मेनू टॉगल करा
अधिक
    बंद करा

    Terms and Condition Maha-AASTHA

    Terms and Conditions for the Maha-AASTHA (e-HRMS) Digital Platform(s)

    Introduction

    These Terms and Conditions (“Terms”) govern the use of the Maha-AASTHA (Maharashtra Administrative Automation for Service, Trust & Human Resource Advancement) e-HRMS mobile application and web platform, hereinafter referred to as “Maha-AASTHA,” “Maha-AASTHA App,” “App,” or “Web Platform.” The App is developed and maintained by the General Administration Department (GAD), Government of Maharashtra, with the objective of digitizing and managing service records and human resource processes of state government employees in a transparent and efficient manner.

    By accessing or using Maha-AASTHA, you (the “User” or “Employee”) acknowledge and agree to abide by these Terms. These Terms are intended for display within the Maha-AASTHA platform.

    Definitions

    For the purposes of these Terms, the following definitions apply:

    • “Personal Data” means any data about an individual that directly or indirectly identifies the individual. This includes personal information contained in your service records, such as contact details, identification information, employment and service history, salary and benefits, performance records, etc.
    • “User” or “Employee” refers to a state government employee who is using Maha-AASTHA and whose personal data is processed in Maha-AASTHA. In terms of data protection law, the User is the Data Principal, the individual to whom the personal data relates.
    • “Department” or “We” refers to the General Administration Department, Government of Maharashtra, and its authorized officials administering Maha-AASTHA. The General Administration Department is the Data Fiduciary, meaning it determines the purpose and means of processing Users’ personal data.
    • “Processing” means any operation performed on personal data, such as collection, storage, use, updating, disclosure, or deletion.
    • “DPDP Act” means the Digital Personal Data Protection Act, 2023, enacted by the Government of India, which governs the processing of digital personal data and protection of individuals’ privacy rights.
    • “Draft DPDP Rules 2025” refers to the Draft Digital Personal Data Protection Rules, 2025, proposed under the DPDP Act, which provide additional implementation details (currently in draft form and subject to finalization).
    • “Maharashtra State Data Policy 2024” refers to the policy enacted by the Government of Maharashtra (Planning Department) in 2025 to standardize data governance and ensure data security and privacy in all state departments.

      • Unless defined above, terms used in these Terms shall have the same meaning as in the DPDP Act or other applicable laws.

      Legal Compliance and Governance

      Maha-AASTHA and the Department’s data practices are designed to comply with all applicable data protection laws and policies, including the DPDP Act, 2023 and the rules framed thereunder, as well as the Maharashtra State Data Policy 2024. All departments, including GAD, are required under the State Data Policy to ensure compliance with the DPDP Act. This means your personal data will be processed in accordance with the principles and obligations set out in the DPDP Act and subsequent rules. The State Data Policy further emphasizes data privacy and security: it mandates that government data systems must be digitized and compliant with prevailing data privacy and security legislation. Accordingly, the Department has instituted a robust data governance framework, under oversight of the State Data Authority and relevant committees, to enforce these standards.

      The Department may issue Standard Operating Procedures (SOPs), circulars, or guidelines from time to time to further implement these Terms and ensure compliance with new legal requirements (for example, when the Draft DPDP Rules 2025 are finalized). We are committed to keeping these Terms updated in line with any changes in law or policy.

      Purpose of Data Collection and Use

      • Authorized Use: Maha-AASTHA collects and processes personal data of state government employees for legitimate government purposes, primarily for HR management and administrative functions. This includes maintaining complete digital service records from appointment to retirement, facilitating payroll and benefits, tracking promotions and transfers, managing leave and attendance, and processing pension and other post-retirement benefits. The processing of personal data is necessary for performance of public duties and legal obligations by the Government of Maharashtra, and for providing services or benefits to the employee as required by law. In many cases, this processing is undertaken as part of the employer’s official function or compliance with laws (e.g. maintaining service books), which is an allowed basis under the DPDP Act without requiring separate consent of the employee (as it falls under “legitimate uses” or statutory necessity).

      • Transparency and Fairness: We are committed to processing your data in a transparent and fair manner. On requesting for such information, you will be provided with details of what personal data is collected, the purposes of processing, and the entities with whom your data may be shared. We ensure that only such personal data that is necessary for the specified purpose is collected and processed, and data will not be used for any new purpose that is incompatible with the original purpose without obtaining your consent or providing additional notice, as applicable.

