1. Overview


1.1 Summary statement

Leap Green Energy Pvt Ltd, all its controlled subsidiaries and LGEPL's third-party service providers (collectively, “Leap Green Energy Pvt Ltd” or “LGEPL”), is committed to respecting and protecting the accuracy, privacy, and security of Personal Data of Individuals with whom it interacts and complying with applicable laws and regulations in the regions in which it operates or conducts business. This Policy sets forth LGEPL's requirements for privacy practices applicable to LGEPL, consistent with the expectations and plans of LGEPL corporate. This privacy policy should be read in conjunction with LGEPL's existing corporate privacy standards, frameworks, and guidelines (which include, but are not limited to, Cybersecurity and Data Protection policies).

1.2 Policy objective

The objectives of this Policy are to:

  • Outline LGEPL's expectations for collecting, processing, disclosing, retaining, disposing and managing Personal Data of Individuals who interact with LGEPL.
  • Minimize the exposure and risk to LGEPL of potential reputational, regulatory, civil, financial or other damages resulting from a privacy breach or instance of privacy non-compliance.
  • Provide demonstrable LGEPL commitment and support for compliance with applicable privacy laws and regulations.
  • Promote transparent and consistent standards and practices in collecting, handling, and managing Personal Data across LGEPL.
  • Uphold individual rights of employees, suppliers, directors, officers, contractors, consultants, or customers and other Individuals under applicable privacy laws and regulations whose Personal Data may be processed by LGEPL.
  • Provide foundational elements to set privacy requirements across LGEPL.

1.3 Scope

This Policy governs the collection, processing, disclosure, retention, disposal, and management of Personal Data entrusted to LGEPL by Individuals during LGEPL business operations, which may include but are not limited to suppliers, directors, officers, employees, contractors, consultants, or customers.

This Policy applies to all employees, suppliers, directors, officers, contractors, consultants, or customers who collect, store or process Personal Data on behalf of LGEPL.

This Privacy Policy sets forth foundational elements that LGEPL, its controlled subsidiaries, and LGEPL's third-party service providers are required to implement to help ensure compliance with applicable privacy laws and regulations. In addition, LGEPL Operating Businesses and subsidiaries are required to implement additional measures to address any applicable national or regional data protection and privacy laws and regulations in the jurisdictions in which they operate, or applicable contractual requirements that are not addressed by this Privacy Policy.

2. Key definitions


  • Personal Data – Any information about an Individual that identifies or could be reasonably associated with an Individual. This includes but is not limited to: name, date of birth, marital status, dependents, beneficiaries, background, immigration status, ethnic background, religion, financial or social circumstances, home address, personal email address, personal telephone number, emergency contact information, social insurance number, bank account numbers, other ID numbers, income, employment or education history, credit records, loan records, and medical records. Personal Data may be defined differently in different jurisdictions. Portfolio Companies must refer to their respective applicable laws and regulations.
  • Processing – Obtaining, recording, holding, or carrying out any operation on Personal Data. Processing also includes, but is not limited to, organizational operations such as organizing, altering, retrieving, using, disclosing, anonymizing, blocking, and destroying Personal Data.
  • Individual – An identifiable natural person that can be identified, directly or indirectly, by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
  • Third Party – An outside company that processes Personal Data on behalf of LGEPL or provides Personal Data to LGEPL for Processing.

3. Privacy guiding principles


The following privacy principles are designed to help all LGEPL employees understand their responsibilities when collecting and Processing Personal Data.

