1. Purpose
This Policy establishes an effective, accountable, and transparent framework for ensuring compliance with the requirements of various Privacy Laws with Milestone Technologies.
2. Scope
This Policy documents Milestone’s overall approach to managing privacy, which includes but is not limited to information relating to employees, business partners, customers and any third parties etc.
As a US-based company serving clients all across the globe, we comply with the California Consumer Privacy Act, 2018 (‘CCPA’); California Privacy Rights Act, 2020 (‘CPRA’); EU General Data Protection Regulations, 2018 (‘EU GDPR’), United Kingdom General Data Protection Regulation, 2018 (‘UK GDPR’) and UK Data Protection Act, 2018 (‘UK DPA’), India Digital Personal Data Protection Act, 2023 (‘DPDPA’), Singapore Personal Data Protection Act, 2012 (‘PDPA’) and Philippines Data Privacy Act, 2012 (‘PH-DPA’) with jurisdiction-specific requirements addressed in dedicated sections of this Policy.
Applicability
This Policy applies to all collection and processing of Personal Data by Milestone relating to:
- Employees, trainees, interns, and contractors
- Job applicants and candidates
- Customers and client representatives
- Vendors, consultants, and service providers
- Website users and digital platform visitors
- Any identifiable individual whose Personal Data is processed by Milestone
Organizational Scope
This Policy applies to:
- All Milestone business units and subsidiaries
- Third parties processing Personal Data on Milestone’s behalf
- Systems, applications, and platforms operated or managed by Milestone
Territorial Scope
This Policy applies to processing:
- Within India
- Outside India where processing relates to offering goods or services to individuals in India.
Note: The territorial scope set out in Section 2.3 above reflects the specific applicability criteria under India’s DPDPA. For all other jurisdictions referenced in Section 2 (including CCPA/CPRA, EU GDPR, UK GDPR, Singapore PDPA, and Philippines PH-DPA), the applicable territorial scope is determined by the requirements of each respective law. This Policy is to be read and applied accordingly on a jurisdiction-by-jurisdiction basis.
3. Review
The document shall be under the control of the Information Security Team who shall be responsible for updating the Policy to reflect on any updates and amendments as needed. Such updates/amendments/additions shall be approved by the Chief Information Security Officer (CISO) on the recommendation of the CISO. This Policy shall be reviewed at least on an annual basis by the Information Security Team or in case of any major changes.
4. Compliance and Exceptions
4.1 Compliance Measurement
The Information Security Team will verify compliance with this Policy through various methods, including but not limited to, periodic walk-throughs, monitoring business tool reports, internal and external audits, and feedback to the Policy owner.
4.2 Exception
Periodically, technical or business requirements may require an exception to specific requirements within this Policy. The CISO, their appointed designee, can authorize an exception (“Policy Exception”), following an appropriate risk assessment. Any Policy Exception shall include an assessment of potential harm to Data Principals and documentation of mitigation measures.
5. Distribution
This Policy is to be distributed to
- All Milestone business units and subsidiaries
- Third parties processing Personal Data on Milestone’s behalf
- Systems, applications, and platforms operated or managed by Milestone.
6. Non-Compliance
Breach of company Policy may be subject to disciplinary action, up to and including termination of contract or fine or both. This is applicable to all the employees (including contractors, interns, and part-time employees), vendors, and external contractors as well.
7. Policy Statement
Milestone is committed to processing Personal Data only for lawful purposes, with Consent or other permitted grounds under applicable data protection laws, including GDPR and the Digital Personal Data Protection Act, 2023 and in line with the highest standards of ethical conduct. This Policy sets forth the expected behaviors of Milestone employees and third parties in relation to the collection, use, correction, retention, transfer, disclosure, and destruction of any personal data belonging to Milestone or its client’s contact (i.e., the Data Principal and hereafter referred as Milestone contact).
Personal Data is any information (including opinions and intentions) which relates to an identified or identifiable natural person. Personal Data is subject to certain legal safeguards and other regulations, which impose restrictions on how organizations may process Personal Data. Any person or organization that handles Personal Data determines the need and purpose for the data collected, about its use and disposal is known as a Data Fiduciary. Milestone may act as a Data Fiduciary/Controller or Data Processor depending on the context of processing. In each case, Milestone will comply with applicable legal obligations relevant to its role. Non-compliance may expose Milestone to complaints, regulatory action, fines and/or reputational damage. Where Milestone acts as a Data Processor on behalf of a client under a Master Services Agreement or similar engagement, the processing of Personal Data in that context is governed by the specific Data Processing Agreement concluded with that client. In such cases, the client acts as the Data Controller/Data Fiduciary, and Milestone’s obligations and liabilities are defined and limited by the terms of that Data Processing Agreement and MSA. This Policy does not create additional Controller-level obligations for Milestone in respect of Personal Data that it processes solely on client instructions.
