Privacy Policy

This Privacy Policy applies to Seven Star Fruits Private Limited [“SSFPL”], a part of the Mahyco Grow® group of companies (“Mahyco Grow Group”).

SSFPL is an Indian Company registered under the Companies Act, 1956, having its registered office at 19 Raj Mahal, 84 Veer Nariman Road, Mumbai – 400 020.  SSFPL is a part of the Mahyco Grow® group of companies (“Mahyco Grow Group”).

1.  Objective
(a) The purpose of this policy is to provide for detailed guidelines and practices to collect, protect and maintain the privacy of personal information, including sensitive personal information and personally identifiable information, of persons who provide such information to SSFPL (hereinafter “Providers”) and ensure compliance with applicable laws and regulations.

(b) Sensitive Personal Data or Information is defined under Rule 3 of the Information Technology (Reasonable Security Practices & Procedures and Sensitive Personal Data or Information) Rules, 2011 (hereinafter “Rules”) as:

Sensitive personal data or information of a person means such personal information which consists of information relating to, -

  • password;
  • financial information such as bank account or credit card or debit card or other payment instrument details;
  • physical, physiological and mental health condition;
  • sexual orientation;
  • medical records and history;
  • biometric information;
  • any detail relating to the above clauses as provided to body corporate for providing service; and
  • any of the information received under above clauses by body corporate for processing, stored or processed under lawful contract or otherwise:

Provided that, any information that is freely available or accessible in public domain or furnished under the Right to Information Act, 2005 or any other law for the time being in force shall not be regarded as sensitive personal data or information for the purposes of these rules.

Personal information is defined under Rule 2(i) of the Rules as:

“Personal Information” means any information that relates to a natural person, which, either directly or indirectly, in combination with other information available or likely to be available with a body corporate, is capable of identifying such person.

Sensitive Personal Data or Information, Personal Information and any other non-public personal information are together hereinafter referred to as “SPDI”.

2.  Scope
This policy is applicable to all SSFPL employees, as well as third parties such as contractors, vendors, interns, associates, customers and business partners (“Third Parties”) who may receive SPDI, have access to SPDI collected or processed, or who provide such information to SSFPL.  SSFPL is committed to compliance with applicable law on privacy of data and information.

3.  Obligations of SSFPL relating to collection, use of and access to SPDI:
(a) No SPDI shall be collected by SSFPL or its employees without obtaining prior written consent of the Provider, which shall include informing the Provider regarding the purpose and usage of the SPDI to be collected. Provided, the collection of SPDI and the purpose and usage thereof, is compliant with the Rules.  The Rules are attached to this policy as ‘Schedule 1’.

(b) All SSFPL employees and any Third Party working with or for SSFPL, and who have or may have access to SPDI, shall have read and understood, and shall comply with, this policy and the Rules.  No Third Party may access SPDI held by SSFPL without having first entered into a confidentiality agreement and provided that the Provider has accorded his/her prior written consent for the same.

(c) SPDI may only be collected for a lawful purpose connected with a function or activity of SSFPL and if necessary for the purpose and may only be used for such purpose.  SPDI may only be retained by SSFPL for as long as it is required for the said purpose and no longer, or as otherwise required by law. SPDI may be reviewed by the Provider on request and, if found inaccurate or deficient, corrected or amended where feasible, but SSFPL shall not be responsible for the authenticity of the SPDI as provided by the Provider.

(d) Prior to the collection of information, including SPDI, from a Provider, SSFPL, or the SSFPL employee collecting such information, shall provide the option to the Provider not to provide the information sought to be collected.  The Provider shall also be given the option to withdraw his/her consent previously given, provided that the withdrawal of consent shall be given in writing to the registered office address of SSFPL given above and addressed to the Grievance Officer whose name and address are provided below.  In the event of withdrawal of consent previously given or non-provision of consent, SSFPL shall have the option not to provide the goods or services for which the SPDI was sought to be collected.

4.  Obligations of SSFPL relating to security of SPDI:
(a) SPDI shall be kept protected from unauthorised access, leaks and misuse.