  • Accountability – LGEPL is responsible for Personal Data under its control. LGEPL defines, documents, communicates, and assigns accountability for its privacy policies and procedures.
  • Identifying purposes – The purposes for which Personal Data is being collected must be identified before or at the time of collection.
  • Consent – The knowledge and consent of the Individual are required in certain circumstances for the collection, Processing, disclosure, retention, disposal, or management of Personal Data. The purposes for Processing the Personal Data should be analyzed prior to collection so that appropriate consent from the Individual can be obtained. In certain circumstances, consent may not be required per jurisdictional regulatory exemptions.
  • Limiting collection – The collection of Personal Data must be limited to that which is needed for the purposes identified at the time of collection. Information must be collected by fair and lawful means.
  • Limiting use, disclosure, and retention – Unless the Individual consents otherwise or it is required by law, Personal Data can only be processed or disclosed for the purposes for which it was collected. Personal data must only be kept as long as required to serve those purposes.
  • Accuracy – Personal data must be as accurate, complete, and up to date as possible in order to properly satisfy the purposes for which it was collected.
  • Safeguards – Personal data must be protected by appropriate security safeguards commensurate to the relative sensitivity of the Personal Data.
  • Openness – LGEPL must make detailed information about its policies and practices relating to the management of Personal Data publicly and readily available.
  • Individual access – Upon request, an Individual must be informed of the existence, Processing, and disclosure of their Personal Data and be given access to that information. An Individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.
  • Challenging compliance – An Individual shall be able to challenge LGEPL's compliance with the above principles and with applicable privacy laws and regulations. Their challenge should be addressed to the person accountable for the organization's compliance with regional privacy laws and regulations: the Privacy Officer (or equivalent) – Regional / Operating Business.

3.1 Requirements

The following section further expands on the guiding principles and describes LGEPL's commitment to meeting its obligations regarding Personal Data.

3.1.1 Accountability

LGEPL is responsible for ensuring the appropriate handling and protection of the Personal Data that LGEPL has under its control.

  • LGEPL has appointed a Data Protection Officer for each Operating Business to assist in proactively protecting Personal Data, promote a culture of privacy in the organization, and serve as a point of contact for all LGEPL staff and customers looking to identify or escalate privacy inquiries, incidents, breaches, or non-compliance.
  • LGEPL has implemented policies and practices that govern how LGEPL handles and protects Personal Data.

3.1.2 Identifying purposes

LGEPL must identify the reason for collecting Personal Data before or at the time of collection.

  • LGEPL does not process Personal Data for reasons other than the stated purpose of collection without first obtaining the Individual's consent.
  • LGEPL collects, processes, discloses, retains, disposes, and manages Personal Data where reasonably required to conduct its business, and as permitted or required by law.

LGEPL is accountable for conducting a review of their Personal Data collection processes to ensure that the purpose for Processing the Personal Data is clear and communicated to all employees who process Personal Data within LGEPL and done so in compliance with privacy requirements.

3.1.3 Consent

The primary way that Individuals exercise the right to control their Personal Data is through consent. Consent can be clearly expressed or implied. In either case, consent is only considered valid if it is reasonable to expect that Individuals understand the nature, purpose, and consequences of the collection, Processing, or disclosure, to which they are consenting.

  • LGEPL provides notice of the purposes for which LGEPL may collect, process, and disclose Personal Data through LGEPL online privacy statements and other written material. LGEPL specifies what Personal Data LGEPL is collecting and why, communicating this in a way that can be clearly understood.
  • Where appropriate, LGEPL obtains consent from Individuals for the collection, Processing and/or disclosure of their Personal Data. The type of consent to be obtained (express vs. implied) is to be determined by the Privacy Officer in consultation with the business stakeholders collecting the Personal Data.

LGEPL will be required to establish a process for the ongoing review and update of consent collection processes. Additionally, LGEPL will be required to establish a central register of consent obtained, so that this consent capture is reflected in the relevant downstream Processing activities.

3.1.4 Limiting collection

LGEPL does not collect Personal Data indiscriminately.

  • LGEPL limits the collection of Personal Data to what LGEPL reasonably needs for the purposes of conducting and administering its business.
  • LGEPL collects Personal Data only through fair and lawful means.

3.1.5 Limiting Processing, disclosure, and retention

Personal data should only be processed or disclosed for the purpose collected unless LGEPL has the Individual's consent, or the Processing/disclosure is otherwise legally authorized. This information should only be retained for the period necessary to fulfill the stated purpose, or according to legally mandated retention periods.

