EXTERNAL PRIVACY STATEMENT

Effective Date: November 1, 2024

  1. INTRODUCTION.

    Granules India Limited and its global subsidiaries (referred to as “Granules,” “We,” “Our,” “Us,” or “Organisation”) are committed to safeguarding the privacy of personal data entrusted to Us. This Privacy Statement explains how We safeguard your personal information across the information lifecycle (i.e., collect, use, store, process, archive, backup, and dispose) when you visit our websites, interact with our digital platforms, or engage with our services.

  2. WHAT PERSONAL DATA DO WE COLLECT?

    We collect a diverse range of personal data, reflecting the various interactions We have with individuals across our business operations. The types of personal data collected include, but are not limited to:

    Government-Issued Identifiers: This includes sensitive identification numbers such as Permanent Account Numbers (PAN) in India, Aadhaar details, Social Security Numbers (SSN) in the United States, and other similar identifiers required by local regulations. These are essential for compliance with financial, tax, and other regulatory obligations.

    Personal Identifiers: We collect basic personal information such as full names, dates of birth, email addresses, and phone numbers. This data is crucial for managing relationships with our users, as well as for verifying identities in various contexts.

    Digital and Visual Data: Photographs and other visual data may be collected for identification, security, marketing, presentations, use on social media, and other purposes. Additionally, data generated through digital interactions, such as IP addresses, device information, and user activity on our websites, is collected to enhance user experience.

  3. HOW DO WE COLLECT PERSONAL DATA?

    At Granules, We employ a variety of data collection methods tailored to our business needs and regulatory obligations. These methods are designed to capture the necessary personal data while respecting individual privacy and being compliant with applicable regulations. Our data collection methods include the following:

    Websites and Mobile Applications: Personal data is collected when users interact with our websites and mobile applications. This includes data entered into forms (such as registration forms and contact forms) and surveys. We also collect data related to user behaviour on our websites, including pages visited, time spent on each page, and actions taken (e.g., downloads, clicks), using cookies and similar tracking technologies.

    Email and Digital Communication: Personal data is collected through email interactions, digital communication platforms and social media. For instance, when individuals subscribe to our newsletters, request information, or participate in webinars, We collect their email addresses and any other information they choose to share. Additionally, We may collect and analyse data from social media interactions and public profiles to understand engagement, trends, and preferences. These communications and social media interactions may be tracked to analyse engagement and improve our services.

    Paper Forms and Documents: We collect personal data through paper forms and documents in various contexts, such as job applications and customer feedback surveys. These forms are often used in face-to-face interactions at our offices, research facilities, or during events.

    In-Person Interactions: Personal data is often collected during direct interactions with our users, whether in a healthcare setting, at trade shows, during business meetings, or during discussions with doctors and medical representatives. This includes exchanging contact details, discussing personal preferences, or obtaining consent for participation in research activities.

    Partner Organizations: We collaborate with healthcare providers, research institutions, and other partner organizations that collect personal data as part of joint initiatives. These partners are contractually bound to adhere to our data protection standards and to collect data in a manner that is compliant with applicable laws.

    Outsourced Services: Certain services, such as customer support, IT management, and data processing, are outsourced to third-party vendors who collect and handle personal data on our behalf.

  4. WHY DO WE COLLECT PERSONAL DATA?

    The personal data We collect serves several vital functions within our organization, all of which are aligned with our business objectives and legal obligations:

    Research and Development: As a pharmaceutical company, research and development are at the core of our business. We use health-related data, among other personal data, to conduct clinical trials, develop new products, and improve existing ones. This data is often collected from participants with their explicit consent and under strict ethical guidelines to protect their rights and safety.

    Marketing and Communication: Personal data enables Us to engage with our users through targeted marketing efforts. This includes sending promotional materials, newsletters, and updates about our products and services. We make sure that marketing communications are relevant to the recipients and that they have the option to opt out of such communications at any time.

    Compliance and Legal Obligations: We collect certain personal data to comply with legal requirements, such as Know Your Customer (KYC) regulations, anti-money laundering laws, and other industry-specific legal obligations. This allows Us to operate within the legal frameworks of the jurisdictions in which We do business.

  5. HOW DO WE PROTECT PERSONAL DATA?

    We have implemented a security framework designed to protect the confidentiality, integrity, and availability of personal data across all our operations:

    Data Storage Locations: Personal data is stored in both on-premises data centers and cloud environments, depending on the nature of the data and the operational needs. On-premises storage is used for certain data and in regions where local laws require data to be stored within the country. Cloud storage is used for its scalability, accessibility, and resilience, particularly for data that needs to be accessed by multiple offices or teams across different regions.

    Data Protection: All personal data is protected both at rest and in transit using appropriate measures. Protection at rest involves securing data stored in databases, files, and backup systems with encryption and other safeguards to maintain its security even if the storage medium is compromised. Protection in transit includes using encryption, password protection, and secure transmission protocols to safeguard data as it moves across networks, ensuring that it cannot be intercepted or tampered with during transmission. Access to personal data is granted based on the principle of least privilege, meaning that users are granted the minimum level of access necessary to perform their duties. Access logs are maintained and regularly reviewed to detect and respond to unauthorized access attempts.

    Compliance Audits and Assessments: Regular security audits and assessments are conducted to identify risks in our systems and processes. These audits include both technical and process assessments. We also conduct regular reviews of our policies and procedures to keep them up to date with the latest security threats and industry best practices.

  6. HOW LONG DO WE KEEP PERSONAL DATA?

    We retain personal data only for as long as necessary to fulfil the purposes outlined in this statement or as required by local law. Data no longer needed is securely deleted or anonymized.

