# Data Protection

## Data Classification

| Classification | Examples | Handling |
|----------------|----------|----------|
| **Public** | Published license numbers, verification status | No restrictions |
| **Internal** | Processing statistics, workflow configurations | Staff access only |
| **Confidential** | Applicant personal data, documents | Role-based access |
| **Restricted** | Authentication credentials, encryption keys | System access only |

## Personal Data Inventory

| Data Category | Fields | Purpose | Retention |
|---------------|--------|---------|-----------|
| Identity | Name, Aadhaar (masked), photo | Applicant identification | License validity + 7 years |
| Contact | Email, phone, address | Communication | License validity + 7 years |
| Business | Business name, registration | License application | License validity + 7 years |
| Documents | Uploaded files | Verification | License validity + 7 years |
| Activity | Login times, actions | Audit | 7 years |

## Data Subject Rights

### Right to Access
Applicants can view all their personal data through the portal under "My Profile" and "My Applications."

### Right to Correction
Applicants can request corrections through the portal. Changes require verification for critical fields.

### Right to Erasure
Limited by legal retention requirements. Non-essential data can be erased upon request after license expiry.

### Right to Portability
Data export available in JSON and PDF formats through the portal.

## Data Security Controls

### Encryption

| State | Method |
|-------|--------|
| At Rest | AES-256 (database, files) |
| In Transit | TLS 1.3 |
| Backups | AES-256 with separate key |

### Access Control

- Role-based permissions
- Department-level data isolation
- Session timeout after inactivity
- Failed login lockout

### Anonymization

For analytics and reporting, personal identifiers are removed or pseudonymized.

## Breach Response

1. Detection and containment
2. Impact assessment
3. Notification to affected individuals (within 72 hours)
4. Notification to CERT-In (as required)
5. Root cause analysis
6. Remediation