law.
5. Definitions
Data is anonymized if personal identity can never be traced by anyone, or if the personal identity could be recreated
only with an unreasonable amount of time, expense and labor.
Consent is the voluntary, legally binding agreement to data processing.
Data protection incidents are all events where there is justified suspicion that personal data is being illegally
captured, collected, modified, copied, transmitted or used. This can pertain to actions by third parties or employees.
Data subject under this Data Protection Policy is any natural person whose data can be processed. In some
countries, legal entities can be data subjects as well.
The European Economic Area (EEA) is an economic region associated with the EU, and includes Norway, Iceland and
Liechtenstein.
Highly sensitive data is data about racial and ethnic origin, political opinions, religious or philosophical beliefs, union
membership or the health and sexual life of the data subject. Under national law, further data categories can be
considered highly sensitive or the content of the data categories can be structured differently. Moreover, data that
relates to a crime can often be processed only under special requirements under national law.
Personal data is all information about certain or definable natural persons. A person is definable for instance if the
personal relationship can be determined using a combination of information with even incidental additional
knowledge.
Processing personal data means any process, with or without the use of automated systems, to collect, store,
organize, retain, modify, query, use, forward, transmit, disseminate or combine and compare data. This also
includes disposing of, deleting and blocking data and data storage media.
Processing personal data is required if the permitted purpose or justified interest could not be achieved without
the personal data, or only with exceptionally high expense.
Data Controller is the legally independent company of the IAAS, whose business activity initiates the relevant
processing measure.
A sufficient level of data protection in third countries is acknowledged by the EU Commission if the core of personal
privacy, as unanimously defined in the member countries of the EU, is adequately ensured. When making its
decision, the EU Commission accounts for all circumstances that play a role in data transmission or a category of
data transmission. This includes the opinions under national law and relevant applicable professional standards and
security measures.
Third countries under the Data Protection Policy are all nations outside the European Union/EEA. This does not
include countries with a data protection level that is considered sufficient by the EU Commission.
Third parties are anyone apart from the data subject and the Data Controller. In the case of Data Processing on Behalf,
data processors in the EU are not third parties under the data protection laws, because they are assigned by law to
the responsible entity.
Transmission is all disclosure of protected data by the responsible entity to third parties.