      • Consent: Where certain personal data processing is based on your consent (for example, if in the future Maha-AASTHA introduces optional features requiring your permission, or if any processing is not already mandated by law), such consent will be obtained in a free, informed, specific, and unambiguous manner. You have the right to withdraw any consent you have given, at any time, with ease equal to the manner in which consent was given. By accessing Maha-AASTHA you unconditionally accept to be legally bound by the terms and conditions. If you withdraw consent, we will stop the processing of the personal data that was based on consent and, within a reasonable time, cease (and ensure our data processors cease) processing your personal data unless such processing is required under law. Please note that withdrawal of consent will not affect processing that is done pursuant to another lawful basis or processing that took place before the withdrawal. It may also result in certain services or functionalities becoming unavailable if they relied on the consent (for example, if an optional module of Maha-AASTHA uses your data based on consent, that module would be disabled upon withdrawal).

        • Categories of Data Collected

        The App will collect and manage various categories of personal data relevant to your employment. These may include:

        • Personal Identifiers: Name, employee code, date of birth, contact information (phone, email), address, photograph, and identity document details.

        • Employment Details: Department and office, designation, job role, joining date, service cadre, postings and transfer history, promotion details, pay scale and salary details, leave records, performance evaluations, disciplinary records (if any), and any other information maintained in your digital service book.

        • Payroll and Benefits: Bank account details for salary, tax identification (PAN), provident fund number, pension and gratuity nominations, medical insurance or health scheme enrolments, and other benefit-related information.

        • Documents and Certificates: Scanned copies or digital data from service-related documents such as appointment letters, promotion orders, educational certificates if required, identity documents for verification, etc., as uploaded to the system.

        • Usage Data: When you use Maha-AASTHA, certain technical information may be collected (such as log-in times, actions performed, device information) to ensure security and audit trails. This usage data is generally not personal data but may be linked to your profile for security monitoring and support.

          • The Maha-AASTHA platform will collect only such personal data as is necessary to fulfill its stated administrative and service-related objectives. Wherever practicable, data will be sourced directly from the employee or from official departmental records. Additionally, authorized officials or department administrators may update or modify employee data as part of routine human resource workflows, subject to applicable policies and procedures.

          Data Sharing and Disclosure

          Your personal data will not be sold or disclosed to unauthorized third parties. The Department will share your data only in furtherance of legitimate purposes and in accordance with the DPDP Act’s provisions or other applicable laws. Key instances of data sharing include:

        • Within Government: Your data may be shared with other departments or authorities of the Government of Maharashtra or Government of India as required for administration. For example, information may be shared with the Finance Department/Treasury for salary processing, with the Pension Department for retirement benefits, or with regulatory authorities pursuant to legal requirements. Such sharing is done either with your consent or under a lawful exemption (such as compliance with a legal obligation or for performance of a public function) as permitted by Section 7 of the DPDP Act. If another government entity is authorized by law to obtain certain data (for instance, Vigilance or Audit departments), we may share the required data under proper authority. We will maintain records of any regular data sharing arrangements.

        • Data Processors and Service Providers: Maha-AASTHA may involve technical partners or service providers (for example, NIC or an IT vendor managing the e-HRMS infrastructure) that act as Data Processors on behalf of the Department. Such parties are bound by contractual agreements to process data only as per our instructions and to uphold strict confidentiality and security measures. As per the Maharashtra State Data Policy, any consultants, contractors, or service providers who have access to personal data must sign appropriate Non-Disclosure Agreements (NDAs) and implement technical and organizational security measures to ensure compliance with the DPDP Act. We remain responsible for the actions of our data processors and ensure they meet the standards of data protection required by law.

        • Legal Disclosures: If we receive a court order, law enforcement request, or any other legal obligation that requires us to disclose certain personal data, The General Administration Department will take appropriate steps to verify the legitimacy of such requests and ensure that any disclosure is limited to what is lawfully required, with due regard for the privacy and rights of the concerned employee.

          • Data Security

          We recognize the sensitivity of the personal data stored in Maha-AASTHA and have implemented reasonable security safeguards as required under Section-8 of the DPDP Act and the Draft DPDP Rules 2025. These measures are aimed at protecting your data against unauthorized access, loss, alteration, or misuse. Key security controls include:

        • Encryption & Access Control: Personal data is stored in encrypted form wherever applicable. Access to personal data is role-based and restricted to authorized personnel on a need-to-know basis. Users (employees) have secure credentials for accessing their own records, and internal administrators have tiered access rights as per their official role. Strong password policies and, where possible, multi-factor authentication are enforced to prevent unauthorized logins.

