Privacy Notice Pursuant to the Digital Personal Data Protection Act, 2023
Our Commitment to Protecting Your Personal Data
Tata Motors Global Services Limited and its business units (hereinafter referred to as “TMGSL”, “we”, “us”, “our”, or the “Company”) respect the privacy of individuals and are committed to safeguarding the personal data entrusted to us. This Privacy Notice describes how TMGSL collects, uses, stores, shares, and protects personal data in the course of interactions through our digital platforms.
In accordance with the Digital Personal Data Protection Act, 2023 (“DPDP Act”), TMGSL processes personal data in a lawful, fair, and responsible manner and implements appropriate technical and organizational measures to ensure its security. We are committed to transparency in our data processing practices and to enabling individuals to exercise their rights and retain meaningful control over their personal data. This Privacy Notice applies to personal data processed through TMGSL’s digital platforms, including websites and applications, as well as through physical channels used in the conduct of our business activities.
Scope
This Notice applies to:
- Personal data collected within India.
- Personal data processed outside India for the purpose of offering goods or services to individuals in India, in digital form or in non-digital form that is subsequently digitized.
This Notice is effective from the date of publication as below which governs the processing of your personal data from that date onwards, in accordance with the Digital Personal Data Protection Act, 2023.
Purpose and Lawful Basis for Processing Personal Data
TMGSL collects and processes your personal data either:
- With your explicit consent, or
- Under legitimate uses permitted by Section 7 of the DPDP Act.
TMGSL collects personal data either directly from individuals or through their interactions with TMGSL’s services, digital platforms, websites, and authorized clients, vendors, and business partners. Such personal data may be processed as part of TMGSL’s business operations, including the provision of payroll and HR services, accounts payable and receivable management, insurance administration, workforce and vendor onboarding, business partnerships, query handling, and other professional and support services delivered by TMGSL.
Personal Data Collected via TMGSL Systems
Under the Digital Personal Data Protection Act, 2023 (“DPDP Act”), personal data refers to any data about an individual who is identifiable by or in relation to such data. When you interact with company’s websites, applications, or services, we may collect personal data that can identify, contact, or locate you. This includes information such as your name, age, gender, address, phone number, email ID, IP address, location data, and device-related information.
Personal data may be collected at various touchpoints, including when:
- you register on or access TMGSL’s websites, portals, or digital platforms.
- you access, use, or enquire about services provided by TMGSL, including payroll processing, HR and workforce management services, insurance administration, accounts payable and receivable management, and other business support services.
- you interact with TMGSL’s digital platforms for service-related, business, or operational information.
- you contact TMGSL for enquiries, service requests, business communication, or customer and stakeholder support.
TMGSL acts as a Data Fiduciary where personal data is directly requested and collected through its platforms. In situations where you voluntarily choose to share personal data with third parties such as authorised business partners through our platforms or otherwise, those third parties act as independent Data Fiduciaries. They are responsible for ensuring compliance with applicable data protection laws, including obtaining valid consent from the concerned Data Principals.
In addition, not all personal data processed by us is collected directly from you. In certain cases, we may receive personal data from authorised business partners or service providers as part of service delivery or operational requirements. We ensure that all such personal data is processed lawfully, securely, and in accordance with the DPDP Act.
The sections below provide an overview of the categories of personal data processed, the related business activities and purposes, and the applicable lawful grounds.
