Ethics Helpline Privacy Notice | Genpact

Ethics Helpline Privacy Notice

We at Genpact and our affiliated companies worldwide (“Genpact”) are a global professional services firm focused on delivering digital transformation for our clients. The Ethics Helpline is Genpact's channel to encourage all employees, officers, directors, contractors, vendors, or other third parties, wherever located, to report concerns related to suspected or actual illegal or unethical conduct, or violations of the Code of Conduct or Company policies to the management.

Concerns can be raised confidentially and anonymously where permitted by law. Reports of violations or suspected violations will be kept confidential to the extent possible, while still allowing the Company to investigate the concern.

If you have any questions or concerns about this privacy notice or your personal data, please contact us at [email protected].

1. Scope

This Privacy Notice describes how Genpact collects and processes your personal data in relation to the Ethics Helpline and investigations of concerns reported to the Helpline. This Privacy Notice applies to the following categories of data subjects (known as data principals in India):

  • The reporter, meaning any person, wherever located, who raises a concern of unethical or illegal conduct or other serious policy violation;
  • The reported individual, meaning any of Genpact’s employees or third parties associated with Genpact, who is alleged to have engaged in the conduct that is reported;
  • Any witnesses or other third parties that may be involved in the Ombuds investigation. Genpact will only process such personal data to the extent that it is necessary as part of the investigation.

Your personal data shall only be collected and processed in accordance with and to the extent permitted by the applicable law, as further described below.

2. Personal data we collect

The personal data collected may—depending on your role in relation to Genpact and applicable law-- include but is not limited to:

  • Identification and contact information namely internal employee code, name, contact details, gender;
  • Employment related information: department or business name, business location, whether you are a people manager, job code, job title, hire date, rehire date, termination date
  • Information collected as part of the investigation, such as statements that may relate to you and have been made or submitted by the reporter and/or witnesses, documents collected as evidence that may include your personal data, or other evidence that may refer to you or include information about you. Genpact does not have the ability to control or limit what personal data may be disclosed in these statements or pieces of evidence collected as part of the investigation. To the extent possible, any information that exceeds the scope of the investigation will be deleted or removed from the case file, or else it will be disregarded by the investigation team.

As a matter of principle, this activity does not imply combining of data sets from several sources or any profiling activities. Personal data collected is processed only to the extent necessary to carry out the investigation.

3. Purposes of processing your personal data and the legal basis for processing

We must process information about you in order to carry out the relevant investigation. Any personal data that we collect will solely be processed for the purpose of carrying out the investigation and informing any decisions that are taken based on the results of the investigation. In some cases, we may disclose your personal data to governmental agencies and bodies, in order to comply with any legal requirements, as per the applicable law, to protect Genpact’s legal interests, or to prevent serious harm to individuals or property. In case Genpact intends to process your personal data for new or different purposes, not included herein, we will provide adequate notice to you and, where necessary, obtain your additional consent.

Our legal basis is LEGAL OBLIGATION.

  • In principle, personal data processed as part of the Ethics Helpline are based Genpact’s legal obligation to investigate any raised potential violations. There are region specific/country specific laws that require companies of a certain number of employees to have a channel of reporting concerns (e.g. EU Whistleblowing Directive). Moreover, there are various related legal provisions that impose certain obligations on companies (e.g. to avoid any discrimination, to have an ethical and inclusive environment, etc.). While companies may choose to have non-hotline channels like email address/ombudspersons/HR/Legal as channels to report, laws across the globe recommend that we have a channel where reports can raise concerns anonymously and confidentially. Using this Helpline is one way Genpact can comply with its statutory obligations and ensure that any misconduct or illegal behaviour can be easily and safely reported by whoever wants.

Sometimes, we also rely on our LEGITIMATE INTEREST to enable employees to report violation.

