Personal data we collect
We, at Genpact, collect and retain certain personal data and sensitive personal data (by which we mean either special category personal data or data relating to criminal convictions and offences, as permitted under applicable laws) about you.
The personal information collected may include but is not limited to:
- Identification Information including name, gender, age, date of birth, personal and/or business telephone number, personal and/or business email address, home or business address, contact details, government-issued identification numbers such as national identification, social security, or driver’s licence number, photographs, demographic information, citizenship, nationality, marital status;
- Educational and Professional Details including higher/further education, certifications, previous employment history, professional skills;
- Background check reports including educational and employment checks in accordance with applicable law;
- Compensation Information including details of salary, bank account details, tax status, income tax and other levies, records relating to holiday and other leave, working time records;
- Information about your performance at work, including references obtained from your previous place of work, as well as opinions expressed by your colleagues, individuals who you manage, supervisors, and clients of Genpact;
- Travel and Expenses Information including passport, visa details, bank account details, expense details, supporting bills;
- Learning and Development Information including training, certifications, attendance and assessment records;
- Information collected as part of Surveillance and Monitoring such as video surveillance data, physical access logs, activity logs from systems and communication channels etc.
- Emergency contact details such as your personal phone number and email address and your approximate location that you may choose to share with us, for us to contact you in case of an emergency or crisis.
- Attendance related information such as time keeping related to log on and log off from Genpact and/or client’s system.
- In the event you need to work remotely, we may collect information about your cloud access security related information such as the Internet Protocol (IP) address of your connected devices used for work purposes;
The sensitive personal data collected may include:
- Information relating to your Health such as physical examination results, accident and injury reports, disability status;
- Accommodation for disabilities – In certain instances, we may receive or request information related to health such as disability status in order to make any necessary accommodations during your work within Genpact. Genpact shall process such information only based on your explicit consent;
- Information related to racial, ethnic origin or religious beliefs collected as a result of diversity surveys, as permitted under applicable laws;
- Data relating to criminal convictions and offences collected from background checks or CCTV monitoring, as permitted under applicable laws.
- Biometric information: Such as your photograph taken at the time of joining (which serves as your biometric template), facial scans, in order to verify your identity to grant you access to Genpact premises, in case you are not able to present your Genpact access card to enter the premises. Genpact shall process such information only as permitted under applicable laws and based on your explicit consent. You may also choose to validate your identity through alternate means made available to you (e.g. by verifying your identity at the reception desk).
The legal basis for processing sensitive personal data is as defined under the art. 9 para. 2 letter b) of GDPR.
This information will be collected by us in a number of ways through multiple channels while joining our organization and over time during our relationship with you:
- Directly from you (via on-boarding online application(s), telephone, email and in person) or in circumstances in which you have been engaged by Genpact or expressed an interest in future engagement related opportunities;
- Through referrals from our employees, contractors and business connects;
- From third-parties (through recruitment agencies and background verification agencies), which may also include public sources such as professional networking platforms.
Purposes of processing your personal data and the legal basis for processing
We, at Genpact, must collect and process information about you for normal staff contracting purposes. The information we hold and process will be used for our management and administrative use only. We will keep and use it to enable us to run the business and manage our relationship with you effectively, lawfully and appropriately, during the profile screening, enrolment process, whilst you are working for us, at the time when your contract ends and after you have left. This includes using your personal data to enable us to comply with our contract with you, to comply with any legal requirements, pursue our legitimate interests and protect or defend our legal position in the event of legal proceedings. If you do not provide this data, we may be unable in some circumstances to comply with our legal or contractual obligations and we will tell you about the implications of that decision. Some of the key processing activities shall include:
- Attendance – We implement tools to monitor and record your attendance in order to enable us to track your working hours.
- Administration of pay/compensation – The information requested is necessary for the performance of our obligations under your contract. If you do not provide the information requested, we will be unable to pay you the agreed compensation.
