Privacy policy

1. Objective

Privacy is a fundamental right under the Constitution of India, and we at CRIF High Mark Credit Information Services Private Limited (subsequently referred to as CRIF HM) are committed to protecting personal information. This policy is in accordance with the principles of the Credit Information Companies (Regulation) Act (“CICRA Act”), the Information Technology Act, 2000 and the various rules and regulations issued thereunder, and aims to comply with the proposed Digital Personal Data Protection Bill (“DPDPB, 2022”) that has been tabled in the Indian Parliament.

2. Purpose

At CRIF HM we are mindful to collect individuals’ personal information in a transparent and lawful manner, limited to the scope of the processing activity and within the bounds of applicable laws. In our everyday credit bureau business and operations, CRIF HM makes use of a variety of data about identifiable individuals (‘natural persons’), including data about:

  • Current and past members submitting the credit data and their users accessing the credit data
  • Borrower and guarantor data shared by the members
  • Prospective borrower / guarantor data being queried by the members
  • Current and past external visitors (e.g., auditors)
  • Current, past and prospective employees & consultants of CRIF HM
  • Users of its websites
  • Other relevant stakeholders

This policy shall form the base for other policies developed to ensure effective protection of various forms of personal data collected and handled by CRIF HM in its everyday operations.

3. Scope

This policy applies to all CRIF HM employees, contractors, vendors, interns, associates, customers, and business partners who receive personal information from CRIF HM, who have access to personal information collected or processed by CRIF HM, or who provide information to CRIF HM, regardless of their geographic location.

All employees of CRIF HM are expected to support the privacy policy and associated privacy principles when they collect and / or handle personal information or are involved in the process of maintaining or disposing of personal information. This policy shall apply to all systems, people and processes that constitute CRIF HM’s information systems, and to all who have access to CRIF HM’s systems.

All partner firms and any third party working with or for CRIF HM who have or may have access to personal information will be expected to read, understand, and comply with this policy within the scope of relevant applicable laws. No third party may access personal information held by CRIF HM without having first entered into a confidentiality agreement.

4. Responsibility

Role | Functional Responsibility
Data Protection Officer | Owner of this policy will be the Data Protection Officer (DPO) of CRIF HM
Chief Information Security Officer and Infosec Team | Responsible for maintaining reasonable security practices and safeguards in line with ISO 27001:2013

The Data Privacy Office (DPO Office) shall be responsible for implementation, maintenance, and accuracy of this policy. Any queries regarding the implementation of this Policy shall be directed to the Data Protection Officer. The Board of Directors shall designate a senior official as Data Protection Officer of the Company.

5. Deviation

The CEO and Whole-Time Director/Managing Director may approve deviation from the parameters listed in this policy document.

6. General Policy

This Policy describes privacy principles for the protection and appropriate use of personal information at CRIF HM. These principles shall govern the use, collection, retention, disposal and transfer of personal information, except as specifically provided by this Policy or as required by applicable laws. These principles shall be revisited for the applicability at CRIF HM during the course of implementation of the data protection project and the applicable policies will be tested for compliance once the implementation is completed.

