DPDP Ii

Uploaded by

Sonit Marwah
DIGITAL PERSONAL DATA PROTECTION - II
General obligations of Data Fiduciary

• A Data Fiduciary shall be responsible for complying with the provisions of the Act in respect of any processing undertaken by it or on its behalf by a Data Processor.
• A Data Fiduciary may engage, appoint, use or involve a Data Processor to process personal data on its behalf for any activity related to offering of goods or services to Data Principals only under a valid contract.
• Where personal data processed by a Data Fiduciary is likely to be—
  • used to make a decision that affects the Data Principal; or
  • disclosed to another Data Fiduciary,
  the Data Fiduciary processing such personal data shall ensure its completeness, accuracy and consistency.
• A Data Fiduciary has to implement appropriate technical and organisational measures.
• A Data Fiduciary shall protect personal data in its possession or under its control, including in respect of any processing undertaken by it or on its behalf by a Data Processor, by taking reasonable security safeguards to prevent personal data breach.
• In the event of a personal data breach, the Data Fiduciary shall give the Board and each affected Data Principal intimation of such breach.

• A Data Fiduciary shall, unless retention is necessary for compliance with any law for the time being in force,—
  (a) erase personal data, upon the Data Principal withdrawing her consent or as soon as it is reasonable to assume that the specified purpose is no longer being served, whichever is earlier; and
  (b) cause its Data Processor to erase any personal data that was made available by the Data Fiduciary for processing to such Data Processor.
• Illustrations.
  (I) X, an individual, registers herself on an online marketplace operated by Y, an e-commerce service provider. X gives her consent to Y for the processing of her personal data for selling her used car. The online marketplace helps conclude the sale. Y shall no longer retain her personal data.
  (II) X, an individual, decides to close her savings account with Y, a bank. Y is required by law applicable to banks to maintain the record of the identity of its clients for a period of ten years beyond closing of accounts. Since retention is necessary for compliance with law, Y shall retain X’s personal data for the said period.
• The purpose referred to above shall be deemed to no longer be served, if the Data Principal does not––
  (a) approach the Data Fiduciary for the performance of the specified purpose; and
  (b) exercise any of her rights in relation to such processing,
  for such time period as may be prescribed, and different time periods may be prescribed for different classes of Data Fiduciaries and for different purposes.
• A Data Fiduciary shall publish the business contact information of a Data Protection Officer, if applicable, or a person who is able to answer on behalf of the Data Fiduciary, the questions, if any, raised by the Data Principal about the processing of her personal data.
• A Data Fiduciary shall establish an effective mechanism to redress the grievances of Data Principals.
Processing of personal data of children
• The Data Fiduciary shall, before processing any personal data of a child or a person with disability who has a lawful guardian, obtain verifiable consent of the parent of such child or the lawful guardian.
• “consent of the parent” includes the consent of lawful guardian.
• A Data Fiduciary shall not undertake such processing of personal data that is likely to cause any detrimental effect on the well-being of a child.
• A Data Fiduciary shall not undertake tracking or behavioural monitoring of children or targeted advertising directed at children.
Additional obligations of Significant Data Fiduciary
• The Central Government may notify any Data Fiduciary or class of Data Fiduciaries as Significant Data Fiduciary, on the basis of an assessment of such relevant factors as it may determine, including—
  (a) the volume and sensitivity of personal data processed
  (b) risk to the rights of Data Principal
  (c) potential impact on the sovereignty and integrity of India
  (d) risk to electoral democracy
  (e) security of the State and
  (f) public order.
• The Significant Data Fiduciary shall—
  (a) appoint a Data Protection Officer who shall
    (i) represent the Significant Data Fiduciary
    (ii) be based in India
    (iii) be an individual responsible to the Board of Directors or similar governing body of the Significant Data Fiduciary and
    (iv) be the point of contact for the grievance redressal mechanism
• The Significant Data Fiduciary shall appoint an independent data auditor to carry out data audit, who shall evaluate the compliance of the Significant Data Fiduciary
• The Significant Data Fiduciary shall undertake the following other measures, namely:—
  (i) periodic Data Protection Impact Assessment, which shall be a process comprising a description of the rights of Data Principals and the purpose of processing of their personal data, assessment and management of the risk to the rights of the Data Principals
  (ii) periodic audit and
  (iii) such other measures
RIGHTS AND DUTIES OF DATA PRINCIPAL
• Right to access information about personal data.
• The Data Principal shall have the right to obtain from the Data Fiduciary to whom she has previously given consent, for processing of personal data, upon making to it a request in such manner as may be prescribed,—
  (a) a summary of personal data which is being processed by such Data Fiduciary and the processing activities undertaken by that Data Fiduciary with respect to such personal data;
  (b) the identities of all other Data Fiduciaries and Data Processors with whom the personal data has been shared by such Data Fiduciary, along with a description of the personal data so shared; and
  (c) any other information related to processing of the personal
• Not to apply in respect of the sharing of any personal data by the said Data Fiduciary with any other Data Fiduciary authorised by law to obtain such personal data, where such sharing is pursuant to a request made in writing by such other Data Fiduciary for the purpose of prevention or detection or investigation of offences or cyber incidents, or for prosecution or punishment of offences.