- Pay taxes – We are legally obliged to pay certain taxes on your earnings and we will use the information provided by you to meet our legal obligations.
- Background Verification – We engage third-party vendors to carry out background verification checks including identity verification, educational verification, employment verification and criminal verification, as permitted under applicable laws, to pursue the legitimate business interest of the company and to comply with applicable legal requirements and where permissible under local law.
- Staff administration – We keep contractor records in line with industry practice and as permitted under applicable laws, including information relating to work history with Genpact, CV, references, absences and accidents. We keep a copy of your contract and any correspondence with you in the event of termination of your contract. It is our legitimate business interest to process these records.
- Performance and compensation – We may process personal data as part of performance review processes, respectively to provide compensation or benefits as applicable. We also keep learning and development records. It is our legitimate business interest to process such records.
- Travel and Expense – From time to time, we may process personal data and engage travel and immigration vendors to facilitate corporate travel, location transfers, validate expenses and relevant bills/ supporting in line with our Travel, Mobility and Expense policies. It is in our legitimate business interest to process these records, in pursuit of our legitimate business interests to maintain accurate financial records.
- Monitoring and Surveillance – We monitor and record computer use and in certain cases as permitted under applicable laws, corporate telephone use as detailed in our Information Security Policy. We also carry out CCTV monitoring of key areas, as detailed in our Interception and Surveillance policy. We also keep records of your hours of work by way of our access control system, as mentioned in our Interception and Surveillance policy. It is our legitimate business interest to process such records, for the safety and security of the company, including its assets and its staff and in some cases we will be legally required to do so.
- Audit Compliance – We may process personal data as part of our audit processes and engage third-party auditors, from time to time, in pursuit of our legitimate business interests to keep accurate records. We have ensured that only personal data absolutely necessary is processed during such audits in order to comply with applicable laws.
- New engagement opportunities – We may retain relevant documents containing your personal data for future engagement related opportunities, in pursuit of our legitimate business interests.
- Disclosure of business contacts, CV and background screening information to clients – Where required by clients as data controllers.
- Prevention of fraud – We may process your personal data for the purpose of fraud prevention in pursuit of the legitimate business interests of the company.
- Reporting potential crimes – We may process your personal data for the purpose of detecting and reporting potential crimes where permissible or required under national law.
- Documents produced by contractors – We may store documents and records that are produced by you and your colleagues which contain your personal data, for example your name, details of your role and your CV, as permitted under applicable laws, and these may be shared with clients in the course of carrying out your duties and the business of the company, in pursuit of our legitimate business interests.
- Health and safety and occupational health – Where necessary, we may process sensitive personal data relating to your health in order to comply with our health and safety and occupational health obligations – to consider how your health affects your ability to do your assignment and whether any adjustments to your assignment might be appropriate. We may also need this data to administer and manage any compensation or benefits, if applicable. Genpact will process such information only based on your explicit consent or as otherwise legally permitted, to protect your vital interests, for the establishment or defence of legal claims, to facilitate medical diagnosis/ assistance/ treatment and/or for the assessment of your working capacity.
- Equal opportunity or treatment – We may process sensitive personal data relating to your racial or ethnic origin, religious beliefs in each case, as permitted under applicable laws, for the purposes of monitoring the existence or absence of equality of opportunity or treatment between groups of individuals. Such processing will only be carried out based on your explicit consent and you have the right to withdraw that consent at any time.
- Biometric based access to premises: Genpact may process biometric information about you, such as your photograph taken at the time of joining (which serves as your biometric template) and facial scans to verify your identity for the purposes of granting you access to Genpact premises, in case you are not able to present your Genpact access card to enter the premises. Such processing will only be carried out based on your explicit consent and you have the right to withdraw that consent at any time. In case you don’t consent to such processing, you may choose to validate your identity through alternative means made available to you (e.g. by verifying your identity at the reception desk).
