We Do Not Sell Your Data
Your personal information is never sold, rented, or traded to any commercial third party.
Data Stored in India
All personal data is processed and stored on servers located within the Republic of India.
You Control Your Data
You have rights to access, correct, and request deletion of your personal information at any time.
Minimal Collection
We collect only the information strictly necessary to deliver our certification and public services.
Transparent Processing
We clearly document why we collect each category of data and the legal basis for doing so.
Time-Limited Retention
Personal data is retained only for the period required by law or legitimate operational need.
Who We Are & Scope of This Policy
JDN Assessment Certifications (hereinafter “we”, “us”, or “JDN Assessment Certifications”) is the National ISO Certification Authority constituted under the Quality Council of India, an autonomous body under the Ministry of Commerce & Industry, Government of India. Our registered office is at NBCC Place, East Kidwai Nagar, Pragati Vihar, New Delhi — 110 003.
This Privacy Policy applies to all personal data collected through our website (www.isocertindia.gov.in), our certification portal, training registration system, RTI portal, verification portal, and any other digital service operated by JDN Assessment Certifications. It also applies to personal data collected through postal correspondence, telephone interactions, and in-person visits to our offices.
This policy is issued in compliance with the Digital Personal Data Protection Act, 2023 (DPDP Act), the Information Technology Act, 2000, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, and applicable guidance issued by the Government of India.
Data Fiduciary
Under the DPDP Act 2023, JDN Assessment Certifications acts as the Data Fiduciary — the entity that determines the purpose and means of processing your personal data. Our Data Protection Officer can be contacted at dpo@isocertindia.gov.in.
Personal Data We Collect
We collect personal data in the following categories, depending on how you interact with JDN Assessment Certifications. We collect only what is necessary for the specific purpose.
| Category | Examples | How Collected | Required? |
|---|---|---|---|
| Identity Data | Full name, designation, date of birth (for auditor registration) | Application forms, portals | Yes — for services |
| Contact Data | Email address, mobile number, postal address | Registration, correspondence | Yes — for communication |
| Organisational Data | Company name, CIN/GSTIN, industry sector, employee count | Certification application | Yes — for certification |
| Financial Data | Payment reference numbers, fee receipts (not card details) | Payment gateway records | Yes — for fee compliance |
| Professional Data | Qualifications, work experience, audit history (auditors only) | Auditor registration portal | For auditor roles only |
| Usage Data | IP address, browser type, pages visited, timestamps | Automatically (server logs) | Automatic — anonymised |
| Communication Data | Emails, enquiry form submissions, RTI content | When you contact us | When you contact us |
| Sensitive Personal Data | Disability status (for accessibility requests only) | Voluntary disclosure only | Never mandatory |
No Aadhar or PAN Collection
JDN Assessment Certifications does not collect Aadhaar numbers, PAN numbers, passport numbers, or bank account details through our website. Payment processing is handled by the Government of India’s authorised payment gateway — we receive only a payment confirmation reference.
Third-Party Websites
Our website may contain links to external sites including the Central Information Commission, NABCB, IAF, and other government portals. This Privacy Policy does not apply to those sites. We encourage you to read their respective privacy policies.
Purposes & Legal Basis for Processing
We process your personal data only for specific, lawful purposes. The table below sets out each purpose, the data used, and the legal basis under the DPDP Act 2023.
| Purpose | Data Used | Legal Basis |
|---|---|---|
| Processing ISO certification applications | Identity, Contact, Organisational, Financial | Performance of contract / Legal obligation |
| Issuing and maintaining certificates | Organisational, Professional | Legal obligation (ISO/IEC 17021) |
| Responding to RTI applications | Identity, Contact, Communication | Legal obligation (RTI Act 2005) |
| Processing training enrolments | Identity, Contact, Financial | Performance of contract |
| Sending service-related notifications | Contact | Legitimate interest / Consent |
| Certificate verification by third parties | Organisational (company name, cert no.) | Legal obligation / Public interest |
| Responding to complaints and grievances | Identity, Contact, Communication | Legal obligation / Legitimate interest |
| Improving our website and services | Usage Data (anonymised) | Legitimate interest |
| Statutory reporting to MCI, QCI, NABCB | Organisational (aggregated/anonymised) | Legal obligation |
| Auditor registration and management | Identity, Professional, Contact | Performance of contract / Legal obligation |
We Do Not Use Your Data for Marketing
JDN Assessment Certifications does not use your personal data for direct marketing, profiling, or targeted advertising. We may send you information about new certification schemes or training programmes that are directly relevant to your existing relationship with us — you can opt out at any time by emailing privacy@isocertindia.gov.in.
