PROTECTING YOUR PRIVACY – OUR COMMITMENT

Effective date: January 1, 2020

Tata Communications respects your privacy and is committed to ensuring that appropriate protections are in place for your personal data. We seek to comply with all currently applicable legislation regarding the protection, security and confidentiality of personal data. In this Privacy Policy (the “Policy”), we describe how we collect, use, disclose and protect personal data. We also outline the rights you may have in respect of your personal data held by us. The Policy relates to your personal data that we may process through your use of the Wi-Fi Hotspot, car connectivity and/or (e)SIM services available in your Jaguar Land Rover ("JLR") vehicle (the "Services").

This Policy is provided in a layered format, so you can click through to the specific areas set out below that may be of most interest to you.

  1. TATA COMMUNICATIONS AND YOUR PRIVACY
    1. Protecting your privacy is important to us and is a responsibility that we take very seriously.
    2. Who are we? Tata Communications (Netherlands) B.V. is the controller of and responsible for the Services. References to "we", "our" or "us" in this Policy refer to this company, which is responsible for processing, collecting and storing your personal data.
    3. Additional information on our personal data practices may be provided in contractual agreements, supplemental privacy statements, or notices provided to you prior to or at the time of collection of your personal data.
    4. Your use of our Services, and any dispute over privacy, is subject to this Policy, our Terms of Service (which are incorporated by reference into this Policy) and any written contract for services between you and us or any person who provides you with access to our Services.
  2. HOW TO CONTACT US

    For any questions about this Policy and our data protection practices or to exercise any rights you may have in relation to your personal data under applicable law, you may use our self-service portal available here.

    Our postal address for any questions is:

    Tata Communications (UK) Limited
    Legal Compliance – Data Protection and Privacy
    Vintners Place
    68 Upper Thames Street
    London, EC4V3BJ
    United Kingdom

    For Germany, Singapore and India you can contact our Data Protection Officer ("DPO") by using our DPO contact form available [here].

