The TDCX group of companies is committed to the protection of the Personal Data of its customers, employees, suppliers and business partners, in particular as regards compliance with the provisions of the EU General Data Protection Regulation.
Accordingly, this document creates Binding Corporate Rules (the “BCRs”) that are legally binding on the following TDCX (“TDCX”) companies (“the TDCX Group” or the “TDCX Entities”), namely:
as well as on any companies that subsequently become members of the TDCX Group.
All the TDCX entities bound by these BCRs can be contacted at 750D Chai Chee Road, #06-01/06 ESR BizPark @ Chai Chee, Singapore 469004.
The objective of the BCRs is to provide adequate protection for the transfers and processing of Personal Data by TDCX staff and entities in the TDCX Group, its companies, subsidiaries, affiliates and any other entity under its ownership or control.
The BCRs explain how this commitment is implemented by the TDCX Group throughout its operations. They specifically set out TDCX’s approach to transfers of Personal Data between entities in the TDCX Group and apply to TDCX’s operations worldwide.
The BCRs are communicated to all TDCX employees and are published on the external TDCX website accessible at www.tdcx.com.
When collecting personal data for its processing, TDCX will provide the data subjects with all the information related to the processing of their data, and particularly with that indicated in articles 13, 14 and 47 of the GDPR. In particular, this information will be provided by giving access to the relevant Privacy Policy (which will vary depending on whether the data subject is a TDCX employee or a candidate for employment). If necessary, TDCX will send any additional information that applies, in a more detailed manner and in a more appropriate medium for its better presentation, understanding or filing by the Data Subject.
1.1 Scope
The BCRs apply to all Personal Data of employees, candidates for employment, customers, suppliers, contractors, business partners and other natural persons in the European Economic Area (“EEA”), collected and used by TDCX.
They specifically set out TDCX’s approach to transfers of Personal Data between entities in the TDCX Group. In this sense, these BCRs are legally binding for all the TDCX Entities, including their employees.
For the privacy rules applicable to TDCX Employee Personal Data, please refer to the Employee Privacy Notice. For privacy rules applicable to the Personal Data of candidates for employment, please refer to the [Candidate Privacy Notice]
1.2 Effective Date
The BCRs enter into force on [8 June 2019] (the “Effective Date”). The TDCX BCRs supersede all prior TDCX privacy policies and notices that exist on the Effective Date to the extent they cover the same issues or conflict with the BCRs.
1.3 Implementation of the BCRs
(a) Data Protection Officer
The operation of the BCRs is the responsibility of the Data Protection Officer. If there is a question as to the interpretation, implementation or applicability of the BCRs, TDCX staff shall seek the advice of the Data Protection Officer prior to conducting any relevant Processing.
(b) Data Protection Authority
For the purposes of compliance with the GDPR, TDCX has selected the Agencia Española de Protección de Datos (“AEPD”), an agency of the government of Spain, as its Supervisory Authority.
(c) Applicable law being implemented by the BCRs
The BCRs implement the obligations created by Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“General Data Protection Regulation” or “GDPR”).
TDCX is committed to interpreting the terms of the BCRs according to the GDPR and relevant guidance from the European Data Protection Board and the AEPD.
“Consent” of the Data Subject means any freely given, specific, informed and unambiguous indication of the Data Subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of Personal Data relating to him or her;
“Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data
“Data Protection Officer” means the person appointed by TDCX to oversee the observance of applicable data laws by Staff (including Processors), and to oversee the implementation of TDCX’s data compliance policies
“Data Subject” means an identified or identifiable natural person
“European Economic Area” means the area of the European Union Member States and Iceland, Liechtenstein and Norway where the European Economic Area treaty of 1 January 1994 applies
“GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“General Data Protection Regulation”), as amended or modified from time to time
“Legitimate Purpose” means the unauthorized purpose for collecting and processing Personal Data set out in Article 5 of these BCRs
“Personal Data” means any information relating to an identified or identifiable natural person (“Data Subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person
“Process or Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction and to Process means to carry out any of these operations or set of operations
“Processor” means a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the controller
“TDCX Group” means the list of TDCX entities listed in paragraph 2 of the Introduction to the BCRs and any entities that subsequently become group companies
“Sensitive Personal Data” means Personal Data that reveals a Data Subject’s racial or ethnic origin; political opinions or membership of political parties or organizations; religious or philosophical beliefs; membership of a professional or trade organization or union; physical or mental health or condition, including disabilities; sexual orientation; criminal record; or social security numbers issued by state or public authorities.