The following list shows the various processing purposes for personal data here at TMGSL:
| Sr. No. | Categories of Personal Data Collected | Lawful Grounds of Processing | Platform / Source of Collection | Purpose for Collection |
|---|---|---|---|---|
| 1 | Business and Personal Contact Information (e.g., name, phone number, email ID, address, company name, designation) | The processing of your data is based on your explicit consent in accordance with Section 6 of the DPDP Act. | Websites, emails, onboarding forms, visiting cards |
Business Communication & Relationship Management:
|
| 2 | Recruitment & Job Applicant Data (e.g., resumes, education details, work experience, salary details, interview feedback) | The processing of your data is based on your explicit consent in accordance with Section 6 of the DPDP Act. | Careers portal, job portals, referrals, recruitment consultants, emails, HR systems |
Recruitment & Role Evaluation:
|
| 3 | Employee Personal & Employment Data (e.g., name, contact details, DOB, address, PAN, Aadhaar, bank details, employment records) | The processing of your data is based on your explicit consent in accordance with Section 6 of the DPDP Act. | HRMS, SAP, employee onboarding documents |
Talent Management & Workforce Administration:
|
| 4 | Employee Payroll & Benefits Data (e.g., salary details, bank account details, tax declarations, insurance details, PF/ESI data) | The processing of your data is based on your explicit consent in accordance with Section 6 of the DPDP Act. | Payroll systems, SAP, statutory portals, insurance platforms |
Payroll & Statutory Compliance:
|
| 5 | Client SPOC Contact Data (e.g., name, designation, phone number, email ID) | The processing of your data is based on your explicit consent in accordance with Section 6 of the DPDP Act. | Ticketing Portals, contracts, emails |
Client Coordination & Service Delivery:
|
| 6 | Client Employees Data (e.g., name, employee ID, salary data, bank details, insurance details, attendance records) | The processing of your data is based on your explicit consent in accordance with Section 6 of the DPDP Act. | Client-provided systems, secure portals, payroll systems |
Client Payroll & HR Services:
|
| 7 | Vendor / Supplier SPOC Data (e.g., name, contact details, designation, company information) | The processing of your data is based on your explicit consent in accordance with Section 6 of the DPDP Act. | Vendor onboarding forms, emails, procurement systems |
Vendor Onboarding & Communication:
|
| 8 | Client Vendor Data (e.g., vendor name, PAN, GST, bank details, invoices) | The processing of your data is based on your explicit consent in accordance with Section 6 of the DPDP Act. | Client ERP systems, emails, accounting systems |
Accounts Payable (AP) & Vendor Management:
|
| 9 | Client Customer Data (e.g., name, contact details, service records, warranty details, complaint history) | The processing of your data is based on your explicit consent in accordance with Section 6 of the DPDP Act. | Client ERP systems, service portals |
Accounts Receivable (AR) & Warranty Management:
|
| 10 | Query, Complaint & Support Interaction Data (e.g., emails, call records, tickets, service history) | The processing of your data is based on your explicit consent in accordance with Section 6 of the DPDP Act. | Helpdesk systems, email, call logs |
Query Handling & Service Support:
|
| 11 | Website & Digital Interaction Data (e.g., IP address, device data, browser details, cookies) | The processing of your data is based on your explicit consent in accordance with Section 6 of the DPDP Act. | Company website, analytics tools |
Website Operations & Analytics:
|
| 12 | Financial & Regulatory Compliance Data (e.g., PAN, GST details, invoices, audit records, statutory filings) | The processing of your data is based on your explicit consent in accordance with Section 6 of the DPDP Act. | ERP systems, statutory portals, email filings |
Financial Operations & Regulatory Compliance:
|
| 13 | Visitor Management & In-Premise Surveillance Data (e.g., visitor name, phone number, photograph, CCTV footage) | The processing of your data is based on your explicit consent in accordance with Section 6 of the DPDP Act. | Visitor management register, CCTV systems |
Physical Security & Safety Compliance:
|
| 14 | Operational & Process Data (e.g., service logs, performance data, feedback) | The processing of your data is based on Legitimate Use in accordance with Section 7 of the DPDP Act. Legitimate interest. | Internal systems, reports |
Operational Efficiency & Quality Improvement:
|
Personal Data Collected and Processed by Third Parties
As a Data Fiduciary under the Digital Personal Data Protection Act, 2023, TMGSL engages authorised third parties (“Data Processors”) who process personal data strictly on our instructions. These partners are contractually obligated to maintain confidentiality, implement appropriate security controls, and process personal data only for the specific purposes defined by us.