  4. INFORMATION WE COLLECT ABOUT YOU AND HOW WE COLLECT IT
    1. We may collect or receive from JLR different types of personal data based on your use of our Services. The following is an overview of the categories of information that we might collect or receive:
      1. Account Information:
        1. Contact Information that allows us to communicate with you. We obtain this information when you order or register to receive any of our Services. We collect or receive information from you when you sign up for our Services, create an online account, make a purchase, request details or a call back, submit a technical, customer or billing support request, participate in a contest or survey, provide us with feedback or otherwise contact us. The type of information that we collect depends on your interaction with us or JLR, but may include your name, address, telephone number (business or personal), email address, postal/billing address (business or residential), date of birth, device/vehicle identification number, date of service commencement, and any other relevant information such as proof of ID or residence. Your provision of such data is a condition for us to enter into a contract with you.
        2. Billing Information related to your commercial and financial relationship such as the services we provide to you, the telephone numbers you call and text, your Internet usage, time stamps or other metadata of your usage of our service, your payment history, your credit history, your credit card numbers, social security number (where permitted by law), security codes and your service history.
      2. Technical & Usage Information related to the Services we provide to you, including information about how you use our Services. Some examples include:
        1. Equipment Data: Information that relates to and identifies the equipment on our networks that you may use or interface with. Information might include equipment type, device identifiers, device status, serial numbers, settings, configuration and software type.
        2. Network Performance & Usage: Information about the operation of the equipment, services and applications you use on our networks. Examples of this might include wireless device location (for roaming purposes) and type, where an emergency or breakdown assistance call was made from and to as well as: its date, time, duration and cost, voice minutes used, calling records, bandwidth used. We also collect information like transmission rates and delays, data associated with remote monitoring services and security characteristics, and information about your use of our interconnected voice over internet protocol (VoIP) services (including services purchased offline).
    2. We may collect the above personal data in the course of providing Services to you or to someone who has provided you with access to our Services. We may obtain this information in a number of ways, for example:
      1. directly from you: for example, when you provide your details in order to subscribe to our Services or contact us for a technical enquiry.
      2. automatically: when personal data is generated through your use of our Services.
      3. from third party sources: we sometimes collect the above categories of personal data about you from trusted third parties, in connection with Services that we provide to you or propose to provide to you, where appropriate and to the extent we have a justified basis to do so. These include JLR as your vehicle manufacturer, KYC/fraud-prevention agencies, business directories, credit check and KYC reference/vetting agencies and connected network providers.
  5. HOW DO WE USE THE PERSONAL DATA WE COLLECT?
    1. We set out below some of the ways in which we process personal data:
      1. Giving you access to the Services: Manage your application and determine your eligibility to be given access to our Services. This includes taking action regarding illegal activities, KYC/fraud, threats to our property or personnel and violations of our Terms of Service and/or applicable law and also to meet our legal and regulatory obligations.
      2. Providing you the requested Services: This includes communicating with you and providing you with the Services requested.
      3. Manage accounts and help you manage your account: This includes communicating with you about your use of our Services, responding to your inquiries, providing any information that you request, addressing technical support tickets, and providing customer service support.
      4. Processing payments & invoicing: Obtain and process payments, this includes taking action against fraudulent activities and complying with our legal and regulatory obligations.
      5. Protecting the integrity of our network: Keep things secure, protect your personal data against any loss, damage, theft or unauthorized access, prevent crime and fraud, prosecute offenders and protect national security.
      6. Managing our network: Manage our network and your use of our network. This includes managing the flows of data going through our network to ensure the best possible quality of Service is available to you.
      7. Research and developments of our Services: Improve our (and third-party partner) Services and develop new ones with the help of statistics on the usage of our Services.
      8. Marketing related activities: Send you information about our Services, unless you instruct us not to. Where we are required to obtain your consent for these activities, you have the right to withdraw such consent at any time by contacting us at the contact details set out in this Policy.
      9. Compliance with legal requirements: Collect and retain data about you where this is required under applicable law, for example identification data.
      10. Respond to requests from relevant authorities and regulatory requirements: We can use your personal data to respond to requests from law enforcement authorities or other public authorities. This may require us to disclose your contact details and/or information about your usage of our Services to such authorities or to block, intercept or otherwise interfere with your use of our Services and any personal data generated by the usage.
  6. WHAT IS THE JUSTIFICATION FOR THIS USE?
    1. In the EU, our justification (or legal basis) for processing your personal data will vary depending on the information itself, our relationship with the subject of the personal data, the Service being provided, the specific legal and regulatory requirements of the country in which the Services are being provided or the personal data processed as well as many other factors. Subject to modifications in specific countries, the legal bases for the processing are as follows:
      1. In order to engage in transactions with you, suppliers and business partners, to communicate with you and to process payments and to give you access to the Services, we need to process information about you as necessary to enter into or perform a contract with you.
      2. We process personal data for marketing and sales activities based on your consent where required and so indicated on our sites or at the time your personal data is collected, or further to our legitimate interest to market and promote our products and services or to improve or develop them.