  • In addition, in jurisdictions that do not have a legal requirement to implement a hotline, Genpact will rely on its legitimate interest in putting in place appropriate procedures enabling employees to report irregularities and questionable practices, which would be in violation of the internal policies and Genpact’s legal obligations. Any investigations carried out in this respect are proportionate and necessary to establish the facts and take corresponding measures. While an investigation could have a negative consequence on the reported person, Genpact has put in place controls to ensure that consequences will only follow factual evidence of a violation, by that person, of Genpact’s policies and procedures. As for the reporter, such mechanisms have been put in place to protect their interest, rights, and freedoms.

Where relevant under applicable law, we rely on CONSENT.

  • Only where consent is required by applicable law or regulation, Genpact relies on the data subject’s consent, as reflected in the reporter’s agreement to the Terms and Conditions posted at www.genpact.com/speakup or collected through other valid means.

4. Who we may share your personal data with (the recipients or categories of recipients of personal data)

In order to ensure that the Ethics Helpline is adequately implemented, we may disclose data to:

  • OneTrust, who provides the Convercent Platform: As part of Genpact’s investigation of reported concerns, your data will be shared with OneTrust, who is our vendor providing the Ethics Helpline platform, which is called Convercent, as well as its sub processor, Microsoft Azure, for storage purposes. We note that OneTrust is ISO27001:2013, HITRUST CSF, and SOC 2 Certified and has a fully documented set of policies, procedures, and controls that include but are not limited to the system, physical site, and personnel. OneTrust is a cloud-based SaaS application. OneTrust partners with Microsoft Azure for Data Hosting. For Genpact, data is hosted in EMEA.
  • Other Genpact group companies: We have offices and operations in several international locations, and we may share information between our group companies for the purpose of carrying out the investigation. Please visit https://www.genpact.com/locations to see a list of the locations within our corporate group. We have managed the data privacy and protection requirements of transfers within the corporate group by entering into intragroup agreements. Our intragroup agreements are based on the standard contractual clauses adopted by the European Commission or, to the extent that other laws apply, as permitted under applicable data protection laws.
  • Auditors or regulators: Where required or permitted by law, information may be provided to others, such as internal/external auditor, regulators and law enforcement agencies in order to comply with valid legal processes, including any potential search warrants, subpoenas, or court orders.

When we disclose your personal information to comply with a legal obligation, we will take reasonable steps to ensure that we only disclose the minimum personal information necessary for the specific purpose and circumstances.

Where your personal data is shared it will only be shared on a strictly necessary basis and only for as long as it is necessary in accordance with applicable data protection laws.

From time to time, we may consider corporate transactions such as a merger, acquisition, reorganisation, asset sale, or similar. In these instances, we may transfer or allow access to information to enable the assessment and undertaking of that transaction. If we buy or sell any business or assets, personal data may be transferred to a third parties involved in the transaction.

5. Security

We have implemented industry standard and reasonable security measures to keep your personal data secure and confidential, including and not limited to:

  • Limiting access to your personal data, to those Genpact employees strictly on a need-to-know basis, such as to respond to your inquiry or request, or to investigate a report.
  • Implemented physical, electronic, administrative, technical and organisational measures and procedural safeguards that comply with all applicable laws and regulations to protect your personal data from unauthorized or inappropriate access, alteration, disclosure and destruction.
  • Genpact employees who misuse personal data are subject to strict disciplinary action as per the laid down procedures and policies, as it is a violation of the Genpact Code of Conduct.

6. International and group company transfers of personal data

We are part of an international group of companies and, as such, we may transfer personal data concerning you to countries where Genpact has an establishment. Any transfers of personal data outside of the country of origin will be carried out in accordance with the applicable law and ensuring that the same level of protection and confidentiality is maintained.

We transfer personal data between our group companies and data centres for the purposes described above. We may also transfer personal data to our third-party vendors as described above.