  • LGEPL processes and discloses Personal Data in order to conduct and administer its business.
  • LGEPL limits the Processing and disclosure of Personal Data to those purposes alone, unless the Individual consents otherwise (e.g. marketing or analytics purposes), or where the use or disclosure is permitted or required by law.
  • While conducting business, LGEPL may use service providers who require access to its systems or applications containing Personal Data. Where Personal Data is disclosed to third parties, LGEPL will take appropriate measures to ensure that such third parties process and protect that information to a level comparable to standards applied by LGEPL. As part of the third-party due diligence process, LGEPL reviews the privacy policy of the third party and contractual requirements in terms of privacy (if not there) and ensures the Third Parties also comply with LGEPL's privacy requirements (e.g. breach notification, retention, and secure destruction).
  • Whether Personal Data is stored by LGEPL or by its service providers, LGEPL takes careful steps to ensure that information is always protected. This includes working with LGEPL Third Parties to review the privacy and security safeguards they deploy and confirm they meet LGEPL standards.
  • LGEPL retains Personal Data only as long as reasonably necessary to fulfill its legitimate business, employment, and administrative purposes. Once no longer required, LGEPL disposes of or destroys Personal Data in a safe and secure manner.
  • Retention and disposal of Personal Data – LGEPL will retain such Personal Data as long as is reasonably necessary to fulfill the identified purpose(s) or as required by law.

LGEPL will have appropriate procedures to help ensure that Personal Data is destroyed securely to minimize risks of unauthorized access once the Personal Data is no longer required to fulfill the identified purpose for Processing.

3.1.6 Accuracy

It is important to have current and accurate information to conduct LGEPL's business activities, and to minimize the possibility that inappropriate, irrelevant, or incorrect information may be processed to make decisions about an Individual.

  • LGEPL is committed to ensuring the Personal Data it stores is as accurate, complete, and up to date, as is necessary for the purposes for which it was collected.
  • LGEPL relies on Individuals to provide accurate, complete, and up-to-date information about themselves. See also section 3.1.9 below.

3.1.7 Safeguards

LGEPL uses a combination of safeguards to protect Personal Data from collection through to destruction. By having these safeguards, LGEPL aims to avoid the possible loss, theft, misuse, unauthorized access, disclosure, or modification of the Personal Data that LGEPL holds.

Security safeguards should be applied in accordance with the sensitivity of the information that has been collected, the amount, distribution and format of the information, and the method of storage. More sensitive information (e.g. government issued IDs, financial account information, personal health information) should be safeguarded by a higher level of protection. For more information, please refer to the Corporate Cybersecurity and Data Protection Policies.

  • Administrative safeguards include policies (Corporate Cybersecurity Policy, Corporate Data Protection Policy), procedures (Cybersecurity Incident Response Plan), training, confidentiality and non-disclosure agreements, and risk assessments.
  • Physical safeguards include, for example, ID badges, access card readers, and lockable offices and cabinets.
  • Technical safeguards include, for example, role-based access controls based on a "need-to-know" basis, encryption of data, passwords, multi-factor authentication, logging, and monitoring.
  • As an organization, LGEPL has defined processes to manage and respond to privacy breaches.
  • The use of Personal Data in processes and systems is reviewed and protected on an ongoing basis.

3.1.7.1 Privacy Impact Assessments

LGEPL must complete a Privacy Impact Questionnaire for every new or amended initiative, project, business process, event, or system and when transfer of data occurs (e.g., outside of a geographical jurisdiction or as result of a significant transfer of ownership).

The potential privacy impact is assessed when new processes involving Personal Data are implemented, and when changes are made to such processes (including any such activities outsourced to third parties or contractors). For this purpose, processes involving Personal Data include the design, acquisition, development, implementation, configuration, modification, and management of the following:

  • Infrastructure
  • Systems
  • Applications
  • Websites
  • Procedures
  • Products and services
  • Databases and information repositories
  • Mobile computing and other similar electronic devices
  • Business processes

The Privacy Officer will review each Privacy Impact Questionnaire submitted. Unless approved by the Privacy Officer, if a Privacy Impact Assessment is required, such initiative, project, event, activity, or system must not be completed without an approved Privacy Impact Assessment.