        • Technical Safeguards: The system employs up-to-date security measures such as firewalls, secure HTTPS communication, intrusion detection systems, and regular security audits. In line with draft Rules, baseline security practices like encryption, data masking/obfuscation, and audit logging are followed. The system is hosted in a secure government data centre environment with physical security controls and backup facilities.

        • Organizational Measures: All officials and staff handling personal data through Maha-AASTHA will follow guidelines on data privacy and security. Departments have set up dedicated Maha-AASTHA cells with nodal officers, who oversee data quality and security compliance. Regular audits (including data protection impact assessments and independent data audits if applicable) are conducted to ensure compliance with the DPDP Act. If the Department is classified as a Significant Data Fiduciary under the DPDP Act, we will fulfil the additional obligations such as appointing a Data Protection Officer and undergoing annual data audits.

        • Anonymization and Minimization: In accordance with the Maharashtra State Data Policy 2024, departments should anonymize or de-identify personal data when using it for analytics or secondary purposes, unless the data in identifiable form is absolutely required for the process. We adhere to this principle – any analytics or reports generated from Maha-AASTHA for decision-making will use aggregated data or anonymized datasets unless identifying information is necessary. Personal identifiers will be removed or masked in any public disclosures or open data releases, in line with the State Data Policy.

          • Despite these measures, no system can be 100% secure. Users are responsible for maintaining the confidentiality of their login credentials and for following any security advisories issued by the Department.

          Data Retention and Deletion

          Personal data is retained only for as long as necessary to fulfill the purposes outlined in this policy or as required by applicable laws. Since Maha-AASTHA manages official government service records, many data elements must be preserved for extended durations—even beyond an employee’s retirement—in accordance with statutory record-keeping obligations. The Maharashtra State Data Policy and relevant legislation, including the Maharashtra Public Records Act, 2005, govern the retention timelines for various categories of data.

        • During Employment: Your data will be actively maintained and updated throughout your service.

        • After Retirement or Separation: Key personal data and service records may be archived as per government record retention rules. The Maharashtra State Data Policy encourages maintaining digital data registers as authoritative sources, which implies long-term retention of certain data. However, once the specified purpose is over – e.g., after you have retired, and all benefits are settled – we will not process your data for any new purposes except historical record or legal compliance.

        • Erasure of Data: Under the DPDP Act, you have the right to request erasure of personal data that is no longer necessary or if you withdraw consent for its use. Upon receiving a valid erasure request and provided there is no legal necessity to retain the data, the Department will erase your personal data. In practice, certain records (like those needed for pension or statutory compliance) may need to be retained even if you request deletion; in such cases, we will inform you of the justification (e.g., “retention is necessary for compliance with legal obligation”). We will also ensure that any third parties/processors that have access to your data as part of Maha-AASTHA operations erase the data from their systems where applicable.

        • Withdrawal of Consent: If you had consented to any optional data processing and later withdraw that consent (as described in Section 4 above), we will erase or anonymize the data collected under that consent, unless we have another lawful basis to retain it. Per Section 8(7) of the DPDP Act, we will not retain personal data beyond the period necessary for the purpose of processing, or beyond withdrawal of consent, whichever is earlier, except where retention is required for compliance with a legal obligation.

          • User Rights under the DPDP Act, 2023

          As a User of Maha-AASTHA (and thus a Data Principal under the DPDP Act), you are entitled to exercise certain rights regarding your personal data. We are committed to upholding these rights and have put in place processes to facilitate them. Your key data protection rights are as follows:

        • Right to Access Information: You have the right to obtain confirmation of whether we are processing your personal data, and to receive a summary of that data and how it is used. This includes information on the categories of personal data processed, the purposes of processing, and a list of third parties (other Data Fiduciaries or Data Processors) with whom your data has been shared. Through Maha-AASTHA or upon request, you will be provided with access to view your own service record and personal details stored in Maha-AASTHA.

