These Data Processing Clauses reflect the obligations of each Vendor of the Infosys Group when and to the extent a Vendor Processes Personal Data as a Data Processor of an Infosys Controller Entity as part of services provided under any Vendor Service Agreement.

Scope

These Data Processing Clauses apply to all Vendors Processing Personal Data on behalf of an Infosys Controller Entity as a Data Processor.

These Clauses do not apply where a Vendor processes Personal Data acting as an independent controller entity that alone or jointly with others, determines the purposes and means of the Processing of Personal Data. In such scenarios, both the Infosys Controller Entity and the Vendor shall comply with their respective obligations under applicable Data Protection Laws and Regulations. Nothing shall be deemed to prevent the Parties from taking steps it reasonably deems necessary to comply with the Data Protection Laws and Regulations.

These Data Processing Clauses shall be an integral part of any Vendor Service Agreement obliging all parties to the relevant Vendor Service Agreement to abide by these Data Processing Clauses.

In the absence of a Vendor Service Agreement (e. g. where a Vendor solely agrees to Infosys Group’s supplier code of conduct, these Data Processing Clauses shall apply as well.

Definitions

Data Subject (also referred to as “individual” or “individuals”) means any individual from whom Infosys collects, uses and/or processes Personal Data for their business purpose. Explanation: list includes employees, clients, client customers, agents, contractors. It includes, under California laws, the term is more fully referred to as “consumer.”

Data Protection Laws and Regulations shall mean all laws and regulations, including but not limited to laws and regulations of the European Union, the European Economic Area and their member states, Switzerland, the United Kingdom and the United States and its states, India, Brazil, South Africa applicable to the Processing of Personal Data under the Data Processing Clauses as amended from time to time.

Data Processor means a Vendor Processing Personal Data on behalf of any Infosys Controller Entity.

EU Model Contractual Clauses means Standard Contractual Clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and the Council approved by European Commission Implementing Decision (EU) 2021/914 of 4 June 2021, as currently set out at https://eurlex.europa.eu/eli/dec_impl/2021/914/oj.

EEA means the European Economic Area;

Infosys Controller Entity or Infosys means either Infosys Limited or its subsidiaries or branch operations depending on (i) which Infosys entity is a party to the commercial agreement with the Vendor and which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data and is considered a data controller under applicable Data Protection Laws. Infosys Group means collectively all affiliated Infosys group companies.

Personal Data also includes “Personal Information” and “Covered Business Information” under California laws (includes California Consumer Protection Act, Consumer Privacy Rights Act, and other regulations, including amendment, repeal), which means and includes any information Processed by Supplier on behalf of Infosys and/or its affiliates, that alone, or in combination with other information, relates to an identified or identifiable individual, or otherwise identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual. This includes Sensitive Personal Data.

Personal Data Breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed.

Processing means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, structuring, restriction, or otherwise making available, alignment or combination, blocking or erasure, or destruction.

Sensitive Personal Data is a subset of Personal Data which due to its nature is classified by applicable Data Protection Laws or by Infosys policy as deserving additional privacy and security protections and includes, but is not limited to information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the Processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.

Technical and Organizational Security Measures means those measures aimed at protecting personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure, or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.

Vendor means any person or company that sells goods or services to the Infosys Group including suppliers and their subcontractors.

Vendor Service Agreement means any commercial agreement including purchase orders and relevant purchase order renewal forms between a Vendor and the Infosys Controller Entity under which the Vendor provides services to the Infosys Controller Entity.

Notwithstanding anything to the contrary mentioned in these Data Processing Clauses, Vendor shall comply with all applicable requirements applicable under Data Protection Laws and Regulations. The terms and conditions agreed further in this document are in addition to, and do not relieve, remove, or replace, a party's obligations under applicable Data Protection Laws and Regulations.