Milestone, as a Data Processor, is responsible for ensuring compliance with the requirements of the Data Fiduciary and with the data protection requirements outlined in this Policy. Non-compliance may expose Milestone and the Data Fiduciary to complaints, regulatory action, fines and/or reputational damage.
Sub-Processor Management and Notification. Where Milestone engages sub-processors to assist in the delivery of services involving Personal Data, it shall ensure that sub-processors are bound by data protection obligations at least equivalent to those imposed on Milestone under the applicable Data Processing Agreement and this Policy.
8. Governance
Everyone who works for or with Milestone has some responsibility to ensure that data is collected, stored, and handled appropriately. Each team that handles Personal Data must ensure that it is handled and processed in line with this Policy and data protection principles. The Board of Directors are responsible for ensuring that Milestone meets its legal obligations.
9. Data Protection Officer
To demonstrate our commitment to data protection, and to enhance the effectiveness of our compliance efforts, Milestone has appointed the Chief Information Security Officer which shall act as the Data Protection Officer (“DPO”) at Milestone. The Data Protection Officer works with the Information Security at Milestone along with members from the Executive Team.
The duties of the Data Protection Officer and Information Security Team include:
- Informing and advising Milestone and its employees who carry out processing pursuant to data protection regulations and laws;
- Ensuring the alignment of this Policy with data protection regulations;
- Providing guidance with regards to conducting Data Protection Impact Assessments (DPIAs);
- Acting as a point of contact for and cooperating with Data Protection Authorities (DPAs);
- Determining the need for notifications to one or more DPAs because of Milestone’s current or intended personal data processing activities;
- The establishment and operation of a system providing prompt and appropriate responses to Data Principal requests;
- Informing employees of Milestone of any potential corporate, civil, and criminal penalties which may be levied against Milestone and/or its employees for violation of applicable data protection laws.
10. Data Protection by Design
To ensure that all data protection requirements are identified and addressed when designing new systems or processes or services and/or when reviewing or expanding existing systems or processes or services, each of them must go through an approval process before continuing. Each Milestone service/entity must ensure that a Data Protection Impact Assessment (DPIA) is conducted, in cooperation with the DPO, for all new and/or revised systems or processes for which it has responsibility. The subsequent findings of the DPIA must then be submitted to the Information Security Team for review and approval. Where applicable, any third-party Information Technology (IT) contractors, as part of Milestone’s IT system and application design review process, will cooperate with the DPO to assess the impact of any new technology uses on the security of Personal Data. Milestone shall publish a Privacy by Design Policy, where required under the DPDPA, describing managerial, organizational, business practices, and technical systems designed to safeguard Personal Data.
11. Compliance Monitoring
To ensure that adequate level of compliance is being achieved by all Milestone services/entities in relation to this Policy, the DPO shall conduct regular data protection compliance audit for all such services/entities. Each audit will, as a minimum, assess:
- Compliance with Policy in relation to the protection of personal data, including:
- The assignment of responsibilities:
- Raising awareness.
- Training of employees.
- The effectiveness of data protection related operational practices, Data Protection Principles.
- Regulatory Requirements to be updated as per legislative changes
Milestone has adopted the following principles to govern its collection, use, correction, retention, transfer, disclosure, and destruction of Personal Data:
- Principle 1: Lawfulness, Fairness and Transparency. Personal Data shall be processed lawfully, fairly and in a transparent manner in relation to the Data Principal. This means, Milestone must tell the Data Principal what processing will occur (transparency), the processing must match the description given to the Data Principal (fairness), and it must be for one of the purposes specified in the applicable data protection regulation (lawfulness).
- Principle 2: Purpose Limitation. Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes. This means Milestone must specify exactly what the personal data collected will be used for and limit the processing of that personal data to only what is necessary to meet the specified purpose.
- Principle 3: Data Minimization. Personal data shall be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed. This means Milestone must not store any personal data beyond what is strictly required.
- Principle 4: Accuracy. Personal data shall be accurate and kept up to date. This means Milestone must have in place processes for identifying and addressing out-of-date, incorrect, and redundant personal data.
- Principle 5: Storage Limitation. Personal data shall be kept in a form which permits the identification of Data Principals no longer than is necessary for the purposes for which the personal data is processed. This means Milestone must, wherever possible, store personal data in a way that limits or prevents identification of the Data Principal.
