
Employees’, Consultants’, and Employment Candidates’ Privacy Notice

  • Who are we (Introduction)?
  • What is the purpose of this notice?
  • To whom is this notice directed (Scope)?
  • What other rules or notices apply?
  • What are the categories/types of personal data we collect about you?
  • How do we collect your personal data (Source)?
  • Why do we collect your personal data?
  • With whom do we share your personal data (Disclosure)?
  • International (cross-border) transfer of personal data
  • How long do we retain your personal data?
  • How do we protect your personal data (Data Security)?
  • What are your rights with respect to your personal data?
  • Contact us
  • Definitions

Who are we (Introduction)?

University of York Mumbai Campus Private Limited, a company incorporated under the laws of India and having its registered office at 303, INIZIO, Cardinal Gracious Road, Andheri (East), Mumbai – 400099, Maharashtra (hereinafter referred to as “UYMC”, “us”, or “we”) is committed to protecting and securing the confidentiality of, and to lawfully handling and effectively managing the personal data we collect from our employees, consultants, and employment candidates.

What is the purpose of this notice?

This Employees’, Consultants’, and Employment Candidates’ Privacy Notice (“Notice”) outlines and describes how personal data or information of employees, consultants, and employment candidates is collected, managed, and processed by UYMC. UYMC is committed to handling the personal data of its employees, consultants, and employment candidates with fairness and transparency, and in a lawful manner. This Notice covers the minimum controls and obligations to which UYMC is committed in ensuring that the personal data of our employees, consultants, and employment candidates is collected, used, retained, and disclosed in a secure, lawful, transparent, and compliant manner.

To whom is this notice directed (Scope)?

This Notice inter alia applies to employees, consultants, and employment candidates (collectively “you”, “your”) of UYMC, whether:

  • you are presently employed with (or were, in the past, in case of former employees/consultants); or 
  • you have made employment-related enquiries to; or 
  • you have applied or expressed interest (by submitting your resume or a job application) for employment (full-time or contractual) via the online job portal, recruitment event, or any other similar event or channel. 

This Notice also covers “you” as an intern or a recruit for short-term assignment(s) and is designed to inform you of the personal data that we collect, our purposes of processing that data, and your rights in connection with it.

Please note, however, that we may need to update this Notice from time to time, for example, to reflect changing legal requirements or processing activities. If we make any material changes to this Notice, we will let you know.

This Notice does not apply to personal data of other categories of individuals, such as our marketing leads, students, program applicants, faculty members, vendors, or clients engaged with or by UYMC. See our other privacy notices for more information. However, as more than one of the above notices may apply to you depending upon the context in which your personal data is collected and processed (e.g., an employee may also be a student), be sure to carefully read each applicable notice that we provide you so that you are fully informed.

What other rules or notices apply?

In some cases, local laws and regulations governing the processing of your personal data may be more restrictive than this Notice. Those more restrictive requirements will apply in that case. UYMC will provide you with additional privacy notices or information where applicable law(s) so require. In addition, this Notice may be supplemented from time to time with more specific privacy information or notices, for example, when you use a particular UYMC app or portal.

What are the categories/types of personal data we collect about you?

The personal data we collect and process may vary depending on the role, designation, and obligations arising under the applicable laws of the location (country) of the job-opening/position in question and/or of UYMC. The personal data that we collect from you is stored within the electronic records/database stored on servers (including cloud servers) located in Singapore, Japan, Canada, the U.S., India or in another country (including third countries that are not covered by an adequacy decision of the European Commission), as well as within physical records/databases.

UYMC collects the personal data only to the extent it requires it for a particular purpose(s), and it may collect, including but not limited to, the following types of personal data from you: 