  • Data Security: Personal data shall be secured with suitable technical and organizational measures to prevent unauthorized access, illegal distribution, accidental loss, modification, or destruction, in collaboration with the Information Security Team (Infosec), the Information Technology Infrastructure team (IT Infra), and the Human Resource team (HR), with guidance from the DPO Office and the legal team. CRIF HM shall build processes and procedures to deal with any suspected personal data breach and shall notify the impacted data principal and any applicable regulator(s) of a breach wherever legally required to do so, in line with CRIF HM’s ISMS Incident Management Procedure. Additionally, CRIF HM shall arrange for all its employees to sign a suitable declaration of fidelity and secrecy as part of the data security and secrecy principle.
  • Use of personal data: CRIF HM shall implement measures to ensure adequate transparency for collection, storage, transfer, and use of personal data in line with the purpose of processing for which consent was collected from the data principals directly. If personal information is to be used for purposes not identified in the privacy notice / contractual agreements at the time of collection, the same shall be updated to reflect said purpose. CRIF HM shall also implement relevant contractual safeguards, wherever it processes personal data as a sub-processor for credit institutions.
  • Rights of the data principal: CRIF HM will evaluate and service requests from data principals within any such period as is required by law, on the rights to access, correct or erase their personal data, seek grievance redressal, withdraw consent, or nominate any other individual in the event of death or incapacity, based on the legitimacy of the requests and the applicable laws governing credit information companies. CRIF HM will publish the applicability of such rights as part of the privacy notice on its website. To exercise any of the rights stated above, concerned data principals may write to dpo@crifhighmark.com.
  • Disclosure to Third Parties: CRIF HM shall disclose personal information to third parties / partner firms only for purposes identified in the privacy notice / contractual agreements. CRIF HM shall disclose personal information in a secure manner, with assurances of protection by those parties, in accordance with the contracts and applicable laws. To discharge its legal obligations, CRIF HM shall disclose personal information to relevant regulatory, government and law enforcement authorities, courts, and advisors such as law firms and audit firms when responding to requests from such authorities received in writing and clearly stating the purpose of seeking such information. Such information shall be furnished in consultation with the legal team.
  • Data Retention: Information will be retained for as long as necessary or any such period as required by law, to fulfil the purposes for which it was provided, including for the purposes of satisfying any legal, accounting, or reporting obligations, to resolve disputes, to enforce agreements and for such other purposes as are permitted under applicable law and aligned with CRIF HM’s Data Preservation and Destruction Policy.
  • Privacy Notice: Wherever CRIF HM directly collects personal data from data principals, it shall establish mechanisms to inform them about the type of personal data it collects and how it collects, uses, retains and discloses their personal information, by ensuring notices are readily accessible to the data principal as soon as is reasonably practicable through relevant communication channels, as required under relevant applicable laws.
  • Privacy by Design: Processes, procedures, and systems at CRIF HM shall be aligned to ensure that existing functions and any proposed data actions consider the impact of each of the following:
    • The principles of Privacy by Design, working with relevant stakeholders from Infosec, IT Infra, Legal, Human Resources and other teams across functions, under the guidance of the DPO Office, to ensure that the protection posture around personal data is adequate
    • Appropriate assessment of confidentiality, privacy and security needs and obligations in relation to a proposed data action
    • Appropriate steps to meet the above needs and obligations, and closure of identified open issues in a time-bound manner
    • CRIF HM shall implement a mechanism to perform a periodic review of any incidents, breaches or exposures related to personal data, to ensure that procedures are in place to notify the applicable regulatory authority and concerned data principals as per applicable laws
    • CRIF HM shall ensure necessary awareness measures are in place for all employees involved in handling personal data by conducting awareness sessions every six months, so that they understand their responsibilities in following data protection practices
  • Monitoring and Enforcement: CRIF HM shall monitor compliance with its privacy policies by conducting annual reviews.

7. Review and Record Maintenance

  • This policy shall be maintained and reviewed by the DPO on an annual basis and shall also be updated in line with any major changes to the organization’s operating environment or any relevant applicable laws and on recommendation provided by internal / external auditors.
  • The Data Protection Officer along with Data Protection Champions shall coordinate efforts and work on the recommendations for improvement of the privacy posture.
  • Any changes to the policies shall be approved by the Board of Directors based on the recommendations of the DPO.

8. Terms and Terminologies

  • Natural Person – Is a data principal who can be identified, directly or indirectly, by reference to an identifier such as a name, identification number, physical or postal address, telephone number, email address, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
  • Personal Data – means any information that relates to a natural person, which, either directly or indirectly, in combination with other information available or likely to be available with a body corporate, is capable of identifying such person.
  • Sensitive Personal Data – Is a subset of personal data that includes passwords; financial information such as bank account, credit card, debit card or other payment instrument details; physical, physiological and mental health condition; sexual orientation; medical records and history; and biometric information.
  • Privacy – Privacy deals with information about individuals and, to an extent, their activities and how they use things (such as applications). Privacy laws and end users’ expectations of privacy often come down to the ability of the end user to control the use and disclosure of personal data, and cover personal, behavioural and identifier data.
  • Processing – in relation to personal data means a set of operations performed on digital personal data, and may include operations such as collection, recording, organisation, structuring, storage, adaptation, alteration, retrieval, use, alignment or combination, indexing, sharing, disclosure by transmission, dissemination or otherwise making available, restriction, erasure or destruction.
  • Security – Deals with protection of information and information systems through administrative, technical, and physical safeguards, which help ensure the confidentiality, integrity and availability of data.
  • Financial Data - Any number or other personal data used to identify an account opened by, or card or payment instrument issued by a financial institution to a natural person or any personal data regarding the relationship between a financial institution and a natural person including financial status and credit history.
  • Data Principal – means the individual to whom the personal data relates and where such individual is a child includes the parents or lawful guardian of such a child.

9. Escalation Matrix

Level | Name | Email
1 | Data Privacy Office | dpo@crifhighmark.com
2 | Data Privacy & Protection Specialist (Mrunmayee Kotpalliwar) | mrunmayee.kotpalliwar@crifhighmark.com
3 | Data Protection Officer (Deepak Rana) | deepak.rana@crifhighmark.com

10. Conflict in Policy

In the event of any conflict between this Policy and the provisions contained in the regulations, the regulations shall prevail. Any subsequent amendment / modification of the Regulations in this regard shall automatically apply to this Policy.

Last Updated Date: 17 December 2025
This Policy is approved by the Board of Directors