“Staff” means all TDCX employees (including consultants, and temporary or permanent staff) as of the Effective Date, who Process Personal Data as part of their duties or responsibilities using TDCX data systems or working primarily from TDCX premises. For the purposes of these BCRs, consultants hired to work for TDCX are Staff.
“Third Party” means a natural or legal person, public authority, agency or body other than the Data Subject, Controller, Processor and persons who, under the direct authority of the Controller or Processor, is or are authorized to Process Personal Data
3.1 Staff shall take appropriate, commercially reasonable measures to protect Personal Data from misuse or accidental, unlawful or unauthorized destruction, erasure, loss, alteration, modification, disclosure, acquisition or access
(a) Staff access
Staff shall have access to Personal Data only to the extent necessary to serve the applicable Legitimate Purpose and to perform their tasks.
Staff who have access to Personal Data shall meet their confidentiality obligations as specified by their contract and by TDCX staff guidelines and policies.
4.1 Processing of Personal Data shall be restricted to data that is reasonably adequate for and relevant to the applicable Legitimate Purpose. It should be accurate, complete and kept up-to-date to the extent reasonably necessary for the applicable Legitimate Purpose
TDCX shall take reasonable steps to delete or destroy securely Personal Data that is not required (or no longer required) for the applicable Legitimate Purpose.
Personal Data shall be held only:
(b) For as long as necessary to serve the applicable Legitimate Purpose;
(c) For as long as necessary to comply with an applicable legal requirement; or
(d) For as long as necessary in light of any applicable statute of limitations.
Promptly after the relevant retention period has ended, the Personal Data shall be treated in the following alternative ways
(a) It shall be securely deleted or destroyed; or
(b) It shall be pseudonymized in such a manner that the Personal Data can no longer be attributed to a specific Data Subject without the use of additional information, and that such additional information is kept separately and is subject to technical and organizational measures to ensure that the Personal Data are not attributed or attributable to an identified or identifiable natural person; or
(c) It shall be transferred to an archive (unless this is prohibited by applicable local law or an applicable TDCX records retention schedule).
The Data Subjects shall be required to inform TDCX if Personal Data they have provided are inaccurate, incomplete or outdated and TDCX shall rectify the data in accordance with Article 10.
Personal Data shall be collected, used, transferred or otherwise Processed for one or more of the following purposes:
(a) TDCX business purposes; or
(b) TDCX management purposes.
5.1 Legitimate Purposes for the Processing of Personal Data necessary for TDCX Business purposes include:
(a) The conclusion and execution of agreements with customers, suppliers and business partners (including providing customer services and the purchasing of goods and/or services);
(b) Recording and financially settling the delivery of services, products and materials to and from TDCX;
(c) Conducting marketing activities and promotions;
(d) Finance and accounting management;
(e) Research and development;
(f) Internal management and control;
(g) Fulfilling obligations under laws and regulations, including conducting relations with government and regulatory agencies; and
(h) Corporate transactions, including those involving joint ventures, mergers, acquisitions, and divestitures.
