मेनू टॉगल करा
अधिक
    बंद करा

    Terms and Condition Maha eHRMS

    TERMS & CONDITIONS FOR USE OF THE MAHA eHRMS PORTAL AND MOBILE APPLICATION

    Updated in accordance with the Digital Personal Data Protection Act, 2023; Digital Personal Data Protection Rules, 2025; Information Technology Act, 2000; Maharashtra State Data Policy, 2024; and the Maharashtra Public Records Act, 2005

    Introduction

    These Terms and Conditions govern the use of the Maharashtra Electronic Human Resource Management System (MahaeHRMS), comprising the mobile application and web platform developed and maintained by the General Administration Department (GAD),Government of Maharashtra. The objective of Maha eHRMS is to digitize and manage the service records and human resource processes of State Government employees in a transparent, secure, and efficient manner. By accessing or using Maha eHRMS, the User or Employee acknowledges and agrees to abide by these Terms. These Terms are intended for display on the Maha eHRMS portal hosted by the General Administration Department.

    For the purposes of these Terms, the following definitions apply:

    • “Personal Data” means any data about an individual that directly or indirectly identifies the individual. This includes personal information contained in your service records, such as contact details, identification information, employment and service history, salary and benefits, performance records, etc. (as defined under Section 2(t) of the DPDP Act,2023)
    • “User” or “Employee” refers to a State Government employee who is using Maha eHRMS and whose personal data is processed in Maha eHRMS. In terms of data protection law, the User is the Data Principal, the individual to whom the personal data relates.
    • “Department” refers to the General Administration Department, Government of Maharashtra, and its authorized officials administering Maha eHRMS. The General Administration Department is the Data Fiduciary, meaning it determines the purpose and means of processing Users’ personal data and its confidentiality.
    • “Processing” in relation to personal data, means a wholly or partly automated operation or set of operations performed on digital personal data, and includes operations such as collection, recording, organisation, structuring, storage, adaptation, retrieval, use, alignment or combination, indexing, sharing, disclosure by transmission, dissemination or otherwise making available, restriction, erasure or destruction. (as defined under Section 2(x) of the DPDP Act,2023)
    • “DPDP Act and Rules” means the Digital Personal Data Protection Act, 2023, enacted by the Government of India, which governs the processing of digital personal data and protection of individuals’ privacy rights and Rules, if any thereunder.
    • “Data Processor” means any person who processes personal data on behalf of a Data Fiduciary. (as defined under Section 2(k) of the DPDP Act,2023)
    • “Maharashtra State Data Policy 2024” refers to the policy enacted by the Government of Maharashtra (Planning Department) in 2025 to standardize data governance and ensure data security and privacy in all State Departments.

      • Unless otherwise defined herein, all the terms used in these Terms shall have the same meaning as assigned to them under the Digital Personal Data Protection Act,2023, or any other applicable laws and amendments thereto from time to time.

      Legal Compliance and Governance

      Maha eHRMS has been designed and is operated in compliance with the provisions of the Digital Personal Data Protection Act, 2023, the Digital Personal Data Protection Rules, 2025, the Maharashtra State Data Policy, 2024, the Maharashtra Public Records Act, 2005, the Information Technology Act, 2000, and all other applicable laws, rules, and government instructions governing the management, protection, and retention of digital records within the State. The platform adheres to the principles of lawful, transparent, and secure processing of personal data as envisaged under the DPDP Act and the State’s data governance framework.

      As a Significant Data Fiduciary (SDF), the General Administration Department is required to fulfil enhanced compliance obligations under Section 10 of the DPDP Act, 2023 and Rule 15 of the DPDP Rules, 2025. These obligations include theappointment of a Data Protection Officer in accordance with Section 10(2) of the DPDP Act, the conduct of annual Data Protection Impact Assessments(DPIA) as mandated under Rule 15(3) of the DPDP Rules, the maintenance of detailed and up-to-date records of all processing activities, and the undertaking of independent data audits to ensure adherence to statutory requirements and internal controls.

      The Department may, from time to time, issue circulars, guidelines, or Standard Operating Procedures to operationalize these legal requirements and to ensure continued compliance with evolving statutory, technological, and administrative standards relating to data protection, cybersecurity, and digital governance.

