EU General Data Protection Regulation - Data Privacy Annexure

This Data Processing Agreement and its Annexes (“DPA”) reflects the parties’ agreement with respect to the Processing of Personal Data by Jio Haptik Technologies Limited (“Company”) on behalf of Client in connection with the Services under the Jio Haptik Technologies Limited Terms and Conditions between Company and the Client (the “Agreement”).

This DPA is supplemental to, and forms an integral part of the Agreement and is effective upon its incorporation into the Agreement, which incorporation may be specified in the Agreement, an executed amendment to the Agreement as the case maybe. The terms and conditions of the Data Processing Agreement apply where the EU General Data Protection Regulation (GDPR) applies to Client or to Jio Haptik Technologies Limited (Company) or to any of their respective Affiliates.

Company shall periodically update the terms of this DPA. Company shall keep the Client notified of amends if any via email.

The term of this DPA shall follow the Terms of the Agreement. Headings, word or phrases not otherwise defined herein shall have the meaning as set forth in the Agreement.

I. Unless explicitly stated otherwise in this contract, the Client shall be responsible to ensure that relevant consents as per applicable laws and regulations have been obtained from the individuals/ data subjects and recorded and the correctness and accuracy of such Personal Information and the Company shall have no liability towards the Client or the Users arising as a result of the collection, correctness, accuracy and processing of any such Personal Data. 

II. The Client shall be responsible to maintain records of all consent acceptance and refusal for seven years. The Client shall also be responsible to provide details of consent acceptance and/ or refusal within 15 calendar days of the Company’s written request for the same. The Client will be liable to pay for any damages that the Company incurs due to inaccurate and/ or insufficient consent records.

III. The Company will use the Personal Data only on the directions of the Client. The Company will not use Personal Data collected on behalf of the Client, received from the Client or its personnel or otherwise processed on behalf of the Client for any purpose other than as necessary to perform services under this Agreement.

IV. Parties shall take reasonable steps to ensure the reliability of any employee, agent or contractor who may have access Personal Data, ensuring in each case that access is strictly limited to those individuals who need to know/ access the relevant Personal Data, as strictly necessary for the purposes of this Agreement, and to comply with Applicable Laws in the context of that individual’s duties, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.

V. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of storing, controlling and/ or processing personal data as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Parties shall in relation to the Personal Data implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk.

VI. The Parties will ensure that they are in compliance with all applicable laws while handling any personal information and shall execute such agreements as may be necessary to ensure compliance with applicable laws. 

VII. The Company shall not under any circumstances, be liable for any damage, destruction, unauthorized access or loss of Personal Data.  

VIII. The subject matter and duration of the processing:

The chatbot is built to disseminate information about Client products and services and generate leads for the Client. These details are collected so that the prospect can be contacted via call and/or email by the Client. The Company shall retain Personal Data for a maximum duration of 7 years.

IX. The nature and purpose of the processing:

  • Leads generated from the bots will be shared with the Client. The Client may reach out to the leads over other channels like call and/or email for conversions and sale.
  • For bots that do not generate leads, Personal Data may be collected to respond to queries of data subjects when they utilize bots on the Client’s website.

X. Type of personal data:

Details collected by the data subject may include but not be limited to be name, phone number, email ID, company name and purpose of visit on Client’s website. Additional details may be requested to provide services mentioned as part of Client agreements and to comply with laws and regulations.

XI. The obligations and rights of the controller:

  • The controller (Client) is responsible to securely store and maintain privacy for subject data and Personal Data.

  • For customers availing Agent Chat functionality, the controller (Client) has access to the Company’s portal for accessing chat transcripts. Controls over information security for Personal Data in chat transcripts must be implemented.

  • Access to Analytics Dashboard will be provided by the Company. Controller (Client) should ensure appropriate safeguards for limiting and securing access.

  • It is the responsibility of the controller (Client) to implement any and all security measures for protection of Personal Data received from the Company.

XII. The obligations and rights of the processor:

  • Company (processor) will store Personal Data securely and limit access to this data through permissions.
  • Company (processor) is responsible to securely share Personal Data to the Client (controller).
  • Company (processor) will inform the Client (controller) in case of a data breach of Personal Data collected for that respective Client.

XIII. Rights of data subjects:

The Parties are responsible for ensuring the rights of data subjects in accordance with the following.

  • right of access by the data subject 

  • right to rectification

  • right to erasure (the right to be forgotten)

  • right to restriction of processing

  • notification obligation regarding rectification or erasure of personal data or restriction of processing or breach

  • right to data portability 

  • right to object to processing

The parties are responsible for assisting each other to the extent this is relevant and necessary for both parties to comply with their obligations to the data subjects.

Last updated on: 1st March 2022