Indus Towers Limited (“ITL” or “the Company”) is committed to ensuring the lawful and transparent processing of personal data in accordance with the Digital Personal Data Protection Act, 2023 (“DPDPA”). This Privacy Notice sets forth the Company’s approach to the collection, use, disclosure, storage, and protection of personal data processed in the course of its business operations.
This Notice applies to personal data collected by the Company from natural persons, including but not limited to landlords, business partners, service providers, employees, and other stakeholders whose personal data is processed in connection with ITL’s functions, services, or regulatory obligations.
Where-ever personal data is collected indirectly through third parties, such parties shall bear the responsibility of ensuring that all requisite notices have been duly provided to the data principals and that any necessary consents have been lawfully obtained prior to the disclosure of such data. ITL disclaims all liability arising from the failure of any third party to obtain valid authorization or consent. This Privacy notice is applicable to any personal data that data principals may provide to third parties via other sites linked to the company’s website.
This Privacy Notice is limited to the scope of personal data processed by ITL in its capacity as a data fiduciary under the DPDPA and does not extend to anonymized data or data that no longer qualifies as personal data under applicable law. Personal data shall be processed strictly for specified, clear, and lawful purposes, and shall be retained only for as long as is necessary to fulfil such purposes or as required under applicable legal or regulatory obligations.
ITL may engage third-party processors or service providers to act on its behalf in processing personal data. Such processing shall be governed by binding contractual arrangements that impose obligations equivalent to those setforth under this Privacy Notice and the DPDPA.
Requests, complaints, or inquiries concerning the Company’s data processing practices may be directed to the designated Data Protection Officer (DPO) via the communication channels specified herein.
.
Indus Towers Limited (“ITL”) may collect or receive personal data from a range of identifiable natural persons in accordance with the nature of its operational and contractual relationships. The categories of data principals include, but are not limited to, the following:
1. Landlords and prospective landlords.
2. Visitors to ITL premises.
3. Employment candidates and job applicants.
4. Existing and prospective business partners, including vendors and service providers.
5. Employees, associates, and contractors.
Personal data may be processed pursuant to contractual obligations, including the provision of products and services, handling of requests (such as inquiries or complaints), marketing of ITL’s services, business communications, and execution of business activities with partners.
The purpose of collection and use of personal data is directly related to the nature of the data principal’s relationship with ITL and may include, inter alia, the following:
A) For Partners and Third Parties (including prospective parties):
–To evaluate the suitability of partnerships and undertake due diligence assessments.
–To manage communications, task allocation, and operational coordination for service delivery.
–To administer contractual arrangements, including the negotiation, execution, and management of agreements.
–To support onboarding processes and facilitate interactions with relevant personnel.
–To ensure compliance with statutory, regulatory, taxation, and audit-related obligations.
–To enable processing of payments and financial reconciliation linked to contractual engagements.
B) Visitors to any of our premises or events:
–To enable secure access to ITL premises, systems, and facilities in accordance with applicable security protocols.
–To maintain entry and exit logs for security, audit, and incident response purposes.
–To comply with visitor management policies, including identity verification and issuance of access credentials.
–To ensure compliance with applicable health, safety, and regulatory requirements at ITL premises.
–To monitor and secure ITL’s infrastructure using CCTV and related surveillance systems, in accordance with applicable laws.
C) Candidates (including prospective):
–To assess eligibility, suitability, and qualifications for current or future employment opportunities within ITL.
–To verify educational background, professional credentials, references, and prior employment history.
–To communicate regarding recruitment status, scheduling of interviews, and assessment procedures.
–To maintain candidate records in accordance with ITL’s talent acquisition and retention policies.
–To comply with applicable labor laws, equal opportunity, and data protection laws and regulatory obligations.
D) Landlords (including prospective):
–To identify and assess potential sites suitable for tower installation, expansion, or infrastructure deployment.
–To initiate, negotiate, and formalize lease, license, or rental agreements in accordance with applicable property laws.
–To facilitate legal verification and validation of land ownership and related documentation.
–To comply with local authority requirements and to fulfil statutory formalities pertaining to site registration and use.
–To process timely disbursement of rental payments, dues, or applicable tax deductions under relevant contractual arrangements.
–To support ongoing communication related to site maintenance, safety compliance, or infrastructure management.
–To respond to and resolve disputes, complaints, or legal claims associated with site operations or contractual terms.
E) General Purposes
–Ensuring the security of ITL’s systems and infrastructure by preventing unauthorized access, breaches, or fraud.
