Statement on Compliance with the GDPR for Comviva

Background

Data protection laws are evolving continuously, and Comviva is committed to protecting Personal Information (PI) and Sensitive Personal Information (SPI) through its well-established and maintained Privacy Program, driven by an internal Data Privacy Framework and Governance Model.

The General Data Protection Regulation (“GDPR”) became applicable on May 25, 2018. It is legislation that aims to enhance data protection for residents of the European Union (EU) and the European Economic Area (EEA) [the 28 member countries of the EU at that time, plus Norway, Liechtenstein, and Iceland] (herein collectively referred to as “EU”).

GDPR is a game changer for many organizations, obliging them to review internal processes and to ensure that appropriate technical and organizational measures are in place to embed data privacy and protection in their internal culture, while putting the right governance in place.

These changes are designed to enable them to act as accountable organizations and to be able to demonstrate compliance with the principles relating to personal data processing under enhanced liabilities and sanctions.

It provides an opportunity to design, build and enforce increased trust across the entire organization by safeguarding the personal data rights of individual citizens, customers, and all other stakeholders, resulting in wider operational and business gains.


Introduction

Comviva is committed to high standards of information security and privacy. Comviva places a high priority on protecting and managing data in accordance with accepted standards, including ISO 27001 and ISO 9001/TL9000.

Comviva complies with applicable GDPR requirements, as a data controller and as a data processor, while also working closely with customers and partners to meet contractual obligations for procedures, products and services.

Comviva is committed to ensuring the security and protection of the PI and SPI that Comviva processes, and to providing a compliant and consistent approach to data protection. Comviva has a robust and effective data protection program in place which complies with existing applicable laws, including the GDPR. Comviva also recognises its obligation to keep updating and expanding this program so that it continues to meet the requirements of the GDPR.


Appointment of an organization-wide Data Protection Officer for Comviva

Comviva has aligned itself with the GDPR, which became applicable in 2018. A Data Privacy and Protection Program has been designed and updated at Comviva, and a coherent Governance Model has been adopted to comply with the requirements of the GDPR. A Privacy Team has been established at Comviva, which works on all the requirements of data protection laws including the GDPR (such as privacy by design and by default, breach notification, data subject rights, etc.).

Mr. Naveen Tandon is Comviva’s Data Protection Officer (DPO). He is currently the Chief Information Officer (CIO). His appointment as DPO of Comviva came into effect on 23 Oct 2019. He will work independently and report to the Privacy Steering Committee as defined in the Privacy Governance Framework.

This appointment is in conformity with the General Data Protection Regulation (GDPR), Regulation (EU) 2016/679, which heralded a new era of data protection across the European Union, with varied ramifications for companies around the world.

Comviva’s Data Protection Officer will inform, advise and monitor compliance. Comviva has implemented controls and tools, as appropriate, that support the process, provide the necessary privacy and security safeguards, and ensure ongoing delivery of its data privacy and data protection objectives.

Responsibilities of the DPO:

  1. Serving as a supervisor for the Privacy Team and enforcing privacy policies and recommended practices;
  2. Informing and advising the organization (as the controller or the processor) and its employees about their obligations to comply with the GDPR and other data protection laws;
  3. Monitoring compliance with the GDPR and other applicable data protection laws;
  4. Acting as the first point of contact for the supervisory authority and for individuals whose data is processed (employees, customers, third parties, etc.);
  5. Imparting awareness and training to Comviva personnel on important compliance requirements;
  6. Allocating required resources and skills for conducting periodic privacy reviews to ensure compliance and address potential issues proactively;
  7. Ensuring that a report on review findings is prepared and presented to the Privacy Steering Committee;
  8. Monitoring performance and providing advice on the impact of data protection efforts; and
  9. Interfacing with data subjects to inform them about how their data is being used, their rights to have their Personal Information updated or erased, and what measures the company has put in place to protect their Personal Information.


Comviva’s commitment to GDPR compliance

Comviva has built on its existing certifications, including ISO 9001/TL9000 and ISO 27001, to ensure it is GDPR compliant. It is important to recognize that compliance is a shared responsibility and that all organizations will need to adapt their business processes and data management practices.

Comviva is committed to the principles inherent in the GDPR, and particularly to the concepts of privacy by design in all its products, the right to be forgotten, consent, and a risk-based approach.

In addition, Comviva aims to ensure that:

  1. There is transparency with regard to the use of PI and SPI
  2. Any processing of PI and SPI is lawful, fair and transparent, and limited to specified purposes
  3. PI and SPI are accurate, up to date, and deleted or disposed of as required under the GDPR
  4. PI and SPI are kept safely and securely


Compliance Program at Comviva

Comviva operates a robust Information Security Management System (ISMS) based on ISO 27001:2013 and, with the help of internal and external advisors, has implemented additional and augmented company-wide controls within the ISMS to meet GDPR requirements.