- Principle 6: Integrity and Confidentiality. Personal data shall be processed in a manner that ensures appropriate security of the Personal Data, including protection against unauthorized or unlawful processing, and against accidental loss, destruction, or damage. Milestone must use appropriate technical and organizational measures to ensure the integrity and confidentiality of personal data is always maintained.
- Principle 7: Accountability. The Data Fiduciary shall be responsible for and be able to demonstrate compliance. This means Milestone must demonstrate that the six data protection principles (outlined above) are met with all personal data for which it is responsible.
12. Data Collection
12.1 Data Sources
Personal data should be collected only from the Data Principal unless one of the following applies:
- The nature of the business purpose necessitates collection of Personal Data from other persons or bodies. E.g., Benefit Information, job references etc.
- The collection must be conducted under emergency circumstances to protect the vital interests of the Data Principal or to prevent serious loss or injury to another person. E.g., Jobseeker Safeguarding
If Personal Data is collected from someone other than the Data Principal, the Data Principal must be informed of the collection unless one of the following applies:
- The Data Principal has received the required information by other means.
- The information must remain confidential due to professional secrecy obligation
- National law expressly provides for the collection, processing, or transfer of Personal Data.
Where it has been determined that notification to a Data Principal is required, notification should occur promptly, but in no case later than:
- One calendar month from the first collection or recording of Personal Data
- At the time of first communication, if used for communication with the Data Principal
- At the time of disclosure, if disclosed to another recipient.
12.2 Data Collection
We will process the following categories of Personal Data about you:
- Personal contact details including name, address, phone number and personal e-mail address;
- Location of employment or workplace;
- Professional and educational information
- Personal mailing address information
- Recruitment information;
- Employment records;
- Personal e-signature
- Information about your use of our information and communication systems;
We may also collect, store, and use the following categories of Personal Data that may pose higher risk to Data Principals due to their nature or context:
- Information about criminal convictions/offences,
- Health information including any medical condition,
- Genetic information and biometric data.
Processing of Special Categories of Personal Data shall be subject to enhanced safeguards to prevent harm to Data Principals. Where processing involves Special Categories of Personal Data, Milestone implements enhanced safeguards proportionate to the risk.
You may provide us with Personal Data in the course of your employment with us. We also collect Personal Data about you through our application and recruitment processes, either directly from you or sometimes from third parties. The third parties from whom we may have collected your Personal Data include:
- Recruitment or human resource service providers,
- Health professionals,
- Insurers and insurance brokers,
- Nominated referees, and
- Law enforcement agencies.
Personal Data shall be collected only to the extent necessary for the specified purpose and shall not be excessive.
13. Data Principal Consent
Each Milestone service/entity will obtain Personal Data only by lawful and fair means and, where appropriate, with the knowledge and consent of the individual concerned. Where a need exists to request and receive the consent of an individual prior to the collection, use or disclosure of their personal data, Milestone is committed to seeking such consent. Consent, where required by applicable law, shall be:
- Free, specific, informed, and unambiguous
- Provided through clear affirmative action
- As easy to withdraw as it is to give
Where Consent is not required, Milestone will rely on other lawful grounds permitted by applicable law.
The Data Protection Officer, in cooperation with other relevant business representatives, shall establish a system for obtaining and documenting Data Principal Consent for the collection, processing, and/or transfer of their personal data. For its Indian customers/residents, Milestone shall appoint a Consent Manager fulfilling all the requirements of the Indian laws to give, manage, review and withdraw the Data Principal’s consent through an accessible, transparent and interoperable platform. Milestone shall maintain auditable records of Consent in a machine-readable format, where required by law.
14. Data Principal Notification
Each Milestone service/entity will, when required by applicable law or contract, or where it considers that it is appropriate to do so, provide Data Principals with information as to the purpose of the processing of their personal data. When the Data Principal is asked to give Consent to the processing of Personal Data and when any Personal Data is collected from the Data Principal, all appropriate disclosures will be made, in a manner that draws attention to them, unless one of the following applies:
- The Data Principal already has the information;
- A legal exemption applies to the requirements for disclosure and/or Consent. The disclosures may be given orally, electronically or in writing. If given orally, the person making the disclosures should use a suitable script or form approved in advance by the Data Protection Officer. The associated receipt or form should be retained, along with a record of the facts, date, content, and method of disclosure
As per DPDPA, the notice provided to Data Principals shall include:
- Purpose of processing
- Categories of Personal Data processed
- Rights available under the DPDPA
- Grievance redressal mechanism
- Contact details of the Grievance Officer
15. External Privacy Notice
Each external website provided by Milestone will include an online ‘Privacy Statement’ and an online ‘Cookie Notice’, fulfilling the requirements of applicable law(s).