        • Right to Correction and Update: If you believe that any personal data, we hold about you is inaccurate, outdated, or incomplete, you have the right to request its correction, completion, or updating. For instance, if your contact address has changed or there is an error in your service record, you can request a correction. We encourage you to keep your information up to date; certain fields may be directly editable by you through Maha-AASTHA (with appropriate verification), or you may contact the nodal officer to update the official record. Upon verification, the Department will take prompt steps to correct the data as requested – this may include correcting factual mistakes, adding supplemental information to complete a record, or updating records to reflect changes. We may ask for supporting documentation where necessary to validate the requested corrections (for example, an official document for a date of birth correction).

        • Right to Erasure: You have the right to request deletion of your personal data in our systems, subject to certain conditions. If the data is no longer necessary for the purpose it was collected, or if you withdraw consent (where consent was the basis for processing), or if the processing is unlawful, you may ask that the data be erased. When we receive an erasure request and if no legal exception applies, we will erase the personal data concerned. However, please understand that this right is balanced with other obligations – for government administrative records, we may be required by law to retain certain information (e.g., service history for pension purposes, or records needed for audits). In such cases, we will inform you of the reason we cannot delete certain data. Any data that is not subject to such obligations will be deleted or anonymized. Additionally, under DPDP Act Section 8(7), we are in any case required to erase personal data once the specified purpose is fulfilled and retention is not necessary.

        • Right to Withdraw Consent: As mentioned earlier in Section 4, if any processing of your personal data is based on your consent, you have the right to withdraw that consent at any time. You can do so by using the consent management features in Maha-AASTHA (if available) or by contacting the Grievance Officer. Once consent is withdrawn, we will cease processing the data that was based on consent and delete it as described, unless we have an alternate legal basis to continue or a legal requirement to retain the data. We will also notify any third-party Data Processors to stop processing your data on our behalf.

        • Right to Grievance Redressal: You have the right to raise a grievance or complaint regarding any aspect of your personal data handling, and to have an accessible mechanism for redressal. If you believe your data has been mishandled, if you are dissatisfied with our response to an earlier request, or if you have any concerns about privacy, you can lodge a complaint. The Department is obligated to address your grievance in a timely manner and provide a resolution or response within a prescribed period. (As of now, the Draft DPDP Rules 2025 propose a timeline of 7 days for responding to grievances.)

        • To Nominate: The DPDP Act allows you to nominate a representative to exercise your data right on your behalf in case of your death or incapacity. You may formally nominate (in writing, as per the prescribed manner) another person – for example, a family member or legal heir – who can access or manage your Maha-AASTHA data if you are no longer able to do so. This nomination should be kept updated by you. The nominee can then request access, correction, or other actions on your data for the purpose of settling your matters (such as pension or other service benefits) in the event of your demise or if you are incapacitated.

          • We endeavour to make the exercise of your rights as simple and user-friendly as possible, in line with the law. Most requests are free of charge. However, abuse of rights (such as excessive or unfounded requests) may be addressed as per the DPDP Act provisions. Note that under Section 15 of the DPDP Act; while exercising your rights you have certain duties (explained in Section 10 below), such as not providing false information or not filing frivolous complaints.

          User Responsibilities (Employee Duties)

          Users of Maha-AASTHA are expected to use the platform responsibly and in accordance with applicable laws and government rules. In addition to complying with these Terms, you have specific duties under the DPDP Act and the service rules:

        • Accuracy of Information: You must ensure that any personal data or document you provide through Maha-AASTHA is accurate, authentic, and not misleading. Do not deliberately input false information or omit any material information when updating your profile or submitting forms. Providing correct data helps maintain an accurate service record and avoids discrepancies. If you realize that some information is wrong, promptly request a correction rather than leaving it incorrect.

        • Authorized Use Only: Your account credentials (username, password, and any OTP or security mechanisms) are personal to you. Do not share your login details or allow anyone else to access Maha-AASTHA using your identity. Impersonating another person or misusing another employee’s data is strictly prohibited. If you have access to subordinate staff data, you must use that access only for official purposes. Unauthorized access or attempts to breach the system’s security may lead to disciplinary action and legal penalties.

        • Compliance with Law and Policy: While exercising your data rights or using Maha-AASTHA, you should comply with all applicable laws, rules, and departmental policies.

          • The App should be used only for legitimate official purposes. Any misuse of Maha-AASTHA (such as extracting data for personal gain, altering records without authorization, etc.) can result in action under service conduct rules and applicable law.

