This privacy statement applies to you, if your personal data is processed by us:

• as a supplier, in the course of receiving products, services, or offers from you.
• as a supplier or other individual when you visit one of our websites, online applications or our offices.

Within the different groups, as identified above, we may apply different forms of processing. If such differentiation is applicable and deemed relevant by us, we will mark that out in this privacy statement.

This privacy statement only applies to our suppliers and our online visitors and office visitors. If you are a job applicant or employee, you will be provided with another privacy statement covering how we manage your personal information for that relationship.

As a supplier, you must not provide us with more personal information of yourself, your employees, representatives, clients, or Ultimate Beneficial Owners (UBOs) than we might need for a given purpose.

You must also inform your employees, representatives, clients, or UBOs about your intention to transfer their personal information to us. You may refer them to this privacy statement so that they can learn how and why we process their personal data.

Our contact information is:

DLL Global Business Services Private Limited
B2-708, 7th Floor, ‘B’ Wing,
Boomerang Co-Operative Premises Society Limited,
Saki Naka, Chandivali Farm Road, Near Chandivali Studio, Andheri (East), Mumbai – 400072,
India
+ 91 (0) 22 4619 8936

We are an indirectly wholly owned subsidiary of De Lage Landen International B.V., which is a wholly owned subsidiary of Coöperatieve Rabobank U.A. (“Rabobank” and together with its subsidiaries, the “Rabobank Group”).

A Data Protection Officer (“DPO”) has been appointed for De Lage Landen International B.V. and its subsidiaries (“DLL Group”). The DLL Group DPO can be contacted by email via privacyoffice@dllgroup.com.

“Personal data” is any information directly or indirectly relating to an individual, or any information that can be used to identify an individual.

Personal data is “processed” when any activity is undertaken on your personal data, such as collection, storage, access, use, transfer, disclosure, and deletion.

For supplier relationships, the personal data DLL processes mainly consists of information relating to the supplier’s directors, representatives, and, if applicable, UBOs. This is because DLL predominantly enters into supplier relationships with legal persons (e.g., limited liability companies and corporations), rather than with individuals. But we also process personal data of organizations which are considered to be natural persons (e.g., sole proprietorships and specific partnerships with natural persons participating).

As part of these relationships, we may process the following personal data:

Contact and identification data
Your name, address, telephone number, (business) e-mail address, copy of ID, date of birth, business VAT number (if applicable), and copy of proof of residency.

Contract/agreement data
Contract number, contract duration and bank account details.

Data used to ensure your and our security, to prevent and investigate fraud, and to prevent money laundering and financing of terrorism
Personal data that are processed in the external and internal referral registers of Rabobank and any personal data processed in relation to credit reference agencies and in national and international sanctions lists.

Recorded calls, recordings of video chat and online chat sessions, video surveillance, and documentation of e-mails
Information concerning our conversations via telephone or in online chat sessions, inbound and outbound e-mail communications, and camera images that we record in our offices.

Data related to the use of our websites and online applications
Cookies or similar tracking technologies may collect your IP address, data about the applications and devices you use to visit our website and online applications.

We may collect special categories of personal data which are considered more sensitive, such as information relating to your racial or ethnic origin, criminal history, and health/biometric data. We will only process these special categories of personal data if necessary for the applicable purposes, as further described below.

Race or ethnic background
For tax purposes and for certain anti-terrorism reasons, we are required to record information about your country of birth. We may also have/take/store your photograph or film you on our CCTV (closed-circuit television) if you visit our offices. However, we do not register your race or ethnic background, and we do not use race or ethnic background to make decisions.

Personal data concerning criminal convictions
We may process data related to your criminal record or criminal convictions in the context of anti-money laundering, fraud prevention, and regulatory reporting which may be obtained from open sources (e.g. media searches) or national sanction, fraud and crime prevention databases.

Biometric data
If you have registered your fingerprint for log-in purposes in any electronic application operated by us, we may process your biometric data for this purpose.

Data protection and privacy laws require us to have a lawful ground for processing your personal data. Depending on the purposes for which we process your personal data, the lawful ground may differ.

Consent
You give us your permission to use your data. You are always free to withdraw your consent.

Legal obligation
Legally, we are obliged to process your personal data.

Contractual necessity
We need your personal data to enter into a contract with you and comply with our contractual commitments to you.