Categories of personal data | Examples of personal data attributes within each category
Identification/Identity data | Full name, alias, gender, title, country of residence, nationality, citizenship, location, marital status, online identifier, IP address, date of birth, place of birth, age, photograph, biometric data (as part of any government-issued ID), race, proof of eligibility to work
Contact details | Home address, work address, phone number, email address, emergency contact details
Other joining details | Family details like dependents’ information, parents’ details, spouse’s details, children’s details
Financial data | Bank account information, social security number, tax identification number (including PAN), remuneration details from previous organization(s) (including perquisites, bonus, benefits), past salary slips, pension details, provident fund, tax deductions, current compensation (salary) and perks, CTC details
Educational and employment data (history) | Educational qualification, certifications, number of years of work experience, dates of hire and exit, job function, industry, job title, recent/current compensation (salary), name of the employer, rewards and recognition, professional memberships and licenses, employee ID, appraisal details, information generally included in a CV/resume, notice period
Role and position (employment) specific requirements | Employee category and status (full-time/part-time/intern/contracted), roles and responsibilities, reporting structure, working hours, employee ID, relocation preference, expected compensation (salary), country work authorization, professional reference(s) and recommendation(s), information required for overseas travel (official trips) or immigration, work permits and eligibility, information for initiating/conducting background verification and checks (including criminal history, health checkups, and drug testing) according to country-specific requirements and applicable laws, details for conducting credit checks, trainings completed, information required for initiating and conducting disciplinary proceedings, security camera (CCTV) footage, data generated through usage of official laptops and other assets (including location), reason for leaving and exit interview
Electronic identification data | Login ID, password, IP data, website visit logs, browser details
User-generated data | Interview responses, psychometric and behavioral assessment report, personality assessment report, video and audio recording during online interviews, video and audio recording during (online) official meetings or townhalls or other events, information generated during background verification and checks (including criminal history, health checkups, and drug testing) as per country-specific requirements and applicable laws, information generated during credit checks, presence and absence records (attendance), time sheet records, leave records (including reason, like vacation, personal, etc.), periodic performance evaluations and appraisals, promotion/demotion reports, career progress, complaints and suggestions, reports and findings from disciplinary proceedings, time and location of facility (including restricted areas) ingress and egress
Government-issued ID (including copy thereof) | National ID (including Aadhaar/UID and NRIC), passport, any other acceptable government document
Health information | Disabilities and special accommodation needed by you, blood group, sickness, allergies, meal preferences, maternity/paternity details
Other personal details | Personal references, language(s) proficiency, hobbies and interests, responses to employee surveys, feedback and suggestions, general/random information (not necessary for the employment management) like mother’s maiden name or pet’s name for verifying your identity for resetting your login credentials in case of lost/forgotten particulars including your username and password

Sensitive personal data 

Sensitive personal data or special categories of personal data (“SPD”) are personal data that are particularly sensitive in nature and merit specific protection, as the context of their processing could create greater risks to the fundamental rights and freedoms of individuals. SPD, if lost, compromised, or disclosed without authorization, could result in substantial harm, embarrassment, inconvenience, or unfairness to an individual. The examples of SPD may vary depending upon the context and the laws of the respective countries from where the SPD originates, and may include personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, sex life or sexual orientation, or data concerning health. 

UYMC may need to collect or process sensitive personal data or special categories of personal data as covered in the table above. Should we require SPD for managing your application or employment with UYMC, or for any other related purpose(s), we will obtain your explicit consent towards such collection and processing in terms of this Notice at the point where the SPD is disclosed by you.

Where the applicable law(s) provide other legal bases for processing SPD (as an exception to obtaining explicit consent), we may rely upon such legal basis as may be available to us in a particular situation. In the event you voluntarily disclose/share/upload/post/make public your SPD on our website, or any other public forum owned or controlled by us, you understand that the said SPD may be processed by us in accordance with the applicable law(s) and this Notice. 

Personal data of others provided by you:
In certain situations, you may provide us with the personal data of others (for example, friends, colleagues, family members, etc.), such as emergency contact details or professional references for your application, etc. In addition, you may also provide personal data about your family members or other beneficiaries for effective administration of health insurance benefits, term plan, retirement benefits, etc., as part of your employment.

In such cases, you are responsible for informing the individual(s) and/or obtaining their authorization (where legally required) towards the processing of their personal data for the purposes communicated to you.

How do we collect your personal data (Source)?

Personal data collected directly from you on our job portal
UYMC collects your personal data that we require in order to assess your candidature for the role you have applied for. You may either provide the required personal data by creating a new account on our website (job portal) or, in some cases, authorize third-party platforms like LinkedIn to share the data available with them with us. The remaining personal data attributes (that have not been updated on your chosen third-party platform) shall be additionally collected from you.

