DSCI Certified Privacy Professional (DCPP) — Question 14

XYZ Inc of USA has setup a captive back office operations center in India. The captive is registered as a separate legal entity by the name XYZ India Private Limited and provides services only to XYZ Inc by catering its technology support needs. During the process of providing services, the Indian entity does not receive any customer information of the XYZ Inc. However, information such as financial information and biometric information etc. of the employees of XYZ India is shared with the XYZ Inc.
What necessary steps need to be taken before actual sharing of the aforesaid information happens?
1. Seek consent from the employees of XYZ India before sharing the information;
2. A lawful contract between the XYZ Inc and XYZ India regarding the terms of sharing and data protection measures to be taken, with the obligation on XYZ Inc of not sharing the received information further without permission from Indian entity;
3. The XYZ Inc should agree to provide better or at-par level of data protection as prescribed in the IT (Amendment) Act, 2008;
4. The country in which the XYZ Inc is located should ensure better or same level of data protection as prescribed in the IT (Amendment) Act, 2008

Answer options

• A. 1 and 2
• B. 1, 2 and 3
• C. 2 and 3
• D. 1 and 4

Correct answer: C

Explanation

The correct answer is C because establishing a lawful contract (option 2) ensures that both parties are clear on data sharing terms and protections, while agreeing to a higher level of data protection (option 3) is necessary to comply with the IT (Amendment) Act, 2008. Options A and B include seeking employee consent, which is important but not as critical as the contractual and compliance measures. Option D suggests a focus on the country’s data protection level, which is less relevant than the specific agreements between the entities.