CY-02 | Data Breach Notification Policy | SeekhoBecho.com
SeekhoBecho.com  |  RLS Retail Private Limited  |  Legal Document

Data Breach Notification Policy

Policy Code: CY-02  |  Version: 1.0  |  Effective: May 19, 2026  |  Classification: External — Platform-Wide
Type: Cybersecurity / Data Protection Policy
Compliance: DPDP Act 2023 S.8(6)  |  CERT-In Directions 2022  |  IT Act 2000
Applies To: All Users, Data Principals, Vendors
Jurisdiction: Gurugram, Haryana, India

Table of Contents

  1. Introduction & Purpose
  2. Definitions
  3. Legal Framework & Obligations
  4. What Constitutes a Notifiable Data Breach
  5. Breach Severity Assessment
  6. Internal Detection & Escalation (0–2 Hours)
  7. Breach Assessment & Documentation (2–24 Hours)
  8. Data Protection Board Notification (72-Hour Obligation)
  9. CERT-In Notification (6-Hour Obligation)
  10. User (Data Principal) Notification
  11. Vendor & Third-Party Breach Notification
  12. Notification Content Requirements
  13. Communication Channels & Methods
  14. Post-Breach Remediation
  15. Breach Register & Documentation
  16. No-Blame Internal Reporting Culture
  17. Interaction with Law Enforcement
  18. Policy Review
  19. Non-Compliance Consequences
  20. Contact & Reporting

1. Introduction & Purpose

This Data Breach Notification Policy ("Breach Policy") establishes mandatory procedures for detecting, assessing, and notifying relevant authorities and affected individuals when a personal data breach occurs on the SeekhoBecho.com platform operated by RLS Retail Private Limited ("Company"), registered at Plot-76-D, Phase IV, Udyog Vihar, Sector 18, Gurugram, Haryana – 122001.

The Breach Policy is designed to ensure the Company meets its legal obligations under the Digital Personal Data Protection Act, 2023 ("DPDP Act"), the CERT-In Cyber Security Directions 2022 ("CERT-In Directions"), and the Information Technology Act, 2000 ("IT Act") — while protecting the rights of Data Principals (Users) whose personal data may be affected.