Legitimate interest
We have a legitimate interest in processing your personal data, which is not outweighed by your interests, fundamental rights, and freedoms. For example, DLL has a legitimate interest in processing your personal data when requesting you to complete a survey on how we can improve our services.

When we establish a new relationship with you as a supplier
If we establish a new supplier relationship, then we will process the personal data of the relevant employees and the representatives of that supplier in the administration of the new relationship and as part of our due diligence checks.
Lawful ground: Contractual necessity / Legitimate interest

We also undertake credit checks on suppliers to manage the financial risk of our business.
Lawful ground: Contractual necessity / Legitimate interest

Account management and contract management for suppliers
We process your personal data to establish and maintain our business relationship with you.
Lawful ground: Contractual necessity

When we ask you for feedback
We may ask you to rate our services whenever we interact with you by email, or we may send you separate feedback requests (e.g., a feedback questionnaire) so that we can understand where we can make improvements.
Lawful ground: Legitimate interest / Consent

If we send you mail
If we need to send you hard copy documents via a postal service, we will share your name and contact details with the postal service provider.
Lawful ground: Legitimate interest / Contractual necessity

When we build business relationships with new suppliers
We may obtain your contact and company details via our relationship with an intermediary with whom you have or had a business relationship, via Rabobank Group or via internet searches of publicly available information.
Lawful ground: Legitimate interest

If a company merger, acquisition, or divestment takes place
If we acquire, merge, or divest one of our business entities, we will process your personal data to transfer your contract to the relevant entity.  
Lawful ground: Contractual necessity

We process the personal data of visitors of our websites, online applications (e.g. portals, mobile apps) and offices for a variety of purposes.

When you visit our websites
We operate cookies or similar tracking technologies on our websites to ensure they function correctly. You can read more about how we use cookies or similar tracking technologies in our Cookie Statement.
Lawful ground: Consent / Legitimate interest

To manage our facilities
If you visit a DLL office, we operate CCTV and ensure access to offices is managed securely. Your image is captured by our CCTV systems and your contact details are recorded to provide you access to our offices via a secure pass.
Lawful ground: Legitimate interests / Legal obligation

In addition, we may process the personal data of anyone who interacts with us for legal, compliance and business improvement purposes

To develop and improve our systems and processes
We may process personal data to develop and improve our systems and processes. When we test new systems, we will aggregate, anonymize, or scramble data so that it is no longer identifiable.
Lawful ground: Legitimate interest

To manage and evidence our compliance with data protection and privacy laws
If you exercise any of your rights under data protection and privacy law, we will process your data to manage your request. If we experience a data breach, we will process the data of impacted individuals as required to mitigate risk and inform you of a breach where it is required.
Lawful ground: Legal obligation

If you make a complaint
We will process your contact details and any supporting information to administer, investigate, and respond to your complaint.
Lawful ground: Legal obligation / Consent

When we make or receive a legal claim
We will process personal data if we make or receive a legal claim in respect of the contract we have with you. We may share your personal data with legal specialists for the purpose of defending our legal rights.
Lawful ground: Legal obligation

For legal and regulatory compliance purposes
In some cases, we may be instructed by relevant government or supervisory authorities to process or share your personal data to comply with a regulatory requirement, court order or assist with an investigation.
Lawful ground: Legal obligation

DLL is subject to the Rabobank Privacy Codes. The Rabobank Privacy Codes apply as “Binding Corporate Rules” (“BCRs”). This means we must meet minimum standards in the collection and processing of personal data.

DLL is committed to taking the necessary organizational and technical measures to protect your personal data when we process it and share it with third parties. These include:

• All our employees are subject to confidentiality obligations to ensure the adequate protection of your personal data.
• We use appropriate security measures to ensure the confidentiality, integrity, and availability of your data, as well as certifying systems and services which are resilient and are able to restore data in the event of a data loss.
• Where possible, we aim to secure your personal data by lessening or removing personally identifying elements.
• We regularly evaluate the effectiveness of our technical and organizational measures to ensure continuous improvement in the security of processing personal data.
• We usually only process your personal data for the purposes for which these were originally collected. Personal data may also be processed for a legitimate business purpose different from the original purpose (secondary purpose), but only if the secondary purpose closely relates to the original purpose.
• When we share your data with third parties outside of the Rabobank Group, we perform due diligence and thorough assessments of those parties and verify the secure processing of your personal data by way of contractual terms and conditions.

The Rabobank Privacy Codes are available on our website

Sometimes we may have a clear and legitimate reason to share your data with other parties.

