EU-US Data Privacy Framework

Overview

By this EU-US Data Privacy Framework (DPF) Notice, Neeyamo Inc. (hereinafter referred to as “Neeyamo,” “we,” “us,” or “our”) illustrates how we collect, use and disclose personally identifiable information that we receive in the US from the European Economic Area (EEA, which includes the European Union, Liechtenstein, Norway and Iceland) and the United Kingdom (UK, including Gibraltar). Neeyamo may also further rely on other compliance mechanisms, such as data processing agreements based on EU Standard Contractual Clauses. All the terms, capitalized or otherwise, used in this Notice shall have the same meaning as in Neeyamo’s Privacy Policy, which can be found at https://www.neeyamo.com

Commitment to Principles

Neeyamo recognizes that the EEA has established strict regulations regarding the handling of EEA Personal Data of the residents of EEA and/or UK, including requirements to provide adequate protection for such Personal Data transferred outside of the EEA and/or UK (and Gibraltar). To provide the required protection of the Personal Data about corporate customers, clients, suppliers, and business partners in the EEA and/or UK, received in the USA, Neeyamo has elected to self-certify to the EU-US Data Privacy Framework (DPF) administered by the US Department of Commerce.

For purposes of enforcing compliance with the EU-US DPF, Neeyamo is subject to the jurisdiction and enforcement authority of the US Federal Trade Commission.

Neeyamo complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF as set forth by the U.S. Department of Commerce. Neeyamo has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit: https://www.dataprivacyframework.gov/s/

Types of personal data collected

Neeyamo, being in the HR industry, collects sensitive and personal data required to process all activities such as Background Verification, Payroll, HR-related services, and technologies, where there is a legal basis and/or a legitimate reason, with your required consents, both directly and indirectly.

We collect such personal data as a data processor, to provide our services to our customers. When Neeyamo handles data for our clients, we may be a data controller or data processor, depending on the specifics of our contract. In such cases, Neeyamo makes sure that the obligations of the Standard Contractual Clauses are adhered to when the EEA data is further transferred for processing.

The Personal data transferred concern the following categories of data:

  • Contact information such as Full Name, Home Address, Email Address, Date of Birth, and Financial information
  • Documentation: Education/ Employment documents and Identity proofs.
  • Payroll data, such as banking data necessary to make payments to the data subject, compensation information, data on leave, paycheck details (including the following: total gross salary, employees wage tax (withheld by the employer), employees compulsory social security deduction, employees compulsory retirement deduction, employees compulsory unemployment deduction, employees additional medical care deduction, other compulsory or additional employees deductions, employees voluntary retirement deduction, employees voluntary medical care deduction, other employees voluntary deductions, total employee deductions, total net salary, expenses refund and advances, banking details, and third party payments (where acting as an employer surrogate when the employee is on leave for long-term sickness, accident at work or other reason)).

Special categories of data (if required and as applicable)

  • Bank account information
  • Where applicable, religious affiliation and information required for deducting sick payments (if required for payroll and tax processing); Passport, Social security numbers, details of disabilities, if any.
  • Other special categories of personal data contained in payroll information (if any)
  • Activities, interactions, preferences, transactional information and other computer and connection information (such as IP address) relating to use of our websites and our services
  • Log files, information collected by cookies and similar technologies about the pages viewed, links clicked, and other actions taken when accessing our website.

We collect and process customer personal information, both directly and indirectly, for the following purposes:

  • to provide service(s) agreed through commercial contracts,
  • to manage customer accounts within our applications,
  • to verify customer identity or to perform any other authentication that we need to provide service(s),
  • to maintain customer personal profiles,
  • to provide the services that the customer has requested, including processing transactions,
  • to tailor/customize our website or other services we provide to the customer as per customer requirements,
  • to enable third parties to perform services or functions on our behalf, for example, where this is necessary to process a transaction or provide services,
  • to comply with applicable laws and regulations.

Notice

Neeyamo notifies Data Subjects about its data practices regarding Personal Data received by Neeyamo in the US from the EEA (including Liechtenstein, Norway and Iceland) and/or UK (and Gibraltar). Neeyamo will not use or disclose Personal Data transferred from an EEA Member State and/or UK (and Gibraltar) to the United States for any purpose that has not previously been disclosed to the data subjects unless:

  1. The data subjects have received notice and an opportunity to exercise choice, as described below, with respect to such use or disclosure; or
  2. Applicable law permits the use or disclosure without requiring that Neeyamo first comply with the Notice and Choice Principles.

Choice

Neeyamo currently does not allow personal data to be either shared with a non-agent third party or used for any reason other than that for which it was provided. If this practice should change in the future, we will notify individuals beforehand and provide an opt-out choice. Neeyamo maintains reasonable procedures to help ensure that EEA and/or UK (and Gibraltar) Personal Data is reliable for its intended use, accurate, complete, and current.

Use and disclosure of personal data and accountability for onward transfer

Neeyamo limits the access to Personal Data to its employees, subcontractors, and third-parties that have a specific business reason for accessing such Personal Data. Neeyamo has partnerships and alliances in leveraging expertise and knowledge of various countries’ local labor laws, labor union rules and collective labor agreements.

