Data Protection FAQs (14)
The Board has the powers to impose the following penalties:
| Sr. No. | Non-compliance/violation | Penalty |
|---|---|---|
| 1 | Breach in observing the obligation of Data Fiduciary to take reasonable security safeguards to prevent data breach | INR 250 crore |
| 2 | Breach in observing the obligation to give the Board or affected Data Principal notice of a personal data breach | INR 200 crore |
| 3 | Breach in observing obligations regarding children's personal data | INR 200 crore |
| 4 | Breach in observance of additional obligations of Significant Data Fiduciary under section 10 | INR 150 crore |
| 5 | Breach of term of voluntary undertaking accepted by the Board under Section 32 | Penalty varies based on the breach |
| 6 | Breach of other provision of this Act or the rules made thereunder | INR 50 crore |
The appeal shall be filed within a period of sixty days from the date of receipt of the order of the Data Protection Board against which the appeal is to be filed.
As per section 27, the following are the powers and functions of the Board:
a. To direct any urgent remedial or mitigation measures in the event of a personal data breach, and to inquire into such personal data breach and impose penalty as provided in this Act
b. To inquire into such breach and impose penalty as provided in this Act against the Data Fiduciary, Consent Manager, Intermediary (under section 37)
c. To inquire into such breach and impose penalty as provided in this Act on receipt of an intimation of breach of any condition of registration of a Consent Manager
d. Issue such directions to any person, who shall be bound to comply with the same.
e. Modify, suspend, withdraw or cancel such direction and, while doing so, impose such conditions as it may deem fit, subject to which the modification, suspension, withdrawal or cancellation shall have effect
Additionally, the Board has the same powers as are vested in a Civil Court under the Code of Civil Procedure, 1908, to discharge its functions in respect of the following matters:
a. Summoning and enforcing the attendance
b. Examination on oath
c. Discovery and production of documents
d. Inspection of documents
e. Receiving evidence on affidavit
f. Any other matter
As per section 33(2), while determining the amount of a monetary penalty, the Board shall consider the following factors:
- The nature, gravity and duration of the breach;
- The type and nature of the personal data affected by the breach;
- The repetitive nature of the breach;
- Whether the person, as a result of the breach, has realized a gain or avoided any loss;
- Whether any action was taken to mitigate the effects and consequences of the breach, and the timeliness and effectiveness of such action;
- Whether the monetary penalty to be imposed is proportionate and effective, having regard to the need to secure observance of, and deter breach of, the provisions of the Act;
- The likely impact of the imposition of the penalty on the person.
Section 29 states that any person aggrieved by an order of the Board may file an appeal before the Appellate Tribunal, where the Appellate Tribunal is the authority established under Section 18 of the Telecom Regulatory Authority of India Act, i.e. the Telecom Disputes Settlement and Appellate Tribunal.
Establishment: As per section 18, for the purposes of the Act, the appropriate Board shall be the Data Protection Board.
Constitution:
As per section 19, the Data Protection Board shall have a Chairperson and other Members as notified by the Central Government. The Chairperson and other Members must have appropriate knowledge and practical experience in the fields of data governance, administration or implementation of laws related to social or consumer protection, dispute resolution, information and communication technology, digital economy, law, regulation or techno-regulation, or in any other field which in the opinion of the Central Government may be useful to the Board, and at least one among them shall be an expert in the field of law.
Section 6(8) provides that the Consent Manager shall be accountable to the Data Principal and shall act on her behalf in such manner and subject to such obligations as may be prescribed.
a. Take consent of the parent or lawful guardian to process personal data of children: As per section 9, the Data Fiduciary shall, before processing any personal data of a child or of a person with disability who has a lawful guardian, obtain verifiable consent of the parent of such child or of the lawful guardian.
b. Prohibition of detrimental processing: As per section 9(2), a Data Fiduciary is prohibited from processing personal data which is likely to cause any detrimental effect on the well-being of a child.
c. Prohibition of specific activities: As per section 9(3), a Data Fiduciary shall not undertake tracking, behavioral monitoring or targeted advertising directed at children.
a. Appoint a Data Protection Officer: As per section 10(2), the DPO is an individual responsible to the Board of Directors or similar governing body of the Significant Data Fiduciary and shall represent the Significant Data Fiduciary for the purposes of the provisions of this Act. The DPO shall be based in India and shall be the point of contact for grievance redressal.
b. Appoint an independent data auditor to carry out audits (section 10(2)).
c. Undertake DPIAs and Audit: As per section 10, Undertake Data Protection Impact Assessments and audits to ensure effective observance of the provisions of this Act and the rules.
