Tech mahindra

Statement on compliance with the GDPR for Tech Mahindra

Date: February 14, 2018


GDPR provides an opportunity to design, build and enforce increased trust across the entire organization, safeguarding the personal data rights of individual citizens, customers, and associates—and turning that into wider operational and business gains.

The GDPR (the General Data Protection Regulation) that comes into force on May 25, 2018 is a game changer for many organizations. It triggers additional obligations to review internal processes and to implement the appropriate technical and organizational measures and further embed data privacy in their internal culture while putting in place the right governance. These changes are designed to enable them to act as accountable organizations and to “be able to demonstrate compliance” with the principles relating to personal data processing under enhanced liabilities and sanctions. But ultimately, they are an opportunity to design, build and enforce increased trust across the entire organization, safeguarding the personal data rights of individual citizens, customers, and associates—and turning that into wider operational and business gains.


Tech Mahindra is committed to high standards of information security and privacy. We place a high priority on protecting and managing data in accordance with accepted standards including ISO 27001 and PCI-DSS. The company will comply with applicable GDPR regulations when they take effect in 2018, including as a data processor, while also working closely with our customers and partners to meet contractual obligations for our procedures, products and services. Our team of experienced business analysts, consultants and digital specialists will also help to support customers in meeting their obligations through the provision of expert services and value-adding solutions.

Appointment of organization wide Data Protection Officer for Tech Mahindra

Tech Mahindra has appointed Sunil Sanger as Data Privacy Protection Officer (DPO). He is currently heading the office of Internal Audit, Risk Management and the Corporate Ombudsman. He will also head the office of Data Privacy Protection Officer (DPO) of Tech Mahindra Limited, with effect from 14 February 2018 to work independently and report into the Vice Chairman.

This appointment is in conformity with the General Data Protection Regulation (GDPR), which officially became EU Regulation 2016/679, heralding a new era of data protection across the European Union and leading to varied ramifications for companies around the world.

Tech Mahindra’s Data Privacy Protection Officer will inform, advise and monitor compliance. The company will implement controls and tools, as appropriate, that support the process and provide the necessary privacy and security safeguards and the ongoing delivery of Data Privacy and Data Protection objectives.

The DPO is accountable and responsible to:

  • Inform and advise the controller or the processor and the employees about data protection provisions
  • Monitor compliance with the EU General Data Protection Regulation, including the assignment of responsibilities, awareness raising and training of staff involved in processing operations, and the related audits
  • Provide advice where requested on data protection impact assessments
  • Cooperate with the regulatory supervisory authorities
  • Act as the first contact point for the supervisory authority and individuals whose data has been processed

Tech Mahindra’s commitment to GDPR compliance

Tech Mahindra has been implementing its own program to achieve GDPR compliance. As stated in its Code of Business Ethics, Tech Mahindra is committed to protecting privacy and the personal data it receives, whether from its associates, clients, or from other stakeholders.

Tech Mahindra is building on existing security and business continuity management systems and certifications, including ISO 9001, ISO 27001 and ISO 22301, PCI-DSS and IGSoC, to ensure our own compliance.

It is important to recognize that compliance is a shared responsibility and all organizations will need to adapt business processes and data management practices.

Compliance Program at Tech Mahindra

Tech Mahindra has a robust ISO 27001 based Information Security Management System (ISMS) and, in order to ensure compliance, will implement additional or augmented company-wide controls to meet GDPR requirements within the ISMS, using internal and external advisors. Led by our CISO, we have updated information security policies and procedures, which will build on existing management systems (including ISO 27001 and ISO 22301) and the foundation of our Information Control and Classification policy, informed by gap analysis and data protection risk assessments and supported by communication and training programmes.

Compliance will be supported by a review of existing contracts with data controllers, the use of sub-contractors and any data export arrangements.

A Comprehensive Compliance Program at Tech Mahindra

For Tech Mahindra, Data Privacy is a priority. We make this a reality by undertaking the following:

GOVERNANCE—A global governance structure that includes, among others, Data Protection Officers, privacy lawyers, and security and cybersecurity professionals at corporate and local levels of customer engagement, dedicated to ensuring deployment of the GDPR program

AWARENESS—Privacy and security awareness training for associates through e-learning and tests, including account-specific privacy and security training as per customer engagements

SECURITY—Compliance with security standards’ best practices

INCIDENT MANAGEMENT—Security incident response process and client-specific incident response plans as Tech Mahindra takes all security incidents very seriously

POLICIES—Update and implementation of privacy and security policies, guidelines, and tools for GDPR compliance to integrate privacy-by-design, data minimization, and third-party due diligence

DATA SUBJECT RIGHTS—Update of data subject rights policies to GDPR

AUDIT—Regular maturity assessments and audits with results communicated to the highest level of management and mandatory remediation plans.

How to Contact:

If you have any questions about the organization's privacy policy, privacy practices or privacy statement, or any concerns or a complaint regarding the treatment of your privacy or a possible breach of your privacy, please contact our Data Privacy Protection Officer using the details set out below.

Contact person: Sunil Sanger

Contact address: Data Privacy Office, Tech Mahindra Limited, SDF B - 1, Noida Special Economic Zone, Noida - 201305 (Uttar Pradesh), India

Phone: +91 120 4785922

Alternatively, can be emailed to:

Important Note: We will treat your requests or complaints confidentially. Our representative will contact you within a reasonable time after receipt of your complaint to discuss your concerns and outline options regarding how they may be resolved. We will aim to ensure that your complaint is resolved in a timely and appropriate manner.

End of Statement


For further information please write to
