Effective Date: May 28, 2025
Last Updated: May 28, 2025
Introduction
Akums Drugs & Pharmaceuticals Ltd. ("Akums," "we," "our," or "us") is committed to respecting and safeguarding your privacy. This Privacy Policy ("Policy") outlines the principles and practices governing the collection, processing, use, disclosure, storage, transfer, and protection of personal data in the course of our operations. We recognize the sensitivity of the data entrusted to us, especially in a sector dealing with health, wellness, and human safety, and are fully committed to transparency, accountability, and data protection by design.
Akums complies with applicable data protection legislation, including:
- The Digital Personal Data Protection Act, 2023 (India) ("DPDPA")
- The General Data Protection Regulation (EU Regulation 2016/679) ("GDPR")
- The California Consumer Privacy Act ("CCPA") and the California Privacy Rights Act ("CPRA")
- Sector-specific regulations such as Schedule M of the Drugs and Cosmetics Rules, 1945 (framed under the Drugs and Cosmetics Act, 1940), GxP guidelines, and global pharmacovigilance protocols
This Policy governs all data collected through offline and online modes and is applicable to all data subjects, regardless of geographic location, unless superseded by local law.
1. Scope and Applicability
This Policy applies to:
- Data Subjects: Employees, job applicants, contractors, patients (in clinical trials or pharmacovigilance), vendors, healthcare professionals, partners, shareholders, clients, and users of our platforms.
- Touchpoints: Corporate websites, mobile applications, clinical trial portals, HRMS tools, email communications, employment records, CCTV, factory IoT systems, and third-party integrations.
- Jurisdictions: India, European Union, United States, and any other region where Akums operates or engages third parties for processing.
2. Categories of Personal Data We Collect
Akums may collect the following categories of personal data:
A. Identification & Contact Information
- Full name, date of birth, gender, nationality
- Personal and official phone numbers and email addresses
- Residential and mailing addresses
- Government-issued IDs (PAN, Aadhaar, Passport, Voter ID)
- Emergency contact details
B. Employment & HR Data
- Education and professional qualifications
- Past employment records, references
- Salary, benefits, and compensation data
- Biometric data (e.g., fingerprints, facial recognition templates)
- Health and wellness records for occupational safety
C. Sensitive Personal Data
- Medical reports, allergies, vaccination records
- Genetic or biometric identifiers
- Disability and accommodation needs
- Union membership (if applicable)
D. Clinical & Pharmacovigilance Data
- Adverse event reports
- Participant data in clinical studies (de-identified)
- Health outcome assessments
- Trial-related biological samples (subject to consent)
E. Technical and Device Data
- IP address, MAC address, browser type, session logs
- Cookies, device location (with consent), operating system
- Login credentials, file access logs, application usage
F. Financial & Transactional Data
- Bank account details (for salary or reimbursements)
- UAN, EPFO, insurance information
- Invoices, payment records, vendor contracts
G. Marketing & Communication Data
- Subscription preferences
- Open/click data from newsletters or marketing emails
- Event registrations and feedback
H. Vendor & Business Partner Data
- Company name, GSTIN, registration certificates
- Contact person details, supplier ratings, due diligence records
- NDA copies, audit responses
I. Consent Records
- Timestamped consents for employment, clinical studies, health programs, marketing, and third-party disclosures
3. How We Collect Personal Data
We collect personal data through the following methods:
A. Direct Collection
- During onboarding (employment, vendor contracts)
- Medical or clinical documentation
- Website forms, surveys, complaint portals
- Feedback and contact forms
B. Automated Means
- CCTV systems within premises
- IoT devices within laboratories and manufacturing units
- Access control and attendance management systems
- Website cookies, analytics tools, CRM dashboards
C. Third Parties
- Health insurance providers and TPAs
- Background verification and recruitment agencies
- Academic or research institutions
- Regulatory filings and government portals
All third-party transfers are subject to lawful bases and documented via contractual safeguards, including Data Processing Agreements (DPAs).
4. Purposes for Processing
Your personal data may be processed for:
A. Employment Lifecycle Management
- Recruitment, interviews, selection
- Payroll, benefits, leave management
- Grievance redressal, disciplinary actions
- Exit processing and statutory documentation
B. Compliance and Legal Obligations
- Drug regulatory filings (CDSCO, EMA, USFDA, etc.)
- Taxation (Income Tax Act, GST filings)
- Health, Safety & Environment (HSE) compliance
- Litigation, dispute management, whistleblower protection
C. Manufacturing and Operational Oversight
- Quality control and assurance (batch-wise audit trails)
- Vendor assessments, logistics planning
- License and permit applications
D. Clinical Research and R&D
- Ethics Committee approvals
- Trial subject coordination
- Data archiving and results publication
E. Information Security and Asset Protection
- Access restriction, surveillance, intrusion detection
- Data Loss Prevention (DLP) mechanisms
F. Marketing and Stakeholder Communication
- Regulatory disclosures, press releases
- Investor communications, newsletters
- Event participation records (e.g., CPhI, BIO Asia)
5. Legal Bases for Processing
- Consent: Where required by law, or where participation is voluntary
- Contractual Necessity: For employment and service delivery
- Legal Obligation: Statutory filings and audits
- Legitimate Interest: Enhancing security, improving performance, direct communication (unless overridden by the interests or rights of the data subject)
- Vital Interest: Emergencies (e.g., medical evacuations)
6. Data Sharing and Disclosures
- Intra-group entities for global HR and operations
- Service providers (e.g., cloud, payroll, background verification)
- Clinical research organizations (CROs) and ethics boards
- Public authorities upon legal demand
- Auditors and legal counsel
We ensure third parties are bound by written contracts, maintain confidentiality, and adopt appropriate technical and organizational measures (TOMs).
7. Cross-Border Data Transfers
Personal data is transferred outside the jurisdiction in which it was collected only where:
- Standard Contractual Clauses (SCCs) or equivalent safeguards are in place
- The transfer is necessary for contractual or compliance purposes
- The data is pseudonymized or anonymized where possible
- Consent is obtained (where required)
We monitor the data transfer landscape and comply with emerging rules under DPDPA and global adequacy decisions.
8. Data Security Measures
- ISO 27001-certified data centres
- Physical access restrictions at manufacturing facilities
- Role-based access control (RBAC)
- Two-factor authentication and encrypted data backups
- Logging and incident response systems
- Biannual penetration testing and red-teaming
9. Data Retention and Deletion
- Employment records: 7 years post separation
- Financial and tax data: 8 years (or longer for audits)
- Clinical trial data: 15–25 years per ICH-GCP
- CCTV: 90 days (unless required longer for investigation)
Upon expiry, data is securely wiped, anonymized, or archived per internal SOPs.
10. Rights of Data Subjects
Depending on the law that applies to you (DPDPA, GDPR, or CCPA/CPRA), you have the right to:
- Access and review your personal data
- Correct inaccurate or incomplete data
- Request deletion or restrict processing
- Object to processing (where applicable)
- Data portability (where feasible)
- Withdraw consent (for non-essential processing)
- Lodge complaints with a supervisory authority (e.g., the Data Protection Board of India or an EU Data Protection Authority)
Requests may be sent to the DPO at privacy@akums.in. We may verify your identity before processing such requests.
11. Children’s Data
We do not knowingly collect personal data from individuals under 18 without appropriate parental/guardian consent. Child participants in research or apprenticeships are managed in line with COPPA, the DPDPA Rules, and GCP guidelines.
12. Policy Updates
This Policy may be revised:
- To comply with legislative updates
- In response to regulatory guidance
- Based on internal audit outcomes or technology upgrades
Updates will be posted on our website and, where material, communicated through official circulars or consent renewal prompts.
13. Data Minimization and Purpose Limitation
We only collect data that is relevant and necessary for the purposes outlined in this Policy. Any personal data collected is retained only as long as required and is not repurposed for unrelated secondary activities unless we obtain explicit consent or are permitted by law. We routinely review our data collection forms, internal databases, and logs to ensure compliance with the principles of data minimization and purpose limitation.
14. Record of Processing Activities (ROPA)
As part of our accountability framework, Akums maintains a comprehensive Record of Processing Activities (ROPA) in accordance with Article 30 of the GDPR and relevant Indian compliance standards. This document:
- Lists processing purposes
- Identifies categories of data and data subjects
- Maps data transfers (domestic and international)
- Outlines retention periods and security measures
ROPA is reviewed annually and updated following major organizational or legal changes.
15. Data Protection Impact Assessments (DPIAs)
For high-risk processing operations—especially involving sensitive personal data, AI-driven analytics, or cross-border transfers—we conduct Data Protection Impact Assessments (DPIAs). These are overseen by the DPO and involve:
- Identifying risks to rights and freedoms
- Evaluating the necessity and proportionality of processing
- Proposing safeguards, including encryption, anonymization, or pseudonymization
- Consulting with relevant supervisory authorities where required
16. Anonymization and Pseudonymization
Where feasible, Akums implements de-identification techniques such as anonymization and pseudonymization to protect personal data, particularly in research, clinical trials, or analytics. Pseudonymization ensures that individuals cannot be identified without the use of additional information (for example, a key or re-identification table), which is stored separately under secure conditions; pseudonymized data therefore remains personal data. Anonymization goes further: the data is processed so that individuals can no longer be identified by any reasonably likely means.
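As an added illustration of the separation described above (example code written for this page, not Akums' own implementation), the following Python block performs keyed pseudonymization of a constructed clinical record. The record, the subject identifier field, and the HMAC-SHA256 scheme are assumptions. It demonstrates two points a practitioner would check: an unkeyed hash of a low-entropy field such as a date of birth is reversible by simple enumeration, so it is not pseudonymization; and with a keyed token, the key and the token-to-identifier mapping are the "additional information" that must be held apart from the research dataset.

```python
"""Keyed pseudonymization of a constructed clinical record.

Added example for illustration; not Akums' own code. The record layout,
identifier field, key handling and sample values are assumptions.
"""
import hashlib
import hmac
import secrets
from datetime import date, timedelta
from typing import Dict, Optional, Tuple

# Constructed sample record; no real person.
SAMPLE_RECORD = {"subject_id": "SUBJ-0042", "dob": "1987-04-12", "outcome": "responder"}


def unkeyed_pseudonym(value: str) -> str:
    """Plain SHA-256: looks de-identified, but low-entropy inputs are reversible."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def keyed_pseudonym(value: str, key: bytes) -> str:
    """HMAC-SHA256 with a secret key held outside the research dataset.

    The same (key, value) always yields the same token, so records for one
    subject stay linkable for analysis; without the key nobody can recompute
    or enumerate the tokens.
    """
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymize_record(record: Dict[str, str], key: bytes) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Split a record into a research copy and a re-identification entry.

    The research copy carries only the token and the study field (the date of
    birth is dropped as a direct identifier). The mapping token -> subject_id
    is the 'additional information' that must be stored separately.
    """
    token = keyed_pseudonym(record["subject_id"], key)
    research_copy = {"subject_token": token, "outcome": record["outcome"]}
    link_entry = {token: record["subject_id"]}
    return research_copy, link_entry


def reverse_dob_hash(digest: str, start: date = date(1920, 1, 1),
                     end: date = date(2010, 12, 31)) -> Optional[str]:
    """Attacker's view: recover a date of birth from an unkeyed SHA-256 digest.

    Plausible dates of birth span only about 33,000 values, so enumeration is
    instant. Against a keyed token the same search finds nothing.
    """
    current = start
    while current <= end:
        candidate = current.isoformat()
        if hashlib.sha256(candidate.encode("utf-8")).hexdigest() == digest:
            return candidate
        current += timedelta(days=1)
    return None


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # in practice: from a KMS/HSM, never beside the data
    research, link = pseudonymize_record(SAMPLE_RECORD, key)
    print("research copy:", research)
    print("link table (kept separately):", link)
    weak = unkeyed_pseudonym(SAMPLE_RECORD["dob"])
    print("unkeyed DOB hash reversed to:", reverse_dob_hash(weak))
    strong = keyed_pseudonym(SAMPLE_RECORD["dob"], key)
    print("keyed DOB token reversed to:", reverse_dob_hash(strong))
```

Running the block shows the unkeyed date-of-birth hash recovered within a fraction of a second while the keyed token yields nothing; rotating or destroying the key, or deleting the link table, is what turns the research copy from pseudonymized into effectively anonymized data.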
17. Employee Confidentiality and Training
All employees handling personal data sign confidentiality agreements at the time of joining. Akums also ensures:
- Annual data protection and cybersecurity training
- Role-specific workshops for HR, Legal, R&D, and IT teams
- Simulated breach drills and incident response exercises
- Real-time awareness through newsletters and policy updates
18. Vendor Due Diligence and Onboarding
Before engaging any third-party vendor or processor, Akums conducts robust due diligence that includes:
- Security and compliance certifications (e.g., ISO 27001) and, where relevant, evidence of HIPAA compliance (HIPAA has no formal certification scheme)
- Data protection policy audits
- Review of processing purposes, access controls, and sub-processing chains
Only vendors with adequate safeguards are onboarded, and they are contractually bound via Data Processing Agreements (DPAs).
19. Sub-Processor Disclosures
Where vendors engage sub-processors, Akums ensures:
- Transparency through a maintained sub-processor registry
- Flow-down obligations matching those in the principal agreement
- Right to audit or object to certain sub-processors
- Incident notification timelines and breach cooperation clauses
20. Incident and Breach Response Framework
Akums has a documented Incident Response Plan that ensures:
- Prompt detection and containment of breaches
- Notification to the competent supervisory authority (within 72 hours of becoming aware, where GDPR applies) and to affected individuals without undue delay, where required
- Cooperation with regulators and law enforcement
- Root cause analysis and corrective action implementation
- Maintenance of an incident register reviewed by the DPO quarterly
21. Cookies and Tracking Technologies
Akums websites use cookies for:
- Session management
- Traffic analytics (e.g., Google Analytics)
- Preference storage
Visitors are notified via a Cookie Banner and may manage preferences through a Cookie Consent Manager. Usage of non-essential cookies is contingent on opt-in consent under applicable laws.
22. Privacy by Design and Default
All new projects, technologies, or processes involving personal data are subject to privacy risk reviews. Akums integrates data protection features (e.g., minimization, access control, encryption) by design and enforces default settings that limit data exposure to what is strictly necessary.
23. Internal Audit and Compliance Monitoring
The Compliance Office conducts periodic privacy audits covering:
- Policy adherence
- Departmental compliance
- Third-party agreements
- Incident handling procedures
Non-compliance is documented, and corrective actions are tracked with deadlines.
24. Data Localization Requirements
For certain classes of sensitive data (e.g., clinical trial participant records, medical data), Akums adheres to local data localization mandates, including:
- Hosting on servers within India or other approved jurisdictions
- Avoiding cross-border transfers unless mandated by international regulatory obligations or approved under SCCs
- Flagging and classifying datasets that fall under localization obligations
25. Dispute Resolution and Grievance Redressal
Data subjects may raise privacy-related grievances by:
- Emailing the DPO
- Writing to our Grievance Officer (nominated under DPDPA)
Complaints will be acknowledged within 48 hours and resolved within 15 working days. Appeals can be escalated to the Data Protection Board of India or other competent supervisory authority.
26. Special Provisions for Health and Research Data
Health data collected under wellness programs or clinical trials is:
- Stored separately from general employment records
- Accessed only by authorized medical or research personnel
- Subject to audit logs and purpose-specific access controls
Clinical trial subjects receive detailed participant information sheets and consent forms, in compliance with GCP guidelines and local ethics approvals.
27. Whistleblower Confidentiality
Akums maintains a Whistleblower Policy under which employees and stakeholders may report unethical conduct, including data misuse, anonymously. All such disclosures are:
- Logged by the Ethics Committee
- Investigated discreetly
- Protected under our Non-Retaliation Policy
28. Enforcement and Disciplinary Action
Any violation of this Privacy Policy by an employee, contractor, or partner may result in:
- Verbal or written warnings
- Suspension of access rights
- Termination of employment or contract
- Legal proceedings under applicable civil/criminal laws
29. Interpretation and Governing Law
This Policy shall be interpreted in accordance with the laws of India. In the event of a conflict with foreign laws, the stricter standard will apply. Any disputes shall be subject to the exclusive jurisdiction of the courts at Delhi, India, unless otherwise required under mandatory applicable law.
30. Contact Us
Data Protection Officer (DPO): Akums Drugs & Pharmaceuticals Ltd.
Email: dpo@akums.net