We have a triangulated framework for compliance that comprises three different sources providing us with updates for all the countries on the changing legislative requirements:

  1. A central team of dedicated compliance experts to oversee and manage all compliance-related activities
  2. Partnership with leading global audit firms to warrant 100% compliance and to stay abreast of various aspects of compliance management
  3. Foot-on-the-ground presence in each and every jurisdiction through a network of carefully shortlisted in-country partners to guarantee local compliance

Neeyamo shall disclose personal information to our sub-contractors, who are engaged to provide part of the services on our behalf to our customers or are part of the supply chain in rendering service to customers by handling a portion of the process, in accordance with contractual agreements with the customer and applicable laws and regulations.

We will provide an individual opt-out choice, or opt-in for sensitive data, before we share your data with third parties other than our agents, or before we use it for a purpose other than that for which it was originally collected or subsequently authorized. To request to limit the use and disclosure of your personal information, please submit a written request to privacy@neeyamo.com. Note that Neeyamo may be required to share EEA and/or UK (and Gibraltar) based personal data in response to lawful requests by public authorities, including to meet national security and/or law enforcement requirements.

Neeyamo’s accountability for personal data that it receives in the United States under the Data Privacy Framework Principles (DPF Principles) and subsequently transfers to a third party is as described in the DPF Principles. In particular, Neeyamo remains responsible and liable under the DPF Principles if a third party that it engages to process the personal data on its behalf does so in a manner inconsistent with the Principles, unless Neeyamo proves that it is not a party to the event(s) giving rise to the damage.

Neeyamo may be required to release personal data of EU and/or UK individuals in response to legal requests by lawful authorities including to meet law enforcement and national security requirements.

Security

Neeyamo is committed to safeguarding the Personal Data that it receives from the EEA and/or UK from loss, misuse, unauthorized access, disclosure, alteration and destruction.

Neeyamo has implemented technical and organizational security measures to safeguard Personal Data. For example, facility security is designed to prevent unauthorized access to Neeyamo computers. Electronic security measures including, for example, network access controls, passwords and access logging provide protection from hacking and other unauthorized access. Considering technology threats and ransomware attacks, Neeyamo has implemented a cyber-security framework and controls to safeguard Personal Data.

Data integrity and purpose limitation

Neeyamo will use personal data only for the purposes for which it was collected or subsequently authorized by the customer. Neeyamo will take reasonable steps to ensure that personal data is relevant to its intended use. Neeyamo depends on you to update and correct your personal data to the extent necessary for the purposes for which it is collected and subsequently authorized by you.

Access

Neeyamo recognizes the right of EU and UK individuals to access their data. Upon request, Neeyamo will provide you with access to the personal information that we hold about you. You may also request to correct, amend, or delete incorrect information or request erasure of the personal information we hold about you if it is being or has been processed in violation of the DPF Principles. An individual who wishes to exercise this right should direct their query to privacy@neeyamo.com or via post at Neeyamo Data Privacy office to the Attention of DPO, Neeyamo Enterprise Solutions Private Limited, Lvl-1, IT-05 Blue ridge SEZ, Hinjewadi Phase-1, Pune-411057, Maharashtra, India. Upon such request to remove or correct the Personal data, we will respond within a reasonable timeframe or as required by law. Neeyamo may require verification of identity before providing access to Personal Data. Please note that in cases where Neeyamo is acting as a data processor on behalf of a customer, we may have to forward your request to that entity, which remains the data controller for your information.

Recourse, enforcement and liability

In compliance with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF, Neeyamo commits to resolve complaints about our collection or use of your personal information transferred to the U.S. pursuant to the EU-U.S. DPF. EU individuals with inquiries or complaints should first contact Neeyamo by email at privacy@neeyamo.com or via post to the Attention of DPO, Neeyamo Enterprise Solutions Private Limited, Lvl-1, IT-05 Blue ridge SEZ, Hinjewadi Phase-1, Pune-411057, Maharashtra, India.

Neeyamo has further committed to refer unresolved DPF Principles-related complaints to a U.S.-based independent dispute resolution mechanism, Data Privacy Framework Services, operated by BBB NATIONAL PROGRAMS. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit http://www.bbbprograms.org/dpf-complaints for more information and to file a complaint. This service is provided free of charge to you.

If your DPF complaint cannot be resolved through the above channels, under certain conditions, you may invoke binding arbitration for some residual claims not resolved by other redress mechanisms. See https://www.dataprivacyframework.gov/s/article/ANNEX-I-introduction-dpf

For Human Resources Data

If your complaint involves human resources data transferred to the United States from the EEA and/or UK in the context of the employment relationship and Neeyamo does not address it satisfactorily, Neeyamo commits to cooperate with the panel established by the EU data protection authorities (DPA Panel) or the United Kingdom Information Commissioner’s Office (ICO), as applicable, and to comply with the advice given by that authority. To pursue an unresolved human resources complaint, you should contact the state or national data protection or labor authority in the appropriate jurisdiction. Complaints related to human resources data should not be addressed to the BBB National Programs.

Contact details for the EU data protection authorities can be found at https://ec.europa.eu/justice/data-protection/bodies/authorities/index_en.htm

UK individuals can also file a complaint with the ICO at https://ico.org.uk/make-a-complaint/uk-extension-to-the-eu-us-data-privacy-framework-complaints-tool/

If your DPF complaint cannot be resolved through the above channels, under certain conditions, you may invoke binding arbitration for some residual claims not resolved by other redress mechanisms. See https://www.dataprivacyframework.gov/s/article/ANNEX-I-introduction-dpf

Changes to this Policy

We reserve the right to amend this Policy from time to time consistent with the requirements of the EU-US Data Privacy Framework.

Last updated on: 23 February 2024