5.2 Legitimate Purposes for the Processing of Personal Data necessary for TDCX management purposes include:
(a) Internal management, such as Processing necessary for managing company assets, conducting internal audits and investigations, and implementing business controls;
(b) Internal management, such as Processing necessary for implementing TDCX health, safety and security policy, including the protection of TDCX and TDCX Staff assets; authenticating customers, suppliers or business partners for status and access rights
(c) Internal management, such as Processing necessary for complying with legal obligations; and
(d) Internal management, such as Processing necessary to protect the vital interests of the Data Subject or of another natural person;
(e) Internal Human Resources management necessary to implement and administer the contractual relationship between Staff and the relevant TDCX entity
5.3 TDCX shall ensure that whenever Personal Data is Processed, at least one of the following applies:
(a) The Data Subject has given Consent to the processing of his or her Personal Data for one or more specific purposes;
(b) Processing is necessary for the performance of a contract to which the Data Subject is party or in order to take steps at the request of the Data Subject prior to entering into a contract;
(c) Processing is necessary for compliance with a legal obligation to which TDCX is subject;
(d) Processing is necessary in order to protect the vital interests of the Data Subject or of another natural person;
(e) Processing is necessary for the purposes of the legitimate interests pursued by TDCX, except where such interests are overridden by the interests or fundamental rights and freedoms of the Data Subject which require protection of Personal Data.
5.4 Since a Data Subject may refuse or withdraw Consent at any time, Processing by TDCX will only take place if TDCX has taken action that relies on Consent that has previously been given. If such Consent is withdrawn, TDCX shall discontinue Processing as soon as reasonably practical.
TDCX shall Process Sensitive Personal Data only to the extent necessary to serve a Legitimate Purpose as permitted under applicable law.
In situations when Sensitive Data is Processed based on a legal requirement other than the local law applicable to the Processing, or based on the express Consent of the Data Subject, Processing will only occur either: (i) Upon obtaining the prior approval of the Data Protection Officer; or (ii) under a privacy sub-policy governing the Processing.
6.1 Sensitive Data may be Processed under one or more of the following circumstances:
(a) Where the Data Subject has expressly consented to the Processing, including “opt-ins”;
(b) When [TDCX is] providing services to the Data Subject providing the Sensitive Personal Data;
(c) Where the Data Subject providing the Sensitive Personal Data is voluntarily participating in a research project or service/product test;
(d) To prevent, detect or prosecute (including cooperating with public authorities) suspected fraud, breaches of contract, violations of law, or other breaches of the terms of access to TDCX sites or assets;
(e) To establish, exercise or defend a legal claim;
(f) To protect the vital interest of the Data Subject or of another natural person, but only where it is impossible or impractical to obtain the relevant Consent first (such as an accident requiring urgent action);
(g) Where this is required or necessary to comply with applicable law
6.2 Sensitive Data may only be processed for Secondary Purposes under the conditions set out in Article 7 below.
7.1 TDCX shall generally only Process Personal Data for the purposes for which they were originally collected (“Original Purpose”).
7.2 Such data may be Processed for a purpose other than the Original Purpose (“Secondary Purpose”) where the Original and Secondary Purposes are closely linked.
7.3 The provisions of this Article apply to the Processing of Sensitive Data for a Secondary Purpose.
7.4 In Processing data for a Secondary Purpose, TDCX shall conduct an impact assessment of the potential for harm to the Data Subject as a result of the Processing for a closely-linked Secondary Purpose, which shall assess the need for:
(a) Limiting access to the Personal Data;
(b) Implementing additional confidentiality and security measures;
(c) Informing the Data Subject about the Secondary Purpose, including providing an opportunity to opt-out; and
(d) Obtaining the Data Subject’s Consent.
7.5 Permitted reasons for Processing Personal Data for Secondary Purposes, subject to clearance by the Data Protection Officer, are:
(a) Conducting internal audits or investigations;
(b) Conducting statistical, historical or scientific research;
(c) Dispute resolution management and using legal or business consulting services;
(d) Management of insurance issues; or
(e) Archiving.
TDCX shall limit the Processing of Personal Data to such data as is reasonably suitable for and relevant to the applicable Legitimate Purpose.