16. Data Use
16.1 Data Processing
Milestone uses the personal data of its contacts for the following broad purposes:
- The general running and business administration of Milestone services/entities;
- To provide services to Milestone’s stakeholders;
- The ongoing administration and management of customer services.
The use of a contact’s information should always be considered from their perspective and whether the use will be within their expectations or if they are likely to object. For example, it would clearly be within a contact’s expectations that their details will be used by Milestone to respond to a contact request for information about the products and services on offer. However, it will not be within their reasonable expectations that Milestone would then provide their details to third parties for marketing purposes.
Vendors, Contractors and other entities which use Milestone collected and processed data will process Personal Data in accordance with all applicable laws and applicable contractual obligations. More specifically, Milestone will not process Personal Data unless at least one of the following requirements are met:
- The Data Principal has given consent to the processing of their personal data for one or more specific purposes;
- Processing is necessary for the performance of a contract to which the Data Principal is party or to take steps at the request of the Data Principal prior to entering a contract;
- Processing is necessary for compliance with a legal obligation to which the Data Fiduciary is subject;
- Processing is necessary to protect the vital interests of the Data Principal or of another natural person;
- Processing is necessary for the performance of a task conducted in the public interest or in the exercise of official authority vested in the Data Fiduciary;
- Processing is necessary for the purposes of the legitimate interests (where permitted by applicable law) and lawful uses permitted under the DPDPA by the Data Fiduciary/Processor or by a third party (except where such interests are overridden by the interests or fundamental rights and freedoms of the Data Principal, where the Data Principal is a child);
- For Indian residents, the Personal Data can be processed without Consent of the Data Principal on any one of the following additional grounds:
- For the specified purpose for which the Data Principal has voluntarily provided his personal data to Milestone, and in respect of which he has not indicated to us that he does not consent to the use of his personal data;
- For fulfilling any legal obligation to disclose any information to the government;
- For compliance with any judgment or decree or order issued under any law for the time being in force in India, or any judgment or order relating to claims of a contractual or civil nature under any law for the time being in force outside India;
- For responding to a medical emergency involving a threat to the life or immediate threat to the health of the Data Principal or any other individual;
- For taking measures to provide medical treatment or health services to any individual during an epidemic, outbreak of disease, or any other threat to public health;
- For taking measures to ensure safety of, or provide assistance or services to, any individual during any disaster, or any breakdown of public order
- For the purposes of employment or those related to safeguarding the employer from loss or liability, such as prevention of corporate espionage, maintenance of confidentiality of trade secrets, intellectual property, classified information or provision of any service or benefit sought by a Data Principal who is an employee.
There are some circumstances in which Personal Data may be further processed for purposes that go beyond the original purpose for which the personal data was collected. When deciding as to the compatibility of the new reason for processing, guidance and approval must be obtained from the Data Protection Officer before any such processing may commence.
In any circumstance where consent has not been gained for the specific processing in question, Milestone will address the following additional conditions to determine the fairness and transparency of any processing beyond the original purpose for which the personal data was collected:
- The Data Principal has given consent to the processing of their personal data for one or more specific purposes;
- The context in which the personal data has been collected, regarding the relationship between Data Principal and the Data Fiduciary;
- The nature of the personal data, whether Special Categories of Personal Data are being processed, or whether personal data related to criminal convictions and offences are being processed;
- The possible consequences of the intended further processing for the Data Principal;
- The existence of appropriate safeguards pertaining to further processing, which may include encryption, anonymization or pseudonymization.
16.2 Special Categories of Data
Milestone will only process Special Categories of Personal Data where the Data Principal expressly consents to such processing or where one of the following conditions apply:
- The processing relates to personal data which has already been made public by the Data Principal;
- The processing is necessary for the establishment, exercise, or defense of legal claims;
- The processing is specifically authorized or required by law;
- The processing is necessary to protect the vital interests of the Data Principal or of another natural person where the Data Principal is physically or legally incapable of giving consent;
- Further conditions, including limitations, based upon national law related to the processing of genetic data, biometric data or data concerning health;
- In any situation where Special Categories of Personal Data are to be processed, prior approval must be obtained from the Data Protection Officer, and the basis for the processing clearly be recorded with the personal data in question. Where special categories of data are being processed, Milestone will adopt additional protection measures.
16.3 Data Quality
Each Milestone service/entity will adopt all necessary measures to ensure that the personal data it collects, and processes is complete and accurate in the first instance and is updated to reflect the current situation of the Data Principal. The measures adopted by Milestone to ensure data quality include:
- Correcting personal data known to be incorrect, inaccurate, incomplete, ambiguous, misleading, or outdated, even if the Data Principal does not request rectification;
- Keeping personal data only for the period necessary to satisfy the permitted uses or applicable statutory retention period;
- The removal of personal data if in violation of any of the data protection principles or if the personal data is no longer required;
- Restriction, rather than deletion of personal data, as far as:
- A law prohibits erasure.
