FAQs on the Digital Personal Data Protection Act, 2023

Key Definitions

FAQ 1. What is the data protection act 2023?

The Data Protection Bill deals with general data protection rules to protect the privacy of Indian citizens. Also, the act allows the formation of a Data Protection Board (DPB) which solves the complaints of data breaches.

FAQ 2. When the data protection bill was enacted?

On August 11th, 2023 the Digital Personal Data Protection Act of India passed after several years of debates, and negotiations, with its publication in the Official Gazette. 

FAQ 3. What is the DPDP bill applicability?

The data protection bill will apply on the processing of digital personal data within India where such data is collected online, offline or is digitized. All entities who process personal data regardless of size or private status have to follow the data protection law. 

FAQ 4. Who is the consent manager?

Consent Manager means a person registered with the Board, who acts as a single point of contact to enable a Data Principal to give, manage, review and withdraw her consent through an accessible, transparent and interoperable platform

FAQ 5. Who is a data protection officer?

Data Protection Officer means an individual appointed by the Significant Data Fiduciary under the Telecom Disputes Settlement and Appellate Tribunal established under section 14 of the Telecom Regulatory Authority of India Act, 1997

FAQ 6. Who are data fiduciaries?

Data Fiduciary means any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data;

FAQ 7. Who are data processors?

Data Processor means any person who processes personal data on behalf of a Data Fiduciary. However, the data fiduciary decides in which manner the data will be processed and the data processor does not have control over the data and has no responsibility related to it.

FAQ 8. What does a personal data breach mean?

Personal data breach means any unauthorized processing of personal data or accidental disclosure, acquisition, sharing, use, alteration, destruction or loss of access to personal data, that compromises the confidentiality, integrity or availability of personal data.

Applicability and Non-applicability 

FAQ 9. What is the applicability of the Data Protection Act?

Subject to the provisions of the Act, it will –

• apply to the processing of digital personal data within the territory of India where the personal data is collected
  • in digital form, or
  • in non-digital form and digitized subsequently,
• also apply to processing of digital personal data outside the territory of India, if such processing is in connection with any activity related to offering of goods or services to Data Principals within the territory of India.

FAQ 10. What is the non-applicability of the Data Protection Act?

The data protection act is not applicable to – 

• personal data processed by an individual for any personal or domestic purpose, and
• personal data that is made or caused to be made publicly available by—
• the Data Principal to whom such personal data relates, or
• any other person who is under an obligation under any law for the time being in force in India to make such personal data publicly available.

Process of Using Personal Data 

FAQ 11. How do the data fiduciaries process the personal data?

• Data fiduciary can process the personal data of a Data Principal only in accordance with the provisions of this Act and for a lawful purpose
  • for which the Data Principal has given her consent; or
  • for certain legitimate uses.
• For the purposes of this section, the expression “lawful purpose” means any purpose which is not expressly forbidden by law.

Personal Data Use and Withdrawl Notice 

FAQ 12. Is there any requirement to give notice to data principals by data fiduciaries?

Yes, the data fiduciary must give notice to the data principal to use her personal data. Every request for consent under the provisions of this Act or the rules made thereunder must be presented to the Data Principal in a clear and plain language, giving her the option to access such request in English or any language specified in the Eighth Schedule to the Constitution and providing the contact details of a Data Protection Officer, where applicable, or of any other person authorized by the Data Fiduciary to respond to any communication from the Data Principal for the purpose of exercise of her rights under the provisions of this Act.

FAQ 13. Is there any requirement to intimate the data processor for using the personal data of the data principal?

Yes, every request made to a Data Principal under section 6 for consent must be accompanied or preceded by a notice given by the Data Fiduciary to the Data Principal, informing her,

the personal data and the purpose for which the same is proposed to be processed

the manner in which the Data Principal may make a complaint to the Board, in such manner and as may be prescribed

FAQ 14. Do data principals have the right to withdraw their consent for using personal data?

Yes, the data principal has a right to withdraw her consent at any time, with the ease of doing so being comparable to the ease with which such consent was given. The consequences of the withdrawal referred to in sub-section (4) shall be borne by the Data Principal. Also, such withdrawal will not affect the legality of processing personal data based on consent before its withdrawal.

FAQ 15. Will a data fiduciary use the data after withdrawing the consent from the data principal?