  7. HOW DO WE SHARE PERSONAL DATA?

    To efficiently manage our global operations and deliver our services, We may need to share personal data with third parties. Our approach to data sharing and third-party processing is guided by strict controls and oversight:

    Data Sharing with Third Parties: We may share personal data with selected third-party service providers who assist Us in various aspects of our operations, such as IT services, cloud hosting, and marketing. Before engaging any third-party provider, We conduct a thorough due diligence process to assess their data protection practices and verify that they meet our stringent requirements. We require all our third parties, including partners and service providers, to adhere to this privacy statement.

    Data Sharing with Group Companies: In some cases, personal data may be shared with affiliated companies within our corporate group to support joint business activities, such as product development, marketing campaigns, or centralized administrative functions. Data shared within the group is subject to the same level of protection as data handled directly by Granules.

    Cross-Border Data Transfers: Given our global operations, personal data may be transferred across borders to jurisdictions where our offices, partners, or service providers are located. We confirm that all cross-border data transfers comply with applicable data protection laws, including the use of appropriate safeguards such as Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs) where required by law. If a confidentiality agreement is in place with a third party, including partners and service providers, its terms will take precedence over the requirements set out in this privacy statement.

  8. USER RIGHTS AND GRIEVANCE MECHANISM.

    Right to Access: Individuals have the right to request access to the personal data We hold about them. This includes the right to obtain a copy of the data, understand how it is being used, and verify its accuracy. Requests for access will be responded to within the timeframe specified by applicable law, ensuring transparency and openness in our data practices.

    Right to Correction: If any personal data We hold is inaccurate or incomplete, individuals have the right to request corrections. We will promptly correct any inaccuracies upon verification of the request.

    Right to Deletion: In certain circumstances, individuals have the right to request the deletion of their personal data. This right applies when the data is no longer necessary for the purposes for which it was collected, the individual withdraws consent, or the data has been unlawfully processed. We will assess each deletion request in accordance with legal requirements and, where applicable, delete the data securely.

    Right to Restrict Processing: Individuals have the right to request the restriction of data processing in certain circumstances, such as when they contest the accuracy of the data or when the processing is unlawful, but the individual opposes deletion. We honour such requests by temporarily limiting the use of the data while We address the issue.

    Right to Data Portability: Under GDPR, individuals have the right to request a copy of their personal data in a structured, commonly used, and machine-readable format. This right applies to data that has been provided to Us by the individual and is processed based on consent or for the performance of a contract. We facilitate the transfer of this data to another service provider if requested by the individual.

    Right to Object: Individuals have the right to object to certain types of data processing, such as processing for direct marketing purposes. We will respect objections unless We can demonstrate compelling legitimate grounds for the processing that override the individual’s interests, rights, and freedoms.

    Grievance Mechanism: We are committed to addressing any concerns or grievances related to our data processing practices. Individuals can raise grievances by contacting our designated grievance officer via Contact Us. We have established a clear process for handling grievances, which includes logging the complaint, conducting a thorough investigation, and providing a response within a reasonable timeframe. If the grievance is not resolved to the individual’s satisfaction, they have the right to escalate the matter to the relevant data protection authority.

  9. USER RESPONSIBILITIES.

    To assist Us in maintaining the accuracy and security of your personal data, please:

    Provide Accurate Information: Verify that the personal data you share with Us is correct and up to date. Contact Us for any changes to your information.

    Manage Preferences: Update your communication preferences and opt out of marketing communications if desired.

    Follow Terms: Adhere to our terms and conditions and comply with applicable data protection laws in your jurisdiction.

    Respond to Requests: Cooperate with Us when We request additional information to process your user rights requests.

    Report Data Breaches: If you observe any data breaches or suspect that your personal data has been compromised, please report it immediately through Contact Us. Your prompt reporting helps Us address and mitigate potential issues effectively.

  10. COOKIES AND WEBSITE USAGE.

    Our websites use cookies and similar technologies to enhance user experience and analyse traffic. We inform visitors about our use of cookies through a clear notice and provide options to manage cookie preferences. Users can opt out of non-essential cookies in accordance with our cookie management policy.

  11. HOW DO WE HANDLE DATA BREACHES?

    In the event of a data breach, Granules is committed to taking immediate and effective action to mitigate the impact and comply with legal obligations:

    Notification to Authorities: If a breach involving personal data occurs, We will promptly notify the relevant supervisory authorities in accordance with the applicable laws. In the case of a breach that poses a high risk to individuals’ rights and freedoms, We will notify the affected individuals without undue delay.

    Containment and Mitigation: We take immediate steps to contain the breach, prevent further data loss, and mitigate the potential impact on individuals. This may involve isolating affected systems, resetting access credentials, or implementing additional security measures.

    Investigation and Analysis: We conduct a thorough investigation to determine the cause of the breach, the extent of the data loss, and the potential impact on individuals. The findings of the investigation inform our response and any corrective actions needed to prevent future breaches.

    Communication and Support: We communicate transparently with affected individuals, providing them with information about the breach, the steps We have taken to mitigate the impact, and any actions they can take to protect themselves. We also offer support to help individuals navigate the situation and minimize any harm.

  12. HOW DO WE PROTECT CHILDREN’S DATA?

    We do not knowingly collect personal data from children without parental consent. If We become aware that We have collected personal data from a child without verification of parental consent, We will take steps to delete the information promptly. Parents and guardians can contact Us to review or request deletion of their child’s data.

  13. UPDATES TO THIS PRIVACY STATEMENT.

    We may update this Privacy Statement from time to time. Any changes will be posted on our website with an updated effective date.

  14. CONTACT US.

    If you have any questions or concerns about this Privacy Statement or how We handle your personal data, please contact Us at grievanceofficer@granulesIndia.com or at +91-40-69043711.