      Purpose of Data Collection and Use

      • Authorized Use: Maha eHRMS shall collect and processes personal data of State Government employees for legitimate government purposes, primarily for HR management and administrative functions. This shall include maintaining complete digital service records from appointment to retirement, facilitating payroll and benefits, tracking promotions and transfers, managing leave and attendance, and processing pension and other post-retirement benefits. The processing of personal data is necessary for performance of public duties and legal obligations by the Government of Maharashtra, and for providing services or benefits to the employees as required by law. In many cases, this processing is undertaken as part of the employer’s official function or compliance with laws (e.g. maintaining service books), which is allowed under the DPDP Act without requiring separate consent of the employee (as it falls under “legitimate uses” or statutory necessity).

      • Transparency and Fairness: The Department is committed to processing data of the User/Employee/Data Principal in a transparent and fair manner. Upon request, the User/Employee/Data Principal shall be provided with details of the personal data collected, the purposes for which it is processed, and the entities with whom such data may be shared. The Department ensure that only such personal data that is necessary for the specified purpose will be collected and processed, and it will not be used for any new purpose that will be incompatible with the original purpose without obtaining consent or providing additional notice to the User/Employee/Data Principal as applicable.

      • Consent: Where certain personal data processing is based on consent of the User/Employee (for example, if in the future Maha eHRMS introduces optional features requiring your permission, or if any processing is not already mandated by law), such consent will be obtained in a free, informed, specific, and unambiguous manner. The User/Employee shall have right to withdraw any consent given, at any time, with ease equal to the manner in which consent was given. By accessing Maha eHRMS the User/Employee shall unconditionally accept to be legally bound by the terms and conditions. In case of withdrawal of consent, the processing of the personal data will be stopped that was based on consent and, within a reasonable time, cease (and ensure our data processors cease) processing the personal data unless such processing is required under law. Please note that withdrawal of consent will not affect processing that is done pursuant to another lawful basis or processing that took place before the withdrawal. It may also result in certain services or functionalities becoming unavailable, provided relying on the consent (for example, if an optional module of Maha eHRMS uses data based on consent, that module would be disabled upon withdrawal).

        • Categories of Data Collected

        The Maha eHRMS platform collects and maintains various categories of personal data relevant to the employment and service of the User. The collection of such data shall be strictly limited to what is necessary for the specified purpose, in accordance with the principle of data minimization prescribed under Rule 3(2) of the Digital Personal Data Protection Rules, 2025.

        • The App will collect and manage various categories of personal data relevant to employment of User/Employee. These may include:

        • Personal Identifiers: Name, employee code, date of birth, contact information (phone, email), address, photograph, biometrics data, medical information, and identity document details.

        • Employment Details: Department and office, designation, job role, joining date, service cadre, postings and transfer history, promotion details, pay scale and salary details, leave records, performance evaluations, disciplinary records (if any), and any other information maintained in your digital service book.

        • Payroll and Benefits: Bank account details for salary, tax identification (PAN), General Provident Fund (GPF)number, pension and gratuity nominations, medical insurance or health scheme enrolments, and other benefit-related information.

        • Documents and Certificates: Scanned copies or digital data from service-related documents such as appointment letters, promotion orders, educational certificates if required, identity documents for verification, etc., as uploaded in the system.

        • Usage Data: When the User/Employee shall use Maha eHRMS, certain technical information may be collected (such as log-in times, actions performed, device information) to ensure security and audit trails. This usage data generally will not be personal data but may be linked to profile of User/Employee for security monitoring and support.

        • Data processors: “Data Processor” means any authorised person, agency, or organisation that shall processes personal data on behalf of the Department for lawful and specified purposes under the DPDP Act, 2023.

          • The Maha eHRMS platform will collect only such personal data as is necessary to fulfil its stated administrative and service-related objectives. Wherever practicable, data will be sourced directly from the employee or from official departmental records. Additionally, authorized officials or department administrators may update or modify employee data as part of routine human resource workflows, subject to applicable policies and procedures.

          Data Sharing and Disclosure

          The personal data of Users shall not be sold or disclosed to unauthorized third parties. Data may be shared with other departments or authorities of the Government of Maharashtra, or the Government of India where required for administrative, statutory, or regulatory purposes, in accordance with Section 7(1)(c) of the Digital Personal Data Protection Act, 2023, which permits processing for the performance of State functions.

