Privacy Notice for Employees

  • Facebook
  • Twitter
  • Linkedin
  • Email

We at Genpact and our affiliated companies worldwide (“Genpact”) are a global professional services firm focused on delivering digital transformation for our clients. As your employer, Genpact will need to process your personal data, and in doing so, we will need to share it with companies in our corporate group in accordance with the provisions set out below. We respect you and are committed to honouring and protecting your privacy, we treat personal data in accordance with data protection laws and the purpose of this notice is to make you aware of what personal data we collect, how we use it and how we protect it. If you have any questions or concerns about this privacy policy or your personal data, please contact us at HR.GDPR@Genpact.com and DPO.Genpact@Genpact.com.

Personal data we collect
We, at Genpact, collect and maintain certain personal data and sensitive personal data (by which we mean either special category personal data or data relating to criminal convictions and offences, as permitted under applicable laws) about you as a result of your employment with Genpact and as part of the administration of general employee records.

The personal data collected may include but is not limited to:

  • Identification Information including name, gender, age, date of birth, personal and/or business email address, personal and/or business telephone number, home address, contact details, government-issued identification numbers such as national identification, social security, or driver’s licence number, photographs, demographic information, citizenship, nationality, marital status;
  • Educational and Professional Details including higher/further education, certifications, previous employment history, professional skills;
  • Background check reports including educational and employment checks in accordance with applicable law;
  • Compensation and Benefits Information including details of salary and benefits, name, family member’s or dependents for benefits enrolment, bank account details, salary reviews, records relating to holiday and other leave, working time records;
  • Child Care Benefits – We provide certain benefits such as payment of child’s tuition to working parents. In order to provide these benefits, we require information related to your child such as name, date of birth, birth certificate, educational institution, tuition fee and bills;
  • Information about your performance at work, including references obtained from your previous place of work, performance evaluations, as well as opinions expressed by your colleagues, individuals who you manage, supervisors, and clients of Genpact;
  • Travel and Expenses Information including passport, visa details, corporate card transactions, expense details, supporting bills;
  • Learning and Development Information including training, certifications, attendance and assessment records;
  • Information collected as part of Surveillance and Monitoring such as video surveillance data, physical access logs, activity, system and transactional logs from applications, systems and communication channels.
  • Feedback from you about your work environment such as your hiring experience, engagement with the HR, manager & co-workers, work assigned, company culture and growth opportunities.
  • Emergency contact details such as your personal phone number and email address and your approximate location that you may choose to share with us, for us to contact you in case of an emergency or crisis.
  • Attendance related information such as time keeping related to log on and log off from Genpact and/or client’s system.
  • In the event you need to work remotely, we may collect information about your cloud access security related information such as the Internet Protocol (IP) address of your connected devices used for work purposes;
  • Information collected during interviews: As part of our interview process we may maintain audio/ video records of the interview (in case of telephone interviews or video enabled interviews) as well as comments noted by our interviewers.

The sensitive personal data collected may include:

  • Information relating to your Health: such as physical examination results, accident and injury reports, disability status;
  • Accommodation for disabilities – In certain instances we may receive or request for information related to health such as disability status in order to make any necessary accommodations during your work within Genpact. Genpact shall process such information only based on your explicit consent;
  • Information related to racial, ethnic origin or religious beliefs collected as a result of diversity surveys, as permitted under applicable laws;
  • Data relating to criminal convictions and offences collected from background checks or CCTV monitoring, as permitted under applicable laws;
  • Biometric information: Such as your photograph taken at the time of joining (which serves as your biometric template), facial scans, in order to verify your identity to grant you access to Genpact premises, in case you are not able to present your Genpact access card to enter the premises. Genpact shall process such information only as permitted under applicable laws and based on your explicit consent. You may also choose to validate your identity through alternate means made available to you (e.g. by verifying your identity at the reception desk).

The legal basis for processing sensitive personal data is as defined under the art. 9 para. 2 letter b) of GDPR.