No, the data fiduciary cannot use the personal data when the data principal withdraws her consent unless such processing without her consent is required or authorized under the provisions of this Act or the rules made thereunder or any other law for the time being in force in India.

FAQ 16. Withdraw the application filed to the consent manager?

The Data Principal can give, manage, review or withdraw her consent to the Data Fiduciary for using her personal data through a Consent Manager.

Obligations

FAQ 17. What is the obligation of a consent manager?

• The Data Principal can give, manage, review or withdraw her consent to the Data Fiduciary through a Consent Manager.
• Accountable to the Data Principal and shall act on her behalf in such manner and subject to such obligations as may be prescribed.
• Every Consent Manager must be registered with the Board in such manner and subject to such technical, operational, financial and other conditions as may be prescribed.
• Where consent given by the Data Principal is the basis of the processing of personal data and a question arises in this regard in a proceeding, the Data Fiduciary must be obliged to prove that a notice was given by her to the Data Principal and consent was given by such Data Principal to the Data Fiduciary in accordance with the provisions of this Act and the rules made thereunder.

FAQ 18. What are the obligations of data fiduciaries?

• To have security safeguards to prevent personal data breaches
• To intimate personal data breaches to the affected Data Principal and the Data Protection Board
• To erase personal data when it is no longer needed for the specified purpose
• To erase personal data upon withdrawal of consent;
• To have in place a grievance redressal system and an officer to respond to queries from Data Principals and
• To fulfill certain additional obligations in respect of Data Fiduciaries notified as Significant Data Fiduciaries, such as appointing a data auditor and conducting periodic Data Protection Impact Assessments to ensure a higher degree of data protection.

Exemptions

FAQ 19. What are the exemptions in the Data Protection Act?

For notified agencies, in the interest of security, sovereignty, public order, etc.

• For research, archiving or statistical purposes.
• For startups or other notified categories of Data Fiduciaries.
• To enforce legal rights and claims.
• To perform judicial or regulatory functions.
• To prevent, detect, investigate or prosecute offences.
• To process in India the personal data of non-residents under foreign contract.
• For approved mergers, demergers etc. and
• To locate defaulters and their financial assets etc.

Data Audit

FAQ 20. Who is an independent data auditor?

An independent data auditor is a certified person in Certified Public Accountant (CPA) or Chartered Accountant (CA). She provides audited financial statements and reports to their clients. Also, audit the financial statements and business transactions of the firms which are unrelated to them.

FAQ 21. Which audit is mandatory to be done in the data fiduciaries?

• By appointing an independent data auditor to carry out the data audit, who will
• evaluate the compliance of the Significant Data Fiduciary in accordance with the
• provisions of this Act. The periodic Data Protection Impact Assessment is mandatory.

Periodic Compliances

FAQ 22. What are the periodic compliances?

• Periodic Data Protection Impact Assessment, which shall be a process comprising a description of the rights of Data Principals and the purpose of processing their personal data, assessment and management of the risk to the rights of the Data Principals, and such other matters regarding such process as may be prescribed;
• periodic audit, and
• such other measures, consistent with the provisions of this Act, as may be prescribed.

FAQ 23. Can a data principal file an application to update personal information?

Yes, a data principal can file an application to update the information from the data fiduciary.

Grievance Redressal

FAQ 24. What is the grievance redressal mechanism & its framework in data fiduciaries?

Grievance Redress Mechanism is an important part of every administration. No administration can become accountable, responsive and user-friendly without building a redressal mechanism. Data fiduciaries have to publish the contact details of the Data Protection Officer or a person who will answer the questions about the processing of personal data. For this, data fiduciaries will have to establish an effective grievance redressal mechanism.

FAQ 25. Do companies which are dealing with user data will have to protect the user's personal data even if it is stored with a third-party data processor?

Yes, companies have to protect the user's personal data, even if it is stored on a third-party data processor. The company is responsible if the user data is used without the permission of the user. Also, it is liable to pay compensation to the affected person.

Author: Dushyant Sharma

Hey there, I'm Dushyant Sharma. With the extensive knowledge I've gained in past 8 years, I have been creating content on various subjects such as banking, insurance, telecom, and all the important registration and licensing processes for various companies. I'm here to help everyone with my expertise in these areas through my articles.