In which of the following cases does Privacy by Design apply to Infosys, even in the absence of a contractual obligation?
a) When Infosys is a data controller
b) When Infosys develops a solution for a client
c) When Infosys is a Data Processor
d) Both A & B
The correct answer and explanation:
The correct answer is d) Both A & B.
Explanation:
Privacy by Design (PbD) is a concept introduced by the Privacy Commissioner of Canada in 1995. It mandates that privacy considerations must be integrated into the design and architecture of systems, business practices, and technologies from the outset, rather than being retrofitted. The core principles of Privacy by Design include proactive protection of privacy, embedding privacy measures throughout the lifecycle of data, and ensuring that privacy considerations are part of the foundation of any project.
- When Infosys is a Data Controller (A): As a data controller, Infosys determines the purposes and means of processing personal data. It is therefore directly responsible for ensuring that personal data is handled in compliance with privacy laws, such as the GDPR or other data protection regulations. Privacy by Design is a core requirement for data controllers under GDPR. Even if there is no contractual obligation, Infosys must embed privacy protections from the start, ensuring data is collected, processed, and stored in a secure, compliant manner. This could include measures like anonymization, encryption, and access controls.
- When Infosys Develops a Solution for a Client (B): If Infosys is developing a solution for a client, it is likely to process personal data on behalf of that client. In this case, Infosys must also adhere to Privacy by Design principles. This includes designing solutions that protect privacy and ensure the proper handling of personal data from the start. Even in the absence of explicit contractual obligations, implementing privacy features like data minimization, secure processing, and data retention policies is crucial to comply with the overarching legal principles of privacy protection. Ensuring privacy at the development stage helps prevent data breaches and aligns with both the interests of clients and privacy laws.
Therefore, both cases A (Data Controller) and B (Developing a Solution) require Infosys to apply Privacy by Design, ensuring privacy and security even in the absence of a specific contractual obligation.