Permitted Processing

  • Vendor shall process Personal Data only on the written instructions of the Infosys Controller Entity and in accordance with applicable Data Protection Laws and Regulations, including with regard to transfers of Personal Data to a third country or an international organization, unless otherwise either required or permitted by applicable Data Protection Laws and Regulations. Where the Vendor is relying on such compliance with local laws of the land, before performing such processing it shall notify the Infosys Controller Entity unless those local law of the land prohibit the Vendor from so notifying the Infosys Controller Entity.
  • Vendor shall immediately inform the Infosys Controller Entity if in its opinion an instruction given by Infosys violates any applicable Data Protection Laws and Regulations.
  • Vendor shall only process Personal Data in accordance with the instructions of a Infosys Controller Entity and only for the specific purpose(s) of the Processing, as set out by the relevant Infosys Controller Entity, unless it receives further instructions from the Infosys Controller Entity.
  • Vendor shall only process to disclose the personal data to a third party on documented instructions from an Infosys Controller Entity. In addition, the Personal Data may only be disclosed to a third party located outside to an entity located in another country, only if the entity in the destination agrees to be bound by these clauses in the Data Processing Clauses including any adequacy decisions, and/or ensuring appropriate safeguards, in particular to the processing for the purpose agreed under one of the below.
    • For the purposes where personal data is shared with Vendor acting as an independent data controller, and located outside EU, the following EU Model Contractual Clauses shall additionally apply.
    • For the purposes where personal data belong to EU, UK and Switzerland is shared with Vendor acting as a Data Processor, located outside in a third country, the following EU Model Contractual Clauses shall additionally apply.
    • For the purposes where personal data belong only to EU residents, and shared with Vendor acting as a Data Processor, located outside in a third country, the following EU Model Contractual Clauses shall additionally apply.
  • Vendor understands and agrees that it will not sell, retain, use, rent, lease, disseminate, disclose, make available, transfer Personal Data, unless limited to the purposes set forth under written instructions.
  • Vendor shall not sell any Personal Data to another business or third party without prior written consent of the Infosys Controller Entity. Vendor’s receipt of Personal Data shall not constitute a sale under any Data Protection Laws or Regulations.
  • Vendor shall ensure that any of its affiliates that also is a Data Processor for an Infosys Controller Entity commits to and adheres to these Data Processing Clauses if and to the extent required under applicable Data Protection Laws and Regulations.

Sub-processing

  • Sub-processing shall be authorized in advance by the Infosys Controller Entity through either a general or a specific written authorization, including any sub-contractors working on behalf of the Vendor.
  • Vendor shall remain fully liable to the Infosys Controller Entity for any failure by their employees, consultants, staffs, including their suppliers and 3rd parties in relation to processing of any Personal Data, in accordance with this clause.
  • Vendor must ensure that the contract between Vendor and its suppliers ensure the same obligations as set out in these Data Processing Clauses, mandating legal mechanism to ensure an adequate level of protection of the Personal Data transferred, including, where applicable, execution of EU Model Contractual Clauses prior to any such processing.
  • In case the Infosys Controller Entity grants a general authorization to sub-processing Personal Data, the Vendor shall inform the Infosys Controller Entity of any intended change concerning the addition or replacement of sub-Vendors, giving the Infosys Controller Entity the opportunity to object to such change.

Confidentiality

Where Personal Data is processed by the Vendor, its agents, sub-contractors or employees, the Vendor shall, and shall procure its agents, sub-contractors, and employees to:

  • take reasonable steps to ensure the reliability of any employee, agent or contractor who may have access to the Personal Data, ensuring in each case that access is strictly limited to those individuals who need to access the relevant Personal Data, as strictly necessary to perform the services in the context of that individual's duties to the Vendor, ensuring that all such individuals
  • are informed of the confidential nature of the Personal Data
  • have undertaken appropriate training in relation to the protection of Personal Data
  • are subject to confidentiality undertakings or professional or statutory obligations of confidentiality
  • are aware of the Vendor's obligations in relation to data protection under these Data Processing Clauses.

Security

  • Vendor, including its employees, agents, sub-contractors shall implement appropriate Technical and Organizational Security Measures, to ensure a level of security commensurate with the risks associated with the processing, such measures to be appropriate in particular to protect against accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of or access to the Personal Data as required under applicable Data Protection Laws and Regulations.
  • Vendor shall conduct necessary due diligence and provide Infosys with annual reports of their compliance to implementation of adequate safeguards, including completing any assessments, including supporting of audits that Infosys will conduct as applicable.

Data Subjects Rights

  • Unless expressly authorized by the Vendor, Vendor shall promptly notify Infosys without any unreasonable delay to the Infosys Controller Entity upon any request received directly from a Data Subject and assist Infosys Controller Entity with requests to exercise Data Subject Rights, including but not limited to the right to access and the right to erasure.
  • Vendor shall provide all necessary support the Infosys Controller Entity requires in case a Infosys Controller Entity is obliged by virtue of the Data Protection Laws and Regulations to comply, including the scope and extent of such measures, and appropriate safeguards in place related to processing Vendor as part of the Services.