Right to correction and erasure of personal data
• A Data Principal shall have the right to correction, completion, updating and erasure of her personal data for the processing of which she has previously given consent,
• A Data Fiduciary shall, upon receiving a request for correction, completion or updating from a Data Principal,—
  (a) correct the inaccurate or misleading personal data;
  (b) complete the incomplete personal data; and
  (c) update the personal data.
• A Data Principal shall make a request to the Data Fiduciary for erasure of her personal data, and upon receipt of such a request, the Data Fiduciary shall erase her personal data unless retention of the same is necessary for the specified purpose or for compliance with any law for the time being in force.
Right of grievance redressal
• A Data Principal shall have the right to have readily available means of grievance redressal provided by a Data Fiduciary or Consent Manager in respect of any act or omission of such Data Fiduciary or Consent Manager regarding the performance of its obligations in relation to the personal data of such Data Principal or the exercise of her rights under the provisions of this Act and the rules made thereunder.
• The Data Fiduciary or Consent Manager shall respond to any grievances within such period as may be prescribed from the date of its receipt for all or any class of Data Fiduciaries.
• The Data Principal shall exhaust the opportunity of redressing her grievance before approaching the Board.
Right to nominate
• A Data Principal shall have the right to nominate any other individual, who shall, in the event of death or incapacity of the Data Principal, exercise the rights of the Data Principal.
• “incapacity” means inability to exercise the rights of the Data Principal due to unsoundness of mind or infirmity of body.
Duties of Data Principal
• A Data Principal shall perform the following duties, namely:—
  (a) comply with the provisions of all applicable laws for the time being in force while exercising rights under the provisions of this Act;
  (b) to ensure not to impersonate another person while providing her personal data for a specified purpose;
  (c) to ensure not to suppress any material information while providing her personal data for any document, unique identifier, proof of identity or proof of address issued by the State or any of its instrumentalities;
  (d) to ensure not to register a false or frivolous grievance or complaint with a Data Fiduciary or the Board; and
  (e) to furnish only such information as is verifiably authentic, while exercising the right to correction or erasure under the provisions of this Act or the rules made thereunder.
SPECIAL PROVISIONS
Processing of personal data outside India.
• The Central Government may, by notification, restrict the transfer of personal data by a Data Fiduciary for processing to such country or territory outside India as may be so notified.
• Nothing contained in this section shall restrict the applicability of any law for the time being in force in India that provides for a higher degree of protection for or restriction on transfer of personal data by a Data Fiduciary outside India in relation to any personal data or Data Fiduciary or class thereof.
EXEMPTIONS
• Not apply where—
  (a) the processing of personal data is necessary for enforcing any legal right or claim;
  (b) the processing of personal data by any court or tribunal or any other body in India which is entrusted by law with the performance of any judicial or quasi-judicial or regulatory or supervisory function, where such processing is necessary for the performance of such function;
  (c) personal data is processed in the interest of prevention, detection, investigation or prosecution of any offence or contravention of any law for the time being in force in India;
  (d) personal data of Data Principals not within the territory of India is processed pursuant to any contract entered into with any person outside the territory of India by any person based in India
• Not apply where—
  • the processing is necessary for a scheme of compromise or arrangement or merger or amalgamation of two or more companies or a reconstruction by way of demerger or otherwise of a company, or transfer of undertaking of one or more company to another company, or involving division of one or more companies, approved by a court or tribunal or other authority competent to do so by any law for the time being in force; and
  • the processing is for the purpose of ascertaining the financial information and assets and liabilities of any person who has defaulted in payment due on account of a loan or advance taken from a financial institution, subject to such processing being in accordance with the provisions regarding disclosure of information or data in any other law for the time being in force.
• Illustration. X, an individual, takes a loan from Y, a bank. X defaults in paying her monthly loan repayment instalment on the date on which it falls due. Y may process the personal data of X for ascertaining her financial information and assets and liabilities.
• The provisions of the Act not to apply in respect of the processing of personal data—
  (a) by such instrumentality of the State as the Central Government may notify, in the interests of sovereignty and integrity of India, security of the State, friendly relations with foreign States, maintenance of public order or preventing incitement to any cognizable offence relating to any of these, and the processing by the Central Government of any personal data that such instrumentality may furnish to it; and
  (b) necessary for research, archiving or statistical purposes if the personal data is not to be used to take any decision specific to a Data Principal and such processing is carried on in accordance with such standards as may be prescribed
• Explanation.—For the purposes of this sub-section, the term “startup” means a private limited company or a partnership firm or a limited liability partnership incorporated in India, which is eligible to be and is recognised as such in accordance with the criteria and process notified by the department to which matters relating to startups are allocated in the Central Government.