        • Technical partners or service providers engaged for the operation, maintenance, or enhancement of Maha eHRMS may process data strictly under the instructions of the Department and shall be bound by confidentiality and security obligations as required under Section 8(2) of the DPDP Act, 2023 and Rule 10 of the DPDP Rules, 2025. Such Data Processors shall not engage subcontractors without prior approval and shall be required to report any personal data breach immediately to the Department.

        • Data may also be disclosed pursuant to lawful directions, court orders, or statutory obligations. Personal
          data shall not be transferred outside India unless permitted by the Central Government and subject to adequate safeguards, in accordance with Section 16 of the DPDP Act, 2023 and Rule 14 of the DPDP Rules, 2025.

          • Data Security

          Recognizing the sensitivity of the personal data stored in Maha eHRMS, the Department shall implement reasonable and appropriate technical and organizational measures to protect such data against unauthorized access, alteration, loss, or misuse, as required under Section 8(5) of the Digital Personal Data Protection Act, 2023 and Rule 16 of the Digital Personal Data Protection Rules, 2025. These measures include encryption, secure communication protocols, firewalls, intrusion detection systems, role-based access control, multi-factor authentication, data masking, and regular security audits.

        • As a Significant Data Fiduciary, the Department shall conduct annual Data Protection Impact Assessments,
          independent audits, and periodic risk assessments in accordance with Rule 15 of the DPDP Rules, 2025. Any personal data breach shall be reported to the Data Protection Board of India and to affected Users as mandated under Section 8(6) of the DPDP Act, 2023 and Rule 12 of the DPDP Rules, 2025.

        • Users are responsible for maintaining the confidentiality of their login credentials and for following security advisories issued by the Department.

          • Data Retention and Deletion

          Personal data shall be retained only for as long as necessary to fulfil the purposes for which it is processed or as required under applicable laws, including the Maharashtra Public Records Act, 2005. Retention practices shall comply with Section 8(7) of the Digital Personal Data Protection Act, 2023 and Rule 20 of the Digital Personal Data Protection Rules, 2025, which mandate that personal data shall not be retained beyond the period necessary for the purpose of processing unless required for legal compliance.

        • Certain categories of data may be archived for long-term preservation in accordance with statutory obligations. Once the purpose of processing is fulfilled, personal data shall be deleted or anonymized unless retention is required under law. Users may request erasure of personal data that is no longer necessary or where consent has been withdrawn; however, such requests may be declined where retention is mandated by law, in accordance with Section 13 of the DPDP Act, 2023. The Department shall maintain retention logs and ensure that Data Processors also comply with deletion requirements.

          • User Rights under the DPDP Act

          The User, as a Data Principal, shall have the right to obtain confirmation of whether the Department is processing his or her personal data and to receive a summary of such data, in accordance with Section 11 of the Digital Personal Data Protection Act, 2023. The User may request correction or updating of inaccurate or outdated information under Section 12 of the DPDP Act, 2023 and may seek erasure of personal data where legally permissible under Section 13.

        • Where processing is based on consent, the User may withdraw such consent at any time as provided under Section 6(7) of the DPDP Act, 2023. The User shall have access to a grievance redressal mechanism under Section 14 of the DPDP Act, 2023 and may nominate another person to exercise rights in the event of death or incapacity under Section 14(2).

        • All rights requests shall be subject to identity verification as required under Rule 9 of the DPDP Rules, 2025, and shall be acknowledged and resolved within the timelines prescribed under Rule 22 of the DPDP Rules, 2025

          • User Responsibilities

          Users of Maha eHRMS are expected to use the platform responsibly and in accordance with applicable laws, service rules, and departmental policies. In addition to the obligations arising under the Maharashtra Civil Services Rules and other relevant government instructions, Users shall comply with the duties prescribed under Section 15 of the Digital Personal Data Protection Act, 2023, which require every Data Principal to provide accurate information, refrain from impersonating another individual, avoid suppressing material information, and not file frivolous or false grievances or complaints.

          • Users shall ensure that any personal data or document submitted through Maha eHRMS is accurate, authentic, and not misleading. They shall not deliberately input false information or omit material details while updating their profile or submitting forms. Users shall not share their login credentials, passwords, or authentication details with any other person, nor shall they permit unauthorized access to the platform. Any attempt to access, modify, or retrieve the data of another employee without authorization shall constitute a violation of these Terms and may attract disciplinary action under applicable service rules, in addition to penalties under the DPDP Act.