Personal Data Breach

  • Vendors shall notify the Infosys Controller Entity without undue delay and in any case not later than 48 hours upon becoming aware of a Personal Data Breach affecting Personal Data belonging to Infosys Controller Entity and provide the Infosys Controller Entity with sufficient information to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Data Protection Laws.
  • Vendor shall co-operate with the Infosys Controller Entity or its affiliates, subsidiaries and take such reasonable steps as are directed by the Infosys Controller Entity to assist in the investigation, mitigation, and remediation of each such Personal Data Breach
  • Any Personal Data Breaches shall be reported to vendorincident@infosys.com, describing the Personal Data Breach in terms of who and how many Data Subjects are affected, where, and when and how it occurred, and which measures have already been taken to stop the breach and mitigate its effects.

Assistance under Data Protection Laws and Regulations

  • Considering the nature of processing and information available to Vendor, Vendor shall assist the Infosys Controller Entity when a data protection impact assessment shall be carried out, wherever applicable.
  • Where applicable, Vendor is required to cooperate, upon Infosys Controller Entity’s request with appropriate data protection authorities (Art. 36, GDPR or other applicable Data Protection Laws and Regulations) in the performance of Infosys Controller Entity’s tasks at its own costs.

Availability of Information

  • Upon written request of the Infosys Controller Entity, the Vendor will undertake its commercially reasonable efforts to make available to Infosys Controller Entity all information necessary to demonstrate compliance with its obligations regarding data protection as explicitly set out in this Agreement or by applicable Data Protection Laws and Regulations and allow for and contribute to audits, including inspections, conducted by the Infosys Controller Entity or another auditor mandated by the Infosys Controller Entity.
  • Vendor agrees to submit itself to the jurisdiction of and cooperate with the competent supervisory authority, where the Personal Data originated from Infosys Controller Entity, in any procedures or enquiries, and agrees to support compliance adopted, including remedial and compensatory measures.
  • Vendor shall inform data subjects in a transparent and easily accessible format, through individual notice or on its website, of a contact point authorised to handle complaints. It shall deal promptly with any complaints it receives from a data subject and related to any processing carried on behalf of Infosys Controller Entity, will notify within reasonable time.
  • Vendor agrees to notify Infosys Controller Entity without unreasonable delay when it receives a legally binding request from government, or public authority including judicial authorities, under the laws of land in the destination country for the disclosure of personal data transferred, including the reasonable basis of such legal request and response, unless Vendor is prohibited from notifying under the local laws, in which case Vendor agrees to use its best efforts to obtain a waiver of prohibition, including minimization of information to be disclosed to the extent possible and document the same for availability to Infosys Controller Entity when requested.

Deletion of Existing Personal Data

  • Where Personal Data is processed by the Vendor, its agents, sub-contractors or employees, the Vendor shall, and shall procure its agents, subcontractors, and employees to either immediately delete the processed Personal Data once the purpose of processing is complete or upon termination of the main agreement, whichever is earlier, unless permitted by law.
  • Personal data that has been transferred prior to any termination of the Data Processing Clauses shall at the choice of Infosys Controller Entity immediately be returned to Infosys Controller Entity or deleted in its entirety. The same shall apply to any copies of the data. Vendor shall certify the deletion of the data to Infosys Controller Entity. Until the data is deleted or returned, Vendor shall continue to ensure compliance with these Clauses. In case of local laws applicable to Vendor that prohibit the return or deletion of the transferred personal data, Vendor warrants that it will continue to ensure compliance with these Clauses and will only process the data to the extent and for as long as required under that local law. Such deletion shall include measures ensuring that any IT systems used in the context of performance of the main agreement or these Data Processing Clauses, to include any backup systems, and also allow for the erasure or deletion of specific Personal Data and put in place measures to fully implement any erasure or deletion request within the timeframe required by Infosys Controller Entity.

How to contact Infosys Data Privacy Office?

If you need to reach out to Infosys, you may write to the mailing address:

Srinivas Poosarla, SVP, Chief Privacy Officer, Infosys Group
#44, Hosur Road,
Electronic City Phase I,
Bangalore 560 100,
Karnataka, INDIA
Mail ID: privacy@infosys.com

Descriptions of Data Subjects and Categories of Personal Data

Data subjects

Data subjects include, but not limited to Infosys entity who may elect to include personal data from any of the following types of data subjects in the personal data:

  • Candidates
  • Employees, (former and current and future)
  • Dependent of employees
  • contractors and freelancers (current, former, prospective) of Infosys
  • Users, including online guest users, visitors, clients, including current and prospective
  • Client employees, customers, their agents, suppliers
  • Partners, stakeholders, or individuals who actively collaborate, communicate with Infosys

Categories of data

The personal data that is included in e-mail, documents, and other data in an electronic form in the context of the services agreed under written instructions with Vendor. By Infosys. Vendor acknowledges that, depending on Infosys’s use of the Services, Infosys may elect to include personal data from any of the following categories in the personal data:

  • Basic personal data of data subject, including basic personal data about family members and children
  • Contact information (for example addresses, email, phone numbers, social media identifiers, emergency contact details)
  • Recruitment Data, including profiles shared with education and previous work experiences and compensation offered
  • Certification and skill development training
  • Background checks to include employment history, education history, personal data details
  • HR data including status of employment, date of joining, Unit details, salary details, including worked hours, Leave, assessments and salary, work permit details, terms of employments, payment details, insurance, tax contributions, locations, including any corporate travel.
  • Photos, videos, and audio
  • Authentication data, Active Directory details
  • National Identification, Passport, and visa related information (e.g., date of application, dates of validity, emigration check requirement, address, place of issue, Social Security Number or equivalent etc.)
  • ID card number, IP addresses, employee number, unique identifier in tracking cookies or similar technology)
  • Financial and insurance information, including Bank Account numbers, Social Security Benefit accounts
  • Surveys
  • Grievance handling and disciplinary processes
  • Internet activity (for example browsing history, search history, reading, television viewing, radio listening activities)
  • Citizenship and residency information (for example citizenship, naturalization status, marital status, nationality, immigration status, passport data, details of residency or work permit)
  • Stock Options
  • Information processed for the performance of a task carried out in the public interest or in the exercise of an official authority
  • Special categories of data (for example racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, data concerning a natural person’s sex life or sexual orientation, or data relating to criminal convictions or offences); or
  • Any other personal data identified as per applicable Data Protection Laws and Regulations.

Nature & Purpose of Processing

Personal Data that is included in e-mail, documents, and other data in an electronic form in the context of the services, which shall include but not limited to following:

  • Recruitment and Onboarding to Infosys
  • Client onboarding
  • Internal compliances, secretarial, and audits
  • Background checks and screening
  • Processing Payroll
  • Immigration, Visa and Travel support
  • Mergers & Acquisition
  • Managing rewards and benefits, including stock options management
  • IT Infrastructure and support
  • Performance Evaluations
  • Social Security and Welfare benefits
  • Legal consultation matters (including consultation for tax, and actuarial support), including litigation support
  • Insurance
  • Trainings and skill development
  • Storage of data on On-Prem servers and cloud servers
  • Surveys
  • To provide services to the Clients as part of the written instructions agreed between the Client, Infosys and the Vendor offering services, including reselling arrangements
  • Obligations under applicable local laws and regulations

Technical and Organizational Security Measures

Where applicable, depending on the nature, subject and scope of Personal Data are processed or used automatically, Vendor is obligated to arrange its policies and practices to be arranged in such a way that it meets the specific requirements of compliance with Data Protection Laws and Regulations. In particular, measures suited to the type of Personal Data or data categories to be protected shall be taken, to include but not limited to below controls:

  • to prevent unauthorized persons from gaining access to data processing systems with which Personal Data are processed or used (admission control),
  • to prevent data processing systems from being used without authorization (entry control),
  • to ensure that persons entitled to use a data processing system have access only to the data to which they have a right of access, and that Personal Data cannot be read, copied, modified or removed without authorization in the course of processing or use and after storage (access control),
  • to prevent the unauthorized use of automated processing systems by means for data transmission (user control),
  • to prevent unauthorized reading, copying, modification or removal of data media (data media control),
  • to ensure that Personal Data cannot be read, copied, modified or removed without authorization during electronic transmission or transport, and that it is possible to check and establish to which bodies the transfer of Personal Data by means of data transmission facilities is envisaged (transmission control),
  • to ensure that it is possible to check and establish whether and by whom Personal Data have been input into data processing systems, modified or removed (input control),
  • to prevent unauthorized persons to enter Personal Data as well as unauthorized inspection, modification or deletion of stored Personal Data (storage control),
  • to ensure that, in the case of commissioned processing of Personal Data, the data are processed strictly in accordance with the instructions of the principal (order control),
  • to ensure that personal data are protected against accidental destruction or loss and therefore are always available for the Controller (availability control),
  • to ensure that data collected for different purposes can be processed separately (separation control),
  • to ensure that the Controller is able to review the documentation of all essential processing steps of the data processing systems, and trace whether Personal Data provided by the Controller have only been processed in compliance with the instructions of the Controller (documentation control),
  • to ensure that data processing systems used can be recovered in case of trouble (recovery control),
  • to ensure that all functions of the data processing system are available and occurring malfunctions are notified (reliability),
  • to ensure that stored Personal Data cannot get damaged by malfunctions of the system (data integrity),
  • to ensure appropriate Pseudonymization and Encryption,
  • to ensure a process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.