–Supporting the pursuit or defense of legal claims, regulatory compliance, and fulfillment of audit obligations.
–Administering data principal rights and privacy preferences in accordance with applicable data protection laws.
–Conducting audits, risk assessments, and reviews of compliance with corporate policies and applicable law.
ITL may collect personal data through both direct and indirect means, as may be appropriate to the nature of interaction. The collection mechanisms may include the following (but not limited to):
–When individuals engage with ITL’s websites, applications, or online interfaces, including through form submissions, email communications, or interaction with official ITL social media accounts.
–When acquisition or deployment teams initiate contact in connection with tower deployment activities.
–When individuals participate in surveys conducted by or on behalf of ITL.
–When individuals voluntarily subscribe to receive communications, promotional content, or newsletters issued by ITL or its authorized partners.
–When personal data is submitted while making a service request, raising a query, or submitting feedback through official contact channels (e.g., telephone or email).
–When ITL receives personal data in the context of existing or prospective business relationships and contractual arrangements.
As part of its digital operations, Indus Towers Limited (“ITL”) automatically collects certain categories of personal data from individuals who access or interact with its websites, applications, or digital interfaces (“the Platforms”). This data collection is undertaken to enhance platform functionality, optimize user experience, and ensure compliance with security protocols.
The categories of data collected through automated means may include:
1. Web Analytics and Diagnostic Data:
ITL and its authorized affiliates may utilize analytical tools and performance-enhancing technologies to collect information such as IP addresses, browser configurations, operating system specifications, device identifiers, browsing history, language preferences, and other system-level diagnostics. This data is aggregated to assess usage trends, monitor engagement metrics, evaluate the effectiveness of content, and maintain digital security and stability.
2. Cookies and Related Technologies:
ITL’s Platforms may deploy cookies and similar tracking technologies in accordance with browser settings. Cookies are small text files stored on a user’s device to support navigation, retain preferences, and deliver tailored functionality. These may include session cookies (which expire upon termination of the session) and persistent cookies (which remain until manually deleted or expired).
Functional and analytical cookies may also be employed to personalize content delivery and measure the effectiveness of digital services. Detailed cookie preferences can be managed through browser settings, and additional information regarding ITL’s cookie practices is provided in the relevant Cookie Notice.
3. Third-Party Cookie Integration:
ITL may permit the use of cookies placed by approved third-party service providers, such as those used for web analytics, behavioral insights, or marketing optimization. These third-party cookies are governed by their respective privacy notices, and ITL shall ensure that such integrations are subject to appropriate contractual safeguards and are consistent with applicable data protection requirements.
Individuals accessing ITL’s digital Platforms are deemed to have acknowledged the use of such technologies in accordance with applicable consent mechanisms and as prescribed under prevailing data protection laws.
Personal data may be shared internally within Indus Towers Limited (“ITL”) where such sharing is necessary for the continuity of business operations, provision of services, or to meet compliance requirements.
To facilitate the delivery of services and to enhance operational efficiency, ITL may engage external service providers, vendors, and business associates who may be required to process personal data on behalf of ITL. Any such engagement shall be subject to formal contractual arrangements mandating that the third party implements appropriate technical and organizational security measures to ensure confidentiality, integrity, and availability of the data and to prevent unauthorized access, alteration, disclosure, or destruction.
ITL ensures that such third parties process personal data strictly for the purposes specified in the contract and in accordance with applicable data protection laws. No personal data shall be sold or disclosed to third parties for marketing or unrelated commercial purposes
ITL is committed to maintaining the security of personal data and ensures that it is stored and processed in secure environments, whether on ITL’s own infrastructure or within third-party facilities under ITL’s contractual agreement. Depending on the nature of the data, storage may occur within encrypted systems, databases, document repositories, email archives, external hard drives, or cloud-based environments, subject to relevant technical controls.
Robust physical, administrative, and technical safeguards will be implemented to prevent unauthorized or unlawful processing, accidental loss, destruction, or alteration of personal data. These measures include (but are not limited to):
Indus Towers Limited (“ITL”) shall retain personal data only for the duration necessary to fulfil the specific purposes for which such data was originally collected, or as required to comply with applicable legal, regulatory, or contractual obligations.
The applicable retention period may vary depending on statutory requirements or legitimate business needs. In certain cases, ITL may be legally obligated to retain personal data for extended periods, particularly where necessary to establish, exercise, or defend legal claims, or to comply with audit, tax, or other regulatory mandates.