- Emergency communication: During emergency situations, such as the Covid-19 pandemic, we may need to process personal data in order to send important company communication. We may ask you to confirm your well-being and your whereabouts in such emergency situations, as permitted under applicable laws, in order for us to monitor your health and safety. It is our legitimate business interest to process such records, for the safety and security of the company and its staff. Where required by the law such processing will be carried out based on your explicit consent.
Monitoring for security purposes
We have implemented industry standard security measures to assist us to keep our systems and premises safe and secure. The security measures implemented for the processing of personal data either routinely or occasionally (as appropriate), include:
- Email security – We have email security measures in place that involve automated scanning of incoming and outgoing emails for potential threats. Threats, such as phishing emails or malware may be escalated to IT for consideration.
- Activity logs – We have audit trail capabilities as part of our automated systems to track who accesses and amends data. This means that we have access to information about your usage of login credentials, websites and applications which may be referred to in the event of an issue.
- CCTV – We operate CCTV to help keep our premises secure. Images of you may be captured as part of the CCTV operation, however, we only view images where an incident has occurred.
- Multi factor authentication (MFA) – If we provide you access to Genpact IT resources, we may additionally require you to enable multi factor authentication by requiring you to install an application on your business or personal mobile device which will be used to verify your identity using a second factor (such as push notification), in addition to verification by password. MFA is an industry best practice to enhance security and verify user identity. As per Genpact’s current implementation, the application, provided by a third party partner (as detailed below), does not capture or store any personal information associated with your mobile device such as mobile number, device location, contacts, or messages other than general details such as operating system type & version, as well as a unique device ID which will be used to associate your device with your account. Device and device ID data is not used in any way other than to send you a verification request on your unique device and grant you access to Genpact IT resources.
This processing is necessary for the purposes of the legitimate interests pursued by us to keep our business data and your personal data secure and confidential and in some cases to protect or defend our legal rights.
Monitoring for productivity, engagement and performance
Business intelligence and analytics:
We may use workplace analytics tools to monitor at individual and aggregate level, as permitted under applicable laws, your level of engagement and key performance indicators of the services Genpact provides to its clients. In Europe, access to individual data is restricted to authorized personnel and, where required, available only on specific requests subject to approval by Genpact Data Protection Officer and Genpact Data Privacy and Protection Office. The data we receive shall be used for understanding the productivity of the team or function you are a member of and other performance indicators, such as accuracy of processing, and ultimately to serve our clients better. It is our legitimate business interest to conduct such analysis, gather business intelligence and manage productivity and performance.
Monitoring through email analytics: We use carefully selected third-party email analytics tools in order to understand the ability of our contractors across the company to come together in engaging in different projects, as permitted under applicable laws. The data we receive through email analytics shall be used to monitor engagement and collaboration patterns of employees and contractors, based on various parameters, such as team members they work with and projects they work on. It is our legitimate business interest to conduct such analysis to help improve employee and contractor productivity.
We also send targeted and relevant emails to employees and contractors to effectively distribute organisational information and leadership messages. In order to assess the effectiveness of organisational information and leadership messages we gather metrics, such as email open rate, read rate and time spent on reading such emails, to understand and improve our staff’s engagement with such emails.
In the future, if we intend to process your personal data for a purpose other than that mentioned above, we will provide you with relevant information and obtain your consent if necessary to do so.
Who we may share your personal data with (the recipients or categories of recipients of the personal data)
- We may use carefully selected third-parties to carry out certain activities to help us to run our business (such as payment processing, cloud service providers, IT support vendors), to facilitate your corporate travel and expense (corporate card vendors, travel and immigration vendors), to carry out background verification (background verification agencies) and to facilitate audits (third-party auditors). For information on the third-party vendors partnered with Genpact, please visit https://www.genpact.com/downloadable-content/genpact-list-of-associated-partners-and-suppliers.pdf
- We have offices and operations in a number of international locations and we share information between our group companies for business and administrative purposes. Your information may be shared with our internal staff for management and administrative purposes as outlined above. Please visit https://www.genpact.com/about-us/regions to see a list of the locations within our corporate group.
