Policy on Privacy of Personal Information
(Version 5.0)
Classification: PUBLIC
Document ID: NOCPL_PO_02 (Part of)
1. Objective
The Company is in the custody of a multitude of data such as Personally Identifiable Information, Customer Data, Transaction data, and other critical data being stored, processed, or transmitted in the course of operations. Customer data would include data related to the borrower, co-borrowers, and nominee. The objective of the Policy on Privacy of Personal Information is to ensure that personal data collected and processed by the Company is managed in accordance with the Data Privacy and Security Rules as mentioned in the IT Amendment Act 2011.
2. Policy
The Company shall ensure the security, privacy, and confidentiality of any sensitive personal data or information that it collects, receives, possesses, stores, or deals with.
2.1. Personal Information
Personal Information means personally identifiable information with or without the combination of
other information such as information provided via forms, surveys, applications, or other online
fields including but not restricted to name, postal or email addresses, telephone, mobile numbers,
account numbers, credit/debit card, unique identification number, and biometric information.
Sensitive Personal Information includes information collected that is related to the Password,
Financial Information, Medical Records and History of the Company and/or bank's customers and
employees.
Note: Any information that is freely available or accessible in the public domain or furnished under
the Right to Information Act, 2005, or any other law in force is not regarded as sensitive personal
information.
2.2. Mode of Collecting Personal Information
The Company collects personal information when a customer is:
i. on-boarded for an assessment regarding the viability of the issue of loan,
ii. opening a loan account or performing transactions.
The Company also collects personal information from others such as Credit bureaus, affiliates, or other companies.
The Company shall obtain consent from the customers/end users who provide personal information and inform them regarding the purpose of usage before collecting the information.
The Company shall ensure that the provider of the personal information has the knowledge of the intended recipients of the information.
The Company shall not keep any sensitive personal data or information for longer than required for the purposes for which the information may lawfully be used or is otherwise required by any other law for the time being in force. The Company ensures that sensitive personal information is used only for the purpose for which it is collected.
The Company shall ensure that the provider of the information can review the information at any time to ensure that it is correct. Also, information can be corrected/amended whenever required subject to providing sufficient documentation to support the correction/amendment. However, the Company shall not be held responsible for the authenticity of the personal information supplied by the provider.
The Company shall provide the option to the provider of the information not to provide data or information sought to be collected and also provide an option to withdraw its consent given earlier to the Company.
2.3. Purpose of Use
The Company shall ensure that the information collected is for lawful purposes only and the information provider must be aware of the same. The Company may use Personal Information:
i. to respond to customers’ inquiries and fulfill requests
ii. to send important information regarding the Site, changes to terms, conditions, and policies, and/or other administrative information to customers (to personalize the experience on the Site by presenting content, ads, or offers tailored to the customers)
iii. to allow customers to apply for products or services and to evaluate eligibility for such products or services
iv. to verify the customer's identity and/or location.
2.4. Disclosure of Information
The Company shall ensure that the provider of the information is fully aware of the third
parties/agencies and banks with whom the personal information is shared for processing.
However, the Company will share sensitive personal information without obtaining consent from
the provider if the information is shared with the Government agencies on written request for the
purpose of verification of identity, or for prevention, detection, and investigation including cyber
incidents, prosecution, and punishment of offenses. To prevent money laundering, the Company
will share the details of the transactions with the Income Tax Department.
The Company will never publish any sensitive personal information obtained from the provider of the information.
2.5. Use of Third-Party Data Processors
Requirements for Third-Party Processors: Where the Company relies on third parties to assist in its
processing activities, it will choose a Data Processor who provides sufficient security measures and
takes responsible steps to ensure compliance with those measures.
Written Contract for Third-Party Processors: The Company shall enter into a written contract with
the provider of each data processor requiring it to comply with data privacy and security
requirements.
Audit of Third-Party Processors: As part of the Company's internal data auditing process, it shall
conduct regular checks on processing by third-party data processors, especially in respect of
security measures.
2.6. Data Security
Physical, Technical, and Organizational Security Measures: The Company shall take customer
information confidentiality and security very seriously. Appropriate technical and organizational
security measures will be implemented to protect personal information, including internal security
procedures that restrict access to and disclosure of personal data within the Company. The
Company shall use encryption, firewalls, and other technology as well as security procedures to
help protect the accuracy and security of sensitive personal information and prevent unauthorized
access or improper use.
The Company shall adopt best practices for physical, technical, and organizational measures to
ensure the security of Personal Data, including the prevention of alteration, loss, damage,
unauthorized processing or access.
The Company shall ensure that unauthorized persons are not allowed to gain access to data
processing systems in which sensitive personal data or information is processed. It will further be
ensured that Personal Data cannot be read, copied, modified, or removed without authorization in
the course of electronic transmission during transport or storage on a data carrier; a mechanism for
checking to establish who is authorized to receive and who has received the information will also
be provided.
2.7. Employee Confidentiality Agreements
All persons involved in any stage of processing personal data and information are explicitly made subject to a requirement of secrecy that continues even after the end of the employment relationship.
3. Grievances
For discrepancies and grievances pertaining to the processing of Personal Information, the customer may get in touch with the Grievance Officer at customergrievance@nocpl.in.
4. Changes to this Policy
The above policy is subject to changes from time to time with the approval of the appropriate authority. The Company will endeavor to notify the customer of any major changes; however, the customer may wish to check it each time he/she visits the Company’s website.
(February, 2023)