Completed Privacy Impact Assessments should include:

  • A description of the planned program or activity and its objectives.
  • An assessment of the initiative's privacy compliance as well as potential impacts to the Individual's privacy.
  • The measures planned to minimize impacts and comply with the applicable regional laws and regulations, as well as any additionally applicable LGEPL policies.
  • An assessment of the transfer of information to other jurisdictions. Specific jurisdictional laws and regulations will drive how granular the transfer assessment should be to comply.
  • An assessment of the disclosure of information to third parties.

3.1.7.2 Incident and breaches reporting

All incidents and breaches involving the unauthorized (e.g. deliberate or accidental) disclosure, misuse, loss, alteration, or destruction of Personal Data must be reported immediately by employees to the Corporate Privacy Officer and in accordance with established incident and breaches reporting procedures (as per the respective Incident and Breaches Response Plan). Where required by applicable data protection and privacy laws and regulations and other legal and contractual requirements, LGEPL will also notify the relevant national and regional data protection authorities and impacted Individuals in the event of a Personal Data incident or breach. Data Privacy Regulatory Breach Notifications will be carried out by the Privacy Officer where possible.

3.1.8 Openness

LGEPL's policies and practices for managing Personal Data are readily available.

  • LGEPL shares information about its policies and practices relating to the management and handling of Personal Data through its public-facing LGEPL Privacy Policy and in notices on LGEPL websites.
  • Information about LGEPL's internal privacy program is shared on existing internal policy portals.
  • LGEPL also provides its Privacy Officer (or equivalent) contact information so that Individuals can ask questions.

3.1.9 Individual access

Individuals have a right to access the Personal Data that LGEPL holds about them.

  • Individuals can request access to Personal Data that LGEPL holds about them (including information on automated decision making), request corrections to that information if they believe there is an error or omission, and request deletion of the information that LGEPL holds about them. In some instances, exceptions might apply; please consult your Regional Privacy Officer (or equivalent).
  • The requirements on response time to individual requests will vary by regulatory jurisdiction and will be reviewed by the Privacy Officer and communicated to Individuals handling the Personal Data within that jurisdiction.
  • Access is not automatic and may be refused, if permitted or required by law. Access requests may be refused, or information redacted where legally required or permitted by law. Furthermore, LGEPL reserves the right to not allow changes to Personal Data that LGEPL believes to be accurate.

In order to respond to the requests of Individuals, each Operating Business is required to have a process to respond to these requests. This includes processes to authenticate the Individual requesting the information, decision trees for the overall redaction / referral / refusal of a request, and a process to track the request response including the overall time taken to respond.

For further inquiries regarding access to Personal Data, please contact the Privacy Officer.

3.1.10 Challenging compliance

Individuals have the right to submit a concern or complaint regarding LGEPL's privacy practices.

  • Individuals may direct their concerns or complaints to the LGEPL Corporate Privacy Officer through the contact information posted on the public-facing LGEPL website.
  • Individuals may also submit a privacy complaint on LGEPL's information handling practices directly to the appropriate Privacy Commissioner and/or regulatory body.
  • LGEPL will investigate any privacy complaints it receives, and if found to be justified, LGEPL will take appropriate measures to correct its information handling practices, including, if necessary, amending existing LGEPL policies and procedures.

3.2 Additional requirements

3.2.1 Disclosure to third parties

LGEPL discloses Personal Data to third parties (including service providers and contractors) only for the purpose for which the information was obtained or compiled, for Processing that is consistent with that purpose or if otherwise permitted or mandated by law. If disclosure of Personal Data is needed to satisfy a new purpose that is unrelated to the original purpose for which it was collected and the disclosure is not otherwise permitted, LGEPL will notify the affected Individual(s) and obtain consent if necessary.