This information will be collected by us in a number of ways through multiple channels while joining our organization and over time during our relationship with you:

  • Directly from you (when you contact us through HR via on-boarding online application (s), telephone, email and in person);
  • From third parties (through recruitment agencies and background verification agencies), which may also include public sources such as professional networking platforms.

Purposes of processing your personal data and the legal basis for processing
We, at Genpact, must keep and process information about you for normal employment purposes. The information we hold and process will be used for our management and administrative uses only. We will keep and use it to enable us to run the business and manage our relationship with you effectively, lawfully and appropriately, during the recruitment process, whilst you are working for us, at the time when your employment ends and after you have left. This includes using your personal data to enable us to comply with your employment contract, to comply with any legal requirements, pursue our legitimate business interests and protect or defend our legal position in the event of legal proceedings. If you do not provide this data, we may be unable in some circumstances to comply with our legal obligations or fulfil our contractual obligations with you and we will tell you about the implications of that decision. Some of the key processing activities shall include:

  • Attendance – We implement tools to monitor and record your attendance in order to enable us to track your working hours.
  • Pay your salary and register you for benefits – The information requested is necessary for the performance of our obligations under your employment contract. If you do not provide the information requested, we will be unable to pay your salary, provide or register you for benefits or to facilitate claims for benefits.
  • Child Care Benefits – In the event you avail child care benefits, we need to process the personal data of your child, as mentioned in the above section, for the performance of our obligations under your employment contract. If you do not provide the information requested, we will be unable to provide or register you for benefits or to enable payment of claims for benefits.
  • Pay taxes – We are legally obliged to pay certain taxes on your earnings and we will use the information provided by you to meet our legal obligations.
  • Background Verification – We engage third-party vendors to carry out background verification checks including identity verification, educational verification and employment verification and criminal verification, as permitted under applicable laws, to pursue the legitimate business interest of the company and to comply with applicable legal requirements and where permissible under local law.
  • Note your expression of wish for death benefits – By completing and returning your expression of wish you consent to us storing your expression of wish and referring to it in the event of your death in service. If you do not provide the information requested, we will not have an indication of your wishes in the event of your death in service.
  • Staff administration – We keep employment records in line with industry practice and as permitted under applicable laws, including information relating to employment history, CV, references, absences (for example, annual leave and sickness or injury), accidents and equal opportunities monitoring. We keep a copy of your employment contract and any correspondence with you in the event of your termination of employment. It is in our legitimate business interests and/or necessary for the performance of our obligations under employment law to process these records.
  • Performance and compensation – We process personal data as part of performance review processes and in relation to compensation, reward and benefits. We also keep employee learning and development records. It is in our legitimate business interest to process these records.
  • Travel and Expense – From time to time, we may process personal data and engage travel and immigration vendors to facilitate corporate travel, location transfers, validate corporate card expenses and relevant supporting activities in line with our Travel, Mobility and Expense policies. It is in our legitimate business interest to process these records.
  • Discipline, grievance and dismissal – From time to time, we may need to process personal data in connection with disciplinary, grievance and dismissal processes. It is our legitimate business interest to process these records.
  • Monitoring and Surveillance – We monitor and record computer use and in certain cases, as permitted under the applicable laws, corporate telephone use as detailed in our Information Security Policy. We also carry out CCTV monitoring of key areas, as detailed in our Interception and Surveillance policy. We also keep records of your hours of work by way of our access control system, as mentioned in our Interception and Surveillance policy. It is our legitimate business interest to process such records, for the safety and security of the company, including its assets and its staff and in some cases we will be legally required to do so.
  • Audit Compliance – We may process personal data as part of our audit processes and engage third-party auditors, from time to time. We have ensured that only personal data absolutely necessary is processed during such audits in order to comply with applicable laws and to satisfy our legitimate business interests.