It is your responsibility and obligation to ensure that all personal data submitted to us is accurate, correct, complete, and up to date at the time of submission. Failure on your part to do so may adversely affect your candidature. Please keep us informed of any changes to your personal data.

Personal data collected from other legitimate sources 

Individuals (like our present or past employees, recruiters, head-hunters, etc.) may refer candidates to us for various roles and positions open with us. We may receive your personal data towards your candidature from the following (but not limited to) sources: 

  • Global job portals such as Naukri, Monster, IIMjobs, Glassdoor, Instahyre, Internshala, LinkedIn, who have been authorized by you to share your personal data available with them with us, for the purpose of your candidature towards the job-opening/role/position you are interested in. 
  • Search engines like Google. 
  • Individual referrals from sources like our present or past employees, other candidates, etc. 
  • Third-party vendors like staffing companies, head-hunters, recruitment consultants, etc. 
  • Events like campus recruitment, job fair, etc. 
  • Vendors conducting background verification and checks during the advanced stages of your candidature. 

If you have been referred to us by another individual, you may still need to register on our job portal to complete the interview, recruitment, and onboarding process. You may be asked to again provide the personal data initially provided to us by your referrer, along with the additional information (personal data), as required.

Personal data collected directly from you during the employee onboarding process 

Once you have cleared the interview process and an employment offer has been rolled out to you (and accepted by you), we may ask you to submit additional information and documents that were not collected as a candidate, since they were not required at that stage, for completing your onboarding process as an employee. 

Personal data generated before (as a candidate) and during your employment with UYMC 

Some or all of the attributes listed under the ‘User-generated data’ category of personal data will be generated during your evaluation as a candidate, like at the time of the interview, verification, etc., and at the time of onboarding as an employee and during your term of employment. We may store and maintain this data in our records (about you) or in any other relevant database.

Personal data of others provided by you 

In situations where you provide us with the personal data of others, as covered under the section ‘How do we collect your personal data (Source)?’, it becomes your responsibility to inform the individual(s) concerned about the processing of their personal data for the relevant purposes and to confirm to us that you have been authorized to submit such details to us for processing.  

Personal data collected via tracking technologies 

When you visit our website or use our service, third parties and we may use cookies and other tracking technologies to collect personal data from you.  This may include tracking your activities across time and third-party sites or services. For more information about this processing and your choices regarding it, see our Cookie Notice.

Why do we collect your personal data?

Purpose(s) of processing
UYMC uses your personal data, including your sensitive personal data, for the following primary purposes (not exhaustive) related to your job application, screening, onboarding, and employment:

Job application (recruitment) process:  

  • Assessing and managing your application for the job-opening/position that you have applied for or for other open roles (that match your profile) with UYMC around the world as a part of the end-to-end recruitment process. 

  • Conducting verification (as permitted under applicable laws), including background verification, credential verification, criminal verification, drug testing, etc. 

Onboarding process and during employment: 

  • Processing your offer of employment. 

  • Conducting applicable background and reference checks. 

  • Managing your payroll, incentives, and benefits (including health insurance and term plans). 

  • Fulfilling your training, learning, and upskilling needs and supporting other career development initiatives. 

  • Conducting periodic performance reviews. 

  • Managing complaints and conducting investigations.  

  • Arranging for business travels and/or relocation. 

  • Complying with regulatory requirements. 

Lawful (legal) basis for processing 

Privacy laws of certain jurisdictions require that one of the available lawful bases of processing, as prescribed by such privacy law, must be relied upon (satisfied) by UYMC before processing your personal data for each of the purposes listed earlier. The lawful basis that UYMC relies upon for a particular processing activity may differ from the lawful basis relied upon for another processing activity, i.e., different lawful bases may be relied upon to conduct different processing activities lawfully. 

All or some of the following lawful bases of processing may be available under the privacy law of a particular jurisdiction (country): 

  1. Consent: You have given consent (explicit/express or deemed/implied, depending upon the privacy law applicable) to the processing of your personal data for one or more specific purposes. 
  2. Performance of a contract: Processing of your personal data is necessary for the performance of a contract to which you are a party or in order to take steps at your request prior to entering into a contract. 
  3. Compliance with legal obligation: Processing is necessary for compliance with a legal obligation to which UYMC is subject. 
  4. Protection of vital interests: Processing is necessary to protect your vital interests or those of another natural person. 
  5. Public interest: Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. 
  6. Legitimate interest: Processing is necessary for the purposes of the legitimate interests pursued by UYMC or by a third party, except where such interests are overridden by your interests or fundamental rights and freedoms under applicable data protection laws. 