8.1
(a) For the period required to address the applicable Legitimate purpose;
(b) To the extent reasonably necessary to comply with an applicable legal obligation or requirement;
(c) For as long as advisable in light of an applicable statute of limitations; and
(d) Without prejudice to the above, TDCX may specify a time period for which certain categories of Personal Data will be kept (in a TDCX notice or TDCX records retention protocol).
TDCX shall take reasonable technical and physical steps safely and securely to delete or destroy Personal Data that is not required or no longer required for the applicable Legitimate purpose.
Direct marketing to existing or prospective customers shall be performed by TDCX only with the consent of the targeted individual.
9.1 For the purpose of addressing direct marketing communications to existing or prospective customers, TDCX shall do the following:
(a) Obtain the prior affirmative consent of the targeted individual (to the extent that this is required by law);
(b) Offer the individual the opportunity to choose not to receive such communications; and
(c) In every subsequent direct marketing communication that is made to such individuals, offer the opportunity to opt-out of further marketing communication.
TDCX shall respect objections to marketing and if the targeted individual objects to receiving marketing communications from TDCX, or withdraws consent to receive such communications, TDCX shall cease sending further marketing materials as specifically requested by the individual and shall delete the individual’s Personal Data from its marketing database (save under the conditions set out in Article 8).
TDCX shall inform Data Subjects whose Personal Data is collected and processed by publishing a Privacy Notice which shall explain and provide information as follows:
10.1
(a) The TDCX entity responsible for the Processing of the Processed Personal Data and the contact details of the DPO, where applicable;
(b) Information concerning the nature and categories of the Processed Personal Data, the categories of Third Parties to which the Personal Data are disclosed (if any), and on how the Data Subject who provides Personal Data can exercise rights under applicable laws.
(c) Where reasonably available, the source, type, purpose and categories of recipients of the relevant Personal Data.
(d) The Data Subject’s rights to access, rectify, delete or restrict access to the Personal Data provided and how such rights may be exercised (e.g. by contacting the Data Protection Officer or an appropriate page on the TDCX website). The right to lodge a complaint with a supervisory authority.
(e) The Data Subject’s right to object to the Processing of his or her Personal Data for the purposes of TDCX’s or a third party’s legitimate interests, or where TDCX is carrying out a task in the public interest or exercising official authority vested in TDCX on the basis of compelling grounds related to the individual’s situation and information on how this right may be exercised (e.g. by contacting the Data Protection Officer or an appropriate page on the TDCX website).
(f) Whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the Data Subject is obliged to provide the personal data and of the possible consequences of failure to provide such data
(g) The existence of automated decision-making, including profiling,
10.2
(a) The Data Subject exercising the rights referred to in Article 10.1 (d) and (e) may be requested to show proof of identity. In the case of a request to rectify, the Data Subject should be requested to explain why the Personal Data are incorrect and/or incomplete, and provide accurate replacement information, if this is not clear from the request. In the case of a request to delete Personal Data, the Data Subject should be asked which of the applicable grounds on which TDCX is to delete the Personal Data apply, if this is not clear from the request. Where TDCX holds a large volume of information on the Data Subject, he or she should be requested to specify the type of Personal Data in question and the processing activities to which the request relates.
(b) The Data Protection Officer shall respond to the Data Subject making a request under Article 10.1 (d) and (e) above within one month of receipt of the request. The Data Protection Officer shall inform the Data Subject in writing either: (i) of TDCX’s position with regard to the request or the objection and any action TDCX has taken or will take in response to the request; or (ii) of the ultimate date on which the Data Protection Officer will inform the Data Subject of TDCX’s position, which date shall be no later than two months after receipt of the request.
10.3
(a) A Data Subject making a request under this Article shall be given the opportunity to file a complaint in accordance with Article 19 if:
(i) The response to the request or the objection is unsatisfactory to the Data Subject; or
(ii) The Data Subject has not received a response as required under Article 10.2 (b).