Who We Share Your Data With
JDN Assessment Certifications shares personal data only where there is a legal basis to do so, or where you have given explicit consent. We never sell your personal data. The following categories of recipients may receive your data in specific circumstances:
| Recipient | Purpose | Safeguards |
|---|---|---|
| NABCB (National Accreditation Board for Certification Bodies) | Accreditation oversight, surveillance reporting | Government body — bound by law |
| IAF (International Accreditation Forum) | Peer evaluation, MLA reporting (aggregated data only) | IAF Data Governance Framework |
| Ministry of Commerce & Industry | Statutory reporting, policy compliance | Government body — bound by law |
| Central Information Commission | RTI second appeal proceedings only | Government body — bound by law |
| Lead Auditors (NABCB-registered) | Sharing applicant details for audit scheduling | Auditor agreement & NABCB code of conduct |
| Government Payment Gateway (PFMS/NEFT) | Fee collection and receipting only | Government-authorised gateway |
| IT Service Providers | Hosting, maintenance (under data processing agreements) | Contractual DPA, data stored in India |
| Law enforcement / Courts | Only when legally compelled by court order or statutory authority | Statutory authority only |
Public Certificate Registry
Certificate details (organisation name, certificate number, standard, scope, issue and expiry dates, and certified sites) are published on our public verification portal as part of our IAF accreditation obligations and to enable third-party verification. This is a legal requirement under ISO/IEC 17021-1:2015. If you have concerns, contact privacy@isocertindia.gov.in.
How Long We Keep Your Data
We retain personal data for the minimum period necessary to fulfil the stated purpose or as required by applicable law. The following retention schedule applies:
| Data Type | Retention Period | Reason |
|---|---|---|
| Certification application data | 7 years after certificate expiry | ISO/IEC 17021 accreditation requirement |
| Issued certificate records | 10 years after certificate expiry | Legal obligation and accreditation |
| Training enrolment records | 5 years after course completion | CPD point records and audit trail |
| RTI applications and responses | 5 years from date of response | Public Records Rules, 1997 |
| Auditor registration data | Duration of registration + 7 years | NABCB auditor oversight requirements |
| Contact / enquiry records | 3 years from last interaction | Limitation Act 1963 (claims period) |
| Website usage logs | 12 months (anonymised after 30 days) | Security monitoring and analytics |
| Payment records | 8 years | Financial audit and tax compliance |
| Grievance records | 5 years from resolution | Grievance redress compliance |
After the applicable retention period expires, personal data is securely deleted or anonymised in accordance with our Data Deletion Standard Operating Procedure. You may request earlier deletion of your data where we have no overriding legal obligation to retain it — see Your Rights below.
How We Protect Your Data
JDN Assessment Certifications implements robust technical, administrative, and physical security measures to protect personal data against unauthorised access, disclosure, alteration, and destruction. Our security framework includes:
256-bit TLS Encryption
All data in transit is encrypted using TLS 1.3. Our website is served exclusively over HTTPS.
AES-256 At-Rest Encryption
All databases containing personal data are encrypted at rest using AES-256 on NIC-hosted servers.
Role-Based Access Control
Staff access to personal data is restricted to those with a legitimate operational need, logged and audited quarterly.
ISO 27001:2022 Aligned
Our information security management is aligned with ISO/IEC 27001:2022 — the same standard we certify organisations against.
Regular Backups
Data is backed up daily to geographically separated NIC data centres with 99.9% recovery capability.
72-Hour Breach Notification
In the event of a data breach affecting your rights, we will notify you within 72 hours as required by the DPDP Act 2023.