Where personal data is transferred to third-party vendors, Genpact shall ensure that adequate contractual provisions are in place to ensure that your personal data is adequately protected. Where we transfer personal data outside of the country in which Genpact is established, we either transfer personal data to countries that provide an adequate level of protection (e.g., as determined by the European Commission or the applicable data protection legislation) or we have appropriate safeguards in place. Appropriate safeguards to cover these transfers are in the form of standard contractual/data protection clauses, such as the clauses adopted by the European Commission or otherwise as permitted under the applicable data protection law. For example, please visit https://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2010:039:0005:0018:EN:PDF to know more about standard contractual/data protection clauses.

If you would like more information on the any of the data transfer mechanisms on which we rely please contact our Data Protection Officer, whose contact information is listed below.

7. Period for which the personal data will be stored

The data will be actively processed until the conclusion and closure of the concern. Concerns may be re-opened in some scenarios after closure, if supported by new evidence. After completion of an investigation, Genpact will retain your data in Convercent to support its internal reporting obligations and for other audit purposes or regulatory requirements. As such, your personal data will be stored for as long as required under the applicable legislation and in accordance with our Information Governance Policy. At the end of this period your data will be securely deleted/destroyed in accordance with our internal policies and procedures.

8. Your rights

In accordance with applicable law, you may have certain data protection rights. You may find specific details on the rights that are applicable to you in the ‘Jurisdiction specific requirements’ section below. Please see the end of the page for information specific to the jurisdictions listed below. In case your jurisdiction is not listed below, for more information on your data protection rights, please contact us at [email protected].

EEA and UK

Mexico

India

South Africa

Brazil

Philippines

Egypt

Guatemala

Japan

Israel

Costa Rica

China

United States

Australia

Canada

Malaysia

Argentina

Singapore

Thailand

To exercise the rights outlined below in respect of your personal data you may submit a data subject request on our portal https://app-eu.onetrust.com/app/#/webform/6f529743-657b-472f-9f18-b4a49d9cd6a2. In case you face any issues in accessing our portal, you may also write to us at [email protected].

9. Changes to this privacy notice

This Privacy Notice was last updated in March 2024. We will notify you of changes we may make to this privacy notice, where required. However, we would recommend that you look back at this notice from time to time to check for any updates.

10. Contact

Genpact is the controller of data for the purposes of GDPR and has an equivalent role under other data privacy statutes and regulations. For more information about Genpact, please visit our website at www.genpact.com.

If you have any concerns as to how your data is processed, you can contact our Data Protection Officer by writing to [email protected] or submit a data subject request on our portal https://app-eu.onetrust.com/app/#/webform/6f529743-657b-472f-9f18-b4a49d9cd6a2

JURISDICTION SPECIFIC REQUIREMENTS

Applicable data protection law

The term ‘applicable law’ throughout this Privacy Notice shall refer primarily to data protection laws detailed below which may apply depending on your employment and/or residence.

Please note that this is not and exhaustive list and does not exclude the applicability of any other laws, regulations, and decisions issued by competent authorities, which may apply depending on the specific context.

Place of employment and/or residence

Most important data protection legislation

EEA

General Data Protection Regulation, supplemented by any local implementation law, if applicable.

Argentina

Personal Data Privacy Act 25.326 (PDPA), the Argentina Personal Data Privacy Act Principles

Australia

Privacy Act 1988 (Cth), the Australian Privacy Principles and any guidelines and directions issued by the Office of the Australian Information Commissioner

Brazil

Lei Geral de Proteção de Dados Pessoais (LGPD)

Canada

Federal: Personal Information Protection and Electronic Documents Act of 2000 ("PIPEDA"); Alberta: Personal Information Protection Act, SA 2003 c P-6.5 (“AB PIPA”); British Columbia: Personal Information Protection Act, SBC 2003 c 63 (“BC PIPA”); Quebec: Act respecting the Protection of Personal Information in the Private Sector, CQLR c P-39.1 (“Quebec Private Sector Act”)

China

China Personal Information Protection Law

Costa Rica

Law No. 8968, Protection in the Handling of the Personal Data of Individuals of Costa Rica

Egypt

Law on the Protection of Personal Data (“the Data Protection Law”) issued under Resolution No. 151 of 2020