      3. We rely on our legitimate interests to process information in order to analyse, develop, improve and optimise our Services, and to maintain the security and integrity of our network and systems. We also have a legitimate interest in using your personal data in connection with legal claims, compliance, regulatory and investigative purposes as necessary.
      4. Because applicable laws (including telecommunications laws), regulations or the public interest require us to, such as to comply with legal processes, law enforcement or regulatory authorities or to assist in the prevention, detection or prosecution of crime.
      5. If you withhold any information requested, we may not be able to provide you with certain services or functionality.
    2. Relying on our legitimate interests: We have carried out balancing tests for all the data processing we carry out on the basis of our legitimate interests, which we have described above. You can obtain information on any of our balancing tests by contacting us using the details set out in this Policy.
    3. In all other countries (except in the EU or in jurisdictions where similar EU-flavoured requirements exist), our justification for processing your personal data will be based on your consent and acceptance of the Terms of Service and this Policy.
  7. WHEN DO WE SHARE THE PERSONAL DATA WE COLLECT
    1. Subject to obtaining your consent as may be required in some jurisdictions, we may share or disclose your personal data as necessary for the purposes described above and as further detailed below:
      1. Affiliates. We may disclose the information we collect from you to our affiliates. Where permitted by law and with your consent where required, our affiliates may use your information for the purposes indicated in this document, including marketing their products and services to you. In processing your personal data, our affiliates follow practices at least as protective as those described in this Policy. A list of our affiliates is available <here>.
      2. Integration of our services. Our Services are offered through JLR. Therefore, we will need to share your personal data with them to assist us in providing the Services to you. We also may share your personal data with companies that are system integrators, JLR retailers, network partners, in order to provide you with the Services.
      3. Third-Party Service Providers. We employ other companies and individuals to perform functions that are necessary for the provision of the Services or for the purposes described above. Examples include: sending communications, processing payments, assessing credit and compliance risks to give you access to our Services, analysing data, conducting customer relationship management, and engaging network partners, contractors or agents, who perform functions on our behalf. These third parties include other carriers or providers that we may disclose personal data to where necessary to provide our Services or fulfil your requests or orders, service/order fulfilment, customer service, and effecting payment, among others. These third-party service providers have access to personal data needed to perform their functions but may not use it for other purposes where they process your personal data on our behalf. Whenever we share personal data with third parties, we take steps to ensure that third party contracts contain appropriate protections for your personal data.
      4. Business Transfers. If we are acquired by or merge with another company, or if substantially all of our assets are transferred to another company (which may occur as part of bankruptcy proceedings), we may transfer your personal data to the other company. We may also need to disclose your personal data before any such acquisition or merger, for example to our advisers and any prospective purchaser's adviser.
      5. Legal Protection and in Response to Legal Process. We may disclose the information we collect from you in order to (i) comply with applicable law, judicial proceedings, court orders or other legal requirements or, (ii) when we believe in good faith that disclosure is necessary to protect our rights, protect your safety or the safety of others, investigate fraud, or respond to government requests, including government authorities outside of your country of residence, for national security and/or law enforcement purposes. As noted above, the personal data we collect from you may be shared with government authorities or law enforcement officials for the purposes above if we believe, in good faith, that we are obliged to do so, if there are compelling reasons of public interest for us to do so or if required for the legal protection of our commercial, financial, legal, reputational or other legitimate interests in compliance with the applicable laws.
      6. Sharing Aggregated and De-Identified Information. We may use your personal data to create aggregated and anonymised information which we may share with third parties. Nobody can identify you from that anonymised information. In other circumstances we may pseudonymise your personal data before sharing it with a third party so that we can reassociate you with the information once it has been processed and returned to us. Whilst the third party will not be able to identify you from the pseudonymised information, we will still be able to do so. We treat pseudonymised data as though it were personal data and ensure the same level of protection for it when sharing with third parties.
      7. For relevant jurisdictions only (e.g. Japan or China): you hereby consent to us sharing your data with the third parties or categories of third parties listed in this clause.
  8. INTERNATIONAL TRANSFER OF PERSONAL DATA
    1. Subject to obtaining your consent as required in some jurisdictions, Tata Communications may transfer personal data across national borders. In doing so, your personal data may be transferred to and processed by other Tata Communications entities and/or unrelated third parties.
    2. All Tata Communications entities have signed an intra-group agreement applicable to transfer of personal data outside of the EU or to jurisdictions which do not provide adequate levels of protection according to the applicable law. A list of our affiliates and their location is available <here>. This agreement is based on the EU Commission standard contractual clauses (and which therefore contractually impose a standard of protection for the personal data that is equivalent to that offered within the EU). This way we ensure that adequate protections are in place for the security of your personal data when we transfer it to one of our affiliates, wherever they may be located in the world. You can obtain a copy of these clauses by contacting us.
