Data Protection Rights Management Policy

1. Preamble

Pluxee India Private Limited is committed to handling Personal Data in compliance with the Digital Personal Data Protection Act (DPDPA, 2023), the Information Technology Act, 2000, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 and any other applicable law, and aims to deal promptly and efficiently with any queries relating to the Pluxee entities’ processing of Personal Data.
 

In some cases, Pluxee India may act as a Processor on behalf of a Client. In this instance, the Client is responsible for handling Data Principal Requests relating to compliance with the DPDPA, 2023 and the Data Principal’s Personal Data.
 

2. Definitions

You will find hereafter definitions of the various technical terms used in the following pages. Every time a technical term is written with a capital letter, its meaning is clarified in this section.
 

  • Client means organizations or corporations that instruct, as Data Fiduciary, Pluxee to perform services and process Personal Data on their behalf for their employees that are the end-users of these services.
  • Complaint means the complaint lodged by a Data Principal with a Supervisory Authority or a court of justice if the Data Principal considers his or her rights under DPDPA are infringed.
  • Data Fiduciary means the entity that determines the purposes and means of the Personal Data processing.
  • Data Principal means an identified or identifiable individual whose Personal Data is concerned by processing within Pluxee, including the Personal Data of Pluxee’s current, past and prospective applicants, employees, clients, consumers/beneficiaries, suppliers/vendors, contractors/subcontractors, shareholders or any third parties.
  • Group Data Protection Officer means the person appointed to oversee data protection issues at the Pluxee Group level, to define and administer the Pluxee data protection compliance program and good practices relating to data protection and to ensure their implementation.
  • Local Data Protection Point of Contact means the individual appointed by Pluxee India, in charge of handling local data protection issues. In some cases, the Local Single Data Protection Point of Contact can be appointed as Local Data Protection Officer where required by applicable data protection law.
  • Personal Data means any information or pieces of information that could identify you either directly (e.g., your name) or indirectly (e.g., through pseudonymized data such as a unique ID number). This means that personal data includes things like email/home addresses/mobile phone, usernames, profile pictures, personal preferences, user generated content, financial information, and welfare information. It could also include unique numerical identifiers like your computer’s IP address or your mobile device’s MAC address, as well as cookies.
  • Pluxee entity or Pluxee entities means Pluxee India Private Limited.
  • Processing or Personal Data Processing means, in relation to personal data, a wholly or partly automated operation or set of operations performed on digital personal data, and includes operations such as collection, recording, organisation, structuring, storage, adaptation, retrieval, use, alignment or combination, indexing, sharing, disclosure by transmission, dissemination or otherwise making available, restriction, erasure or destruction.
  • Request means one of the mechanisms provided by the applicable regulations to individuals to allow them to exercise their rights (such as the right of access, to rectification, to erasure etc.). An individual may make a Request against any entity which processes its Personal Data.
     

3. Scope

This policy applies to Pluxee India for all dimensions and activities, in all geographies where we operate. This policy applies to the Processing of Personal Data collected by Pluxee, directly or indirectly, from all individuals including, but not limited to, Pluxee’s current, past or prospective job applicants, employees, clients, consumers, children, suppliers/vendors, contractors/subcontractors, shareholders or any third parties, with “Personal Data” as defined above. In this policy, “you” and “your” means any covered individual. “We,” “us,” “our” and “Pluxee” means Pluxee India Private Limited.
 

4. Your rights under DPDPA

Under the DPDPA you are offered various rights that you can exercise under the conditions set out in the regulation. You will find below a table summarizing the different rights you usually have when Pluxee is acting as a Data Fiduciary:

Rights Description of your rights
Right To Access Information

You have the right to request and obtain from us:

  • A summary of the personal data we process about you and the activities related
    to such processing.
  • The identities of all other entities (Data Fiduciaries and Data Processors) with
    whom your personal data has been shared, along with details of the data
    shared
  • Any other information related to your personal data and its processing, as may
    be prescribed by applicable law.
     

Please note, sharing personal data with other Data Fiduciaries authorized by law for purposes such as prevention, detection, investigation, prosecution, or punishment of offences or cyber incidents is exempt from this disclosure.

Right To Correction and Updation

You have the right to request correction, completion, updating, or erasure of your personal data for which you have previously given consent, in accordance with applicable laws.

Upon receiving such a request, we will:

  • Correct any inaccurate or misleading personal data.
  • Complete any incomplete personal data.
  • Update your personal data as requested.

Right To Erasure

Your right to be forgotten entitles you to request the erasure of your Personal Data in cases where:

  • the data is no longer necessary for the purpose for which it was collected.
  • you choose to withdraw your consent.
  • you object to the processing of your Personal Data.
  • your Personal Data has been unlawfully processed.
  • there is a legal obligation to erase your Personal Data.

The Company needs to retain the data for at least 10 years under the Payment and Settlement Systems Act, 2007 and its Rules and Regulations, including Master Directions issued by the Reserve Bank of India (the Act). Hence the Right to Erasure can be exercised only after completion of the mandatory period for which the entity needs to retain the data to ensure compliance with the Act.

Right To Nominate

You have the right to nominate an individual who, in the event of your death or incapacity (due to mental unsoundness or physical infirmity), may exercise your rights under the applicable data protection laws on your behalf.

Right To Grievance Redressal

You have the right to access grievance redressal mechanisms provided by us regarding any concerns or complaints related to the processing of your personal data or the exercise of your rights under applicable data protection laws.