- Where required or permitted by law, information may be provided to others, such as regulators and law enforcement agencies.
- We may share personal data with our clients / their third-party vendors, as detailed below:
  - Where required for your role, your business contact details may be shared with our clients and suppliers.
  - During the course of your engagement on certain clients’ accounts, we may be required to share your personal data with our clients and/or their third-party vendors. We may share your personal data with the respective client for its legitimate interest or its legitimate business reasons, such as, for example, for the prevention and detection of fraud, or to enable access to client systems. On a case-by-case basis, it may be necessary to share personal data such as your name, home address, date of birth, nationality and citizenship, passport, national identification, social security, or driver’s license number to perform our services for the respective client/third-party vendor.
  - We may also be required to share your personal data with our clients or their third-party vendors to enable remote working for you in the context of emergency situations, such as the Covid-19 pandemic or a business continuity plan. On a case-by-case basis, as permitted by applicable laws, it may be necessary to share personal data such as:
    - your name and personal mobile phone number for the purposes of re-routing the incoming calls to your personal mobile phone;
    - your name and home / domicile address for the purposes of enabling the respective client to deliver to you the equipment necessary for performing the daily working tasks remotely (e.g. laptops), based on the hand-over protocols signed by you directly with the respective client;
    - your name and personal email address and/or cloud security related information (e.g. IP address), where necessary and/or required by the client, for the purposes of ensuring effective communication in case of emergency situations.
  - We may also be required to share your personal data with our clients or their third-party vendors to enable remote working for you in the course of our normal engagement with our clients in accordance with the agreed contractual terms.
  - Where your personal data is shared it will only be shared on a strictly necessary basis and only for as long as it is necessary in accordance with applicable data protection laws. A client in certain circumstances may need to fulfil its legal and regulatory obligations in certain sectors and require personal data to confirm your identity and to assess your fitness and suitability to provide services to the client. For example, clients operating in the financial services sector may be legally obligated to carry out or keep a record of identity checks of users who have access to confidential data. This is in accordance with the checks performed on staff employed or engaged directly by the client.
  - We may also share your CVs and background verification status with our clients, upon request, to comply with our contractual obligations, as permitted under applicable laws.
- From time to time, we may consider corporate transactions such as a merger, acquisition, reorganisation, asset sale, or similar. In these instances, we may transfer or allow access to information to enable the assessment and undertaking of that transaction. If we buy or sell any business or assets, personal data may be transferred to a third-party involved in the transaction.
We have implemented industry standard security measures to keep your personal data secure and confidential, including and not limited to:
- Limiting access to any personal data that may be submitted by you, to those Genpact employees and contractors strictly on a need to know basis, such as to respond to your inquiry or request.
- Implemented physical, electronic, administrative, technical and procedural safeguards that comply with all applicable laws and regulations to protect your personal data from unauthorized or inappropriate access, alteration, disclosure and destruction. It is important for you to protect against unauthorized access to your password and to your computer.
- Genpact employees and contractors who misuse personal data are subject to measures which may lead to the termination of engagement, as it is a violation of the Integrity Policy of Genpact.
International and group company transfers of personal data
We are part of an international group of companies and, as such, transfer personal data concerning you to countries outside the European Union (EU). Please visit https://www.genpact.com/about-us/regions to see a list of the locations within our corporate group.
We transfer personal data between our group companies and data centres for the purposes described above. We may also transfer personal data to our third-party vendors outside of the EU as described above. Your personal data may be stored in databases located outside of the EU including in India. The database is controlled by our administrative staff located outside of the EU including in India and can be accessed electronically.
Where we transfer personal data outside of the EU, we either transfer personal data to countries that provide an adequate level of protection (as determined by the European Commission) or we have appropriate safeguards in place. Appropriate safeguards to cover these transfers are in the form of standard contractual/data protection clauses adopted by the European Commission. Please visit https://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2010:039:0005:0018:EN:PDF to know more about standard contractual/data protection clauses.