- erasure would impair legitimate interests of the Data Principal.
- The Data Principal disputes that their personal data is correct, and it cannot be clearly ascertained whether their information is correct or incorrect.
17. Change of Purpose
We will only use your Personal Data for the purposes for which we collected it, unless we consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your Personal Data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so. Where processing for a new purpose is materially different from the original purpose, Milestone shall obtain fresh Consent from the Data Principal unless otherwise permitted by law.
Please note that we may process your Personal Data without your knowledge or Consent, in compliance with the above rules, where this is required or permitted by law.
18. Profiling and Automated Decision Making
Milestone will only engage in profiling and automated decision-making where it is necessary to enter, or to perform, a contract with the Data Principal or where it is authorized by law. Where a Milestone service/entity utilizes profiling and automated decision-making, this will be disclosed to the relevant Data Principals. In such cases the Data Principal will be given the opportunity to:
Milestone’s automated decision-making practices are designed to align with emerging regulatory standards, including the obligations relevant to high-risk AI systems under relevant laws and equivalent frameworks, as applicable. Any automated or algorithmic decision that produces a legal or similarly significant effect on a Data Principal shall be subject to the safeguards set out in the list below.
- Express their point of view;
- Obtain an explanation for the automated decision, including the right to a meaningful explanation of the logic, significance, and envisaged consequences of such processing, particularly where the decision impacts the Data Principal’s legal status, professional standing, or access to services;
- Review the logic used by the automated system;
- Supplement the automated system with additional data;
- Have a human conduct a review of the automated decision;
- Contest the automated decision;
- Object to the automated decision-making being conducted. Each Milestone service/entity must also ensure that all profiling and automated decision-making relating to a Data Principal is based on accurate data.
19. Digital Marketing
As a rule, Milestone will not send promotional or direct marketing material to any Milestone contact through digital channels such as mobile phones, email, and the Internet, without obtaining explicit Consent of Data Principals. Any Milestone service/entity wishing to conduct a digital marketing campaign without obtaining prior Consent from the Data Principal must first have it approved by the Data Protection Officer. Where personal data (e.g., case studies or photographs) processing is approved for digital marketing purposes, the Data Principal must be informed at the point of first contact that they have the right to object, at any stage, to having their data processed for such purposes. If the Data Principal puts forward an objection, digital marketing related processing of their personal data must cease immediately, and their details should be kept on a suppression list with a record of their opt-out decision, rather than being completely deleted. It should be noted that where digital marketing is conducted in a ‘business to business’ context, there is no legal requirement to obtain an indication of Consent to conduct digital marketing to individuals if they are given the opportunity to opt-out. Data Principals shall be provided with a clear and accessible mechanism to opt out of marketing communications at any time.
20. Data Retention
To ensure fair processing, personal data will not be retained by Milestone for longer than necessary in relation to the purposes for which it was originally collected, or for which it was further processed. The length of time for which Milestone services/entities need to retain personal data is set out in Milestone’s ‘Data Retention Policy.’ This considers the legal and contractual requirements, both minimum and maximum, that influence the retention periods set forth in the schedule. All personal data should be deleted or destroyed as soon as possible where it has been confirmed that there is no longer a need to retain it. Personal data shall be deleted upon the earlier of: (a) the completion of the purpose for which it was collected or further processed; or (b) the expiration of any applicable legal or statutory holding period (including, without limitation, financial records required for tax audit purposes and employment records required by applicable labour law, which may require retention for up to seven (7) years or such longer period as prescribed by law). Where a Data Principal exercises a right to erasure and a statutory retention obligation applies, Milestone will restrict processing of the relevant data to compliance purposes only and delete it upon expiry of the mandatory holding period, notifying the Data Principal accordingly.
21. Data Protection
Each Milestone service/entity will adopt physical, technical, and organizational measures to ensure the security of personal data. Security safeguards shall be proportionate to the risk of harm to Data Principals arising from unauthorized processing or data breaches. This includes the prevention of loss or damage, unauthorized alteration, access or processing, and other risks to which it may be exposed by virtue of human action or the physical or natural environment. A summary of the personal data related to security measures is provided below:
- Prevent unauthorized people from gaining access to data processing systems in which personal data are processed;
- Prevent people entitled to use a data processing system from accessing personal data beyond their needs and authorizations;
- Ensure that personal data during electronic transmission during transport cannot be read, copied, modified, or removed without authorization;
- Ensure that access logs are in place to establish whether, and by whom, the personal data was entered, modified on or removed from a data processing system;
- Ensure that in the case where processing is conducted by a Data Processor, the data can be processed only in accordance with the instructions of the Data Fiduciary;
- Ensure that personal data is protected against undesired destruction or loss;
- Ensure that personal data collected for different purposes can and is processed separately;
- Ensure that personal data is not kept longer than necessary.
