The Data Protection Bill sets out general data protection rules to protect the privacy of Indian citizens. The Act also provides for the formation of a Data Protection Board (DPB), which resolves complaints about data breaches.
On August 11th, 2023, the Digital Personal Data Protection Act of India was passed after several years of debates and negotiations, with its publication in the Official Gazette.
The data protection bill will apply to the processing of digital personal data within India where such data is collected online, or collected offline and then digitized. All entities that process personal data, regardless of size or private status, have to follow the data protection law.
Consent Manager means a person registered with the Board, who acts as a single point of contact to enable a Data Principal to give, manage, review and withdraw her consent through an accessible, transparent and interoperable platform
Data Protection Officer means an individual appointed by the Significant Data Fiduciary under the Telecom Disputes Settlement and Appellate Tribunal established under section 14 of the Telecom Regulatory Authority of India Act, 1997
Data Fiduciary means any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data;
Data Processor means any person who processes personal data on behalf of a Data Fiduciary. However, the data fiduciary decides in which manner the data will be processed and the data processor does not have control over the data and has no responsibility related to it.
Personal data breach means any unauthorized processing of personal data or accidental disclosure, acquisition, sharing, use, alteration, destruction or loss of access to personal data, that compromises the confidentiality, integrity or availability of personal data.
Subject to the provisions of the Act, it will –
The data protection act is not applicable to –
Yes, the data fiduciary must give notice to the data principal to use her personal data. Every request for consent under the provisions of this Act or the rules made thereunder must be presented to the Data Principal in a clear and plain language, giving her the option to access such request in English or any language specified in the Eighth Schedule to the Constitution and providing the contact details of a Data Protection Officer, where applicable, or of any other person authorized by the Data Fiduciary to respond to any communication from the Data Principal for the purpose of exercise of her rights under the provisions of this Act.
Yes, every request made to a Data Principal under section 6 for consent must be accompanied or preceded by a notice given by the Data Fiduciary to the Data Principal, informing her,
the personal data and the purpose for which the same is proposed to be processed
the manner in which the Data Principal may make a complaint to the Board, in such manner and as may be prescribed
Yes, the data principal has a right to withdraw her consent at any time, with the ease of doing so being comparable to the ease with which such consent was given. The consequences of the withdrawal referred to in sub-section (4) shall be borne by the Data Principal. Also, such withdrawal will not affect the legality of processing personal data based on consent before its withdrawal.
No, the data fiduciary cannot use the personal data when the data principal withdraws her consent unless such processing without her consent is required or authorized under the provisions of this Act or the rules made thereunder or any other law for the time being in force in India.
The Data Principal can give, manage, review or withdraw her consent to the Data Fiduciary for using her personal data through a Consent Manager.
For notified agencies, in the interest of security, sovereignty, public order, etc.
An independent data auditor is a person certified as a Certified Public Accountant (CPA) or Chartered Accountant (CA). She provides audited financial statements and reports to her clients, and also audits the financial statements and business transactions of firms that are unrelated to her.
Yes, a data principal can file an application with the data fiduciary to update the information.
A grievance redress mechanism is an important part of every administration. No administration can become accountable, responsive and user-friendly without building a redress mechanism. Data fiduciaries have to publish the contact details of the Data Protection Officer or of a person who will answer questions about the processing of personal data. For this, data fiduciaries will have to establish an effective grievance redress mechanism.
Yes, companies have to protect the user's personal data, even if it is stored on a third-party data processor. The company is responsible if the user data is used without the permission of the user. Also, it is liable to pay compensation to the affected person.
Hey there, I'm Dushyant Sharma. With the extensive knowledge I've gained in the past 8 years, I have been creating content on various subjects such as banking, insurance, telecom, and all the important registration and licensing processes for various companies. I'm here to help everyone with my expertise in these areas through my articles.