Report a Security Concern
If you believe your personal data may have been compromised, or if you discover a security vulnerability on our website, please contact us immediately at security@isocertindia.gov.in. We take all security reports seriously and will respond within 24 hours.
How We Use Cookies
Our website uses cookies — small text files stored on your device — to ensure functionality and improve your experience. We do not use advertising, retargeting, or social media tracking cookies. You can manage your cookie preferences below.
You can also manage cookies through your browser settings. For guidance, visit allaboutcookies.org. Note that disabling essential cookies may prevent you from using our certification portal.
Your Data Protection Rights
Under the Digital Personal Data Protection Act 2023 and other applicable laws, you have the following rights regarding your personal data held by JDN Assessment Certifications. To exercise any right, contact our Data Protection Officer at dpo@isocertindia.gov.in. We will respond within 30 days.
Right to Access
Request a copy of the personal data we hold about you, and information about how we process it.
Right to Correction
Request correction of any inaccurate or incomplete personal data we hold about you.
Right to Erasure
Request deletion of your personal data where there is no overriding legal obligation for us to retain it.
Right to Object
Object to the processing of your personal data where we rely on legitimate interest as the legal basis.
Right to Data Portability
Receive your personal data in a structured, commonly used format (JSON / CSV) for transfer to another organisation.
Right to Lodge a Complaint
Lodge a complaint with the Data Protection Board of India if you believe your data rights have been violated.
Right to Nominate
Under the DPDP Act 2023, you may nominate another person to exercise your data rights on your behalf in case of incapacity or death.
Withdraw Consent
Where we rely on your consent for processing (e.g. newsletters), you may withdraw it at any time without affecting prior processing.
How to Exercise Your Rights
Email our Data Protection Officer at dpo@isocertindia.gov.in with “Data Rights Request” in the subject line. Include your full name, contact details, and a clear description of your request. We will verify your identity and respond within 30 days. Complex requests may take up to 60 days — we will notify you of any extension.
Protection of Children’s Data
JDN Assessment Certifications’s services are directed exclusively at organisations and adult professionals. We do not knowingly collect personal data from any person under the age of 18. Our certification, training, and portal services require applicants to be adults acting on behalf of legally registered organisations.
If we become aware that personal data of a person under 18 has been inadvertently collected, we will delete it immediately. If you believe we may hold data relating to a minor, please contact dpo@isocertindia.gov.in without delay.
DPDP Act Compliance for Children
In accordance with Section 9 of the Digital Personal Data Protection Act 2023, we undertake not to process personal data of children and not to engage in tracking, behavioural monitoring, or targeted advertising directed at children.
Updates to This Privacy Policy
We review this Privacy Policy at least annually, and whenever there are significant changes to our data processing activities or applicable law. When we update this policy, we will:
- Update the “Last Revised” date at the top of this page
- Post a prominent notice on our website for at least 30 days
- Send an email notification to all registered portal users
- For material changes, seek fresh consent where required by law
Your continued use of our services after a policy update constitutes acceptance of the revised terms. If you do not agree, you may discontinue use of our services and request deletion of your data as described in Section 8.
| Version | Date | Summary of Changes |
|---|---|---|
| v3.0 | 01 Jan 2025 | Full rewrite to comply with DPDP Act 2023. Added Data Portability and Nomination rights. Cookie categories expanded. |
| v2.1 | 15 Aug 2023 | Updated data retention schedules. Added ISO 27001:2022 security alignment note. Clarified public registry disclosure. |
| v2.0 | 01 Apr 2022 | Added cookie management controls. Updated sharing table for NABCB and IAF. Added IT Rules 2011 compliance statement. |
| v1.0 | 01 Jan 2020 | Initial Privacy Policy published following website launch. |
Privacy Queries & Complaints
If you have any questions about this Privacy Policy, wish to exercise your data rights, or wish to report a privacy concern, please contact our Data Protection Officer. If you are not satisfied with our response, you have the right to lodge a complaint with the Data Protection Board of India.
Data Protection Board of India
If you remain dissatisfied after contacting our DPO, you may file a complaint with the Data Protection Board of India once constituted under the DPDP Act 2023. Details of the Board’s complaint mechanism will be published on meity.gov.in.