Processing of sensitive personal data or special categories of personal data (‘SPD’) has been covered earlier under the section ‘What are the categories/types of personal data we collect about you?’. 

The most common processing activities under each purpose that we use (process) your personal data for, along with the respective legal basis for our processing activities, are listed below: 

Purpose of processing (along with respective processing activities) | Lawful (legal) basis for processing

Evaluation, assessment, and hiring
Evaluating your application and assessing your eligibility for the role you have applied for and other roles that may match your profile. | Legitimate interest (finding a suitable candidate for the role); Performance of contract (taking steps prior to signing the employment contract if you are selected)
Conducting psychometric, behavioral, and personality assessments | Legitimate interest (finding a suitable candidate for the role)
Conducting face-to-face and/or online (remote) interviews, with audio/video recording (if necessary). | Legitimate interest (finding a suitable candidate for the role); Consent (for audio/video recording)
Assessing your eligibility/authorization to work in the country of the role/position in question. | Legitimate interest; Performance of contract (taking steps prior to signing the employment contract); Compliance with legal obligation (in case of EU and UK)
Calculating and making you an offer with monetary compensation and non-monetary benefits (CTC) if you’re selected. | Performance of contract (taking steps prior to signing the employment contract); Compliance with legal obligation (in case of EU and UK)

Verification
Verifying documentation related to your identity, educational qualification, reference, and work experience, etc. | Legitimate interest; Performance of contract
Conducting background verification and checks (including criminal history, health checkups, drug testing, and credit checks), as per country-specific requirements and permitted under applicable laws. | Legitimate interest; Performance of contract (taking steps prior to signing the employment contract with you)
Sanction checks/screening in compliance with applicable sanction laws across geographies (for example, the sanctions list of the Office of Foreign Assets Control). | Legitimate interest; Performance of contract; Compliance with legal obligation (in case of EU and UK)

Onboarding
Creating your account and generating employee login details, including username and password. | Legitimate interest; Performance of contract
Generating employee ID and issuing identity card. | Legitimate interest; Performance of contract

During the employment term
Assigning you to a function/team and establishing a reporting structure. | Legitimate interest; Performance of contract
Planning and managing your work schedule, roles, and responsibilities. | Legitimate interest; Performance of contract
Managing relocation, transfer, secondment, and official travel (including processes related to visa requirements, immigration and work permits). | Legitimate interest; Performance of contract
Assisting you with your career development, including learning and upskilling initiatives. | Legitimate interest
Facilitating your participation/attendance in seminars, webinars, events, and other programs related to the organization and your role. | Legitimate interest
Facilitating collaboration with other employees. | Legitimate interest
Conducting an investigation and taking action on disciplinary matters related to you. | Legitimate interest
Audio/video recording of official meetings, town halls, and similar events. | Legitimate interest

Reviews and appraisals
Conducting periodic review and evaluation of your performance during your employment. | Legitimate interest; Performance of contract
Planning and managing your career progress, including promotion, performance improvement, demotion, termination, etc. | Legitimate interest; Performance of contract

Administration and management
Processing your payroll and employee benefits (including those related to your dependents) during and post-termination of employment. | Performance of contract; Compliance with legal obligation (in case of EU and UK)
Tracking your attendance and managing absence records. | Legitimate interest; Performance of contract
Recording and maintaining timesheets. | Legitimate interest; Performance of contract
Maintaining leave records with reasons, like vacation, personal, health, maternity, etc. | Legitimate interest; Compliance with legal obligation (in case of EU and UK)
Maintaining an active directory of your employment details, including contact information and location, accessible by other employees across the globe. | Legitimate interest
Sending surveys, including employee satisfaction surveys, to receive feedback and suggestions to understand and enhance the overall employment experience. | Legitimate interest
Maintaining records related to usage of and access to buildings and facilities (including restricted areas). | Legitimate interest
Verifying your identity for resetting your login credentials in case of lost/forgotten particulars, including your username and password. | Legitimate interest
Securing IT assets and organizational data using a multi-factor authentication mechanism. | Legitimate interest
Investigating and addressing your complaints, grievances, and issues. | Legitimate interest
Investigating and addressing complaints, grievances, and issues against you. | Legitimate interest
Submitting records and reports required by the regulatory authorities. | Legitimate interest; Compliance with legal obligation (in case of EU and UK)