(b) A Data Subject’s request or objection may be denied by TDCX, under the guidance of the Data Protection Officer, if:
(iii) The request or objection is not sufficiently precise or specific or supported by evidence, despite TDCX’s requests for further information under 10.2 (a);
(iv) The request or objection is manifestly unfounded or excessive, in particular because
i) of its repetitive character
ii) it is made within an unreasonable time interval since a prior request or objection.
TDCX may use automated tools to make decisions about Data Subjects but decisions shall not be based solely on the results provided by this process.
11.1 This restriction does not apply if:
(a) The use of automated tools is required or authorized by law;
(b) The automated tool is used to assess objectively the numeracy and language skills of a prospective candidate for employment with TDCX prior to shortlisting and the candidate has consented to the automated assessment;
(c) The decision is made by TDCX to enter into or perform a contract provided that the request leading to a decision by TDCX was made by the Data Subject; or
(d) Appropriate measures have been taken to safeguard the legitimate interests of the Data Subject (for example, the Data Subject has provided or been given an opportunity to express a view).
12.1 Appropriate and commercially reasonable technical, physical and organizational measures shall be taken by TDCX to protect Personal Data from misuse or accidental, unlawful or unauthorized destruction, loss, alteration, disclosure, acquisition or access.
12.2 Staff shall be authorized to access Personal Data only to the extent necessary to serve the applicable Legitimate Purpose and to perform their tasks as TDCX employees. The relevant TDCX staff shall be subject to appropriate confidentiality obligations as specified by contract and in TDCX policies.
13.1 When transferring Personal Data to parties within the TDCX Group, TDCX shall transfer Personal Data only to the extent necessary to serve the Legitimate Purpose for which the Personal Data is Processed (this includes processing for purposes for which the Data Subject has provided consent or for Secondary Purposes in accordance with Articles 5 and 7, respectively).
13.2 TDCX shall ensure that Personal Data shall be Processed within the TDCX Group in compliance with the terms of the BCRs and that the data privacy interests of Data Subjects concerned are protected as required by the BCRs and by applicable laws.
14.1 When transferring Personal Data to parties not members of the TDCX Group, a distinction shall be made between:
(a) Third Party Data Processors, namely parties that Process Personal Data solely on behalf of TDCX and under TDCX’s direction; and
(b) Third Party Data Controllers, namely Third Parties that Process Personal Data and determine the purposes and methods of the Processing (e.g. TDCX business partners that provide their own goods or services to Customers).
14.2 TDCX shall transfer Personal Data to a Third Party only to the extent necessary to serve the Legitimate Purpose for which the Personal Data is Processed (including processing for Secondary Purposes or for purposes for which the Data Subject has provided consent in accordance with Article 5).
14.3 TDCX shall ensure that Third Party Data Controllers (other than public authorities) can Process Personal Data obtained in connection with their relationship with TDCX only if such Third Party Data Controllers have a written contract with TDCX, as stipulated in Article 14.7.
14.4 TDCX shall ensure that the data privacy rights of Data Subjects concerned by such Processing are protected contractually.
14.5 The transfer of business contact information may be made to a Third Party Data Controller without a contract if TDCX takes reasonable steps to ensure that such information will be used by the Third Party Data Controller to contact the Data Subject for legitimate business purposes related to that same Data Subject’s business or interests.
14.6 TDCX shall not transfer, sell, lease, or offer for hire Business Contact Information in bulk to a Third Party Data Controller without consent except as permitted or required under applicable law and to the extent such transfer, sale, lease, or rent serves a Business Purpose (per Article 5.1).