Comply with the provisions of all applicable laws for the time being in force while exercising rights under the provisions of the Act.
a. To ensure not to impersonate another person while providing her personal data for a specified purpose;
b. To ensure not to suppress any material information while providing her personal data for any document, unique identifier, proof of identity or proof of address issued by the State or any of its instrumentalities;
c. To ensure not to register a false or frivolous grievance or complaint with a Data Fiduciary or the Board;
d. To furnish only such information as is verifiably authentic, while exercising the right to correction or erasure under the provisions of this Act or the rules made thereunder.
a. Personal data/information means any data about an individual who is identifiable by or in relation to such data
b. Data Principal means the individual to whom the personal data relates
c. Data Fiduciary means any person who, alone or in conjunction with other persons, determines the purpose and means of processing of personal data.
d. Data processor means any person who processes personal data on behalf of a Data Fiduciary for any activity related to offering of goods or services to Data Principals only under a valid contract.
e. Significant Data Fiduciary means any Data Fiduciary or class of Data Fiduciaries as may be notified by the Central Government
f. Consent Manager means a person registered with the Board, who acts as a single point of contact to enable a Data Principal to give, manage, review and withdraw her consent through an accessible, transparent and interoperable platform.
g. Data Protection Officer means an individual appointed by the Significant Data Fiduciary, responsible to the Board of Directors or similar governing body of Significant Data Fiduciary and is a point of contact for the grievance redressal mechanism under the provisions of the Act
Various obligations of a Data Fiduciary are listed below:
- Consent: Section 6 requires the Data Fiduciary to take free, specific, informed, unconditional and unambiguous consent from a Data Principal, given with a clear affirmative action.
- Furnishing notice to the Data Principal: Section 5 requires that a request to a Data Principal for consent shall be accompanied by a notice which informs the Data Principal of:
  a. The personal data and the purpose for which it is proposed to be processed;
  b. The manner in which the Data Principal may exercise her rights as per the Act;
  c. The way the Data Principal may make a complaint to the Data Protection Board, as prescribed;
  d. The Data Fiduciary shall offer the option to access the contents of the notice in the languages specified in the Eighth Schedule of the Constitution of India;
  e. The Data Fiduciary shall be obliged to prove that a notice was given by it to the Data Principal and that consent was given by such Data Principal to the Data Fiduciary in accordance with the provisions of this Act and the rules made thereunder.
- Purpose limitation: The consent shall signify an agreement to the processing of personal data for the specified purpose and shall be limited to such personal data as is necessary for that specified purpose. Any further processing requires further consent.
- Erasure/deletion of data: As per Section 8, the Data Fiduciary shall erase or delete the personal data, and must also cause the Data Processor to erase or delete such personal data,
  - if the Data Principal withdraws consent, or as soon as it is reasonable to assume that the specified purpose is no longer being served,
  - unless retention is necessary for compliance with any law for the time being in force.
  - A purpose is no longer served if the Data Principal does not approach the Data Fiduciary or exercise any of her rights in relation to that processing.
- Ensure completeness, accuracy and consistency: The Data Fiduciary shall ensure the completeness, accuracy and consistency of personal data where such personal data is likely to be used to make a decision affecting the Data Principal or is to be disclosed to another Data Fiduciary.
- Implement technical and organizational measures: The Data Fiduciary shall implement appropriate technical and organizational measures to ensure effective observance of the provisions of the Act and applicable rules.
- Reasonable security safeguards: Section 8(5) requires a Data Fiduciary to protect personal data in its possession or under its control, including personal data processed on its behalf by a Data Processor, by taking reasonable security safeguards to prevent a personal data breach.
- Breach notification: In case of a personal data breach, the Data Fiduciary is required to intimate the Board and each affected Data Principal in the manner prescribed.
- Publication of business contact information of the DPO: A Data Fiduciary shall publish the business contact information of a Data Protection Officer, if applicable, or of a person who is able to answer, on behalf of the Data Fiduciary, the questions, if any, raised by the Data Principal about the processing of her personal data.
- Grievance redressal: Section 8(10) requires a Data Fiduciary to establish an effective mechanism to redress the grievances of Data Principals.
- Ensure the rights of the Data Principal: A Data Fiduciary shall provide a mechanism to ensure the rights of the Data Principal to access, correct and erase her personal data, to seek grievance redressal and to nominate another person in respect of her personal data.
  - Upon receiving a request for access, provide: a summary of the personal data being processed by the Data Fiduciary and the processing activities undertaken by that Data Fiduciary with respect to such personal data; the identities of all other Data Fiduciaries and Data Processors with whom the personal data has been shared by such Data Fiduciary, along with a description of the personal data so shared; and any other information related to the personal data of such Data Principal and its processing, as may be prescribed.
  - Upon receiving a request for correction, completion, updating or deletion:
    (a) correct the inaccurate or misleading personal data;
    (b) complete the incomplete personal data;
    (c) update the personal data;
    (d) delete the personal data, unless retention is necessary for the specified purpose or for compliance with law.
  - The Data Fiduciary shall establish an effective mechanism to redress the grievances of Data Principals.
- Cross-border data transfer: Section 16 requires the Data Fiduciary to ensure that any transfer of personal data outside the territory of India aligns with the notifications or guidelines issued by the Central Government.
The DPDP Act applies to the processing, within the territory of India, of digital personal data, i.e. personal data collected in digital form or collected in non-digital form and subsequently digitized.
Yes, the DPDP also applies to the processing of digital personal data outside the territory of India, if such processing relates to offering of goods or services to Data Principals within the territory of India.