Upon expiry of the retention period, or once the data is no longer required for the stated purposes, ITL shall take appropriate steps to securely delete, anonymize, or destroy the data. This obligation also extends to data processed by third-party processors acting on behalf of ITL, ensuring such data is not retained beyond the authorized duration.
In accordance with the Digital Personal Data Protection Act, 2023, individuals whose personal data is collected and processed by ITL (“data principals”) are entitled to exercise specific rights with respect to their personal data. These rights are subject to applicable exemptions and procedural validations as prescribed under the law.
1. Right to Access Information
Data principals have the right to request access to personal data processed by ITL, including:
A summary of the categories of personal data undergoing processing, along with a description of the nature and purpose of such processing activities.
A list of other data fiduciaries or data processors with whom the personal data has been shared, along with the nature of such disclosures.
Relevant information pertaining to the lawful basis, retention schedule, and mechanisms safeguarding the data in accordance with applicable regulations.
2. Right to Correction and Erasure
Data principals have the right to request correction or deletion of their personal data in the following scenarios:
Rectification of inaccurate, misleading, or outdated personal data.
Completion of incomplete or partially recorded personal data entries.
Erasure or removal of personal data that is no longer necessary for the purpose for which it was collected, or where continued processing is unlawful under applicable regulations.
3. Right to withdraw consent
Data principals shall have the right to withdraw their consent at any time with respect to any processing activity previously authorized. Upon such withdrawal, ITL shall cease the processing of the relevant personal data, unless such processing is required to comply with legal or contractual obligations. Withdrawal of consent shall not affect the lawfulness of processing undertaken prior to such withdrawal.
4. Right of grievance redressal
Data principals shall have access to designated grievance redressal mechanisms established by ITL for the resolution of complaints arising from any act or omission relating to personal data processing or the exercise of data rights under this Policy. Grievances must be submitted in good faith, supported by relevant facts and documentation, and must not be frivolous or malicious in nature.
ITL shall acknowledge the grievance within the timelines prescribed under applicable laws and shall make reasonable efforts to address and resolve such grievances in a prompt and effective manner. In the event that a grievance remains unresolved to the satisfaction of the data principal, the individual may escalate the matter to the appropriate regulatory authority.
5. Right to nominate
A data principal shall have the right to nominate an alternate individual to exercise data protection rights on their behalf in the event of incapacitation or death. Such nomination shall be made in the manner prescribed by law and shall be recorded by ITL subject to verification of the nominee’s identity and authority.
To exercise the rights outlined under this Privacy Notice, including access, correction, erasure, consent withdrawal, nomination, and grievance redressal, data principals may submit a formal request using the Data Principal Rights Request Form available on ITL’s official website. The form shall require the individual to provide accurate identification details, specify the right being exercised, and include any supporting documents as necessary to enable verification and processing.
ITL shall acknowledge receipt of such requests within the prescribed legal timeframe and shall make reasonable efforts to respond substantively in accordance with applicable regulatory requirements. All responses shall include a summary of the actions taken or the reasons for any delay or rejection, as permitted under law.
For any questions related to the exercise of rights under this Privacy Notice, or for concerns regarding the manner in which personal data is handled by ITL, data principals may contact the Company’s designated Data Protection Officer (DPO) at: compliance.officer@industowers.com
In the event that a data principal believes their request has not been addressed satisfactorily, they may escalate the matter to the appropriate Data Protection Board or regulatory authority in accordance with the provisions of the DPDPA.
ITL reserves the right to modify, update, or amend this Privacy Notice at its discretion, in order to reflect changes in applicable law, regulatory guidance, or operational practices. Any material changes shall be duly notified, and the revised version shall be published on ITL’s official website.
The most recent and publicly available version of this Privacy Notice shall be deemed authoritative and shall supersede all prior versions. Data principals are encouraged to review this Notice periodically to remain informed of any updates affecting the handling of their personal data.
Indus Towers Limited (“ITL”) is committed to protecting personal data by following industry best practices and applying reasonable security measures. However, due to the nature of the Internet and digital systems, it is important to understand that no system can be completely secure.
While ITL takes all necessary steps to keep your personal data safe, it cannot guarantee protection against every possible risk, such as cyberattacks or incidents beyond our control. ITL shall not be held responsible for any unauthorized access that occurs due to reasons outside its control, including any negligence on the part of the individual sharing the data.
ITL appreciates your cooperation in keeping information secure and acting responsibly when handling personal data.
Any queries or requests relating to the contents of this Privacy Notice or the processing of personal data may be addressed at: compliance.officer@industowers.com