Critical Timelines: DPDP Act 2023: Data Protection Board notification within 72 hours of awareness  |  CERT-In Directions 2022: CERT-In notification within 6 hours for specified incident types. Both timelines run from the moment the Company becomes "aware" — not from the moment of confirmed breach.
2. Definitions
Term  |  Definition
"Personal Data Breach"  |  Any actual or suspected breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data of Data Principals (per DPDP Act 2023).
"Data Principal"  |  The individual to whom the personal data relates — i.e., Platform Users, subscribers, sellers, creators, or any individual whose data is processed by the Company.
"Data Protection Board (DPB)"  |  The statutory body established under DPDP Act 2023 responsible for receiving breach notifications and enforcing data protection obligations.
"Breach Discovery"  |  The moment any Company employee, contractor, or vendor becomes aware of a potential or actual data breach. This triggers the notification timeline.
"Notifiable Breach"  |  A personal data breach that requires mandatory notification to the Data Protection Board under DPDP Act 2023, Section 8(6).
"High-Risk Breach"  |  A breach likely to result in significant harm to Data Principals — such as financial fraud, identity theft, physical harm, or reputational damage — requiring direct User notification.
3. Legal Framework & Obligations
Obligation  |  Legal Source  |  Timeline  |  Recipient
Report specified cyber incidents  |  CERT-In Directions 2022, Clause 5  |  Within 6 hours of detection  |  CERT-In (incident@cert-in.org.in)
Report personal data breach  |  DPDP Act 2023, Section 8(6)  |  Within 72 hours of awareness  |  Data Protection Board of India
Notify affected Data Principals  |  DPDP Act 2023, Section 8(6) + DPB Rules  |  As prescribed by DPB  |  Affected Users
Maintain ICT system logs  |  CERT-In Directions 2022, Clause 11  |  Retain minimum 180 days  |  Internal retention
Preserve evidence  |  IT Act 2000, Section 65B  |  Immediately upon discovery  |  Internal forensics
Cooperate with investigation  |  DPDP Act 2023, Section 28 + IT Act 2000  |  Upon request  |  DPB, CERT-In, law enforcement
4. What Constitutes a Notifiable Data Breach
4.1 All Personal Data Breaches: Under DPDP Act 2023, ALL personal data breaches (actual or suspected) must be assessed for notification. The Company does not apply a "significance threshold" — all breaches are documented and assessed.
4.2 Categories of Personal Data Affected: The following categories, if breached, are treated as High-Risk Breaches requiring immediate User notification: (a) KYC data (PAN, Aadhaar, address, date of birth); (b) Financial data (bank details, payment records, payout history); (c) Authentication data (passwords, OTPs, session tokens); (d) Health or biometric data (if collected); (e) Gaming data combined with identity (username + real name + game history).
4.3 CERT-In Notifiable Incidents: Additionally, the following must be reported to CERT-In within 6 hours regardless of whether personal data is involved: unauthorised access to systems, malware/ransomware, denial of service attacks, website defacement, data exfiltration, scanning/probing of critical systems.
5. Breach Severity Assessment
Severity  |  Criteria  |  DPB Notification  |  User Notification
Critical  |  Large-scale breach (>1,000 Data Principals); sensitive data (KYC, financial); ongoing exfiltration  |  Within 72 hours (expedited)  |  Immediate — all affected Users
High  |  100–1,000 Data Principals affected; account credential compromise; financial data exposed  |  Within 72 hours  |  Within 24 hours of notification to DPB
Medium  |  1–100 Data Principals; non-sensitive data; limited exposure  |  Within 72 hours  |  Targeted notification to affected individuals
Low  |  Internal only; no personal data exposed; immediately contained  |  Assessment (may not require notification)  |  Not required (document reason)
6. Internal Detection & Escalation (0–2 Hours)
6.1 Immediate Actions (First 2 Hours): Upon any employee, contractor, or vendor discovering a potential data breach: (a) Stop the breach where possible without destroying evidence; (b) Immediately notify compliance@seekhobecho.com and privacy@seekhobecho.com; (c) Do NOT attempt to contain, cover, or minimise without notifying the DPO; (d) Preserve all evidence — logs, screenshots, communications; (e) Do NOT discuss breach externally — no social media, no press, no User communications without approval.
6.2 DPO Activation: The Data Protection Officer (privacy@seekhobecho.com) must be informed within 2 hours of any suspected breach. The DPO initiates the formal breach assessment and leads the notification process.
6.3 Clock Starts: The 72-hour DPB notification clock and the 6-hour CERT-In clock start from the moment ANY Company personnel becomes aware of the incident — not from confirmation. When in doubt, treat the event as a breach.