  • New employment opportunities – If you have expressed an interest in working for us in the future (e.g., under a temporary contract) we may retain your employment records and related documents containing your personal data for future employment related opportunities, in pursuit of our legitimate business interests.
  • Prevention of fraud – We may process your personal data for the purpose of fraud prevention in pursuit of the legitimate business interests of the company.
  • Verifying compliance with Genpact policies – We may process your personal data for the purpose of assessing and ensuring employee compliance with the various internal Genpact policies in pursuit of the legitimate business interests of the company.
  • Reporting potential crimes – We may process your personal data for the purpose of detecting and reporting potential crimes where permissible or required under national law.
  • Documents produced by employees – We may store documents and records that are produced by you and your colleagues which contain your personal data, for example your name, details of your role and your CV, as permitted under applicable laws, and these may be shared with clients in the course of carrying out your duties and the business of the company, in pursuit of our legitimate business interests. Additionally, from time to time Genpact publishes whitepapers, reports, research material and articles on industry topics which may be shared internally or externally, such as on Genpact website. If you contribute as an author or expert, it may contain your personal data, for example your name, designation and Genpact email address.
  • Health and safety and occupational health – Where necessary, we may process sensitive personal data relating to your health in order to comply with our health and safety and occupational health obligations – to consider how your health affects your ability to do your job and whether any adjustments to your job might be appropriate. We will also need this data to administer and manage statutory and company sick pay, health insurance or life insurance benefits. Genpact, will process such information only based on your explicit consent or as otherwise legally permitted, for example, where it is necessary for carrying out obligations or exercising rights under employment law, to protect your vital interests, for the establishment or defence of legal claims, to facilitate medical diagnosis/ assistance/ treatment and/or for the assessment of your working capacity.
  • Equal opportunity or treatment – We may process sensitive personal data relating to your racial or ethnic origin, religious beliefs in each case, as permitted under applicable laws for the purposes of monitoring the existence or absence of equality of opportunity or treatment between groups of individuals. Such processing will only be carried out based on your explicit consent and you have the right to withdraw that consent at any time.
  • Employee engagement and feedback: Genpact may, as permitted under applicable laws, engage carefully selected third-party vendors or applications to obtain and understand your feedback about the organisation and your work environment in order to improve employee satisfaction, well-being and overall work experience.
  • Leadership development programs and talent assessment: In the event you are nominated for select leadership development programs at Genpact, we may ask you to take additional aptitude and leadership assessments to evaluate your suitability for such programs. Results of such assessments are utilized only for purposes of selection to the program. For talent assessment, we may ask you to upload video of yourself and/or appear for an online video interview. It is our legitimate business interest to conduct such assessment / interview to evaluate your suitability for the program and / or next role.
  • Biometric based access to premises: Genpact may process biometric information about you, such as your photograph taken at the time of joining (which serves as your biometric template) and facial scans to verify your identity for the purposes of granting you access to Genpact premises, in case you are not able to present your Genpact access card to enter the premises. Such processing will only be carried out based on your explicit consent and you have the right to withdraw that consent at any time. In case you don’t consent to such processing, you may choose to validate your identity through alternative means made available to you (e.g. by verifying your identity at the reception desk).
  • Emergency communication: During emergency situations, such as Covid-19 pandemic, we may need to process personal data in order to send important company communication. We may ask you to confirm your well-being and your whereabouts in such emergency situations, as permitted under applicable laws, in order for us to monitor your health and safety. It is our legitimate business interest to process such records, for the safety and security of the company and its staff. Where required by the law such processing will be carried out based on your explicit consent.

Monitoring

Monitoring for security purposes
We have implemented industry standard security measures to assist us to keep our systems and premises secure. These security measures are primarily focused on ensuring we can detect, block and respond to malicious software (malware) and intrusion attempts, and also to ensure we keep our business data and your personal data secure and confidential. The security measures implemented include:

  • System security – We have security measures in place that involve automated scanning of incoming and outgoing emails, workstations, applications and our networks owned/ managed by Genpact for potential threats. Threats, such as phishing emails, data leakage, presence of malware, noncompliance to Genpact policies, or other unusual activity will be escalated to our Information Security and IT Teams for review and response.
  • Logs and Audit Trails – We have enabled logging and audit trail capabilities on all Genpact owned/ managed systems accessed by you. We have implemented automated tools to record and monitor information about your usage of login credentials, access to applications and websites and other activities carried out by you while using Genpact owned/ managed systems. The automated tools have been configured to protect confidential information (including personal data) and to ensure Genpact owned/ managed systems are protected against malware and other threats, as mentioned in the paragraph above. These tools will also alert our Information Security and IT teams of such threats and of any potential non-compliances to Genpact policies. Given most of Web Traffic over Genpact systems is encrypted, the automated tools that monitor for malware and data leakage may also decrypt this traffic to ensure the continued effectiveness of these controls. Additionally, activities of users who have privileged access to Genpact owned/ managed systems might be subject to a higher level of monitoring by automated tools, given higher potential business impact in case of compromise / misuse of such credentials.
    From time to time we may also share the audit logs containing information about the activities performed by users on Genpact owned/ managed systems to third parties who provide information security related services to Genpact in order to investigate any system issues or data breaches.
  • CCTV – We operate CCTV to help keep our premises secure. Images of you may be captured as part of the CCTV operation, however, we only view images where an incident has occurred.
  • Multi factor authentication (MFA) – We may require you to enable multi factor authentication by requiring you to install an additional application on your business or personal mobile device which will be used to verify your identity using a second factor (such as push notification), in addition to verification by password. MFA is an industry best practice to enhance security and verify user identity. As per Genpact’s current implementation, the application, provided by a third party partner (as detailed below), does not capture or store any personal information associated with your mobile device such as mobile number, device location, contacts, or messages other than general details such as operating system type & version, as well as a unique device ID which will be used to associate your device with your account. Device and device ID data is not used in any way other than to send you a verification request on your unique device and grant you access to Genpact IT resources. 

This processing is necessary for the purposes of the legitimate interests pursued by us to keep our business data and your personal data secure and confidential and in some cases to protect or defend our legal rights.

Monitoring for productivity, engagement and performance
Business intelligence and analytics: We may use workplace analytics tools to monitor at individual and aggregate level, as permitted under applicable laws, your level of engagement and key performance indicators of the services Genpact provides to its clients. In Europe, access to individual data is restricted to authorized personnel and, where required, available only on specific requests subject to approval by Genpact Data Protection Officer and Genpact Data Privacy and Protection Office. The data we receive shall be used for understanding the productivity of the team or function you are a member of and other performance indicators, such as accuracy of processing, and ultimately to serve our clients better. It is our legitimate business interest to conduct such analysis, gather business intelligence and manage productivity and performance.

Monitoring through email analytics: We use carefully selected third-party email analytics tools in order to understand the ability of our employees across the company to come together in engaging in different projects, as permitted under applicable laws. The data we receive through email analytics shall be used to monitor engagement and collaboration patterns of employees, based on various parameters, such as team members they work with and projects they work on. It is our legitimate business interest to conduct such analysis to help improve employee productivity.

We also send targeted and relevant emails to employees to effectively distribute organisational information and leadership messages. In order to assess the effectiveness of organisational information and leadership messages we gather metrics, such as email open rate, read rate and time spent on reading such emails, to understand and improve employee's engagement with such emails.

In the future, if we intend to process your personal data for a purpose other than that mentioned above, we will provide you with all relevant information and obtain your consent where it is necessary to do so.

Who we may share your personal data with (the recipients or categories of recipients of the personal data)