        • No Frivolous Complaints: If you have any grievance or intend to exercise any right, ensure that your request or complaint is genuine. You should not file false or frivolous grievances or complaints with the Department or with the Data Protection Board. Misusing the grievance mechanism or providing false claims may attract penalties under Section 15(d) of the DPDP Act. We value feedback and legitimate grievances to improve the system, but any abuse of these channels undermines their effectiveness.

        • Security Practices: Follow any security instructions provided (for example, periodic password changes, not using easily guessable passwords, etc.). If you suspect that your account has been compromised or notice any unusual activity, notify the support team or Grievance Officer immediately so that protective measures can be taken.

        • Device Responsibility: If you use the mobile App, maintain your device’s security (e.g., use a lock screen, don’t leave the device unattended while logged in, etc.). The Department is not responsible for unauthorized access to data on a device you have lost, or which is infected by malware due to your negligence.

          • By fulfilling these responsibilities, you contribute to the overall security and reliability of the Maha-AASTHA system and ensure that your rights and those of your colleagues can be respected effectively.

          Changes to Terms and Conditions

          These Terms and Conditions may be updated or revised by the Department from time to time. Changes may occur due to updates in the law (for example, if the Draft DPDP Rules 2025 come into force with requirements that necessitate modifications to our policies) or due to changes in Maha-AASTHA’s features and data practices. Whenever we make material changes to these Terms, we will notify Users through appropriate channels – this may include an in-app notification, a circular to all departments, or an email/SMS notification. The updated Terms will be made available within Maha-AASTHA portal.

          Your continued use of Maha-AASTHA after changes to the Terms constitutes acceptance of the revised Terms. However, if a change requires collecting new consent from you (for example, if we introduce a new purpose for data processing that wasn’t originally covered), we will seek that consent separately. We encourage you to review the Terms periodically to remain informed about how your data is protected.

          For historical record, major versions of the Terms may be archived by the Department. If you wish to see an earlier version for any reason, you may contact the Grievance Officer.

          Contact Information

          If you have any questions, concerns, or requests regarding these Terms or your personal data in Maha-AASTHA, you may contact our designated officials below:
          Joint Secretary, General Administration Department (Services)
          General Administration Department, Government of Maharashtra,
          Mantralaya-Annex Building,
          Mumbai, Maharashtra (India).
          Email: gad.maha-aastha@mah.gov.in
          Phone:022-220245

          Governing Law and Dispute Resolution

          This Terms and Conditions document is governed by the laws of India. It is intended to be consistent with the Digital Personal Data Protection Act, 2023 and rules made thereunder, as well as relevant state laws and policies of Maharashtra. In the event of any conflict between these Terms and an applicable law/regulation, the provisions of the law will prevail, and the Terms will be interpreted in a manner that complies with the law.

          Any dispute or claim arising from these Terms, or the use of Maha-AASTHA App shall be resolved through the following mechanisms:

        • Data Protection Board of India: If the dispute involves personal data protection (such as an alleged violation of the DPDP Act), and it is not resolved internally, it may be raised before the Data Protection Board of India as per the procedures under the DPDP Act. The Board has authority to adjudicate complaints and impose penalties or remediation.

        • Other Avenues: For disputes not relating directly to data protection (for example, a service matter issue), the usual administrative or legal forums (such as departmental appeals, Maharashtra Civil Services tribunals, or courts) may be approached. However, those are outside the scope of this Terms document, which is focused on data and Maha-AASTHA usage terms.

        • Jurisdiction: Any legal proceedings, if necessary, shall be subject to the appropriate courts in Mumbai, Maharashtra, or forums as determined by applicable service rules and laws.

          • Acceptance

          By using Maha-AASTHA, you acknowledge that you have read and understood these Terms and Conditions and agree to abide by them. These Terms constitute a binding agreement between you and the General Administration Department, Government of Maharashtra regarding the use of the Maha-AASTHA and the handling of your personal data. If you do not agree with any part of these Terms, you should refrain from using the Maha-AASTHA; however, note that certain data processing might still occur as required by law for maintaining your employment records even if you choose not to personally use Maha-AASTHA (in such cases, your data will still be protected as per the above terms).

          The Government of Maharashtra is dedicated to protecting your personal data and privacy rights while using Maha-AASTHA. This document is provided in the interest of transparency and legal compliance, following the principles of the DPDP Act 2023 and the Maharashtra State Data Policy 2024. For any further clarification, you may contact the Grievance Officer.