Guatemala

Constitutional of Guatemala

India

Information Technology Act, 2000 and The Rules made therein including but not limited to Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011

The Digital Personal Data Protection Act, 2023 (as and when enforced)

Israel

Protection of Privacy Law, 5741-1981 (“the Privacy Law”)

Japan

Act on the Protection of Personal Information (Act no. 57 from 2003)

Malaysia

Malaysia Personal Data Protection Act

Mexico

Mexican Federal Law on the Protection of Personal Data in Possession of Private Parties

Philippines

Republic Act No. 10173, otherwise known as the Philippines Data Privacy Act of 2012 including its Implementing Rules and Regulations (IRR) and other issuances of the National Privacy Commission (NPC)

Singapore

The Personal Data Protection Act 2012 (No. 26 of 2012) ('PDPA')

South Africa

Protection of Personal Information Act

Thailand

Personal Data Protection Act, B.E. 2562 (2019)

United States (California)

California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (“CPRA”)

Jurisdiction Specific Requirements

The provisions of this section shall apply as a supplement to the above Privacy Notice. In case of a conflict between the Privacy Notice and the country specific local requirements, the latter will prevail.

EEA and UK

Your rights

If you are a data subject from the European Union, you have the following data protection rights:

  • Request access to your personal data and request details of the processing activities conducted by Genpact and, to extent applicable, by third parties, within a reasonable time and at a prescribed fee, if any. You may also receive a copy of your personal data in a structured, commonly used and machine-readable format in certain circumstances
  • Request that your personal data is rectified if it is inaccurate or incomplete and, to the extent applicable, irrelevant, excessive, out of date, misleading or obtained unlawfully.
  • Request erasure of your personal data in certain circumstances.
  • Request restriction of the processing of your personal data by Genpact in certain circumstances.
  • Object to the processing of your personal data in certain circumstances.
  • The right to data portability.
  • Lodge a complaint with the relevant supervisory authority.
  • Object to, and not to be subject to a decision based solely on, automated processing (including profiling), which produces legal effects or significantly affects you.
  • Withdraw any consent you have provided to us at any time by contacting us, subject to any legal or contractual restrictions on withdrawing consent.
  • Be informed that your personal data will be, are being, or were collected and processed

Argentina

Your rights

If you are a data subject from Argentina, you have the following data protection rights:

  • Be informed that your personal data are being, will be, or were collected and processed.
  • Personal data cannot be used or transferred without prior consent.
  • Request that your personal data is rectified if it is inaccurate or incomplete.
  • Request that your personal data be deleted under specific circumstances.
  • Personal data must be kept safe and confidential.
  • Request what personal info has been submitted to a data bank.
  • To bring a legal action to review, rectify, supress or update personal data.

Australia

Your rights

If you are a data subject from Australia, you have the following data protection rights:

  • Request access to your personal data.
  • Request that your personal data is rectified if it is inaccurate or incomplete.
  • Object to the processing of your personal data in certain circumstances.
  • Be informed that your personal data will be, are being, or were collected and processed.
  • The right to not identify oneself when dealing with an Australian Privacy Principles entity (i.e. deal anonymously), unless impracticable or required by law

Brazil

Your rights

If you are a data subject from Brazil, you have the following data protection rights:

  • Confirmation of the existence of processing;
  • Access to data;
  • Correction of incomplete, inaccurate, or outdated data;
  • Anonymisation, blocking, or elimination of unnecessary or excessive data or of data processed in non-compliance with the provisions of the LGPD;
  • Portability of the data to other service providers or suppliers of products, by the means of an express request, pursuant to the regulations of the regulator, and subject to commercial and industrial secrecy;
  • Elimination of the personal data processed with the consent of the data subjects, except in the cases set forth in Article 16 of the LGPD;
  • Information on the public and private entities with which the controller has shared data;
  • Information on the possibility of not providing consent and on the consequences of such denial;
  • Revocation of the consent, pursuant to the provisions of Article 8(5) of the LGPD; and
  • Review of decisions based on processing of personal data carried out exclusively by automated means.