7. Breach Assessment & Documentation (2–24 Hours)
7.1 Breach Assessment Checklist: Within 24 hours, the DPO must assess: (a) Nature and category of personal data involved; (b) Number of Data Principals potentially affected; (c) Likely consequences for affected individuals; (d) Whether the breach is ongoing; (e) Whether it is a CERT-In reportable incident; (f) Whether Data Principal notification is required.
7.2 Breach Record Creation: A formal Breach Record must be created containing: (a) Date/time of breach discovery; (b) Date/time of DPO notification; (c) Description of the breach; (d) Data categories affected; (e) Approximate number of Data Principals; (f) Likely consequences; (g) Containment measures; (h) Notification decisions and rationale.
7.3 Uncertainty Principle: If there is uncertainty about whether a breach has occurred or the scope of impact, notifications must still be filed based on what is known. Notifications may be supplemented with additional information as it becomes available.
8. Data Protection Board Notification (72-Hour Obligation)
8.1 Mandatory Filing: The Company must notify the Data Protection Board of India within 72 hours of becoming aware of a personal data breach. This obligation applies regardless of whether the breach is confirmed — suspected breaches that cannot be ruled out must be reported.
8.2 DPB Notification Content (per DPDP Act 2023 Rules):
  • Nature of the personal data breach
  • Categories of personal data affected
  • Approximate number of Data Principals affected
  • Approximate number of personal data records affected
  • Name and contact details of the Data Protection Officer
  • Likely consequences of the breach
  • Measures taken or proposed to address the breach, including mitigation
8.3 Filing Channel: DPB notifications are filed through the mechanism prescribed by the Data Protection Board (currently MeitY portal or as specified in DPB Rules when notified). The DPO (privacy@seekhobecho.com) is responsible for filing.
8.4 Supplementary Notifications: If full information is not available at 72 hours, a preliminary notification is filed with available information, supplemented by additional notifications as information becomes available. The 72-hour window is not extended pending full information.
9. CERT-In Notification (6-Hour Obligation)
9.1 If the breach involves a CERT-In reportable incident (as classified under CERT-In Directions 2022), the Compliance Officer (compliance@seekhobecho.com) must file a notification with CERT-In within 6 hours of detection via: Email: incident@cert-in.org.in  |  Portal: www.cert-in.org.in  |  Phone: +91-1800-11-4949.
9.2 CERT-In and DPB notifications are parallel obligations — both must be filed within their respective timelines. Neither replaces the other.
9.3 CERT-In notifications are classified as restricted and must not be shared externally without CERT-In authorisation.
10. User (Data Principal) Notification
10.1 Notification Trigger: Data Principals must be notified when: (a) The DPB determines notification is required; (b) The breach involves sensitive data likely to cause harm (financial, identity, physical); (c) The breach affects authentication credentials (prompting immediate password reset).
10.2 Notification Content: User notification must include: (a) Clear description of what happened; (b) Categories of personal data involved; (c) Date of breach (or approximate date); (d) Likely consequences for the individual; (e) Steps the Company has taken to address the breach; (f) Recommended protective actions for the User; (g) Contact for further questions (privacy@seekhobecho.com); (h) DPO contact details.
10.3 Notification Method: Notifications are delivered via: (a) Registered email (primary); (b) In-app notification (Platform); (c) WhatsApp to registered mobile (for high-risk breaches); (d) SMS (critical authentication credential breaches). All notifications are personalised — not generic bulk emails.
10.4 Language: Notifications are provided in English and, where operationally feasible, in Hindi.
11. Vendor & Third-Party Breach Notification
11.1 All technology vendors, cloud providers, payment processors, and data sub-processors must contractually report any breach affecting Company data within 4 hours of their own discovery.
11.2 A vendor's breach of Company data is treated as a Company breach for DPDP Act and CERT-In notification purposes. The 72-hour and 6-hour clocks run from the moment the Company (or its vendor acting on its behalf) becomes aware.
11.3 The Company will cooperate with vendor breach investigations and may require vendors to assist with User notification where the breach originated from vendor systems.
12. Notification Content Requirements
Notification Type  |  Required Content  |  Who Prepares