22. Data Principal Rights
Milestone Technologies has a system in place to enable and facilitate the exercise of Data Principal rights related to:
22.1 Rights Pertaining to EU and UK Residents
- Right to access – You have a right to and are allowed access to your Personal Data that is processed.
- Right to erasure – You may request erasure of your Personal Data only under certain circumstances which include but are not limited to unlawful processing of your data, if your Personal Data is no longer necessary in relation to the purposes for which it was collected or otherwise processed, if you withdraw your Consent etc. Please note, however, that we may need to retain certain information to comply with our legal obligations.
- Right to rectification – You may at any time request for rectification of your Personal Data that we process. You may also complete Personal Data if it is incomplete.
- Right to restriction of processing – You have a right to restrict the processing of Personal Data if you contest the accuracy of the data, lawfulness of processing and or if you have objected to processing of data or if the data is no longer needed for the purpose of processing. We will inform you when such restrictions are lifted.
- Right to data portability – You have a right to receive the Personal Data you have provided to us in a structured, commonly used, and machine-readable format. You are also entitled to the right to transmit your Personal Data to another controller where it is technically feasible.
- Right to object – You have a right to object to the processing of your Personal Data. You have a right to object where your Personal Data is processed for marketing purposes.
22.2 Rights Pertaining to California Residents
- Right to access – You have a right to and are allowed access to the data that we collect and process.
- Right to deletion – You have a right to request the deletion of your Personal Data. This right is a subjective right, we may not comply with a data deletion request if we are permitted and/or required under the law.
- Right to disclosure – You have a right to request us to disclose the categories of Personal Data collected, sources from which Personal Data is collected, the purpose of collecting Personal Data, and categories of third parties with whom Personal Data is shared.
- Right to Correct Inaccurate Personal Information – You have the right to request changes and alterations to the personal information collected by the business that has since become outdated/incorrect/obsolete.
- Right to Opt-Out – You have the right to opt-out of having any of your collected data or information being sold/shared by a business.
- Right to Limit Use and Disclosure of Sensitive Personal Information (SPI) – You have the right to restrict the usage of the sensitive personal information collected.
- Right to Withdraw Consent - The Data Principal shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the Data Principal shall be informed thereof. It shall be as easy to withdraw as to give consent.
- Right of No Retaliation Following Opt-Out or Exercise of Other Right - You have a right not to be discriminated against for exercising certain rights under California law.
While California residents have the right to opt out of the sale of their personal information under CCPA, we do not sell personal information to any third parties, and therefore, we have not included a “Do Not Sell My Personal Information” link on our Site. If our practices change, we will update this Privacy Policy and take any other necessary action to comply with applicable law.
If you are a California resident and you want to exercise any of your rights as set forth above, please contact us at privacy@milestone.tech For all requests, it is helpful to put the statement “California Privacy Rights” in the body of your request, describe the nature of your request, and provide your name, street address, city, state, and zip code. In your request, you need to attest to the fact that you are a California resident and provide a current California address for our response.
22.3 Rights Pertaining to Singapore Residents
- You shall, to the extent that the applicable law allows, have the right to request access to your Personal Data held by us.
- You have a right to request correction/ rectification of your Personal Data entrusted to us or update your Personal Data held by us.
- You have a right to request us at any time to limit the processing and use of your Personal Data.
- You may by giving notice, withdraw any Consent given to us for the collection, use or disclosure of your Personal Data.
- You have the right to seek for private action if your personal data is not processed in accordance with the legislation.
- You have the right to request the Data Fiduciary, to collect, use, process the data accurately.
22.4 Rights Pertaining to Philippines Residents
- You have the right to be informed when your data is being collected by Milestone.
- You have the right to access the data that is being collected and processed by Milestone.
- You have the right to request for deletion of the data processed.
- You have the right to request for correction of inaccurate data
- You have the right to object to the processing of data by Milestone
- Data Principals have the right to claim damages sustained by the Data Principal due to processing of personal data that is not in compliance with the law.
22.5 Rights pertaining to Indian Residents
Under DPDPA, Milestone shall respond to Data Principal requests within timelines prescribed under applicable law. The Data Principals have the following rights:
- You shall have a right to access information about your personal data.
