This article aims to provide an overview of the Digital Personal Data Protection Act, 2023 (hereinafter also referred to as 'DPDP Act').
The Digital Personal Data Protection Act, 2023 recently received the assent of the President on 11th August 2023. The DPDP Act aims to recognise the rights of individuals pertaining to protection of their personal data in digital form or in non-digital form which is subsequently digitised and usage of such personal data of individuals by any other person for lawful purposes.
Clause (i) of Section 2 defines 'Data Fiduciary' as a person who by themselves or in conjunction with any other person determines the purpose and means of processing the personal data of the data principal.
Clause (j) of Section 2 defines 'Data Principal' as any person to whom the personal data relates and also includes their lawful guardian in case the personal data relates to a minor or any person with a disability.
PROCESSING PERSONAL DATA
Section 4: A Data Fiduciary can only process the personal data of a Data Principal for lawful purposes that are not expressly prohibited by law and for legitimate uses after duly obtaining the consent of the Data Principal.
Section 5: The Data Fiduciary must give a notice to the Data Principal at or before the time of requesting the consent of the Data Principal. The Data Principal shall be informed of the following:
- Nature of the personal data and the purpose for which the same is required to be processed.
- Manner in which the Data Principal can withdraw the consent given by them to the Data Fiduciary for processing their personal data (Section 6 (4)) and exercise their rights of grievance redressal (Section 13).
- Manner in which a complaint may be made by the Data Principal to the Data Protection Board of India
CONSENT OF DATA PRINCIPAL
Section 6: The consent obtained from the Data Principal ought to be:
The Data Principal's consent ought to signify an agreement to the processing of their personal data for a specific purpose and the use of such personal data must be limited to the specified purpose.
The request for obtaining the consent of the Data Principal for processing their personal data must be presented to them in clear and plain language. The Data Principal should be able to access such a request in English or any other language contained in Schedule 8 of the Constitution of India.
Section 9: In order to process the personal data of a child, the Data Fiduciary ought to obtain the consent of the lawful guardian of the child. The Data Fiduciary should not process any personal data that is likely to have a detrimental effect on the well-being of the child, should not undertake tracking or behavioural monitoring of children or targeted advertising directed at children.
WITHDRAWAL OF CONSENT
Section 6 (6), Section 8 (7)
The Data Principal can withdraw their consent at any time either on their own or through the Consent Manager. Thereafter, it is incumbent on the Data Fiduciary to stop using and processing the personal data of the Data Principal within a reasonable time period except in situations when the law authorises the use of such personal data even after the consent is revoked.
DUTIES OF DATA FIDUCIARY
Section 8, Section 10
- Complying with the provisions of the DPDP Act and any rules made thereunder with respect to the processing of the personal data of the Data Principal undertaken by the Data Fiduciary or by the Data Processor on their behalf
- Ensuring completeness, accuracy and consistency of the personal data of the Data Principal
- Implementing appropriate measures to ensure effective observance of the provisions of DPDP Act
- Protecting the personal data of the Data Principal
- Taking reasonable measures to prevent breach of the personal data of the Data Principal
- In case of breach of such personal data, informing the Data Protection Board of India and the Data Principal in the prescribed manner
- Erasing the personal data of the Data Principal in case they withdraw their consent or the purpose for which the data was being used has been served
- Establishing an effective grievance redressal mechanism
- Publishing business contact information of the Data Protection Officer
- Appointment of Data Protection Officer
- Appointment of an independent Data Auditor
- Undertake periodic Data Protection Impact Assessment
- Undertake periodic audit
DUTIES OF DATA PRINCIPAL
- Complying with all laws that are in force while exercising their rights under the DPDP Act
- Ensuring not to impersonate any other person while divulging their personal information.
- Ensuring not to hide any material information.
- Ensuring not to file any false or frivolous complaint with the Data Protection Board of India
- Furnishing authentic information while sharing their personal data
RIGHTS OF DATA PRINCIPAL
- Section 11: The Data Principal has the right to access various kinds of information about their personal data, such as a summary of the personal data, processing activities undertaken by the Data Fiduciary, information regarding other Data Fiduciaries or Data Processors with whom the personal data has been shared, a description of the personal data that has been shared and any other information relating to their personal data.
- Section 12: The Data Principal has the right to request the Data Fiduciary to erase, correct, complete or update the personal data of the Data Principal.
- Section 13: The Data Principal has the right of grievance redressal.
- Section 14: The Data Principal has the right to nominate any other person as a Data Principal in the event of their death or in case of incapacity of the Data Principal.
DATA PROTECTION BOARD OF INDIA
Section 27, Section 28
- The powers of the Data Protection Board of India shall be akin to those of a civil court under the Code of Civil Procedure, 1908 with respect to summoning any person, enforcing their attendance, examining them on oath, receiving evidence, inspecting any data, document, books etc.
- The Data Protection Board of India shall be an independent body functioning as a digital office that will receive complaints, hear and pronounce decisions, adopt prescribed techno-legal measures etc.
- When a complaint is intimated to the Data Protection Board of India, it shall first determine whether there are sufficient grounds to proceed with an inquiry that adheres to the principles of natural justice. In case of insufficient grounds, the proceedings shall be closed.
- In case of breach of personal data of the Data Principal, the Data Protection Board of India shall direct remedial and mitigating measures and impose penalty as prescribed by the DPDP Act.
Any person aggrieved by the order of the Data Protection Board of India can prefer an appeal to the Appellate Tribunal within 60 days from the date on which the order or direction was received along with prescribed fees.
ALTERNATE DISPUTE RESOLUTION
If the Data Protection Board of India believes that a complaint can be mediated, it can direct the parties to resolve their dispute through mediation.
https://www.meity.gov.in/writereaddata/files/Digital%20Personal%20Data%20Protection%20Act%202023.pdf (last visited on 24 August 2023)