We will respond to grievances within the prescribed timeframes, and you are encouraged to utilize the mechanisms mentioned below before seeking further legal recourse.


Please refer to our Pluxee India Protection Statement for more details on the legal basis applying to the data processing activities carried out by Pluxee India Private Limited. You may also consult the local and/or service-related privacy policies or notices brought to your attention prior to the collection of your data to have more specific information on specific and/or local data processing activities.

Where Pluxee processes Personal Data on behalf of a Client, the latter will usually provide you with the required information on your rights, how you might exercise your rights and the way your Requests will be processed by the Client.
 

5. How to submit a Request?

To help us to deal with your Request, please provide a full written explanation of your query by completing the Request Form in Annex or by completing the Request webform.

You can also raise queries or complaints with the Pluxee India Data Protection Officer, by email to privacy.in@pluxeegroup.com.

Please note that these request forms exist to facilitate the filing of your Request and its processing by our teams, but their use is not mandatory. You can also raise your queries or complaints orally or in writing with no defined form.

If Pluxee receives a Request from a Data Principal while acting as a Processor on behalf of a Client, the Request will be notified to the Client in accordance with the agreed timeframe. The Client will be in charge of handling such Request. However, Pluxee will cooperate and provide the Client with assistance in relation to the Request, to the extent legally permitted.

Pluxee will directly handle Requests only when it is agreed with the Client or if the Client has disappeared, ceased to exist in law or become insolvent.
 

6. How will your Request be handled?

Our approach is to engage positively and resolve your Request in a satisfactory manner. This is why we have put in place internal processes that enable our teams to handle your requests in the best possible way.

Once you have drafted and notified your Request to us, Pluxee will deal promptly with your Request in the most efficient manner, as follows:

STEP 1: Your Request will be treated confidentially and fully investigated where necessary. During this process, you may receive communication from the relevant Pluxee India Data Protection Office to investigate your concern. If we need additional information to address your Request, we will let you know what further elements are needed. At this stage, if you did not provide us with all the mandatory information elements in the initial Request and/or in response to our communication, we might not be able, or not sufficiently able, to deal with your Request.

STEP 2: Once the information related to your Request is complete, we will contact you within thirty (30) days to provide you with an answer. This deadline may be extended in certain circumstances, depending on the nature of the Request. At this stage, the ball is in our court, and no action is required from your side.

STEP 3: If you have any queries about the Processing of your Personal Data or consider that your Request has not been processed in a satisfactory manner by us, you should not hesitate to raise your query to the Pluxee DPO at privacy.in@pluxeegroup.com. We will get back to you as soon as possible. Please note that you can also choose to lodge a Complaint with the Data Protection Supervisory Authority in the country of your habitual residence, place of work or place of the alleged infringement, regardless of whether you have suffered damages.

You also have the right to lodge your Complaint before the courts where the Pluxee entity has an establishment or where you have your habitual residence.

 

REQUEST FORM

[To be sent by email to the generic email address as indicated in the information notices and/or the privacy policies provided to you at the time of the collection of your Personal Data and/or to the Local Data Protection Office at privacy.in@pluxeegroup.com or Global Data Protection Office at the following email address: dpo@pluxeegroup.com]
 

Contact Information:
(Name (Last, First)) ........................................

(Telephone number) ........................................

(Email address) ........................................

(Postal address) ........................................

Please indicate your preferred method of contact by ticking the box to the right.
If your preferred method of contact is the postal address, please indicate where you would like our response to be sent:
Home Address or Business Address
If business address, please provide company name: ........................................

To help us identify systems that may contain information about you, please check the boxes below that describe your
relationship with Pluxee:

  • Job applicant
  • Former employee or contractor
  • Current employee of Pluxee
  • Employee family member, dependent, beneficiary or emergency contact
  • Employee of Pluxee Client or business partner
  • Employee of a Pluxee supplier or vendor
  • Individual – Consumer
  • Other – please describe.

........................................

If your information may be under another name, please provide that name and reason for the change:
........................................

We may request from you a certified copy of valid official identification documentation to allow us to verify your name and address (e.g. valid passport or identity card).
If you request to access your Personal Data or request data portability, please specify the Personal Data or the categories of Personal Data which are subject to the request and confirm that they may be sent by email to the address above or, if technically feasible, to the address of a new Controller as set out below, for the data portability request:
........................................

If you request rectification of your Personal Data, please specify below the data to be rectified, and provide the justification for such request:
........................................

If you request that the Processing of your Personal Data is restricted, please specify the processing in issue, and provide the justification for such request:
........................................

If you request the erasure of your Personal Data, please specify below the Personal Data to be deleted and provide the justification for such request:
........................................

If you object to the processing of your Personal Data, please specify below the Personal Data you object to us processing and provide the justification for such objection:
........................................

If you believe that your data protection rights may have been breached, you have the right to lodge a Complaint with the applicable supervisory authority, or to seek a remedy through the courts. You can also contact us if you have any queries or concerns. In such a case you can detail your query or concern here:
........................................

The information collected in this form is intended to enable the relevant Local Data Protection Point of Contact and/or the Global Data Protection Office to respond to your Request. This information will be archived after the Request has been treated, for the timelines defined in the privacy policy, and then deleted. For any question related to this Request Form, please send your request to the following email address: privacy.in@pluxeegroup.com.