We may share your personal data with different categories of processors to support our operations. Your personal data may be shared strictly for the purposes described in this Privacy Notice.
Your Rights as a Data Principal
As a Data Principal, you have the following rights in relation to your personal data processed by TMGSL:
Right to Access Information
You may request a summary of the personal data processed by us, including the categories of data, the purpose of processing, and details of third parties with whom the data has been shared. A copy may be provided in electronic form, subject to applicable legal requirements and exceptions under the DPDP Act.
Right to Correction and Erasure
You have the right to request correction of inaccurate or incomplete personal data and to request erasure of personal data that is no longer required for the purpose for which it was collected, unless retention is required under applicable law.
Grievance Redressal
You may raise grievances relating to the processing of your personal data or the exercise of your rights under the DPDP Act. TMGSL has established a grievance redressal mechanism to address such concerns in a timely manner, in accordance with applicable law.
Right to Nominate
You have the right to nominate an individual to exercise your rights on your behalf in the event of death or incapacity, in accordance with the DPDP Act.
We will respond to data principal rights requests in accordance with the timelines prescribed under the DPDP Act, 2023.
For security purposes, identity verification may be required before processing any request. Where a request cannot be fulfilled, a reasoned response will be provided.
For any queries or to exercise your rights, you may contact TMGSL’s Data Protection Officer at contactus.tmgsl@tatamotors.com
Retention and Deletion
We ensure that your Personal Data is accurate, up to date, and retained only for as long as necessary to fulfil the purposes for which it is collected, including providing access to and use of the website. Personal Data may also be retained as required to comply with applicable laws, regulations, legal obligations, resolve disputes, enforce agreements, or to establish, exercise, or defend legal claims.
Retention periods may vary depending on the nature of the Personal Data and the purpose of processing, and are determined in accordance with applicable statutory requirements, organisational retention policies, and limitation periods.
Once the relevant purpose has been fulfilled and the applicable retention period has expired, the Personal Data is securely deleted or anonymised in a systematic manner. Even after deletion from active systems, certain data may be retained in backup or archival systems for audit, legal, tax, or regulatory purposes, as permitted under applicable law.
Data Transfer Outside India
TMGSL primarily processes Personal Data within India. In the normal course of business, Personal Data is not transferred outside India. Where cross-border access or transfer is required in limited and specific circumstances, it is undertaken strictly in accordance with the Digital Personal Data Protection Act, 2023, and applicable directions issued by the Central Government.
Limited cross-border transfers may occur in connection with interactions involving overseas group entities, joint ventures, customers, vendors, or travel and logistics service providers, and only to the extent necessary for business purposes.
In all such cases, TMGSL implements appropriate safeguards, including:
TMGSL maintains transparency in its international data processing activities and undertakes cross-border transfers only where legally permitted and operationally necessary.
For queries relating to cross-border data processing, you may contact the Data Protection Officer at contactus.tmgsl@tatamotors.com
Changes to this Privacy Notice
This Privacy Notice is subject to modification in response to changes in our privacy practices or upon notification from governmental authorities. In the event of any amendments, the revised notice will be published on this website. Should there be significant changes affecting the processing of your personal data, we will notify you via email or through any other available communication channels.
Link to other Websites
Our websites may feature buttons or tools that link to services provided by other companies. We encourage you to review the privacy policies of these external sites, as they may have their own privacy notices in place. Please note that we cannot be held responsible for the privacy practices of these external sites.
How to Exercise Your Rights
You may exercise these rights by contacting our Data Protection Officer through the following means:
Contact our Data Protection Officer
Email: contactus.tmgsl@tatamotors.com
We will respond within 90 working days or as prescribed under the DPDP Act. You may also approach the Data Protection Board of India if you are not satisfied with our response.
Disclaimer
Individuals who are 18 years of age or older and possess the legal capacity are authorized to access our website and applications.