(b) SSFPL shall keep SPDI secure as per the obligations detailed in Rule 8 of the Rules.  SSFPL shall implement and maintain security standards, procedures and practices commensurate with industry standards such as IS/ISO/IEC codes of best practices for data protection.

(c) SPDI security shall be the responsibility of the Information Technology Department of SSFPL, which shall implement the security procedures and processes for SSFPL, as well as develop processes to respond to enquiries and address and resolve unauthorised access, leaks and misuse.

(d) The Information Technology Department of SSFPL shall also be responsible for ensuring regular and independent reviews of the security practices and procedures by third party auditors duly approved by the Central Government.

5.  Obligations of SSFPL relating to disclosure and transfer of SPDI:
(a) Except where disclosure is necessary for compliance with a legal obligation, SPDI shall not be disclosed by SSFPL or any SSFPL employee to any Third Party without the prior written permission of the Provider; such permission may be obtained either at the time of collection of the SPDI or at the time of disclosure to the Third Party.  For the purposes of providing the permission to SSFPL to disclose, the Provider shall be informed of the name of the Third Party transferee, the type of SPDI being disclosed, the purpose of such disclosure and the location of the Third Party transferee.

(b) Where SSFPL is obliged to disclose SPDI to government agencies mandated to collect such information, prior written consent of the Provider shall not be required.

(c) SPDI may only be transferred to a third party, whether in India or in any other country, that ensures the same level of data protection adhered to by SSFPL. 

(d) Any third party to whom SPDI is disclosed shall not and is not permitted to disclose it further to any other person.

6.  Grievance Officer:
SSFPL shall address all discrepancies in SPDI and grievances of Providers in a time-bound manner, but in any event within a month from the date of receipt of the grievance, or escalate it per the breach management policy.  The Grievance Officer appointed for this purpose is:

Grievance Officer: Rajsingh Patil
Mailing address: SEVEN STAR FRUITS, 19, Raj Mahal, 4th Floor, 84 Veer Nariman Road, Mumbai - 400020, Maharashtra, India.
Email address: rajsingh.patil@sevenstar.in

7. Prior informed consent (“PIC”):
A PIC form shall be developed by SSFPL for obtaining the prior written consent of the Provider, and shall include informing the Provider regarding -

  • clear and easily accessible statements of its practices and policies;
  • SSFPL's business and areas of operation;
  • types of personal information to be collected, where such information is to be obtained from and who will collect the SPDI;
  • the purpose and usage of the SPDI to be collected;
  • assurance that SPDI will be securely maintained and protected from unauthorised access and leak;
  • that the SPDI will be used only for the purpose identified unless otherwise mandated by law or regulation;
  • reasonable security practices and procedures as provided under the law;
  • intended recipients of the information;
  • the name and address of the agency that is collecting the information & the agency that will retain the information;
  • that the Provider has the option to refuse to provide SPDI or withdraw consent even after having provided it and the process to be followed to exercise the options;
  • the process for a Provider to change his / her contact details;
  • if there is to be any onward transfer to Third Parties, who such Third Parties are, their business, location and security measures for protection of SPDI;
  • assurance that the SPDI will be retained only as long as necessary to fulfil the purposes, or for a period specifically required by law or regulation, and will be disposed of securely or made anonymous after the completion of the purpose;
  • process of Provider to request to access SPDI and costs, if any, for the same;
  • process to review / correct the SPDI;
  • provision for resolution of any discrepancies & grievances with respect to processing of information;
  • the name and contact details of the Grievance Officer;
  • how users will be notified of any changes made to the privacy notice;
  • consequences of not providing the requested information.

8.  Obligations of SSFPL related to choice and consent of the Providers:

  • Choice refers to the options the Providers are offered regarding the collection and use of SPDI.  Consent refers to the agreement of the Providers to such collection and use of SPDI. 
  • SSFPL shall establish protocols and procedures for the collection and documentation of the Provider’s consent to the collection, processing, and/or transfer of SPDI, as well as a procedure for the event that consents are withdrawn after having been given.
  • SSFPL shall review the privacy policies of the Third Parties and types of consent obtained by Third Parties before accepting SPDI from Third-Party sources.