Disclosure to third parties outside of the regional geographic jurisdiction where the Personal Data was obtained, and outside the area stipulated in the respective consent given by the data subject, should be reviewed and documented via the Privacy Impact Assessment as outlined in section 3.1.7.1 above.

Disclosure to Third Parties should be tracked via a centralized records of Processing activities document or consent management solution. The choice of method shall be left to the discretion of the Regional Privacy Officer (or equivalent).

3.2.2 Notifications

Where required by applicable data protection and privacy laws and regulations, LGEPL will notify the relevant national or regional data protection authorities prior to Processing any Personal Data and must comply with any relevant preconditions for Processing such information. Where relevant, Operating Businesses and subsidiary companies are required to ensure their notifications to the relevant data protection authorities are in place and are accurate and up to date. All notifications must be sent to the Regional Privacy Officer (or equivalent) to be documented. The Cybersecurity Incident Response Plan provides further guidance on notifications.

3.2.3 Use of cookies and digital identifiers

LGEPL might use analytics and functionality cookies to track and analyze user experience and behavior on LGEPL websites. These cookies help LGEPL understand how users navigate the LGEPL site, which pages they visit, and how they interact with the content. This information is used to improve the website's performance, content, and user experience.

Third party cookies: Third parties (including, for example, LGEPL affiliates, advertising networks, social networks (such as Facebook, Twitter, and LinkedIn) and providers of external services like web traffic analysis services) may also use cookies such as analytic cookies, over which LGEPL has no control.

Such information will be shared with the public through notices on LGEPL's websites. Key considerations for cookies and digital identifiers are:

  • Allow users to indicate their acceptance or non-acceptance of the analytic and third-party cookies mentioned above. Users can manage their cookie preferences, including options to control or disable certain types of cookies.
  • Use of cookies may be subject to regional privacy laws, regulations and requirements. Clear information should be provided to users about the use of cookies, and their consent obtained where necessary, in accordance with applicable regional laws.
  • Retention of data collected through cookies should be aligned with the existing retention requirements outlined in the Corporate Data Protection Policy.
  • LGEPL cookie policy should be reviewed on an ongoing basis and updated to reflect changes in LGEPL's use of cookies or regional laws and applicable regulatory requirements.
  • LGEPL is committed to ensuring compliance with cookie-related requirements and has developed applicable training procedures for employees to be trained and educated about LGEPL's cookie practices and privacy policies.

3.2.4 Training

LGEPL establishes and maintains a privacy training and awareness program to ensure LGEPL personnel receive training related to their ongoing privacy obligations and responsibilities as a part of the broader privacy program. Additional specific training may be required for selected employees based on their roles and responsibilities and the risk of the Personal Data that they handle. All employees handling Personal Data will be required to take annual privacy training on the applicable requirements for their role.

4. Compliance - Policy violations / Enforcement and disciplinary action

Adherence to this policy is mandatory. Any violation or attempted violation of the Privacy Policy may result in disciplinary action, up to and including summary dismissal or, where appropriate, the termination of a contract for the provision of services by a supplier. It should also be noted that in some of the jurisdictions in which LGEPL operates, employees may be held personally liable for civil or criminal penalties if they knowingly or recklessly violate applicable data protection and privacy laws and regulations.

Any employee that believes the Privacy Policy has not been correctly implemented by their Operating Business must contact their line manager in the first instance and then the Regional Privacy Officer (or equivalent). Any inappropriate conduct may also be reported confidentially via LGEPL's independent whistleblower reporting line in accordance with the Code of Business Conduct and Ethics and Acceptable Use Policy.

5. Policy communication

It is the responsibility of all LGEPL employees to know these principles and to conduct their activities accordingly. The Corporate Cybersecurity and IT Compliance Team will maintain this policy on the LGEPL intranet and periodically communicate it as well as any updates to key stakeholders via internal communication protocols.