  • We may use carefully selected third parties to carry out certain activities to help us to run our business (such as payroll processing, cloud service providers, IT support vendors, information security support vendors), to provide you with certain benefits (such as pension or health insurance schemes), to facilitate your corporate travel and expenses (corporate card vendors, travel and immigration vendors), to carry out background verification (background verification agencies) and to facilitate audits (third-party auditors). For information on the third-party vendors partnered with Genpact, please visit https://www.genpact.com/downloadable-content/genpact-list-of-associated-partners-and-suppliers.pdf.
  • We have offices and operations in a number of international locations and we share information between our group companies for business and administrative purposes. Your information may be shared with our internal staff for management and administrative purposes as outlined above. Please visit https://www.genpact.com/about-us/regions to see a list of the locations within our corporate group.
  • Where required or permitted by law, information may be provided to others, such as regulators and law enforcement agencies.
  • We may share personal data with our clients / their third-party vendors, as detailed below:
    • Where required for your role, your business contact details may be shared with our clients, contractors and vendors.
    • During the course of your employment on certain clients’ accounts, we may be required to share your personal data with our clients and/or their third-party vendors. We may share your personal data with the respective client for its legitimate interest or for its legitimate business reasons, such as, for example, for the prevention and detection of fraud, or to enable access to client systems. On a case-by-case basis, it may be necessary to share personal data such as your name, home address, date of birth, nationality and citizenship, passport, national identification, social security, or driver’s license number to perform our services for the respective client/third-party vendor.
    • We may also be required to share your personal data with our clients or their third-party vendors to enable remote working for you in the context of emergency situations, such as Covid-19 pandemic or a business continuity plan. On a case-by-case basis, as permitted by applicable laws, it may be necessary to share personal data such as: - your name and personal mobile phone number for the purposes of re-routing the incoming calls to your personal mobile phone;
      - your name and home / domicile address for the purposes of enabling the respective client to deliver to you the equipment necessary for performing the daily working tasks remotely (e.g. laptops), based on the hand-over protocols signed by the you directly with the respective client;
      - your name and personal email address and/or cloud security related information (e.g. IP address), where necessary and/or required by the client, for the purposes of ensuring effective communication in case of emergency situations.
    • We may also be required to share your personal data with our clients or their third-party vendors to enable remote working for you in the course of our normal engagement with our clients in accordance with the agreed contractual terms.
  • Where your personal data is shared it will only be shared on a strictly necessary basis and only for as long as it is necessary in accordance with applicable data protection laws. A client in certain circumstances may need to fulfil its legal and regulatory obligations in certain sectors and require personal data to confirm your identity and to assess your fitness and suitability to provide services to the client. For example, clients operating in the financial services sector may be legally obligated to carry out or keep a record of identity checks of users who have access to confidential data. This is in accordance with the checks performed on staff employed directly by the client.
  • We may also share your CV’s and background verification status to clients, upon request, to comply with our contractual obligations, as permitted under applicable laws.
  • From time to time, we may consider corporate transactions such as a merger, acquisition, reorganisation, asset sale, or similar. In these instances, we may transfer or allow access to information to enable the assessment and undertaking of that transaction. If we buy or sell any business or assets, personal data may be transferred to a third parties involved in the transaction.

Security
We have implemented industry standard security measures to keep your personal data secure and confidential, including and not limited to:

  • Limiting access to your personal data, to those Genpact employees strictly on a need to know basis, such as to respond to your inquiry or request.
  • Implemented physical, electronic, administrative, technical and procedural safeguards that comply with all applicable laws and regulations to protect your personal data from unauthorized or inappropriate access, alteration, disclosure and destruction. It is important for you to protect against unauthorized access to your password and to your computer.
  • Genpact employees who misuse personal data are subject to strict disciplinary action, as it is a violation of the Integrity Policy of Genpact.

International and group company transfers of personal data   

We are part of an international group of companies and, as such, transfer personal data concerning you to countries outside the European Union (EU). Please visit https://www.genpact.com/about-us/regions to see a list of the locations within our corporate group.

We transfer personal data between our group companies and data centres for the purposes described above. We may also transfer personal data to our third-party vendors outside of the EU as described above. Your personal data may be stored in databases located outside of the EU including in India. The database is controlled by our administrative staff located outside of the EU including in India and can be accessed electronically.

Where we transfer personal data outside of EU, we either transfer personal data to countries that provide an adequate level of protection (as determined by the European Commission) or we have appropriate safeguards in place. Appropriate safeguards to cover these transfers are in the form of standard contractual/data protection clauses adopted by the European Commission. Please visit https://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2010:039:0005:0018:EN:PDF to know more about standard contractual/data protection clauses. 