9. Collection of SPDI
After obtaining consent in writing through letter or fax or email from the Provider, SPDI may be collected online or offline. Regardless of the collection method, the same privacy protection shall apply to all SPDI.

  • SPDI shall not be collected unless at least one of the following is fulfilled:
      ◦ the Provider has provided a valid, informed and free consent;
      ◦ collection of SPDI is necessary for the performance of a contract to which the Provider is a party or in order to take steps at the request of the Provider prior to entering into a contract;
      ◦ collection of SPDI is necessary for compliance with SSFPL’s legal obligations; or
      ◦ collection of SPDI is necessary for the performance of a task carried out in the public interest.
  • Providers shall not be required to provide more SPDI than is necessary for the provision of the product or service that Provider has requested or authorised.  If any data not needed for providing a service or product is requested, such fields shall be clearly labelled as optional. Collection of SPDI shall be avoided or limited when reasonably possible.
  • SPDI shall be anonymised when the purposes of data collection can be achieved without personally identifiable information, at reasonable cost.
  • When vendors are used by SSFPL to collect SPDI on its behalf, SSFPL shall ensure that the vendors comply with the privacy requirements of SSFPL as defined in this policy.
  • SSFPL shall at minimum, annually review and monitor the SPDI collected, the consent obtained and the purpose for which the SPDI was collected.
  • The project team/support function shall obtain approval from IT before adopting new methods for collecting personal information electronically.
  • SSFPL shall review the privacy policies and collection methods of Third Parties before accepting SPDI from Third-Party sources.

10. Use, Retention and Disposal of SPDI:

  • SPDI may only be used for the purposes identified and only if the Provider has given its consent;
  • SPDI shall be retained only for as long as necessary for business purposes identified at the time of collection or subsequently authorised by the Providers.
  • When the use of SPDI is no longer necessary for the purposes for which it was collected, a method shall be in place to ensure that the SPDI is destroyed or is anonymised in a manner sufficient to make the SPDI non-personally identifiable.
  • SSFPL shall have a documented process to communicate changes in retention periods of SPDI required by the business to the Providers who are authorised to request those changes.
  • SPDI shall be erased if its storage violates any of the data protection rules or if knowledge of the data is no longer required by SSFPL or for the benefit of the Provider.  SSFPL reserves the right to retain SPDI for legal and regulatory purposes and as per applicable data privacy laws.
  • SSFPL shall perform an internal audit on an annual basis to ensure that personal information collected is used, retained and disposed of in compliance with this policy.

11.  Access:
SSFPL shall establish a system to enable and facilitate exercise of Provider’s rights of access, review, rectification, withdrawal of consent and, where appropriate or required by applicable law, a system for giving notice of inappropriate exposure of SPDI.

  • Providers shall be entitled to obtain the details about their own personal information upon a request made and set forth in writing to the registered office address of SSFPL given above in this policy and addressed to the Grievance Officer.  SSFPL shall provide its response to a request within 72 hours of receipt of such written request.
  • Providers have the right to require SSFPL to correct or supplement erroneous, misleading, outdated, or incomplete SPDI.
  • Requests for access to or rectification of SPDI shall be directed to the Grievance Officer.
  • Each access request shall be recorded and documented as it is received and the corresponding action taken.
  • SSFPL shall provide SPDI to the Providers in a simple, understandable format and not in any code.

12.  Disclosure to Third Parties:
Providers shall be informed in the PIC form if SPDI shall be disclosed to Third Parties, and it shall be disclosed only for the purposes described in such form and for which the Provider has provided its consent.