          • By fulfilling these responsibilities, Users contribute to the overall security, integrity, and reliability of the Maha eHRMS system and help ensure that the rights of all employees are protected in accordance with the DPDP Act and DPDP Rules.

          Changes to Terms and Conditions

          The Department may revise or update these Terms from time to time due to changes in law, policy, or system functionality. Material changes shall be communicated to Users through appropriate channels, including in-app notifications, circulars, or email/SMS alerts. Continued use of Maha eHRMS after such changes shall constitute acceptance of the revised Terms.

          Contact Information

          In accordance with the obligations prescribed under Section 10(2) of the Digital Personal Data Protection Act, 2023, the General Administration Department, being designated as a Significant Data Fiduciary, shall appoint a Data Protection Officer who shall be responsible for overseeing compliance with the DPDP Act and the Digital Personal Data Protection Rules, 2025. The Data Protection Officer shall serve as the primary point of contact for matters relating to the processing of personal data under Maha eHRMS, including issues concerning the exercise of rights by the User, data protection compliance, and coordination with the Data Protection Board of India.

          Further, as required under Section 14 of the DPDP Act, 2023 and Rule 22 of the DPDP Rules, 2025, the Department shall designate a Grievance Officer to address complaints or concerns raised by Users regarding the processing of their personal data, delays or deficiencies in responding to rights requests, or any other matter relating to data protection. The Grievance Officer shall acknowledge grievances within the timelines prescribed under the DPDP Rules and shall ensure that appropriate action is taken to resolve such grievances in a fair and timely manner.

          The contact details of the Data Protection Officer and the Grievance Officer, including their official designation, office address, email ID, and telephone number, shall be published on the Maha eHRMS portal and kept updated from time to time. Users may reach out to these designated officials for any queries, concerns, or requests relating to the processing of their personal data, the exercise of their rights under the DPDP Act, or any matter arising from these Terms and Conditions. The Department shall ensure that all communications received through these channels are handled with due diligence and in accordance with the statutory obligations imposed under the DPDP Act and DPDP Rules.

          Governing Law and Dispute Resolution

          These Terms shall be governed by the laws of India, including the provisions of the Digital Personal Data Protection Act, 2023, the Digital Personal Data Protection Rules, 2025, the Information Technology Act, 2000, and all other applicable Central and State enactments governing data protection, digital governance, and public administration. Any dispute relating specifically to the processing, protection, or handling of personal data under Maha eHRMS may be raised before the Data Protection Board of India, in accordance with the procedures laid down under Chapter V of the DPDP Act, 2023, which provides for adjudication, inquiry, and enforcement mechanisms relating to personal data breaches and non-compliance.

          Service-related disputes that do not pertain to personal data protection shall be addressed through the appropriate administrative or judicial forums established under the relevant service rules, including but not limited to departmental appellate authorities, the Maharashtra Administrative Tribunal, or other competent authorities as applicable. For all legal proceedings arising from or connected with the use of Maha eHRMS, the jurisdiction shall lie exclusively with the competent courts located in Mumbai, Maharashtra, subject to the statutory provisions governing territorial jurisdiction and the nature of the dispute.

          Acceptance

          By accessing or using the Maha eHRMS platform, whether through the web portal or the mobile application, the User expressly acknowledges, confirms, and declares that he or she has carefully read, understood, and agreed to the entirety of these Terms and Conditions. The User further affirms that such use constitutes valid and informed acceptance of these Terms in accordance with the principles of lawful consent and acknowledgment under applicable laws, including the Digital Personal Data Protection Act, 2023 and the Information Technology Act, 2000.

          The User’s continued access to or use of Maha eHRMS shall be deemed to constitute unequivocal acceptance of these Terms and shall create a binding and enforceable legal relationship between the User and the General Administration Department, Government of Maharashtra. This acceptance shall have the same legal effect as if the User had executed a written agreement with the Department, and the User shall be bound by all obligations, responsibilities, and duties set forth herein.

          The User also acknowledges that the Department retains the authority to modify or update these Terms in accordance with applicable laws and administrative requirements, and that continued use of the platform after such modifications shall constitute deemed acceptance of the revised Terms. The User agrees that it is his or her responsibility to review the Terms periodically to remain informed of any changes.

          These Terms and Conditions are issued by the General Administration Department, Government of Maharashtra (Developer of Maha eHRMS)

          Last Updated: December 8th, 2025.