Complying with applicable laws, rules, regulations, codes of practice or guidelines and associated administrative activities
Responding to requests by government or law enforcement authorities conducting any investigation. | Legitimate interest; Compliance with legal obligation (in case of EU and UK)
Using personal data in connection with legal claims or litigation. | Legitimate interest; Compliance with legal obligation (in case of EU and UK)
Complying with directions, orders, including subpoenas or other legal process(es) of competent courts, legal or regulatory bodies (including but not limited to disclosures to such regulatory bodies). | Legitimate interest; Compliance with legal obligation (in case of EU and UK)
Investigating, preventing, or taking suitable action regarding illegal activities, suspected fraud, security issues, enforcing our terms and conditions, or this Notice, or to protect our rights, property, or safety, and those of others. | Legitimate interest; Public interest
Processing personal data for audit checks and other regulatory purposes. | Legitimate interest; Compliance with legal obligation (in case of EU and UK)
Implementing a whistleblower program (or other complaint mechanism) and setting up a hotline and a web portal for collecting whistleblower reports (anonymous or identified). | Legitimate interest; Compliance with legal obligation (in case of EU and UK)
Monitoring and ensuring network and information security, including preventing unauthorized access to our systems and preventing attacks through viruses, malicious software, etc., and ensuring business continuity. | Legitimate interest
Managing and controlling access to official assets and equipment, including laptops, telephones, IT assets, etc. | Legitimate interest
Monitoring office area and facilities using CCTV and other security and surveillance technologies. | Legitimate interest
Ensuring compliance with employment terms and conditions (contract) and applicable policies and procedures. | Legitimate interest
Ensuring compliance with regulatory obligations associated with your employment. | Legitimate interest; Compliance with legal obligation (in case of EU and UK)
Internal reporting and/or accounting purposes. | Legitimate interest; Compliance with legal obligation (in case of EU and UK)
Successors in the event of a merger, acquisition, or reorganization. | Legitimate interest

Other purposes
Sending you job alerts (as a candidate) based on your profile or internal job postings (as an employee). | Legitimate interest
Communicating and coordinating with external parties, including clients and vendors. | Legitimate interest
Organizing and managing special events like team building exercises, sports competitions, health events, LGBTQ+ events, etc. | Legitimate interest
Training our workforce/employees on different processes that may involve the processing of your personal data. | Legitimate interest
Conducting business analytics, marketing research, and data analysis. | Legitimate interest
For business planning and continuity purposes. | Legitimate interest
Exit (resignation or termination) management and conducting exit interviews. | Legitimate interest
Ex-employee engagement communications. | Legitimate interest
For any other purpose as disclosed to you at the point of collection or pursuant to your consent. | Consent
Maintaining emergency contact information and making appropriate arrangements in the event of an emergency. | Protection of vital interests
Making suitable arrangements and special accommodations due to your health reasons, including temporary or permanent disability. | Legitimate interest; Protection of vital interests

Where UYMC wishes to use your personal data for a new purpose that has not been included in the table above, UYMC will process your personal data for such new purpose, as per the provisions of the applicable privacy law(s). Where required, UYMC will notify you of the new purpose in accordance with the applicable law(s) and obtain your consent (or rely on any other lawful basis available to us) before processing your personal data for the new purpose. 

Legitimate interest as the lawful (legal) basis for processing – additional information

You have the right to object at any time, on grounds relating to your situation, to the processing of your personal data carried out for our legitimate interests or of a third party. 

Please refer to the section ‘What are your rights with respect to your personal data?’ for more details. 

Performance of a contract as the lawful (legal) basis for processing – additional information 

Please note that if you fail to provide certain information when requested, we may be unable to take steps to enter into a contract with you or to perform our contractual obligations under an existing agreement with you. 