DPB Notification  |  Breach nature, data categories, affected count, consequences, measures, DPO contact  |  DPO
CERT-In Notification  |  Incident type, affected systems, attack vector, IOCs, containment actions  |  Compliance Officer
User Notification  |  Plain-language breach description, data involved, consequences, protective actions, contact  |  DPO + Customer Support
Vendor Notification  |  Incident details, impacted data scope, investigation cooperation request  |  IRT Lead + Legal
13. Communication Channels & Methods
13.1 All external breach notifications (DPB, CERT-In, Users) are reviewed and approved by the DPO and Legal Officer before dispatch. No unauthorised external communications about breaches are permitted.
13.2 A dedicated breach communication log is maintained recording: notification content, recipients, timestamp, delivery confirmation, and any responses received.
13.3 If a breach attracts media attention, all media enquiries are directed to compliance@seekhobecho.com. Only the Founder/Director-approved spokesperson may comment publicly.
14. Post-Breach Remediation
14.1 Following breach containment and notification, the Company implements: (a) Immediate security patches for identified vulnerabilities; (b) Enhanced monitoring of affected systems; (c) Credential resets for compromised accounts; (d) Review and hardening of access controls; (e) Vendor security assessment review.
14.2 Affected Users are provided with: (a) Clear guidance on protective steps (password reset, enabling 2FA, monitoring accounts); (b) Credit/identity monitoring guidance if financial data was exposed; (c) Contact for follow-up queries.
14.3 A Post-Breach Review Report is prepared within 30 days and shared with the Founder/Director. Corrective actions are tracked to completion.
15. Breach Register & Documentation
15.1 All personal data breaches (notifiable or not) are recorded in the Company's Breach Register maintained by the DPO. The Breach Register includes: breach ID, date of discovery, description, data categories affected, number of Data Principals, notification decisions, and remediation status.
15.2 The Breach Register is available for inspection by the Data Protection Board upon request. It is classified as Confidential — Internal.
15.3 Breach records are retained for a minimum of 8 years. Records of DPB-notified breaches are retained until any associated regulatory proceedings are concluded, plus 5 years.
16. No-Blame Internal Reporting Culture
16.1 The Company operates a no-blame culture for internal breach reporting. Employees who in good faith report a suspected breach will not face disciplinary action for the act of reporting — regardless of whether the concern proves valid.
16.2 Deliberately concealing, delaying, or covering up a breach is a serious misconduct offence and will result in immediate disciplinary action and potential legal referral.
17. Interaction with Law Enforcement
17.1 If a breach involves criminal activity (e.g., hacking under IT Act 2000, Section 66; unauthorised access; identity theft), the Company will file a complaint with the Cyber Crime Division of the relevant police authority and cooperate with investigation.
17.2 Law enforcement requests for breach-related data are processed through the Legal Officer (compliance@seekhobecho.com). No breach data is shared with law enforcement without appropriate legal authorisation.
18. Policy Review
18.1 This Breach Policy is reviewed annually and after every notifiable breach. It is updated for changes to DPDP Act Rules, DPB guidelines, CERT-In Directions, or IT Act regulations. Approved by the Founder/Director.
19. Non-Compliance Consequences
19.1 Failure to notify DPB within 72 hours: May attract financial penalties under DPDP Act 2023. The DPB has power to impose penalties, issue directions, and require remediation.
19.2 Failure to notify CERT-In within 6 hours: Violation of IT Act 2000, Section 70B. May attract penalties and prosecution.
19.3 Internal non-compliance: Immediate disciplinary action per the Company's Code of Conduct (COD-01).
20. Contact & Reporting
Data Protection Officer / DPDP Compliance: Breach assessment, DPB notifications, User notifications
Compliance & CERT-In Liaison: CERT-In reporting, incident escalation, legal holds
Grievance Officer — IT Rules 2021: User-reported breach concerns
General Support: Account security concerns, breach impact queries
CERT-In: incident@cert-in.org.in  |  +91-1800-11-4949
Data Protection Board: www.meity.gov.in
Company Address: RLS Retail Private Limited, Plot-76-D, Phase IV, Udyog Vihar, Gurugram, Haryana – 122001
SeekhoBecho.com  |  RLS Retail Private Limited  |  Gurugram, Haryana – 122001
CY-02  |  Data Breach Notification Policy  |  v1.0  |  May 19, 2026
grievance@  |  support@  |  compliance@  |  privacy@seekhobecho.com  |  © 2026 RLS Retail Pvt. Ltd.