Where we transfer personal data between our group companies we have covered these transfers by entering into standard contractual clauses adopted by the European Commission. If you would like more information on the any of the data transfer mechanisms on which we rely please contact our Data Protection Officer, details available in the contact section below.

Period for which the personal data will be stored
We store personal data in line with legal, regulatory, financial and best-practice business requirements. Your personal data will be collected, stored and processed by us while you are an employee. In the event that you stop being our employee, we will securely delete/destroy your employment records and related documents containing your personal data as soon as practicable and in line with our Data Retention policies, and any legal or regulatory requirements.

If you have expressed an interest in working for us in the future (e.g. under a temporary or permanent contract) we will retain relevant records and documents containing your personal data, for future employment related opportunities, for example for references, for an appropriate period of time. For more information on where and how long your personal data is stored, and for more information on your rights of erasure and portability, please contact our Data Protection Officer, details available in the contact section below.

Existence of Automated Profiling and Decision Making
We use automated profiling, in limited circumstances as explained below:

  • We utilise a Genpact managed tool that analyses parameters such as inputs by managers, number of years spent in a role, last salary increase, performance ratings, performance bonus, trainings attended. The tool helps us predict potential attrition risk of certain employees.
  • We use carefully selected third-party email analytics tools that analyses, as permitted under applicable laws, parameters such as email header information (e.g. From, To, Subject) to determine engagement pattern of employees. The insights of such profiling are utilised by our HR team pursuant to our legitimate business interest in order to help us with our employee retention strategies or to make any adjustments that may foster motivation towards your job/ role.

You may in some circumstances have the right to obtain human intervention where automated profiling has taken place and a right to express your views.

Your rights
You have a right to:

  • Request access to your personal data and request details of the processing activities conducted by Genpact.
  • Request that your personal data is rectified if it is inaccurate or incomplete
  • Request erasure of your personal data in certain circumstances.
  • Request restriction of the processing of your personal data by Genpact in certain circumstances.
  • Object to the processing of your personal data in certain circumstances.
  • Receive your personal data in a structured, commonly used and machine-readable format in certain circumstances.
  • Lodge a complaint with the relevant supervisory authority.
  • Object to, and not to be subject to a decision based solely on, automated processing (including profiling), which produces legal effects or significantly affects you.
  • Withdraw any consent you have provided to us at any time by contacting us.

To exercise the rights outlined above in respect of your personal data you may submit a data subject request on our portal – https://app-eu.onetrust.com/app/#/webform/6f529743-657b-472f-9f18-b4a49d9cd6a2. In case you face any issues in accessing our portal, you may also write to us at DPO.Genpact@Genpact.com.

Data subjects may also exercise their rights through Genpact Ombuds Hotline, implemented by Navex reporting tool. Genpact has a mechanism for investigating and determining the actions to be taken for failing to comply with Genpact Policies. This is supported by the Genpact Ombuds Hotline mechanism, implemented by the Navex reporting tool, which is Genpact’s process for reporting and dealing with complaints and any non-compliance with Genpact Policies. Any member of the Genpact workforce will be able to visit https://genpactombuds.ethicspoint.com to raise any integrity concern, with the option of remaining anonymous if they choose to. There is also a staffed telephone hotline.

Changes to this privacy notice
This privacy notice was last updated in JULY 2020. We will notify you of changes we may make to this privacy notice, where required. However, we would recommend that you look back at this notice from time to time to check for any updates.

Contact
Genpact is the controller of data for the purposes of GDPR. For more information about Genpact, please visit our website at www.genpact.com and for a complete list of the locations within our corporate group please visit https://www.genpact.com/about-us/regions.

If you have any concerns as to how your data is processed, you can contact our Data Protection Officer by writing to DPO.Genpact@genpact.com or write us at HR.GDPR@Genpact.com or submit a data subject request on our portal – https://app-eu.onetrust.com/app/#/webform/6f529743-657b-472f-9f18-b4a49d9cd6a2.