Employee Privacy Statement

This policy on data privacy (the “Policy”) applies to all Personal Information received by Allstate India including electronic, paper, or verbal information.

The privacy principles in this Policy have been developed based on Indian law.

Allstate India collects and uses Personal Information in order to select, manage and administer its workforce and workforce data; run its business operations; and ensure the safety and protection of its workforce and resources and for any purpose ancillary or incidental thereto, as Allstate India may deem fit. In collecting Sensitive Personal Information, Allstate India obtains consent from the relevant individual for such collection and use of his/her Sensitive Personal Information. Allstate India collects, retains and uses Personal Information for legally permitted purposes including in order to select, manage and administer its workforce and workforce data; run its business operations; and ensure the safety and protection of its workforce; provision of certain benefits to its employees; and resources and for any purpose ancillary or incidental thereto.

For the protection of the information shared with Allstate India and its affiliates for the purposes mentioned herein, Allstate India and its affiliates have in place information security policies and procedures that contain managerial, technical, operational and physical security measures that comply with security standards as per the applicable law, for collecting, receiving, possessing, storing , dealing with or handling Personal Information of the data subject and protecting such information from unauthorized access, use, modification, damage, disclosure and impairment through multiple control points including but not limited to technology and operations controls. Details of these security practices and procedures are available on the Company intranet: AllConnect - Allstate Information Security site.

Allstate India will use the Personal Information only in ways that are compatible with the purposes for which it was collected or subsequently authorized by the individual. Allstate India will take reasonable steps to ensure that the Personal Information is relevant to its intended use, accurate, complete, and current.

Allstate India shall have the right to amend or replace this Policy and the security practices and procedures from time to time at its sole discretion and provide details of such amended or replaced practices and procedures. Notwithstanding anything to the contrary contained in this Policy, the publication of such practices and procedures on the Company intranet shall be deemed to incorporate such practices and procedures in this Policy.

The name of any agency that may collect and retain Sensitive Personal Information of the relevant individual on behalf of Allstate India is available on the Company intranet. Allstate India shall have the right to appoint or replace the agency (ies) collecting and retaining the Sensitive Personal Information by publishing it on the Company intranet. The publication of such details on the Company intranet shall be deemed to incorporate such details in this Policy and unless objected to by the Data Subject, it will be deemed that the Data Subject has consented to such replacement and appointment. Pursuant to this consent, Allstate India may share Personal Information and Sensitive Personal Information with service providers and third party(s) listed on the Company Intranet.

Allstate India will disclose or transfer Personal Information only with the consent of the Data Subject or where such disclosure or transfer is necessary for the performance of a contract between the Data Subject and Allstate India, Data Subject and third party(s) or for compliance with a legal obligation. Such transfers include (a) intercompany transfers from Allstate India’s offices in India to Allstate India’s affiliate offices in the United States, United Kingdom and wherever they may be located; and (b) transfers to such third parties specified on the Company intranet. Allstate India shall have the right to modify/ amend the list of third parties to which Personal Information may be transferred, by publishing the same on the Company intranet. The publication on the Company intranet shall be deemed to incorporate such details in the Policy. Such transfers shall be made only to jurisdictions and/or third parties which implement and maintain security practices and procedures not lower than the standards prescribed by applicable law. Allstate India will obtain assurances from third parties to whom Personal Information is transferred that they will safeguard such information consistently with this Policy. Where Allstate India has knowledge that a third party to whom Personal Information was transferred is using or disclosing such information in a manner contrary to this Policy, Allstate India will take reasonable steps to prevent or stop the use or disclosure.

To the fullest extent required by applicable law, Allstate India will offer Data Subjects the opportunity not to provide the Sensitive Personal Information and to withdraw their earlier consent. The Data Subject may withdraw their consent by communicating the same to Allstate India in writing.

Upon a reasonable request, Allstate India may grant individuals reasonable access to correct, amend, or delete Personal Information that it holds about them. Additional management approvals may be required for same.

Any questions or concerns regarding the use or disclosure of Personal Information should be directed to Allstate India - Privacy Impact Assessment Group at AllstateIndia - PrivacyImpactAssessmentGroup@allstate.com.

Reporting Potential Policy Violations and Potential Privacy Incidents

Employees and contingent workers are required to immediately report any potential policy violations as well as suspected or actual unauthorized use, access, or disclosure of Personal Information (whether inadvertent or intentional). Potential policy violations and potential privacy incidents must be reported by:

• Sending an email directly to PrivacyIncidentManagement@allstate.com OR
• Contacting your immediate manager. Managers must immediately send an email to PrivacyIncidentManagement@allstate.com or report the concern to the Allstate Information Security Computer Incident Response Team at Cyber@allstate.com upon notification of a potential privacy incident OR
• Calling the Allstate i-Report Line toll-free at 000-800-050-383, or using the Allstate i-Report website Compliance Ethics Point (Select country and Begin report) OR
• Report Incident on the Allstate India Incident Management Portal by selecting Privacy as the 'Incident Type'.

Allstate India and Ethics Business Conduct investigates any potential or actual policy violations and privacy incidents in compliance with applicable company policies and procedures, laws, and regulations. In the event that Allstate India or its affiliates share, directly or indirectly with the relevant individuals, any Personal Information, the said individuals will be obligated, to use such Personal Information in accordance with the data security practices and procedures and internal privacy policy of Allstate India as available on the Company intranet. Further, such Personal Information shall be used only in the course of employment and not for any personal use of the individual. In case of unauthorized use by the individual of such Personal Information, Allstate India reserves the right to take disciplinary action including termination of the individual’s employment at its sole discretion after providing him/her with a reasonable opportunity to be heard.

You may contact the Information Protection and Privacy Governance Officer for any grievances in relation to collection of your information or any further clarifications on how we process your data, to update your details and to exercise your rights as described herein at:

We periodically review and may update or revise this Employee Privacy Statement. The date at the top of this page shows when this Employee Privacy Statement was last revised. We will let you know when we update the Employee Privacy Statement by changing the above date or via any other appropriate mode.