AIEGS INDIA PRIVATE LIMITED
Effective Date: 5 July 2025
Review Cycle: Every six (6) months, last review: 5 Jan 2026
1. OBJECTIVE
To govern the generation, collection, classification, retention, usage, protection, disclosure, and disposal of metadata across all digital platforms and systems of AIEGS India Pvt Ltd (“Company”), in compliance with applicable laws and regulations of India.
2. APPLICABILITY
This Policy applies to all employees, contractors, affiliates, and third-party service providers engaged in processing metadata through Company’s digital assets, including but not limited to: website, mobile/desktop applications, internal systems, and cloud services.
3. LEGAL FRAMEWORK
This Policy implements obligations under:
| Statute / Rule | Applicable Provisions |
| --- | --- |
| Digital Personal Data Protection Act, 2023 (DPDP Act) | §§4–6 (Consent, Purpose Limitation); §7 (Grounds of Processing); §§8–10 (Duties, Security, Children’s Data); §18 (Data Protection Board); §32 (Consent Manager); §§53–54 (Breach Notification); Schedule I (Fines up to ₹250 Cr) (en.wikipedia.org) |
| Information Technology Act, 2000 and SPDI Rules, 2011 | Clauses on “reasonable security practices” and “sensitive personal data” |
| CERT-In Directions 2022 under Section 70B, IT Act 2000 | Mandatory log retention; incident reporting |
| Intermediary Guidelines & Digital Media Ethics Code Rules, 2021 | Appointment of Grievance Officer; record-keeping obligations |
4. DEFINITIONS
Metadata – any data providing descriptive, structural or administrative information about digital assets (e.g., timestamps, version history, IP addresses, access logs).
Data Principal/Fiduciary/Processor – as defined under the DPDP Act.
Significant Data Fiduciary – fiduciaries required to appoint a DPO and conduct DPIAs per DPDP Act §§9–10.
5. PRINCIPLES
- Lawfulness, Fairness & Transparency: Process metadata in accordance with DPDP Act §§4–7, ensuring informed consent for personal metadata.
- Purpose Limitation: Metadata used only for specified, documented purposes.
- Data Minimisation & Accuracy: Restrict metadata collection to necessity and maintain it accurately.
- Storage Limitation & Retention: Retain metadata no longer than required (max 3 years, unless longer retention is mandated) (reddit.com, taxmann.com).
- Security: Apply encryption, access controls, audit trails—comply with SPDI Act & CERT-In guidelines (reddit.com).
- Accountability & Oversight: Maintain documentation of policies, registers, audits, DPIAs, breaches, and approvals.
6. ROLES & RESPONSIBILITIES
- Metadata Governance Lead: Overall compliance responsibility.
- Data Protection Officer (if applicable): Required for Significant Data Fiduciaries under DPDP Act.
- Grievance Officer: Per Intermediary Guidelines, acts on user complaints within stipulated timelines.
- IT & Security Team: Technical implementation and audit adherence.
- Business Heads: Assign metadata owners with classification and retention duties.
7. METADATA PRACTICES
- Maintain records of creation date, last modified, created/modifying user, classification, and retention schedule for each asset.
- Classify metadata as: Public / Internal / Confidential / Personal.
- Conduct DPIAs: annually or upon significant system/process changes involving personal metadata.
- Processors must contractually commit to metadata policies, security standards, and auditing rights.
8. INCIDENTS & BREACHES
- Within 72 hours, report metadata breaches to Data Protection Board and Data Principals, per DPDP §§8(6), 53–54 (lawrbit.com).
- Record incident details, remediation steps, and audits in incident tracker.
- Follow CERT-In obligations: log centralization, forensic readiness, and reporting under IT Act §70B (spiceroutelegal.com).
9. ENFORCEMENT
- Audit: Quarterly internal and annual external audits to ensure compliance.
- Training: Mandatory metadata compliance and certification for all relevant personnel.
- Non-compliance: Reviewed by Governance Lead; may result in disciplinary and legal action.
- Fines: Penalties for violations range from ₹10,000 to ₹250 Crores as per the DPDP schedule (reddit.com, lawrbit.com).
10. GRIEVANCE & REDRESSAL
Individuals may file metadata-related grievances via the Grievance Officer.
Escalation to the Data Protection Board is available if unresolved, per DPDP Act §18 and Chapter V.
11. AMENDMENTS & REVIEW
Updated within six (6) months of any legislative change or significant business update.
Record all amendments with dates and approvers.