Canada

Your Rights

If you are a data subject from Canada, you have the following data protection rights:

  • The right to request access to your personal data.
  • The right to request that your personal data be rectified if it is inaccurate or incomplete.
  • The right to request erasure of your personal data in certain circumstances.
  • The right to withdraw any consent you have provided to us at any time by contacting us, subject to any legal or contractual restrictions on withdrawing consent.
  • The right to be informed that your personal data will be, is being, or was collected and processed.

China

Your rights

If you are a data subject from China, you have the following data protection rights:

  • Request access to your personal data.
  • Request that your personal data is rectified if it is inaccurate or incomplete.
  • Request erasure of your personal data in certain circumstances.
  • Request restriction of the processing of your personal data by Genpact in certain circumstances.
  • Object to the processing of your personal data in certain circumstances.
  • The right to data portability.
  • Object to, and not to be subject to a decision based solely on, automated processing (including profiling), which produces legal effects or significantly affects you.
  • Be informed that your personal data will be, are being, or were collected and processed

Costa Rica

Your rights

If you are a data subject from Costa Rica, you have the following data protection rights:

  • Request access to your personal data.
  • Request that your personal data is rectified if it is inaccurate or incomplete.
  • Request erasure of your personal data in certain circumstances.

Egypt

Your rights

If you are a data subject from Egypt, you have the following data protection rights:

  • Request access to your personal data.
  • Request that your personal data is rectified if it is inaccurate or incomplete.
  • Request erasure of your personal data in certain circumstances.
  • Object to the processing of your personal data in certain circumstances.
  • Be informed that your personal data will be, are being, or were collected and processed
  • Right to limit the purpose of processing personal data to a specific scope.

Guatemala

Your rights

If you are a data subject from Guatemala, you have the following data protection rights:

  • Request access to your personal data.
  • Request that your personal data is rectified if it is inaccurate or incomplete.
  • Request erasure of your personal data in certain circumstances.
  • Object to the processing of your personal data in certain circumstances.
  • Be informed that your personal data are being, will be, or were collected and processed

India

Your rights

If you are a data subject/data principal from India, you have the following data protection rights:

  • Request summary of personal data, including processing activities, shared data, and other relevant information as may be prescribed by applicable law.
  • Request correction of inaccurate data, completion of incomplete data, update of relevant data, or erasure of unnecessary data, except where retention is required by law .
  • To express grievances relating to processing of your data or your rights, in accordance with the prescribed mechanism under applicable law.
  • To nominate another person to exercise your rights in case of death or incapacity, subject to prescribed procedures.
  • Withdraw the consent you have provided to us at any time by contacting us, in which case , we will not be able to process your data for Ethics Helpline and related activities.

Israel

Your rights

If you are a data subject from Israel, you have the following data protection rights:

  • Request access to your personal data.
  • Request that your personal data is rectified if it is inaccurate or incomplete.
  • Request erasure of your personal data in certain circumstances.
  • Object to the processing of your personal data in certain circumstances.
  • Be informed that your personal data will be, are being, or were collected and processed.

Japan

Your rights

If you are a data subject from Japan, you have the following data protection rights:

  • Request that your personal data is rectified if it is inaccurate or incomplete.
  • Request erasure of your personal data in certain circumstances.
  • Object to the processing of your personal data in certain circumstances.
  • Be informed that your personal data will be, are being, or were collected and processed

Malaysia

Your rights

If you are a data subject from Malaysia, you have the following data protection rights:

  • Request access to your personal data.
  • Request that your personal data is rectified if it is inaccurate or incomplete.
  • Be informed that your personal data will be, are being, or were collected and processed
  • Withdraw any consent you have provided to us at any time by contacting us, subject to any legal or contractual restrictions on withdrawing consent.
  • Right to prevent processing where likely to cause damage or distress.