Sharing data within the DLL Group
As a global organization personal data may be transferred to other entities in the DLL Group who provide operational support enabling the delivery of better customer services. We also provide products and services to global partners and customers and collaborate across the various DLL entities to deliver global solutions.

Sharing data within the Rabobank Group
DLL is a wholly owned subsidiary of Coöperatieve Rabobank U.A., a Dutch Bank with registered office in Amsterdam, the Netherlands (“Rabobank”). The “Rabobank Group” consists of Rabobank plus all its subsidiaries. There may be times when we share personal data with Rabobank or other Rabobank Group entities. For instance, you may be a customer of Rabobank and DLL, respectively, and we might share your data internally to avoid a duplication of your efforts. Alternatively, we may share your data with Rabobank (or vice versa) if we think they might have a financial product that might be of interest to you.

Sharing data outside the Group
Like any other company, we rely on the services of third parties.

When we engage specialist suppliers, consultants, or contractors to assist us in running our business, we may share your personal data with them where it is necessary for the service they provide to us. For instance, we may use a third party to perform a background screening or credit checks on our behalf or use services hosted in a third party cloud environment.

Any third party that we employ is checked to ensure they are reliable, and we only engage them where they enter into a proper contract with us and implement appropriate security and other measures to guarantee that your personal data remains confidential.

When legally obligated to do so, we will share your personal data with government authorities, regulators or supervisory authorities, and law enforcement agencies.

Transfers within the Rabobank Group
When we share your data with other entities of the Rabobank Group that are in countries other than the country in which your personal data was originally collected, we rely on the Rabobank’s Privacy Codes. The Rabobank Privacy Codes apply as “Binding Corporate Rules” (“BCRs”) which are a set of rules that all Rabobank Group entities must comply with to ensure an adequate level of protection for your personal data. Because of these codes, the same rules apply to all entities of the Rabobank Group, permitting us to share data within the Rabobank Group. The Rabobank Privacy Codes are available on our website.

We do not store your personal data for longer than we need to achieve the purposes for which we have collected it or for the secondary purposes for which we reuse it.

We have a retention policy which specifies how long we store data. In most cases, this is Ten years after the end of the contract or your relationship with DLL. Sometimes this period is longer, for example, if a supervisory authority asks us to do so, if you have filed a complaint that makes it necessary to keep the underlying personal data for a longer period, or in specific cases for archiving or legal proceedings. Sometimes we use shorter retention periods, for example for telephone call and camera recordings.

We have implemented appropriate technical and organizational measures to ensure that only people that have a right to access your information can access it.

We will delete personal data at an earlier time if you request us to delete your personal data, unless another law prevails.

Global data protection and privacy laws differ when it comes to individual rights regarding personal data. DLL, however, offers all individuals the following rights concerning the processing of their personal data:

Access and Rectification
You can ask us to access the personal data we hold about you. Where you believe that your personal data is incorrect or incomplete, you can ask us to correct or add more detail to your personal data.

Erasure
You can ask us to erase your personal data processed by us. If we do not have any legal obligations or legitimate business reasons to retain your personal data, we will fulfill your request.

Restriction
You can ask us to limit the personal data we hold about you. We may refuse this type of request if we have a lawful reason to continue holding your personal data (e.g., the exercise of a contract, a legal archiving duty, or the establishment, exercise, or defense of legal claims).

Portability
You have the right to ask us to provide to you a copy of your personal data in a structured and machine-readable format or to transfer your personal data on your behalf to a third party. Transfer of personal data directly to a third party can only be done if it is technically possible.

Objection
You have the right to object to the processing of your personal data. If you object to our processing of your information, we will stop the processing where there is no overriding legal or regulatory requirement. If an overriding requirement exists, we will inform you of this.

Consent withdrawal
If you have given your consent to us to process your personal data, you can withdraw your consent at any time. We will stop any processing allowed solely by consent within 30 days of receiving your request.

For questions related to this privacy statement, please contact our local privacy officer or local compliance officer via: bhusan.gupta@dllgroup.com.

If you would like to exercise any of your rights, please do so by completing this form:

We will respond within one month after we have received your request. In some cases, however, we may need to extend this period for up to another 2 months. We may need to ask you for some additional details to clarify your request or provide verification of your identity.

We will do our best to handle your request, question, or complaint quickly and efficiently.

This privacy statement will be updated from time to time in case of additional legal requirements or if we process personal data for new purposes.