14.7 Third Party Data Processors may Process Personal Data only if the Third Party Data Processor has a written contract with TDCX which includes terms and conditions addressing the following:
(a) The Third Party Data Processor shall Process Personal Data only in accordance with TDCX’s instructions and for the purposes authorized by TDCX;
(b) The Third Party Data Processor shall keep the Personal Data confidential;
(c) The Third Party Data Processor shall take appropriate technical, physical, administrative and organizational security measures to protect the Personal Data;
(d) The Third Party Data Processor shall not permit subcontractors to Process Personal Data in connection with its obligations to TDCX without the prior written authorization of TDCX;
(e) That TDCX shall have the right to review the security measures taken by the Third Party Data Processor and the Third Party Data Processor shall be required to submit its relevant data processing facilities to audits and inspections by TDCX or any relevant government authority; and
(f) The Third Party Data Processor shall promptly inform TDCX of any incident involving Personal Data, including hacking or data breaches concerning the obligations set out by the GDPR.
14.8 Transfers of Personal Data to a Third Party located in a country that is not considered by the European Commission to provide an ‘adequate level of protection’ for Personal Data under Chapter V of the GDPR (“Non-Adequate territory”) shall only be made if the following conditions are satisfied:
(a) A contract has been concluded between TDCX and the relevant Third Party that provides for safeguards at a similar level of protection as that provided by the BCRs;
(b) The contract shall conform to any model contract required under applicable local law (if any, including those covered by guidance from the European Data Protection Board or the AEPD);
(c) In the case of any transfers of Personal Data from the EEA to the USA, the Third Party has been certified under the EU-US Privacy Shield as modified or succeeded by EU-US data treaties or any other similar scheme or treaty that is recognized as providing an ‘adequate’ level of data protection for GDPR purposes;
(d) The Third Party has established binding corporate rules or a similar transfer control mechanism which provide adequate safeguards as required under applicable law and these have been deemed GDPR compliant by competent authorities;
(e) The transfer is necessary for the performance of a contract with the customer, supplier or business partner or to take necessary steps at the request of the customer, supplier or business partner prior to entering into a contract;
(f) The transfer is necessary for the conclusion or performance of a contract concluded in the interest of the individual between TDCX and a Third Party;
(g) The transfer is necessary to protect a vital interest of the Data Subject or of another natural person (for example, dealing with an emergency);
(h) The transfer is necessary for the establishment, exercise or defence of a legal claim;
(i) The transfer is required by any law to which the relevant TDCX entity is subject; or
(j) The Data Subject has consented to such transfer, pursuant to the conditions set out in Article 14.9.
14.9 When seeking consent pursuant to Article 14.8(j), TDCX shall provide the Data Subject with the following information:
(a) The purpose of the transfer;
(b) The identity of the transferring TDCX entity;
(c) The identity or categories of Third Parties to which the Personal Data will be transferred;
(d) The categories of Personal Data that will be transferred;
(e) The country to which the Personal Data will be transferred; and
(f) The fact that the Personal Data will be transferred to a Non-Adequate territory.
14.10 Personal Data collected by TDCX in the EEA and transferred to a Third Party located in a Non-Adequate territory may in turn be transferred to a second Third Party located in that same or another Non-Adequate territory only if the following conditions are met:
(a) The transfer must be necessary for compliance with a legal obligation to which the relevant TDCX entity is subject;
(b) The transfer must be necessary to serve the public interest; or
(c) The transfer must be necessary to satisfy a Legitimate Purpose of TDCX (per Article 5).
TDCX shall provide training on the BCRs and other data privacy and data security obligations and best practices to Staff who have access to Personal Data or who have responsibilities concerning the management of Personal Data.
TDCX shall bear responsibility for auditing all TDCX entities’ business processes and procedures involving the Processing of Personal Data to assess their compliance with the BCRs:
(a) Such an audit shall be carried out on an [annual] [regular] basis by the internal TDCX audit team or an accredited external audit team or on the specific request of the Data Protection Officer.
(b) Such audits shall be performed up to appropriate professional standards of independence, integrity and confidentiality.
(c) The Data Protection Officer shall be informed of the results of the audits and a report submitted to TDCX senior management.
(d) TDCX shall ensure that adequate steps are taken to address any shortcomings or breaches of the BCRs identified during the monitoring or auditing of compliance pursuant to this Article.