Mexico

If you are a data subject from Mexico, the Employee Privacy Notice shall be supplemented as follows:

Purposes of processing your personal data and the legal basis for processing

Genpact may process your personal data for the purpose of regulatory compliance, to fulfil obligations of continuous reporting to government agencies such as Tax, Social Security and Workers’ National Housing Fund Institute in connection with rendered specialized services to clients.

Your rights

In accordance with the Mexican Federal Law on the Protection of Personal Data in Possession of Private Parties, you may access, rectify, and cancel your personal data, as well as oppose their disclosure, through the procedures that Genpact has implemented. For a better understanding, the ARCO rights are explained below:

Access:

You have the right to know what personal data we have about you, what we will use it for, as well as the generalities of said treatment.

Rectification:

It is your right to request the correction of your personal information if it is incorrect, out of date or incomplete.

Cancelation:

You have the right to have your information deleted from our records or databases, when you consider that it is not being used in accordance with the principles, duties and obligations provided in the applicable legislation.

Opposition:

You can object or request the cessation of the use of your personal data for specific purposes.

For the exercise of any of the ARCO rights or the revocation of the consent granted to Genpact for such purposes, you must send an email to [email protected], in which we will attend and resolve your request in accordance with the provisions of the Law.

In compliance with the provisions of article 29 of the Mexican Federal Law on the Protection of Personal Data in Possession of Private Parties, the ARCO request that you present must contain and accompany, at least the following:

  • Name, address of the owner, and means to communicate the response to your request;
  • The documents that prove your identity or, where appropriate, the legal representation of the owner;
  • The clear and precise description of the personal data with respect to which one seeks to exercise any of the ARCO rights (reason for the request);
  • In the case of rectification of any of your personal data, you must indicate the modifications to be made and provide the documentation that supports your request;
  • Any other element or document that facilitates the location of personal data, as well as any other document required by law at the time of submitting the request.

In the event that a third party presents said document on their behalf, the legal representation must be accredited, by means of a power of attorney signed before two witnesses or public instrument, attaching identification of the owner of the personal data and the legal representative.

Genpact will notify the owner the determination adopted within a maximum period of 20 (twenty) business days upon the date the request was received, so that, if appropriate, it becomes effective within 15 (fifteen) business days following the date on which the response is communicated.

Genpact may deny the exercise of ARCO rights, in the following cases:

  • When you are not the owner of the personal data or, you have not duly accredited the representation of the owner
  • When your personal data is not in our database(s);
  • When the rights of a third party are infringed;
  • When there is a legal impediment or the resolution of a competent authority that restricts your ARCO rights;
  • When the rectification, cancellation or opposition has been previously made.

The answer could be partially negative, in which case, Genpact will respond to the request in the appropriate part. Likewise, not in all cases, your request may be answered, or the use of your information terminated immediately, since it is possible that due to some legal obligation Genpact may need to continue processing your personal data.

You should consider that, for certain purposes, the revocation of your consent will imply that Genpact can no longer provide the services or maintain the relationship with you.

Philippines

Your rights

If you are a Philippines data subject, you have the following data protection rights:

  • Request access to your personal data.
  • Request that your personal data is rectified if it is inaccurate or incomplete.
  • Request erasure of your personal data in certain circumstances.
  • Request restriction of the processing of your personal data by Genpact in certain circumstances.
  • Object to the processing of your personal data in certain circumstances.
  • The right to data portability.
  • Object to, and not to be subject to a decision based solely on, automated processing (including profiling), which produces legal effects or significantly affects you.
  • Withdraw any consent you have provided to us at any time by contacting us, subject to any legal or contractual restrictions on withdrawing consent.
  • Be informed that your personal data will be, are being, or were collected and processed
  • Compensation if you suffered damages due to inaccurate, incomplete, outdated, false, unlawfully obtained, or unauthorized use of personal data, considering any violation of your rights and freedoms as data subject.

