Overview
HCL Technologies (HCLTech) operates as a global Data Fiduciary for its employees and website visitors, and as a Data Processor for its enterprise clients. Given its massive footprint in India and the US, its privacy policy (updated for April 2026) has transitioned from a GDPR-centric model to a hybrid framework that specifically acknowledges the Digital Personal Data Protection Act (DPDP) 2023 for its Indian operations.
DPDP Readiness: Section-by-Section Analysis
Section 6 — Consent & Notice ✅
HCLTech has moved away from “bundled consent.” Their policy for the Indian jurisdiction now specifies that consent is sought for specific purposes (e.g., recruitment, marketing, or service delivery).
What the policy says: “When processing personal data, HCLTech ensures there is a legal basis… and it is communicated to the individuals prior to processing.”
DPDP requirement: Notice must precede or accompany the request for consent and must be available in 22 scheduled languages.
Gap: While the notice is clear and specific, the multilingual requirement (as per Section 6(3)) is not immediately visible on the digital interface, potentially creating a procedural lapse in “informed consent” for non-English-speaking data principals.
Section 7 — Certain Legitimate Uses ✅
HCLTech correctly identifies “Legitimate Uses” for employee data and state-mandated disclosures. Their policy for Indian employees aligns with Section 7(i), which allows processing for “employment purposes” or “protecting the fiduciary from loss/liability.”
Strength: They clearly distinguish between processing based on consent (for marketing) and processing based on legal obligation (Section 7).
Section 8 — Obligations of Data Fiduciary ✅
HCLTech demonstrates top-tier compliance here. They maintain ISO 27001 and ISO 27701 certifications, meeting the “reasonable security safeguards” requirement of Section 8(5).
Strength: They have a dedicated “Global Privacy Office” and an appointed Data Protection Officer (DPO) for India, fulfilling the requirement for a Significant Data Fiduciary (if classified as such) or a standard Fiduciary.
Section 9 — Data Retention ⚠️
Partial Compliance. The policy states that data will be deleted after the “expiration of the retention period.”
DPDP requirement: Section 9(1) requires the Fiduciary to erase data as soon as the purpose is served or consent is withdrawn.
Gap: The policy uses the phrase “or longer if required to fulfill legal/contractual obligations.” While this wording is legally sound, the lack of a transparent retention schedule for different data types (e.g., candidate data vs. client logs) makes it difficult for a Data Principal to verify whether erasure has occurred.
Section 11 — Rights of Data Principal ✅
HCLTech has updated its portal to allow:
- Right to Access: Users can request a summary of data processed.
- Right to Correction/Erasure: Facilitated via the DSR Portal.
- Right to Nominate (Section 14): Major Strength. HCLTech is one of the few MNCs to explicitly mention the right to nominate an individual to act on the principal’s behalf in case of death or incapacity.
Section 12 — Right of Grievance Redressal ⚠️
HCL provides a direct email address (privacy@hcltech.com) and a portal named “The Right Way” for grievances.
Gap: Under the DPDP Act, the Data Principal must exhaust the Fiduciary’s grievance process before approaching the Board. HCL’s policy explains the internal process well but does not explicitly mention the 30-day resolution window or provide the specific contact mechanism for the Data Protection Board of India as an escalation point.
Section 16 — Cross-Border Data Transfer ✅
As a global entity, HCL transfers data across 50+ countries.
DPDP requirement: Data can be transferred unless the Central Government restricts it (Negative List).
Compliance: HCL uses a “Global Operating Model” that applies a baseline of “adequate protection” to all transfers, which satisfies the current Section 16 requirements of the Act.
Risk Assessment
| Category | Risk Level | Mitigation Strategy |
|---|---|---|
| Consent Specificity | Low | Implement a “language toggle” for the Section 6 notice to meet the 22-language mandate. |
| Data Erasure | Medium | Automate the “right to be forgotten” and provide confirmation certificates to Data Principals. |
| Regulatory Escalation | Low | Update the grievance section to include the official address/portal of the Data Protection Board. |
| Third-Party Processing | Low | Ensure all Indian vendors have “Standard Contractual Clauses” that mirror DPDP obligations. |