Consent as the lawful (legal) basis for processing – additional information 

Where the collection and use of your personal data is based on your consent, you are entitled to withdraw that consent at any time by contacting us (please refer to the ‘Contact Us’ section of this Notice), or by contacting your HR business partner or the concerned recruiter (if you are a candidate). Please note that withdrawing your consent may have an adverse impact on our ability to engage with you, but it will not affect the lawfulness of processing that has already occurred based on your consent.

With whom do we share your personal data (Disclosure)?

Disclosure to third-party service providers
UYMC may share your personal data with the following third-party service providers. These third-party service providers will require access to your personal data to perform certain limited functions for UYMC; however, they may not generally use, for their own purposes, your personal data that they process:

  • Technology service providers, such as network and IT security, internet services, video communications, customer support and communication, and telecom services, which are essential for running business operations and protecting them from external and internal threats.
  • Service providers for business continuity management and contingency planning in the event of business disruptions. 
  • Training and LMS platforms for completing the company-assigned training. 
  • Skill assessment platforms for conducting work-related assessments. 
  • Document management and execution platforms for the signing of contracts and other documents on our behalf. 
  • Employer of Record (EOR) service providers in the regions where we deem necessary to engage an EOR in conformity with other applicable laws of that region. 
  • Service providers offering human resource management system (HRMS) tools and platforms for automating and streamlining HR processes. 
  • Service providers that manage and process employee payroll for us. 
  • Service providers conducting sanction checks and screening. 
  • Tools and platforms for making outbound calls to prospective customers and recording those calls. 
  • Service providers hosting surveys and feedback forms for us. 
  • Service providers providing office tools, audio-video conferencing platforms (with the option to record the meeting/conference), collaboration platforms, etc. 
  • Travel agents and visa processing agents to make arrangements for business travel. 
  • Local transportation vendors like cab service providers. 
  • Third-party service providers for establishing and implementing a whistleblower program by setting up and independently managing a hotline and a web portal for collecting whistleblower reports (anonymous or identified). 

We take reasonable steps, such as obtaining contractual commitments from our third-party service providers, to limit and protect the use of your personal data by them. 

Disclosure to other third parties 

UYMC may share your personal data with the following (non-agent) third parties (list not exhaustive): 

  • Professional advisors and consultants, including law firms, tax consultants, business/management consultants, and auditors, etc., for running operations efficiently and in a compliant manner. 
  • Professional advisors and consultants managing background verification (BGV), reference checks, credit checks, health checks, etc. 
  • External members, advisors, and professionals who are part of internal committees like disciplinary, grievance redressal, ethics, POSH (Prevention of Sexual Harassment at Workplace), etc. 
  • Regulatory authorities and government bodies, including those related to taxation, health, human resources, social security, etc., to comply with applicable orders, rules, and regulations as an organization. 
  • Hotels and airlines to make arrangements for business travel. 
  • Prospective (and actual) sellers or buyers and their advisers in connection with any financing, merger, acquisition or sale of any of our business or assets. 
  • Prospective or actual clients, vendors, or university partners for official communication and business transactions. 
  • Data collection forms (e.g., Google Forms) where UYMC shall provide only your contact details (generally only the email address) to trigger the notification and the link to the form. Personal data provided via the said form may also be available to the third-party providing the service, and you are advised to read the privacy notice (policy) and terms & conditions of the third-party before entering any personal data into the form. 

In addition to the above, UYMC also shares your personal data, more specifically as stated, with the following third parties:

Recipients: Our main/foreign campus. Please note that the privacy policy of the main/foreign campus shall apply in its processing of your personal data.

Categories of personal data:

  • Identification/Identity data
  • Contact details
  • Educational and employment data (history)
  • User-generated data
  • Other personal details

Why we share (Purpose):

  • Screening and shortlisting of candidates
  • Conducting interviews
  • Assessing and evaluating your performance
  • Administrative purposes, including maintaining records
  • Regulatory reporting
  • Audit
  • Any other purpose(s) listed under the section ‘Lawful (legal) basis for processing’

We share your personal data with the (non-agent) third parties based on one of the lawful bases, listed under the section ‘Lawful (legal) basis for processing’, which may be legally available to us. Where required by the applicable privacy law(s), we will seek your consent before sharing your personal data with third parties. Third parties with whom your personal data has been shared may, in some cases, independently determine the purposes and uses of your personal data; in such cases, that third party recipient’s own privacy policy (notice) will govern their use of your personal data. 

