Following a clear mandate from our Partners and our Customers, Manak Waste Management Private Limited (Cashify), in 2019, constituted a dedicated cross-functional compliance team and defined the roadmap to GDPR compliance.
What is GDPR?
The General Data Protection Regulation (GDPR), which came into effect on May 25, 2018, empowers European Union (EU) residents by placing them in control of their personal information and upholding strict protocols for organizations that collect and process this information.
The GDPR lays down seven core principles. They are:
- Lawfulness, fairness, and transparency
- Purpose limitation
- Data minimization
- Storage limitation
- Integrity and confidentiality (security)
The Data We Collect
GDPR defines a Data Controller as an entity that determines the purposes for which and the means by which personal data is processed. Data Controllers decide ‘why’ and ‘how’ the personal data should be processed. The Data Processor processes personal data only on behalf of the Controller. Cashify acts as a Data Controller or a Data Processor depending on the origin of the transaction.
For transactions that originate on the Cashify platform (Website, App), Cashify is the Data Controller. Cashify is the Data Processor where it processes data for its partners, who are the Data Controllers. The Data Controllers specify the kind of data required from the data subject, i.e. the customer. As the Data Processor, we process data based on the requirements stated by the Data Controller.
This data can be of three types:
A. Personal Information (PI): Information that can identify a person, for instance email ID, mobile number, ID card number, and photo.
B. Non-Personal Information (non-PI): Such as the first name, last name, and device details.
C. Sensitive Personal Information (SPI): Such as biometrics, genetic data, sexual orientation, race, and ethnicity.
Explicit Consent from Data Subjects
Data Subject Rights
Cashify has implemented processes to acknowledge and respect Data Subject Rights. A data subject can email us at “firstname.lastname@example.org” and request to exercise Data Subject Rights. Since Cashify is both a Data Controller and a Data Processor (processing data at the behest of Data Controllers), the authority that validates the customer's Data Subject Rights request is decided based on the origin of the transaction.
Data Subject Rights consist of:
1. The right to be informed
2. The right of access
3. The right to rectification
4. The right to erasure
5. The right to restrict processing
6. The right to data portability
7. The right to object
8. Rights related to automated decision-making and profiling
A. Data Storage and Security: Cashify is hosted on AWS and has put in place industry-standard practices for managing data in transit and data at rest.
B. Data Retention: Cashify maintains data from the transactions enabled on its own platform and from those enabled on Widgets/Apps provided to partners. The retention period is defined in accordance with business and legal needs. We do, however, understand and appreciate the need to give Data Controllers the flexibility to define the data retention period for their own customers. Such provisions are agreed and defined in the contract between the Partner (Data Controller) and Cashify (Data Processor).
The time-frames can be specified in the contract based on the partner’s specific requirements. The partner can choose to have the data deleted from our cloud-based servers as desired. After the termination or expiry of the contract, the partner can place a request to remove all data by writing to us at “email@example.com”. We validate the request and, if needed, seek confirmation from the partner before processing the request. Cashify customers can also request deletion of their credentials by writing to us at “firstname.lastname@example.org”. After validating the request, the details are deleted within 15 days of receiving the customer's request.
C. Data Breach Management: We continually monitor and upgrade our systems and processes to maintain the highest standards of data management and privacy practices. In the unlikely event of a data breach, we intend to notify our partners (Data Controllers) and Data Subjects (where Cashify is the Data Controller) immediately and no later than 24 hours after becoming aware of such a breach.
Our commitment to world-class standards
In order to meet world-class standards for Data Privacy and Data Security, Cashify has taken steps to be General Data Protection Regulation (GDPR) compliant. Cashify's ISO 27001:2013 certification is also pending. The company also conducts vulnerability assessment and penetration testing (VAPT) for its website and App to assess security threats to its platforms. Cashify is committed to aligning itself with global best practices in data compliance and is dedicated to infosec and data privacy. To that end, the company has a dedicated team working on these requirements.