Comviva has drafted policies and procedures to comply with the requirements of the GDPR and has established a Privacy Compliance Monitoring Procedure, comprising gap analysis and Data Protection Impact Assessments (DPIAs), supported by communication and training programmes.

Compliance will be supported by a review of existing contracts with data controllers, the use of sub-contractors and any data export arrangements.


A Comprehensive Compliance Program at Comviva

For Comviva, data protection is a priority. Comviva makes this a reality by undertaking the following:

Governance – A global governance structure comprising a Privacy Steering Committee, the Data Protection Officer, Local Privacy Officers and a Privacy Working Group, guided by security and cybersecurity professionals at the corporate level and at the local level of each customer engagement, dedicated to ensuring deployment of the GDPR program

Awareness – Privacy and security awareness training for employees through e-learning modules and tests, including account-specific privacy and security training as required by customer engagements

Security – Compliance with security standards’ best practices

Incident Management – A security incident response process and client-specific incident response plans; Comviva takes all security incidents very seriously

Policies and Procedures – Updating and implementing privacy and security policies, guidelines, procedures and tools to meet the requirements of the GDPR:

  1. Data Protection – Accountability and governance measures are in place to ensure that Comviva understands, adequately disseminates and can evidence its obligations and responsibilities, with a dedicated focus on privacy by design and the rights of individuals.
  2. Data Retention and Disposal – Comviva has updated its Data Retention and Disposal Policy and retention schedule to ensure that Comviva meets the ‘data minimisation’ and ‘storage limitation’ principles, and that PI and SPI are collected, processed, stored and destroyed in a manner that makes business and economic sense and complies with legal requirements and contractual obligations.
  3. Data Breach Management – Comviva’s Breach Management Procedure describes the measures and ways to manage a reported, actual or suspected privacy incident or data privacy breach: its investigation, the remediation solution, notification of the respective data subjects, employees and third parties (as applicable), and the adoption of measures to prevent future privacy breaches.
  4. International Data Transfers & Third-Party Disclosures – Where Comviva stores or transfers PI and SPI outside the EU, Comviva has robust procedures and safeguarding measures in place to secure, encrypt and maintain the integrity of the data. Comviva carries out strict due diligence checks on all recipients of PI and SPI to assess and verify that they have appropriate safeguards in place to protect the information, ensure enforceable data subject rights, and provide effective legal remedies for data subjects where applicable.
  5. Data Subject Access Request (DSAR) – Comviva has designed its DSAR procedure to meet the one-month timeframe the GDPR sets for providing the requested information, and to provide it free of charge. The procedure sets out how to verify the data subject, what steps to take to process an access request, what exemptions apply, and a suite of response templates to ensure that communications with data subjects are compliant, consistent and adequate.


Privacy Notice/Policy – Comviva has updated its Privacy Policy to comply with the GDPR, ensuring that all data subjects whose PI and SPI Comviva processes have been informed of why Comviva needs it, how it is used, what their rights are, to whom the information is disclosed, and what safeguarding measures are in place to protect their information.

Obtaining Consent – Comviva has updated its consent mechanisms for obtaining PI and SPI, ensuring that individuals understand what they are providing, why and how Comviva uses it, and giving them clear, defined ways to consent to Comviva processing their information. Further, Comviva has developed stringent processes for recording consent, making sure that Comviva can evidence an affirmative opt-in, along with time and date records, and an easy-to-find and accessible way to withdraw consent at any time.

Privacy Audit – Company-wide maturity assessments and information audits are carried out to identify and assess what PI and SPI Comviva holds, where it comes from, how and why it is processed, and whether and to whom it is disclosed. The results are communicated to the highest level of management, together with mandatory remediation plans.

Data Subject Rights – In addition to the policies and procedures mentioned above, Comviva ensures that data subjects can exercise their data protection rights.


How to Contact

If you have any queries or questions about Comviva’s privacy policy, privacy practices or privacy statement, or any concern or complaint regarding the treatment of your privacy or a possible breach of your privacy, please contact our Data Protection Officer using the details set out below.

Contact Person: Naveen Tandon

Contact Address: 5th, 7th & 8th Floor, Capital Cyberspace, Golf Course Ext Rd, Sector 59, Gurugram, Haryana 122102

Alternatively, queries can be emailed to: dpo@comviva.com


DISCLAIMER

Comviva assumes no responsibility or liability for any errors or omissions in the content of this statement. This statement is provided “as is”, and Comviva does not expressly or impliedly warrant, guarantee or make any representations concerning the use, results of use, or inability to use or access the information or contents of the Website, in terms of accuracy, reliability, completeness, functionality, performance, continuity, timeliness or otherwise, fitness for a particular purpose and/or non-infringement.

This statement may be accessed from third-party links over which Comviva has no control. Comviva does not make any warranties or representations of any kind as to the accuracy, currency, or completeness of any information contained in those third-party and external sites, and shall have no liability for any damages or injuries of any kind arising from such content or information.