Singapore

Your rights

If you are a data subject from Singapore, you have the following data protection rights:

  • Request access to your personal data.
  • Request that your personal data is rectified if it is inaccurate or incomplete.
  • Withdraw any consent you have provided to us at any time by contacting us, subject to any legal or contractual restrictions on withdrawing consent.
  • Be informed that your personal data will be, are being, or were collected and processed.

South Africa

Your rights

If you are a data subject from South Africa, you have the following data protection rights:

  • Request access to your personal data.
  • Request that your personal data is rectified if it is inaccurate or incomplete.
  • Request erasure of your personal data in certain circumstances.
  • Object to the processing of your personal data in certain circumstances.
  • Object to, and not to be subject to a decision based solely on, automated processing (including profiling), which produces legal effects or significantly affects you.
  • Withdraw any consent you have provided to us at any time by contacting us, subject to any legal or contractual restrictions on withdrawing consent.
  • Be informed that your personal data will be, are being, or were collected and processed.

Thailand

Your rights

If you are a data subject from Thailand, you have the following data protection rights:

  • Be informed about the processing of your personal data.
  • Request access to your personal data.
  • Request that your personal data is rectified if it is inaccurate or incomplete.
  • Request erasure of your personal data in certain circumstances.
  • Restrict the processing of your personal data.
  • Object or opt-out from the processing of your personal data.
  • Right to data portability.
  • Right Not to be Subject to Automated Decision-Making.

United States

For data subjects Who Are California Residents

Sale / Sharing of Personal Information

Genpact does not “sell” “personal information,” nor do we “share” such information for purposes of “cross-context behavioral advertising” (as those terms are defined in section 1798.140 of the CPRA). Unless specified, the terms in this section have meanings given to them in the CPRA.

Genpact also does not sell or share the personal information of children under 16 years of age.

Genpact does not reidentify any deidentified data that it may receive.

If you are a resident of California, you have the following rights, subject to any exemptions or exceptions in applicable law:

  • The right to know what information the business collects, discloses, and, if applicable, sells about you.
  • The right to access what personal information has been collected about you by making a proper Verifiable Consumer Request (“VCR”). Through a VCR, you may request:
    1. The categories of personal information collected about you in the preceding 12 months;
    2. The categories of sources from which personal information is collected;
    3. The business or commercial purpose for collecting personal information;
    4. The categories of third parties with whom Genpact shares personal information; and
    5. A copy of the specific pieces of personal information collected about you.
  • If the business has “sold” or disclosed your personal information for a “business purpose,” you have the right to request an itemized list of the categories of personal information:
    1. Collected about you
    2. Sold about you (this includes categories of third parties to whom information was sold and what categories of personal information for each third party); and
    3. Disclosed about you for a business purpose.
  • The right to opt-out of the sale, if applicable, of your personal information to a third party at any time.
  • The right to request deletion of personal information that has been collected about you, subject to certain exceptions.
  • The right to request that your personal information be transferred to a third party.
  • The right to correct inaccurate personal information, considering the nature of the personal data and the purposes of processing it.
  • The right, if applicable, to opt-out of sharing personal information for cross-context behavioral advertising purposes.
  • The right, if applicable, to restrict sensitive personal information processing.
  • The right to non-discrimination against you for exercising any of the rights listed above.

If you are a California resident, you may exercise your rights with respect to your personal information by submitting a VCR on Genpact’s request portal here. You may also submit a request by calling 1 (888) 914-9661 and entering in the following ID: 112797. We will use reasonable methods to verify your identity when receiving a request by matching the information provided by you with the information that we have in our records. If collecting new information is necessary to verify your identity, it will only be used for identity verification purposes, and it will be deleted as soon as practical after processing the request and to comply with recordkeeping obligations.

You may designate an authorized agent to make a request on your behalf if necessary. To do so, you must provide us with written permission to allow the authorized agent to act on your behalf.

For issues accessing Genpact’s portal, please contact [email protected].

Genpact will respond to a VCR within 45 days. Should we require more time, Genpact will notify you of the extension period and the reason for the extension in writing. To the extent possible, we will provide you with your personal information in a format that you can share with other businesses.

March 2024