- You have a right to the correction and erasure of your personal data
- You have the right to grievance redressal
- You have the right to nominate
- Apart from the above-mentioned rights, you have the option to withdraw consent.
We shall upon receipt of such notice inform you of the repercussions of withdrawing your consent. We may not allow withdrawal of consent in circumstances where it is required or authorized under this Act or any other written law. It is essential to note that your withdrawal of consent could result in legal consequences arising from such withdrawal.
Milestone will consider each such request in accordance with all applicable data protection laws and regulations. No administration fee will be charged for considering and/or complying with such a request unless the request is deemed to be unnecessary or excessive in nature. Data Principals are entitled to make such request, made in writing or sending email to the Information Security Team at privacy@milestone.tech.
*Rights under other applicable relevant laws can be referred to from the DSR Manual.
23. Law Enforcement Requests and Disclosures
In certain circumstances, it is permitted that personal data be shared without the knowledge or consent of a Data Principal. This is the case where the disclosure of personal data is necessary for any of the following purposes:
- The prevention or detection of crime.
- The apprehension or prosecution of offenders.
- The assessment or collection of a tax or duty.
- By the order of a court or by any rule of law.
If a Milestone service/entity processes personal data for one of these purposes, then it may apply an exception to the processing rules outlined in this Policy but only to the extent that not doing so would be likely to prejudice the case in question. If any Milestone service/entity receives a request from a court or any regulatory or law enforcement authority for information relating to a Milestone contact, you must immediately notify the Data Protection Officer who will provide comprehensive guidance and assistance.
24. Data Protection Training
All Milestone employees that have access to personal data will have their responsibilities under this Policy outlined to them as part of their staff induction training. In addition, each Milestone service/entity will receive regular Data Protection training and procedural guidance. All trainings will be recorded and can be always accessed by employees.
25. Data Transfers
- The Data Principal has given Consent to the proposed transfer;
- The transfer is necessary for the performance of a contract with the Data Principal;
- The transfer is necessary for the implementation of pre-contractual measures taken in response to the Data Principal’s request;
- The transfer is necessary for the conclusion or performance of a contract concluded with a third party in the interest of the Data Principal;
- The transfer is legally required on important grounds of public interest;
- The transfer is necessary for the establishment, exercise, or defense of legal claims;
- The transfer is necessary to protect the vital interests of the Data Principal;
In the case of Indian residents, the transfer of Personal Data to any other person or body corporate whether in India or outside India is permitted if that person or body corporate has the same level of protection that is provided under the Digital Personal Data Protection Act, 2023 (DPDPA), the applicable rules, and that the transfer is not restricted by the Central Government, subject to compliance with any conditions notified under the DPDPA. Milestone shall monitor notifications issued by the Government of India identifying restricted jurisdictions.
26. Complaint Handling
Data Principals with a complaint about the processing of their personal data, should put forward the matter in writing to the Data Protection Officer (DPO). Data Principals can use the email address privacy@milestone.tech, or the phone number and postal address provided on Milestone’s website privacy statement, to reach out to the DPO.
27. Data Breach
- Unauthorized disclosure of Personal Data.
- Loss or theft of confidential or sensitive data.
- Loss or theft of equipment on which Personal Data is stored (e.g., loss of a laptop, USB stick, iPad/tablet device, or paper record).
- Unauthorized use of access to or modification of IT, data, or information systems (e.g., via a hacking attack), and
- Attempts (failed or successful) to gain unauthorized access to IT, data, or information systems.
If any member of Staff, or other person learns of a suspected or actual Personal Data Breach, it must be reported to Information Security Team via mail at privacy@milestone.tech. The report should include as many details of the incident as possible, including date and time of the breach (if known), the nature of the information concerned, and how many individuals are involved.
The Information Security Team will perform incident management and take appropriate remedial measures in a timely manner. Staff shall report any Data Breach as soon as they become aware of such breach.
- nature of personal data which is the subject-matter of the breach
- volume of Data Principals affected by the breach
- potential consequences of the said data breach and,
- action taken report and root cause analysis conducted by Milestone to remediate the data breach.
The above notice shall be made by Milestone to the Authority without undue delay and, where feasible, not later than 72 hours after becoming aware of the breach, as required by applicable law. This timeline takes into account any time required to adopt urgent measures to remedy the breach or mitigate any immediate harm. Milestone shall provide such information to the Authority in phases if it is not possible to provide all the information specified above, without undue delay. Upon receipt of a notice, the Authority shall determine whether a such breach should be reported to the respective Data Principals by Milestone, considering the severity of the harm that may be caused to such Data Principals or whether some action is required on the part of the Data Principal to mitigate such harm. The Authority may, in addition, also post the details of the personal data breach on its website.
