FAQs on the Digital Personal Data Protection Act, 2023

Key Definitions

FAQ 1. What is the data protection act 2023?

The Data Protection Bill lays down general data protection rules to protect the privacy of Indian citizens. The Act also provides for the formation of a Data Protection Board (DPB), which resolves complaints of data breaches.

FAQ 2. When was the data protection bill enacted?

On August 11th, 2023, the Digital Personal Data Protection Act of India was passed, after several years of debates and negotiations, with its publication in the Official Gazette.

FAQ 3. What is the DPDP bill applicability?

The data protection bill will apply to the processing of digital personal data within India where such data is collected online, offline or is digitized. All entities that process personal data, regardless of size or private status, have to follow the data protection law.

FAQ 4. Who is the consent manager?

Consent Manager means a person registered with the Board, who acts as a single point of contact to enable a Data Principal to give, manage, review and withdraw her consent through an accessible, transparent and interoperable platform.

FAQ 5. Who is a data protection officer?

Data Protection Officer means an individual appointed by the Significant Data Fiduciary under the Telecom Disputes Settlement and Appellate Tribunal established under section 14 of the Telecom Regulatory Authority of India Act, 1997.

FAQ 6. Who are data fiduciaries?

Data Fiduciary means any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data.

FAQ 7. Who are data processors?

Data Processor means any person who processes personal data on behalf of a Data Fiduciary. However, the data fiduciary decides in which manner the data will be processed and the data processor does not have control over the data and has no responsibility related to it.

FAQ 8. What does a personal data breach mean?

Personal data breach means any unauthorized processing of personal data or accidental disclosure, acquisition, sharing, use, alteration, destruction or loss of access to personal data, that compromises the confidentiality, integrity or availability of personal data.

 

Applicability and Non-applicability 

FAQ 9. What is the applicability of the Data Protection Act?

Subject to the provisions of the Act, it will –

FAQ 10. What is the non-applicability of the Data Protection Act?

The data protection act is not applicable to – 

 

Process of Using Personal Data

FAQ 11. How do the data fiduciaries process the personal data?

 

Personal Data Use and Withdrawal Notice

FAQ 12. Is there any requirement to give notice to data principals by data fiduciaries?

Yes, the data fiduciary must give notice to the data principal to use her personal data. Every request for consent under the provisions of this Act or the rules made thereunder must be presented to the Data Principal in a clear and plain language, giving her the option to access such request in English or any language specified in the Eighth Schedule to the Constitution and providing the contact details of a Data Protection Officer, where applicable, or of any other person authorized by the Data Fiduciary to respond to any communication from the Data Principal for the purpose of exercise of her rights under the provisions of this Act.

FAQ 13. Is there any requirement to intimate the data processor for using the personal data of the data principal?

Yes, every request made to a Data Principal under section 6 for consent must be accompanied or preceded by a notice given by the Data Fiduciary to the Data Principal, informing her,

the personal data and the purpose for which the same is proposed to be processed

the manner in which the Data Principal may make a complaint to the Board, in such manner and as may be prescribed

FAQ 14. Do data principals have the right to withdraw their consent for using personal data?

Yes, the data principal has a right to withdraw her consent at any time, with the ease of doing so being comparable to the ease with which such consent was given. The consequences of the withdrawal referred to in sub-section (4) shall be borne by the Data Principal. Also, such withdrawal will not affect the legality of processing personal data based on consent before its withdrawal.

FAQ 15. Can a data fiduciary use the data after the data principal withdraws her consent?

No, the data fiduciary cannot use the personal data when the data principal withdraws her consent unless such processing without her consent is required or authorized under the provisions of this Act or the rules made thereunder or any other law for the time being in force in India.

FAQ 16. Can a data principal withdraw her consent through the consent manager?

The Data Principal can give, manage, review or withdraw her consent to the Data Fiduciary for using her personal data through a Consent Manager.

 

Obligations

FAQ 17. What is the obligation of a consent manager?

FAQ 18. What are the obligations of data fiduciaries?

 

Exemptions

FAQ 19. What are the exemptions in the Data Protection Act?

For notified agencies, in the interest of security, sovereignty, public order, etc.

 

Data Audit

FAQ 20. Who is an independent data auditor?

An independent data auditor is a person certified as a Certified Public Accountant (CPA) or Chartered Accountant (CA). She provides audited financial statements and reports to her clients, and audits the financial statements and business transactions of firms that are unrelated to her.

FAQ 21. Which audit is mandatory for data fiduciaries?

 

Periodic Compliances

FAQ 22. What are the periodic compliances?

FAQ 23. Can a data principal file an application to update personal information?

Yes, a data principal can file an application with the data fiduciary to update the information.

 

Grievance Redressal

FAQ 24. What is the grievance redressal mechanism & its framework in data fiduciaries?

Grievance Redress Mechanism is an important part of every administration. No administration can become accountable, responsive and user-friendly without building a redressal mechanism. Data fiduciaries have to publish the contact details of the Data Protection Officer or a person who will answer the questions about the processing of personal data. For this, data fiduciaries will have to establish an effective grievance redressal mechanism.

FAQ 25. Do companies that deal with user data have to protect the user's personal data even if it is stored with a third-party data processor?

Yes, companies have to protect the user's personal data, even if it is stored with a third-party data processor. The company is responsible if the user data is used without the permission of the user. It is also liable to pay compensation to the affected person.