(e) A copy of the audit results shall be provided to the AEPD upon request, which may in turn carry out a data protection audit if required.
(f) Every member of the TDCX Group confirms that they may be audited by the AEPD and that they will abide by the advice of the AEPD on any issue related to the BCRs.
17.1 TDCX shall appoint a Data Protection Officer who is responsible for:
(a) Supervising compliance with the BCRs;
(b) Providing advice on the implementation of the BCRs and interpretation of GDPR obligations, including coordination with the General Counsel, and advice to the TDCX Board and senior management;
(c) Organizing TDCX’s response to investigations or inquiries into the Processing of Personal Data by public authorities including the AEPD, and acting as the contact point of the AEPD and other supervisory authorities;
(d) Presenting annual reports on compliance with GDPR obligations. Appropriate professional standards of independence, integrity and confidentiality shall be maintained when conducting TDCX internal compliance reviews;
(e) Supervising TDCX’s response to any Data Requests or complaints about TDCX’s compliance with GDPR obligations;
(f) Supervising TDCX’s response to any issues of compliance, including privacy issues and breaches of GDPR obligations (if these occur);
(g) Wherever appropriate, ensuring that adequate steps are taken to address breaches of the BCRs identified during the monitoring or auditing of compliance; and
(h) Supervising the allocation of responsibilities, the awareness and training of staff involved in processing operations, and the corresponding audits.
17.2 Non-compliance with the BCRs may result in disciplinary action and sanctions imposed on Staff, including termination of employment.
18.1
In a situation where a legal requirement to transfer Personal Data conflicts with the national laws of EEA Member States or other countries with legal requirements regarding cross-border data transfer, any relevant Personal Data transfer shall be authorized in advance by the Data Protection Officer. Where appropriate, guidance shall be requested from the AEPD or other competent public authority.
18.2
(a)
In a situation where there is a conflict between an applicable local law and the BCRs, TDCX staff must consult with the Data Protection Officer. Appropriate legal advice from local counsel shall be obtained. Where appropriate, guidance shall be requested from the AEPD or other competent public authority.
(b)
Where local law, including the GDPR and other EU legislation, requires a higher level of protection for Personal Data it will take precedence over the BCRs.
(c)
In all cases, Personal Data shall be processed by TDCX in accordance with the GDPR, any other applicable law or relevant local legislation.
19.1
Data Subjects shall be entitled to submit a complaint internally within TDCX regarding compliance with the BCRs:
(a)
In accordance with the complaint procedure stipulated in the relevant privacy policy or contract; or
(b)
Through the Data Protection Officer, who shall conduct an investigation of the complaint and, where necessary, advise TDCX regarding appropriate compliance measures, monitoring such steps until their completion. The Data Protection Officer shall consult with the AEPD if appropriate on the measures to be taken.
19.2
Within one month of TDCX receiving a complaint, the Data Protection Officer shall inform the complainant in writing either:
(a)
Of TDCX’s response with regard to the complaint and any action TDCX has taken or proposes to take in response; or
(b)
The ultimate date on which the complainant will be informed of TDCX’s position, which date shall be no later than two months from the date of receipt of the complaint.
19.3
Complaints shall only be admissible if the complainant has followed the procedure set out in the BCRs. Any complaints of an individual concerning any right the individual may have under the BCRs shall be addressed to TDCX only and shall exclusively be brought before the AEPD (except in case of jurisdiction of a Data Protection Authority of one of the EEA countries) or the competent court in Spain.
19.4
Under the BCRs, Data Subjects or other natural persons shall only be entitled to remedies available to them under applicable law, which shall include the right to damages. However, TDCX shall be liable only for direct damages (which excludes, without limitation, lost profits or revenue, and lost turnover) suffered by an individual resulting from a violation of the BCRs.
