Privacy Policy
Overview
The purpose of this policy is to maintain the privacy of and protect the personal information of employees, contractors, vendors, interns, associates, customers, and business partners of Rumsan Associates Private Limited (hereafter referred to as "Rumsan" or "the organization").
Responsibilities
The owner of the Privacy Policy shall be the Chief Operations Officer. The COO shall be responsible for the maintenance and accuracy of this policy. Any queries regarding the implementation of this Policy shall be directed to the COO. This policy shall be reviewed for updates by the COO on an annual basis. Additionally, the data privacy policy shall be updated in line with any major changes within the organization's operating environment or on recommendations provided by internal/external auditors and the Executive Committee.
This policy and underlying principles will be reviewed annually by the Executive Committee to ensure their continued application and relevance.
Scope
This policy is applicable to all Rumsan employees, contractors, vendors, interns, associates, customers, and business partners who may receive personal information, have access to personal information collected or processed, or who provide information to the organization.
This Policy applies to all Rumsan employees, contractors, vendors, interns, associates, customers, and business partners who receive personal information from Rumsan, who have access to personal information collected or processed by Rumsan, or who provide information to Rumsan, regardless of geographic location. All employees of Rumsan are expected to support the privacy policy and principles when they collect and/or handle personal information, or are involved in the process of maintaining or disposing of personal information. This policy provides the information to successfully meet the organization's commitment to data privacy.
All partner firms and any Third Party working with or for Rumsan, and who have or may have access to personal information, will be expected to have read and understood this policy and to comply with it. No Third Party may access personal information held by the organization without having first entered into a confidentiality agreement.
Data Privacy Principles
4.1 Notice
Rumsan shall provide data subjects with a notice about how it collects, uses, retains, and discloses personal information about them. Notice shall be made readily accessible and available to data subjects before or at the time of collection of personal information; otherwise, notice shall be provided as soon as practical thereafter. Notice shall be displayed clearly and conspicuously and shall be provided through online methods (e.g., by posting it on the intranet portal, website, sending emails, newsletters, etc.) and/or offline methods (e.g., through posts, couriers, etc.). All the websites (including Intranet portals), and any product or service that collects personal information internally shall have a privacy notice. In case of any cross-border transfer of personal information, the data subjects shall be informed by a notice sufficiently prior to the transfer. Privacy notices may include:
- the organization's operating jurisdictions; Third Parties involved; business segments and affiliates; lines of business; locations
- types of personal information collected; sources of information; who is collecting the personal information, including contact information;
- the purpose of collecting the personal information;
- assurance that the personal information will be used only for the purpose identified in the notice and only if the implicit and/or explicit consent is provided, unless a law or regulation specifically requires otherwise;
- any choices the data subject has regarding the use or disclosure of the information; the process a data subject shall follow to exercise the choices;
- the process for a data subject to change contact preferences and the ways in which the consent is obtained;
- collection process and how the information is collected; how the information is used, including any onward transfer to Third Parties;
- retention and disposal process for personal information; assurance that the personal information will be retained only as long as necessary to fulfill the stated purposes, or for a period specifically required by law or regulation, and will be disposed of securely or made anonymous once the identified purpose is completed;
- process of accessing personal information; the costs associated with accessing personal information (if any); process to update/correct the personal information; the resolution of disagreements related to personal information; how the information is protected from unauthorized access or use;
- how users will be notified of any changes made to the privacy notice;
- disclosure process for Third Parties; the assurance that the personal information is disclosed to Third Parties only for the purpose identified; the remedial actions in place for any misuse of personal information by the Third Parties;
- security measures in place to protect the personal information; ways of maintaining the quality of personal information;
- monitoring and enforcement mechanisms in place; description of the complaint channels available to data subjects; how the internal personnel, key stakeholders, and customers can contact the Company related to any privacy complaints or breaches; relevant contact information and/or other reporting methods through which the complaints and/or breaches could be registered;
- consequences of not providing the requested information.
4.2 Choice and Consent
Rumsan shall give data subjects the choices and obtain their consent regarding how it collects, uses, and discloses their personal information. Consent refers to their agreement to the collection and use, often expressed by the way in which they exercise a choice option.
- Rumsan shall establish systems for the collection and documentation of data subject consents to the collection, processing, and/or transfer of personal data.
- Data subjects shall be informed about the choices available to them with respect to the collection, use, and disclosure of personal information.
- Consent shall be obtained (in writing or electronically) from the data subjects before or at the time of collecting personal information or as soon as practicable thereafter.
- The changes to a data subject's preferences shall be managed and documented. Consent or withdrawal of consent shall be documented appropriately.
- The choices shall be implemented in a timely fashion and respected. If personal information is to be used for purposes not identified in the notice / SoW/contract agreements at the time of collection, the new purpose shall be documented, the data subject shall be notified, and consent shall be obtained prior to such new use or purpose.