Where we transfer personal data between our group companies we have covered these transfers by entering into standard contractual clauses adopted by the European Commission. If you would like more information on any of the data transfer mechanisms on which we rely please contact our Data Protection Officer, details available in the contact section below.
Period for which the personal data will be stored
We store personal data in line with legal, regulatory, financial and best-practice business requirements. Your personal data will be collected, stored and processed by us while you are engaged with us. At the end of your contract, we will securely delete/destroy your records and related documents containing your personal data as soon as practicable and in line with our Data Retention policies, and any legal or regulatory requirements.
If you have expressed an interest in working for us in the future (e.g. under a temporary or permanent contract) we will retain relevant records and documents containing your personal data, for future engagement related opportunities, for example for references, for an appropriate period of time. For more information on where and how long your personal data is stored, and for more information on your rights of erasure and portability, please contact our Data Protection Officer, details available in the contact section below.
Existence of Automated Profiling and Decision Making
We use automated profiling, in limited circumstances as explained below:
- While shortlisting individuals for entry level positions, we utilise a Genpact managed web-based tool to facilitate the interview & recruitment process. The tool maintains video records of the interview process to create a Big Five psychology profile of the candidate through voice & movement & vocabulary analysis. The Big Five psychology profile provides the analysis under 5 key personality traits such as ‘openness to experience’, ‘conscientiousness’, ‘extraversion’, ‘agreeableness’, and ‘neuroticism’. The insights of the profiling are utilised by the hiring team pursuant to our legitimate business interest in order to help us take informed decisions while shortlisting our candidates.
You may in some circumstances have the right to obtain human intervention where automated profiling has taken place and a right to express your views.
You have a right to:
- Request access to your personal data and request details of the processing activities conducted by Genpact.
- Request that your personal data is rectified if it is inaccurate or incomplete.
- Request erasure of your personal data in certain circumstances.
- Request restriction of the processing of your personal data by Genpact in certain circumstances.
- Object to the processing of your personal data in certain circumstances.
- Receive your personal data in a structured, commonly used and machine-readable format in certain circumstances.
- Lodge a complaint with the relevant supervisory authority.
- Object to, and not to be subject to a decision based solely on, automated processing (including profiling), which produces legal effects or significantly affects you.
- Withdraw any consent you have provided to us at any time by contacting us.
To exercise the rights outlined above in respect of your personal data you may submit a data subject request on our portal https://app-eu.onetrust.com/app/#/webform/6f529743-657b-472f-9f18-b4a49d9cd6a2. In case you face any issues in accessing our portal, you may also write to us at [email protected].
Data subjects may also exercise their rights through Genpact Ombuds Hotline, implemented by Navex reporting tool. Genpact has a mechanism for investigating and determining the actions to be taken for failing to comply with Genpact Policies. This is supported by the Genpact Ombuds Hotline mechanism, implemented by the Navex reporting tool, which is Genpact’s process for reporting and dealing with complaints and any non-compliance with Genpact Policies. Any member of the Genpact workforce will be able to visit https://genpactombuds.ethicspoint.com to raise any integrity concern, with the option of remaining anonymous if they choose to. There is also a staffed telephone hotline.
Changes to this privacy notice
This privacy notice was last updated in July 2020. We will notify you of changes we may make to this privacy notice where required. However, we would recommend that you look back at this notice from time to time to check for any updates.
Genpact is the controller of data for the purposes of GDPR. For more information about Genpact, please visit our website at www.genpact.com and for a complete list of the locations within our corporate group please visit https://www.genpact.com/about-us/regions.
If you have any concerns as to how your data is processed, you can contact our Data Protection Officer by writing to [email protected] or submit a data subject request on our portal - https://app-eu.onetrust.com/app/#/webform/6f529743-657b-472f-9f18-b4a49d9cd6a2.