Disclosure without notification 

In some cases or circumstances, we may disclose your personal information to third parties without notifying you. These circumstances could include: 

  • Where UYMC is required to do so as per applicable laws/rules/regulations, or by order of a court, tribunal, or any other regulatory authority, or other legal process or compulsion. 
  • Where UYMC, in good faith, believes that such disclosure is reasonably necessary to comply with a legal obligation, process, order, or request. 
  • Where UYMC is legally required to or believes in good faith that such disclosure is reasonably necessary to safeguard the rights, property or other interests of UYMC, its employees, vendors, clients, customers of clients, third parties or the public as required and permitted by the applicable law(s). 
  • Where the provision of the information would be disproportionate or would result in the impossibility or serious impairment of achieving the objectives of processing.

International (cross-border) transfer of personal data

Our business is global in nature: it comprises partnerships with various universities across the globe, it is facilitated and supported by vendors/service providers (processors) that are present in and operate out of different countries, and it involves other third parties (esp. those listed in the earlier section) established in overseas locations. As a result, your personal data may be shared, disclosed, or transferred to these parties in other countries where the privacy and data protection law(s) may differ from those in your country.

The cross-border transfer of your personal data shall be done in compliance with the concerned provisions and requirements of the privacy law(s) applicable to your personal data.

How long do we retain your personal data?

UYMC will retain your personal data for as long as necessary for the purpose(s) for which it has been collected, in accordance with the applicable law(s), and as set out in our retention policy and/or schedule. The duration for which we retain your personal data may vary depending on the purpose(s) for which it is processed.

We will retain and use your personal data to the extent necessary to comply with our legal obligations, for example, to comply with statutory audits, resolve disputes, comply with orders or requests issued by competent court(s), and enforce our legal agreements and policies.

In certain circumstances, we may anonymize your personal data so that it can no longer be associated with you. In such cases, we may use this information without further notice to you.

How do we protect your personal data (Data Security)?

UYMC implements appropriate technical and organizational measures to ensure the security of your personal data and to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services. These measures are designed to prevent accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed by us.

We make every reasonable effort to ensure the safety and security of your personal data in accordance with the applicable law(s) and industry standards while considering the state of the art, the costs of implementation and the nature, scope, context, and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. Despite all our efforts, the risk of a personal data breach persists as no method of internet transmission or storage guarantees complete security. In the unlikely event of a personal data breach, we will assess and investigate the breach and take the necessary actions, including notifying the relevant supervisory authority and the individuals affected, in compliance with the applicable law(s) within the prescribed timelines.

What are your rights with respect to your personal data?

You may check and update certain personal data within our systems either by logging in to your password-protected account (in some cases) or by contacting your HR business partner or the recruiter concerned (if you are a candidate). It is your responsibility to ensure that the personal data you have shared with us is accurate, complete, up to date, and reflected in our records.

Privacy laws in some jurisdictions provide individuals with certain rights regarding the processing of their personal data (subject to conditions and exceptions set out in those laws). These rights are jurisdiction-specific and may not be available to all. Some or all of these rights (and even some additional rights) may be available to you under the privacy law(s) of other jurisdictions as well, but that depends upon the scope of the privacy law(s) applicable to your personal data.

  • Right of access: to obtain confirmation from us as to whether or not personal data concerning you is being processed. 
  • Right to rectification: to get your inaccurate personal data corrected or rectified, and incomplete personal data completed. 
  • Right to erasure: to have your data deleted (this is not an absolute right and is subject to exemptions available under the applicable privacy law). 
  • Right to restriction of processing: to obtain restriction of processing. 
  • Right to data portability: to receive the personal data concerning you, which you have provided to us, in a structured, commonly used, and machine-readable format and have it transmitted to another controller. 
  • Right to object on grounds relating to your particular situation, especially where we are relying on a legitimate interest (or those of a third party), and there is something about your particular situation which makes you want to object to processing on this ground. 
  • Right to object to automated decision making and profiling: to not be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you. 
  • Right to nomination in case of death or incapacity: to nominate another individual to exercise your rights, in the event of death or incapacity.