28. Children's Personal Data
29. Annexure 1: Definitions
- Adjudicating Authority shall mean and include the following:
- The primary supervisory authorities for GDPR compliance are the Data Protection Authorities (DPAs) of each EU member state. Individuals can lodge complaints with their respective national DPAs, which oversees enforcement within that jurisdiction.
- The Data Protection Board of India (DPBI) serves as the adjudicating authority under the DPDPA, responsible for addressing grievances, investigating breaches, and enforcing compliance with the law.
- The Personal Data Protection Commission (PDPC) is the regulatory authority under Singapore’s Personal Data Protection Act (PDPA). It is responsible for enforcing compliance, investigating breaches, addressing complaints, and issuing guidelines to support organizations in adhering to data protection requirements.
- Under the UK GDPR and UK DPA, the Information Commissioner’s Office (ICO) serves as the regulatory authority. It is responsible for overseeing compliance, investigating data breaches, addressing complaints, and enforcing data protection laws.
- The National Privacy Commission (NPC) is the regulatory authority under the Philippines’ Data Privacy Act (PH-DPA). It is responsible for enforcing compliance, investigating data breaches, addressing complaints, and issuing guidelines to ensure the protection of personal data.
- The California Attorney General’s Office serves as the primary adjudicating authority under the CCPA. In addition, the California Privacy Protection Agency (CPPA) has enforcement powers to ensure businesses comply with the CCPA.
- Binding Corporate Rules means personal data protection policies which are adhered to by a controller or processor established on the territory of a Member State for transfers or a set of transfers of personal data to a controller or processor in one or more third countries within a group of undertakings, or group of enterprises engaged in a joint economic activity
- Consent means the Data Principal's Consent that is granted by a person with full legal capacity; the same shall be written, explicit, clear, and specific to the Processing of certain data; and shall be freely given by the Data Principal after being advised of the intended purpose or purposes of the Processing, together with, where the particular circumstances so require, of the consequences of refusing Consent.
- Cross Border Data Transfer means transfer of data out of physical perimeters of the host country
- Data Fiduciary/Controller is any entity or individual who determines the purposes and means of the Processing of Personal Data. The Data Fiduciary is responsible for ensuring that Personal Data is processed in compliance with applicable laws and regulations, and for implementing appropriate technical and organizational measures to protect the Data Principal's rights and freedoms.
- Data Processor means natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
- Data Principal means the person or individual subject of data, e.g., Customer, etc.
- Direct Marketing means the communication, by whatever means, of any marketing material or advertisement which is directed to a particular person.
- Legal Basis for Processing: In order to process personal data, you must have a legal basis to do so. The legal bases (or justifications) for processing personal data are set out in all the applicable regulations. These are: the consent of the individual or where it is necessary for; performance of a contract; compliance with a legal obligation; protection the vital interests of a person; the performance of a task carried out in the public interest; or in pursuit of the legitimate interests of the company/organisation or another (except where those interests are overridden by the interests or rights and freedoms of the Data Principal).
- Legitimate Interest is a legal basis for Processing Personal Data under data protection laws. It refers to a justified and lawful reason for Processing Personal Data that is necessary for the interests of the Company, provided it does not override the rights and freedoms of the individual.
- Personal Data means any information in any form concerning an identified individual, or an individual who can, directly or indirectly, be identified by reference, in particular, to his or her personal identification number, or by reference to one or more factors specific to his or her physical, physiological, intellectual, cultural, economic, or social identity. In determining whether an individual is identifiable, all the means that the Data Fiduciary or any other person uses or may have access should be taken into consideration.
- Personal Data Breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed
- Privacy Notice is a statement or document provided to individuals that explains how an organization collects, uses, discloses, and protects their Personal Data. It ensures transparency and informs individuals about their rights and data handling practices of Milestone Technologies.
- Processing means any operation carried out on Personal Data by any means, whether manual or automated, including collecting, recording, saving, indexing, organizing, formatting, storing, modifying, updating, consolidating, retrieving, using, disclosing, transmitting, publishing, sharing, linking, blocking, erasing and destroying data.
- Services means refers to all services, features, applications, information, and other offerings provided by Milestone Technologies through our website, and other platforms, user account management, and customer support.
- Standard Contractual Clauses means contractual clauses ensuring appropriate data protection safeguards can be used as a ground for data transfers from the EU to third countries.
- Vendor/Third Party means a natural or legal person, public authority, agency, or body other than the Data Principal, Data Fiduciary, Data Processor, and persons who, under the direct authority of the Data Fiduciary or Data Processor, are authorized to process Personal Data.