20.1 TDCX entities and Staff shall comply with the BCRs:
(a) The BCRs are binding obligations and failure to follow them may result in employee disciplinary action, including termination and other penalties as provided by law.
(b) TDCX accepts responsibility for and agrees to oversee the TDCX Group’s compliance with the BCRs and shall help ensure Third Parties take the necessary action to remedy any acts of non-compliance relating to the BCRs. If a member of these BCRs outside the EU violates the BCRs, the courts or other competent authorities in the EU will have jurisdiction and the Data Subject will have the rights and remedies against the TDCX entity that has accepted responsibility and liability.
The BCR member that has accepted liability will also have the burden of proof to demonstrate that the BCR member outside the EU is not liable for any violation of the rules which has resulted in the Data Subject claiming damages. If the BCR member that has accepted liability can prove that the BCR member outside the EU is not responsible for the event giving rise to the damage, it may discharge itself from any responsibility.
(c) The Data Protection Officer shall investigate claims of non-compliance to determine if a violation of the BCRs has occurred. If a violation is confirmed, the Data Protection Officer and the relevant concerned TDCX entity shall work together to address and resolve the violation within a commercially reasonable time.
20.2 TDCX customers, contractors, employees and candidates for employment shall have the right to claim enforcement of the BCRs or liability as third party beneficiaries as set out in the BCRs in respect of:
(a) Application of laws;
(b) Principles for processing Personal Data;
(c) Rights of access, rectification, erasure, restriction, objection to processing, right not to be subject to decisions based solely on automated processing, including profiling;
(d) Transparency and easy access to BCRs;
(e) Security, confidentiality;
(f) Consent;
(g) Transfers of Personal Data;
(h) Direct marketing;
(i) Complaint handling processes;
(j) Liability and third party rights; and
(k) Obligations towards Data Protection Authorities.
TDCX customers, contractors, employees and candidates for employment shall have the right to claim appropriate compensation from TDCX before the AEPD or courts in accordance with the BCRs and applicable law. The enforcement rights and mechanisms described in this Article are in addition to other remedies or rights available under applicable law.
ARTICLE 21: OBLIGATIONS TOWARDS DATA PROTECTION AUTHORITIES AND REGULATORS
21.1 Obligations towards the AEPD
21.2 Mutual Assistance and Cooperation with Data Protection Authorities
(a) TDCX entities shall cooperate and assist each other when responding to a request or complaint from an individual or an investigation or inquiry by the AEPD or other relevant data authority.
(b) TDCX entities shall abide by the advice of the AEPD on any issues regarding the interpretation of the BCRs.
21.3 Obligations towards the Singapore Data Protection Commission and data protection regulators worldwide
21.4 Mutual Assistance to and Cooperation with Regulators
(a) TDCX entities shall cooperate and assist one another when responding to a request or complaint from an individual or an investigation or inquiry by a Regulator.
(b) TDCX entities shall abide by the advice of Regulators on any issues regarding the interpretation of the BCRs.
21.5 TDCX Singapore Binding Corporate Rules
TDCX Singapore Binding Corporate Rules may be accessed on the TDCX website at www.tdcx.com/policies/bcr-sg.
22.1 The BCRs shall only be amended with the prior approval of the Data Protection Officer. Where applicable, the Data Protection Officer shall obtain the authorization of the AEPD for any relevant changes to the BCRs.
22.2 No transfer of data shall be made to a TDCX entity or Staff until the transfer is appropriately covered by the BCRs and relevant compliance measures are in operation.
22.3 Any amendment shall only enter into force after it has been approved by the Data Protection Officer and published on the TDCX website.
22.4 The Data Protection Officer shall be responsible for informing the AEPD of significant changes to the BCRs on an [annual] [regular] basis. The Data Protection Officer shall inform the TDCX Board of the advice, guidance or response of the AEPD, if any.
22.5 Any request, complaint or claim involving the BCRs shall be determined by reference to the version of the BCRs that is in force at the time the request, complaint or claim is made.
Last updated: September 2024