    We will process your request to exercise the above rights in accordance with the law(s) applicable in relation to the rights exercised by you. As permitted by applicable law, we may refuse requests that are unreasonably repetitive, require disproportionate technical effort, compromise the privacy of others, interfere with an ongoing investigation, or are impractical for any other reason. We do not discriminate against you for exercising any of your rights in a manner that would violate applicable law. 

    As a policy, UYMC allows you to access your personal data, verify and challenge the accuracy and completeness of your personal data, and have it corrected, amended, or deleted if inaccurate and, in limited circumstances, object to processing of your personal data even if the law in your jurisdiction does not accord you those rights, but we will apply our discretion in how we process such requests except as otherwise required by applicable law. We may require you to establish your identity and provide evidence to justify the amendment of your personal data held by us. You can exercise these rights by contacting us per the Contact Us section below. 

    In addition, we enable you to exercise certain choices regarding cookies and certain other tracking technologies, as explained in our Cookie Notice. 

    To exercise a data subject right or to make an inquiry about your personal data, please contact your HR business partner, the concerned recruiter (if you are a candidate), or write to us at [email protected]. We may need to verify and confirm your identity before processing and fulfilling your request. This is another appropriate security measure to protect your personal data. 

    You will not have to pay a fee to access your personal data (or to exercise any of the other rights) unless, and subject to applicable law, your request for access is clearly unfounded, excessive, or repetitive. Alternatively, we may refuse to comply with the request in such circumstances in accordance with the applicable laws. 

    Right to complain: You may have the right to lodge a complaint with your local data protection authority about our processing of your personal data. For more information, please contact your local data protection authority. We would, however, welcome the opportunity to discuss, address, and resolve your concerns before you contact your local data protection authority. So, please contact us in the first instance at [email protected].

Contact us

Any questions, concerns, or complaints about the operation of this Notice can be addressed to the Data Protection Officer at [email protected]. In addition to contacting your HR business partner or the recruiter concerned (if you are a candidate), you may submit your concerns or complaints about our privacy practices to our Data Protection Officer at [email protected] or at the following address: 

One Boulevard,
Powai,
Mumbai - 400076,
Maharashtra,
India

Whenever we receive a formal complaint, we attempt to contact the complainant individually and resolve their grievances and/or concerns truthfully and with utmost transparency.

In addition to contacting us, you may, in certain countries, file a complaint with your local data protection authority if you so choose.

Definitions

In this Notice, the following terms (whether or not capitalized) shall have the meanings set out below, and cognate terms shall be construed accordingly. If an applicable law or data protection law has a different definition or incorporates a different term for the definition/meaning given hereunder, such definition or term shall be applied to the extent applicable:

Employee means any person, current or past, employed for wages or salary. 

Consultant means a person, current or past, who joins UYMC for contractual or assignment-based employment. 

Candidate means a person who has applied for employment. 

Data Principal means the individual to whom the personal data relates and where such individual is: 

  1. a child, includes the parents or lawful guardian of such a child; 
  2. a person with disability, includes her lawful guardian, acting on her behalf. 

Personal Data means any data about an individual who is identifiable by or in relation to such data. 

Sensitive Personal Data (SPD) means Personal Data which is more significantly related to the notion of a reasonable expectation of privacy. However, data may be considered more or less sensitive depending on context or jurisdiction.  

Process and Processing means (1) a wholly or partly automated operation or set of operations performed on digital personal data, and includes operations such as collection, recording, organisation, structuring, storage, adaptation, retrieval, use, alignment or combination, indexing, sharing, disclosure by transmission, dissemination or otherwise making available, restriction, erasure or destruction; and (2) any other action that may be taken with respect to Personal Data.  

(Data) Fiduciary or (Data) Controller means any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data. 

(Data) Processor means any person who processes personal data on behalf of a Data Fiduciary. 

Onward Transfer means the subsequent transfer of personal data by a recipient in one country to another recipient in a different country or to an international organization, after the data has already been initially transferred from its original location (country of origin) to the first recipient making the transfer. 

Personal Data Breach means any unauthorized processing of personal data or accidental disclosure, acquisition, sharing, use, alteration, destruction or loss of access to personal data, that compromises the confidentiality, integrity or availability of personal data.