    3. When we share your personal data with third parties unrelated to the Tata Communications Group, we require all such third parties to respect the security of that personal data and to treat it in accordance with applicable data protection laws. [For India only: We also ensure that at the very least, the same level of data protection is adhered to by the third parties, as is provided to you by us.] Where we engage third-party service providers to process your personal data on our behalf, we do not allow them to use that personal data for their own purposes and only permit them to process it for our own specified purposes and in accordance with our instructions. When initiating such processor relationships, we will ensure that adequate safeguards are in place for your personal data using the data transfer mechanism most appropriate to the personal data and the countries within or to which the personal data may be transferred. Where permitted by law, this mechanism may include: the use of the EU approved contractual clauses; ensuring that the recipient has implemented EU approved Binding Corporate Rules governing transfer of personal data; or (in the US) is Privacy Shield Certified (EU and Swiss Privacy Shield); or confirming that the country in which the recipient is located has been formally confirmed as providing adequate protections for personal data by the EU.
    4. For relevant jurisdictions only (e.g. Mexico, Russia, China and Argentina): By using the Services, you expressly agree to the transfers of personal data to third countries where this requires your consent.
  9. WHAT RIGHTS DO I HAVE IN RELATION TO MY PERSONAL DATA?
    1. Under the law of many countries, you have certain rights in relation to your personal data that is held by us and we respect and observe these rights. Such rights may include the rights to: ask us to confirm that we are processing your personal data, ask us for a copy of your personal data (including information regarding who we share your data with); to correct, delete or restrict (stop any active) processing of your personal data; to limit the use and disclosure of your personal data; and to ask us to share (port) your personal data to another person, such as another provider of telecommunications services (where this right is included under applicable law).
    2. In addition, in certain countries, you can object to the processing of your personal data in some circumstances (in particular, where we don’t have to process the data to meet a contractual or other legal requirement, or where we are using the data for direct marketing). Where applicable, you can also withdraw the consent you have given us to process your personal data and request information on the consequences of not providing such consent.
    3. These rights may be limited, for example if fulfilling your request would reveal personal data about another person, where they would infringe the rights of a third party (including our rights) or if you ask us to delete information which we are required by law to keep or have compelling legitimate interests in keeping.
    4. To exercise any of these rights, to raise any concerns about our privacy practices, or to obtain other information, you can get in touch with us; see our contact details above. For Australia only: We will consider your communication carefully and will respond to you within 30 days of your communication with us.
    5. If you have unresolved concerns, you may have the right to complain to your relevant national data protection authority. Please do contact us before making such a complaint however as we would appreciate the opportunity to investigate and address your concerns first.
  10. HOW LONG WILL YOU RETAIN MY PERSONAL DATA
    1. We retain personal data for as long as and/or for no longer than we are permitted to do by applicable law, regulation, tax or accounting practice or the terms of any governmental telecoms licenses to which we may be subject. We also delete or anonymise personal data in accordance with any obligations that we may be subject to.
    2. Where maximum or minimum data retention periods are not otherwise stipulated, we determine an appropriate retention period for the personal data by considering: the amount, nature and sensitivity of the personal data contained in the records; the potential risk of harm from unauthorized use or disclosure of personal data; the purposes for which we process the personal data and whether we may be able to achieve those purposes through other means.
    3. For China only: your personal data may be stored in countries in which we transfer personal data as per clause 7 above.
  11. DATA SECURITY
    1. We will use all reasonable endeavours to maintain the security of all your personal data and to protect such personal data from misuse, interference and loss and against unauthorised collection, copying, access, modification or disclosure.
    2. We have put in place reasonable controls (including physical, technological and administrative measures) designed to help safeguard the personal data that we collect via the sites. No security measures are perfect, however, and so we cannot assure you that personal data that we collect will never be accessed or used in an unauthorised way, which may happen due to circumstances beyond our reasonable control. We have put in place procedures to deal with a suspected personal data breach, and we shall notify you and any applicable regulator of a breach where we are legally required to do so.
    3. The measures that we put in place to secure your personal data are as follows:
      1. Physical measures, including: restricted access to computer centers and data storage facilities;
      2. Administrative measures, including: execution of internal data security plan and periodic staff training sessions;
      3. Technological measures, including: control of access to personal data processing system and installation of access control system, and security programs;
      4. All access to system components and personal data shall be limited to those individuals that have a business need-to-know;
      5. Access rights for individual users shall be restricted to the least privileges necessary to perform the job. They shall be based on job classification and function;
      6. All access privileges have to be approved by authorized parties specifying the required privileges before any access is granted; and
      7. All users shall be assigned a unique identification before they are allowed any access to system components, personal data or other sensitive data. Additionally, all users are to be authenticated by a password at a minimum.
  12. CHANGES TO THIS POLICY

    To ensure that you are always aware of how we use your personal data we will update the online version of this Policy from time to time to reflect any changes to our use of your personal data. We may also make changes to comply with changes in applicable law or regulatory requirements. Where it is practicable, we will notify you by other means prior to changes materially affecting you such as by posting a notice on our sites or sending you a notification. To the extent required by applicable laws, we will obtain your consent before implementing such changes. However, we encourage you to review this Policy periodically to be informed of any changes to how we use your personal data.