What are the Obligations of Data Fiduciary?

The various obligations of a Data Fiduciary are listed below:

  1. Consent: Section 6 requires the Data Fiduciary to take free, specific, informed, unconditional and unambiguous consent from a Data Principal with a clear affirmative action.
  2. Furnishing Notice to Data Principal: Section 5 requires that a request to a Data Principal for consent shall be accompanied by a notice which will inform her of:

    a. The personal data and the purpose for which it is proposed to be processed.

    b. The manner in which the Data Principal may exercise her rights as per the Act.

    c. The way the Data Principal may make a complaint to the Data Protection Board, as prescribed.

    The Data Principal shall be offered the option to access the contents of the notice in the languages specified in Schedule 8 (eighth) of the Constitution of India.

    The Data Fiduciary shall be obliged to prove that a notice was given by her to the Data Principal and that consent was given by such Data Principal to the Data Fiduciary in accordance with the provisions of this Act and the rules made thereunder.

  3. Purpose limitation: The consent shall signify an agreement to the processing of personal data for the specified purpose and shall be limited to such personal data as is necessary for that specified purpose. For any further processing, further consent would be required.
  4. Erasure/Deletion of Data: As per Section 8, the Data Fiduciary shall erase or delete the personal data, and must also cause the Data Processor to erase or delete such personal data:
    • If the Data Principal withdraws consent or it can be safely assumed that the specified purpose is fulfilled.
    • Unless retention is necessary for legal compliance, in which case erasure or deletion is not required.
    • A purpose is no longer served if the Data Principal does not approach the Data Fiduciary or exercise any of her rights in relation to that processing.
  5. Ensure Completeness, Accuracy and Consistency: The Data Fiduciary is to ensure the completeness, accuracy and consistency of personal data where such personal data is likely to be used to make a decision affecting the Data Principal or is to be disclosed to another Data Fiduciary.
  6. Implement Technical and Organizational Measures: The Data Fiduciary is to implement appropriate technical and organizational measures to ensure effective observance of the provisions of the Act and applicable rules.
  7. Reasonable Security Safeguards: Section 8(5) requires a Data Fiduciary to protect personal data in its possession or under its control, including in respect of processing undertaken on its behalf by a Data Processor, by taking reasonable security safeguards to prevent a personal data breach.
  8. Breach Notification: In case of a personal data breach, the Data Fiduciary is required to intimate the Board and the affected Data Principal in the manner prescribed.
  9. Publication of business contact information about DPO: A Data Fiduciary is to publish the business contact information of a Data Protection Officer, if applicable, or of a person who is able to answer, on behalf of the Data Fiduciary, the questions, if any, raised by the Data Principal about the processing of her personal data.
  10. Grievance Redressal: Section 8(10) requires a Data Fiduciary to establish an effective mechanism to redress the grievances of Data Principals.
  11. Ensure Rights of Data Principal: A Data Fiduciary shall provide a mechanism to ensure the rights of the Data Principal to access, correct and erase her personal data, to seek grievance redressal and to nominate.
    • Upon receiving a request for access, provide a summary of the personal data which is being processed by the Data Fiduciary and the processing activities undertaken by that Data Fiduciary with respect to such personal data; the identities of all other Data Fiduciaries and Data Processors with whom the personal data has been shared by such Data Fiduciary, along with a description of the personal data so shared; and any other information related to the personal data of such Data Principal and its processing, as may be prescribed.
    • Upon receiving a request for correction, completion, updating or deletion:

      (a) Correct the inaccurate or misleading personal data.

      (b) Complete the incomplete personal data.

      (c) Update the personal data.

      (d) Delete personal data unless retention is necessary for specified purposes or compliance with law.

    • Data Fiduciary shall establish an effective mechanism to redress the grievances of Data Principals[3]

Cross-Border Data Transfer: Section 16 requires the Data Fiduciary to ensure that the transfer of personal data outside the territory of India aligns with the notifications or guidelines issued by the Central Government.

For more information, please contact us at: info@ssrana.com