- The data subject shall be notified if the data collected is used for marketing purposes, advertisements, etc.
- Rumsan shall review the privacy policies of the Third Parties and types of the consent of Third Parties before accepting personal information from Third-Party data sources.
4.3 Collection of Personal Information
Rumsan shall collect personal information from data subjects only for the purposes identified in the privacy notice / SoW/contractor agreements and only to provide the requested product or service. Personal information may be collected online or offline. Regardless of the collection method, the same privacy protection shall apply to all personal information.
Personal information shall not be collected unless one of the following is fulfilled:
- the data subject has provided valid, informed, and free consent;
- processing is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract;
- processing is necessary for compliance with the organization's legal obligation;
- processing is necessary in order to protect the vital interests of the data subject; or
- processing is necessary for the performance of a task carried out in the public interest.
The project team/support function shall obtain approval from the IT Security team before adopting new methods for collecting personal information electronically.
Rumsan shall review the privacy policies and collection methods of Third Parties before accepting personal information from Third-Party data sources.
4.4 Use, Retention, and Disposal
Rumsan shall only use personal information that has been collected for the purposes identified in the privacy notice / SoW/contract agreements and in accordance with the consent that the data subject shall provide. Rumsan shall not retain personal information longer than is necessary to fulfill the purposes for which it was collected and to maintain reasonable business records. Rumsan shall dispose of the personal information once it has served its intended purpose or as specified by the data subject.
4.5 Access
Rumsan shall allow data subjects to make inquiries regarding the personal information that Rumsan holds about them and, when appropriate, shall provide access to their personal information for review and/or update. Rumsan shall establish a mechanism to enable and facilitate the exercise of the data subject's rights of access, blockage, erasure, opposition, rectification, and, where appropriate or required by applicable law, a system for giving notice of inappropriate exposure of personal information.
Data subjects shall be entitled to obtain the details about their own personal information upon a request made and set forth in writing.
Rumsan shall review and shall provide personal information to the data subjects in a plain, simple format that is understandable (not in any code format).
4.6 Disclosure to Third Parties
Rumsan shall disclose personal information to Third Parties/partner firms only for purposes identified in the privacy notice / SoW/contract agreements. Rumsan shall disclose personal information in a secure manner, with assurances of protection by those parties, according to the contracts, laws, and other segments, and, where needed, with the consent of the data subject.
- Data Subject shall be informed in the privacy notice / SoW/contract agreement if personal information shall be disclosed to Third Parties/partner firms, and it shall be disclosed only for the purposes described in the privacy notice / SoW/contract agreements and for which the data subject has provided consent.
- Rumsan shall notify the data subjects prior to disclosing personal information to Third Parties/partner firms for purposes not previously identified in the notice / SoW/contract agreements.
- Rumsan shall communicate the privacy practices, procedures, and requirements for data privacy and protection to the Third Parties/partner firms.
- The Third Parties shall sign an NDA (Non-Disclosure Agreement) with Rumsan before any personal information is disclosed to the Third Parties' partner firms. The NDA shall include the terms on non-disclosure of customer information.
4.7 Security for Privacy
Rumsan shall protect personal information from unauthorized access, data leakage, and misuse. Individuals noticing or becoming aware of any breach of personal data shall notify the COO (by emailing [email protected]).
4.8 Monitoring and Enforcement
Rumsan shall monitor compliance with its privacy policies, both internally and with Third Parties, and establish the processes to address inquiries, complaints, and disputes based on Rumsan Incident Reporting Guidelines.
4.9 Dispute Resolution and Escalation Process for Employees
Employees with inquiries or complaints about the processing of their personal information shall first discuss the matter with their immediate supervisor. If the employee does not wish to raise an inquiry or complaint with an immediate manager, or if the manager and employee are unable to reach a satisfactory resolution of the issues raised, the employee shall bring the issue to the attention of the HR manager ([email protected]).
4.10 Dispute Resolution and Escalation Process for Customer / Third Party
Customers / Third Parties with inquiries or complaints about the processing of their personal information shall bring the matter to the attention of the Point of Contact and copy to the COO ([email protected]) in writing. Any disputes concerning the processing of the personal information of non-employees shall be resolved through arbitration.
5. Glossary
| Term | Definition |
|---|---|
| Data Subject | A data subject who is the subject of personal and sensitive personal data. |
| Personal data or Personally Identifiable Information (PII) | PII is any information about an individual (the data subject) that can<br>Examples include, but are not limited to, name, address, date of birth, etc. |
| Sensitive Personal Information (SPI) | Sensitive personal data means personal data consisting of information but not limited to the following attributes of the data subject: |
| Third Party | All external parties – contractors, interns, summer trainees, vendors, clients – who have access to Rumsan information assets or information systems. |