IntelLend

Cybersecurity

Consumer Protection Complaint Privacy Policy

Version 1.0

Issued to: Intellend

1. Purpose

This policy establishes the framework for the lawful, transparent, and secure handling of personal data collected during the consumer complaint and grievance redressal process. It ensures compliance with the Digital Personal Data Protection (DPDP) Act, 2023, ISO/IEC 27001:2022, and applicable consumer protection legislation, including the Consumer Protection Act, 2019. The policy aims to protect the privacy and data rights of consumers while enabling the organisation to process complaints effectively and in accordance with regulatory obligations.

2. Scope

This policy applies to:

  • All employees, contractors, and third-party service providers who collect, process, store, or transmit personal data in connection with consumer complaints.
  • All business units and departments involved in customer service, complaint management, legal affairs, IT, and data governance.
  • All consumer complaint channels including written, electronic, web-based, and telephone submissions.
  • All personal data of consumers processed within India or in connection with services offered in India, in accordance with the DPDP Act, 2023.

3. Roles & Responsibilities

3.1 Grievance Officer

Receives and acknowledges consumer complaints; ensures timely resolution within 48 hours of receipt; maintains a complaint register; and coordinates with relevant departments. The Grievance Officer's contact details must be prominently published on the organisation's website and in its communications.

3.2 Data Protection Officer (DPO)

Oversees compliance with the DPDP Act, 2023; reviews complaint data handling practices; manages data principal requests (access, correction, erasure); and maintains records of processing activities related to complaints.

3.3 IT / Information Security Team

Implements and maintains technical controls for the secure storage, access, and transmission of complaint data; manages access provisioning and de-provisioning; and responds to data security incidents.

3.4 Complaint Handling Team

Collects, records, and processes complaint information in accordance with this policy; ensures only the minimum necessary personal data is collected; and escalates unresolved complaints to the Grievance Officer.

3.5 Legal and Compliance Team

Monitors regulatory developments; ensures the organisation's complaint handling practices comply with the Consumer Protection Act, 2019, DPDP Act, 2023, and ISO 27001 requirements; and provides legal guidance on data disclosure obligations.

4. Policy Statement

5.1 Lawful Basis for Processing

The organisation processes personal data of consumers in connection with complaints on the following lawful bases:

  • Fulfilment of a legal obligation under the Consumer Protection Act, 2019.
  • Legitimate interest in resolving disputes and improving service quality.
  • Explicit consent of the consumer where additional data beyond the complaint is requested.

All processing shall be limited to what is necessary for the specified purpose.

5.2 Data Collection and Minimisation

  • Only the minimum personal data required to process a complaint shall be collected.
  • Standard data elements include the consumer's name, contact details, nature of complaint, relevant transaction or product reference, and supporting documentation.
  • Collection of sensitive personal data (financial account details, health information) must be strictly justified, documented, and limited to what is directly relevant to resolving the complaint.

5.3 Access Control and Authorisation

  • Access to consumer complaint data shall be granted on a strict need-to-know basis in accordance with the organisation's Access Control Policy.
  • Role-based access controls (RBAC) shall be implemented. Access rights shall be reviewed quarterly and revoked immediately upon change of role or termination.
  • All access to complaint records shall be logged and audit trails retained for a minimum of three years.

5.4 Complaint Handling and Response Timelines

  • All complaints shall be acknowledged within 48 hours of receipt.
  • The Grievance Officer shall endeavour to resolve complaints within 30 days as required under the Consumer Protection Act, 2019.
  • The resolution period for complex complaints may be extended to a maximum of 45 days, with written notification to the consumer.
  • All complaint communications shall be conducted over encrypted channels where technically feasible.

5.5 Data Storage and Retention

  • Consumer complaint data shall be stored in designated, access-controlled systems. Data shall be retained for a minimum of five years from the date of final resolution of the complaint, or such longer period as required by applicable law or ongoing legal proceedings.
  • Upon expiry of the retention period, data shall be securely deleted or anonymised using approved methods.
  • Storage locations and retention schedules shall be documented in the organisation's Records of Processing Activities.

5.6 Third-Party Disclosure and Data Sharing

Consumer complaint data shall not be shared with third parties except:

  • Where required by law or court order.
  • With service providers or data processors engaged under a Data Processing Agreement (DPA) with adequate contractual safeguards.
  • With the consumer's explicit consent.

Any cross-border transfer of complaint data shall comply with restrictions under the DPDP Act, 2023, and applicable government notifications.

5.7 Data Principal Rights

  • Consumers (as Data Principals) have the right to: access personal data held about their complaint; request correction of inaccurate data; request erasure of data where retention is no longer legally required; and nominate a representative for these rights.
  • Requests shall be processed by the DPO within timelines prescribed under applicable regulatory and consumer protection requirements. The exercise of these rights shall not adversely affect the status or resolution of the underlying complaint.

6. Compliance

All employees, contractors, and third parties subject to this policy are required to comply with its provisions. Non-compliance may result in disciplinary action, up to and including termination of employment or contract. Violations may also expose the organisation to fines and penalties under the Consumer Protection Act, 2019, and the DPDP Act, 2023, and to reputational damage.

Compliance monitoring shall be conducted through quarterly internal audits of complaint handling records, access logs, and data processing registers. Audit findings shall be reported to the CISO and DPO. Any identified gaps shall be remediated within 30 days of the audit report.

7. Review and Maintenance

This policy shall be reviewed and updated at least annually, or earlier in the event of:

  • Significant changes to applicable legislation, including amendments to the DPDP Act, 2023, or Consumer Protection Rules.
  • Material changes to the organisation's complaint handling processes or systems.
  • Findings from internal or external audits.
  • Data breach or significant complaint handling failure.

The DPO is responsible for coordinating the policy review process. All proposed amendments must be reviewed by the Legal and Compliance Team and approved by the CISO. Updated versions shall be communicated to all relevant stakeholders and the policy version log updated.