  • SPDI of Providers may be disclosed to the Third Parties only after obtaining their consent with respect to such transfer and for reasons consistent with the purposes identified or other purposes authorised by law.
  • The Providers may be assured that such transfer may be allowed only if it is necessary for the performance of the lawful contract between SSFPL or any person on its behalf and the Provider of information.
  • SSFPL is satisfied that the Third Parties will ensure the same level of data protection that is adhered to by SSFPL, as provided for under the law.
  • SSFPL shall notify the Providers prior to disclosing SPDI to Third Parties for purposes not previously identified to the Provider in the PIC form.
  • SSFPL shall communicate privacy practices, procedures and the requirements for data privacy and protection to the Third Parties.
  • The Third Parties shall sign a confidentiality and non-disclosure agreement (“CNDA”) with SSFPL before any SPDI is disclosed to such Third Parties, including the terms on non-disclosure of SPDI.

13. Security:
SPDI security policy and procedures shall be documented and implemented to ensure reasonable security for SPDI collected, stored, used, transferred and disposed of by SSFPL.

  • Information labelling and handling guidelines shall include controls specific to the storage, retention and transfer of SPDI.
  • SSFPL’s Information Technology Department shall establish procedures that maintain the security of SPDI.
  • SSFPL’s Information Technology Department shall establish procedures that ensure protection of SPDI against accidental disclosure due to natural disasters and environmental hazards.
  • Incident response protocols shall be established and maintained to deal with incidents concerning SPDI or privacy practices.
  • Anyone noticing or becoming aware of any breach of SPDI shall notify the Information Technology Department of SSFPL immediately.  It shall be the responsibility of this department to act on the intimation of the same immediately and in any event within 6 hours of the receipt of information of breach.

14. Monitoring and enforcement:
(a) Dispute Resolution and Recourse -
Privacy-related incidents and breaches are addressed by an SPDI breach management policy which includes the following:

  • a clear escalation path from the Grievance Officer up to the senior management, legal counsel / group legal office, and the board based on type and/or severity of the privacy incident / breach.  A process to register all the incidents/complaints and queries related to data privacy is defined therein.
  • SSFPL shall perform a periodic review of all the complaints related to SPDI privacy to ensure that all the complaints are resolved in a timely manner and resolutions are documented and communicated to the Providers.
  • The law mandates that the Grievance Officer shall redress the grievances of Provider of information expeditiously but within one month from the date of receipt of grievances.
  • An escalation process for complaints unresolved at the level of the Grievance Officer for the period of one month, and disputes, shall be designed and documented.
  • Communication of privacy incident / breach reporting channels and the escalation path shall be provided to all Providers.

(b) Dispute Resolution and Escalation Process for Employees of SSFPL -
Employees with inquiries or complaints about the processing of their SPDI shall first discuss the matter with their immediate supervisor.  If the employee does not wish to raise an inquiry or complaint with an immediate manager, or if the manager and employee are unable to reach a satisfactory resolution of the issues raised, the employee shall bring the issue to the attention of the Grievance Officer.

(c) Dispute Resolution and Escalation Process for Providers and Third Parties -
Providers and Third Parties with inquiries or complaints about the processing of their SPDI shall bring the matter to the attention of the Grievance Officer in writing.  Any disputes concerning the processing of the SPDI of non-employees shall be resolved through arbitration under the Arbitration and Conciliation Act, 1996.

(d) Compliance Review -
A privacy review team shall conduct an internal audit annually (at minimum) to ensure compliance with the established privacy policies and applicable laws.

  • The internal audit shall consist of the review of the following:
      ◦ SPDI collected from Providers;
      ◦ the purposes of the SPDI collection and processing;
      ◦ the actual uses of the SPDI;
      ◦ disclosures made about the purposes of the collection and use of such SPDI;
      ◦ the existence and scope of any Provider consents to such activities;
      ◦ any legal obligations regarding the collection and processing of such SPDI; and
      ◦ the scope, sufficiency, and implementation status of security measures.
  • The privacy review team shall document all the instances of non-compliance with privacy policies and procedures and report the same to the management of SSFPL.
  • The Grievance Officer along with the Information Technology Department shall take actions on the findings from the internal audit and work on the recommendations for improvement.
  • Any changes made to the policies shall be communicated to all the employees, the stakeholders and the customers / clients.

Schedule 1

The Information Technology (Reasonable Security Practices & Procedures and Sensitive Personal Data or Information) Rules, 2011 (PDF file)