Draft Digital Personal Data Protection Rules, 2025 | Current Affairs | Vision IAS

Draft Digital Personal Data Protection Rules, 2025

Posted 22 Feb 2025

Updated 27 Feb 2025


Why in the News?

The Ministry of Electronics and Information Technology (MeitY) released the draft Digital Personal Data Protection Rules, 2025 to facilitate implementation of the Digital Personal Data Protection Act, 2023 (DPDP Act).

Brief Background of DPDP Act, 2023

  • Supreme Court's K S Puttaswamy judgment (2017) recognized right to privacy as a fundamental right under Article 21 and directed the government to establish a robust data protection regime.
  • In 2017, Justice B.N. Srikrishna Committee examined data protection issues. Based on its recommendations, the Personal Data Protection Bill, 2019 was introduced, which was later withdrawn.
  • MeitY released a draft of the DPDP Bill 2022 for public consultations, which later became the DPDP Act 2023. 

Digital Personal Data Protection Act, 2023

  • Primary objective of Act is to establish a comprehensive framework for Protection and Processing of Personal Data. 
  • It protects digital personal data (means personal data in digital form) by providing for: 
    • The obligations of Data Fiduciaries (that is, persons, companies and government entities who process data) for data processing;
    • The rights and duties of Data Principals (that is, the person to whom the data relates); 
    • Consent manager i.e., Person or entity that is officially registered with Data Protection Board of India (DPBI).
      • It provides a transparent and interoperable platform to enable data principals to give, review, and withdraw their consent.
    • Financial penalties for breach of rights, duties, and obligations.

Key Provisions of Digital Personal Data Protection Act, 2023

Specifications

Detail

Applicability

  • Processing of digital personal data within India where such data is collected:
    • In digital form or
    • In non-digital form and digitized subsequently. 
  • Processing of personal data outside India if it is for offering goods or services in India. 
  • Does not apply to: 
    • Personal data processed for any personal purpose.
    • Personal data that is made or caused to be made publicly available by:
      • Data Principal to whom such personal data relates; or 
      • any other person under legal obligation to make such personal data publicly available

Consent

  • Personal data may be processed only for a lawful purpose after obtaining the consent of the Data Principal (who shall have the right to withdraw consent at any time). 
    • Consent will not be required for 'legitimate uses' including the provision of benefits or services by the government, medical emergency etc. 
  • For a child or a person with a disability, consent will be provided by the parent or legal guardian.

Data Protection Board of India (DPBI)

  • Provides for the establishment of DPBI by the Central government.
  • Key functions of the Board:
    • Monitoring compliance and imposing penalties. 
    • Directing data fiduciaries to take necessary measures in event of a data breach. 
    • Hearing grievances made by affected persons. 
  • Board members will be appointed for two years and will be eligible for re-appointment. 
  • Appeals against decisions will lie with Telecom Disputes Settlement and Appellate Tribunal.

Rights and Duties of Data Principal

  • Data principal will have the right to
    • Obtain information about processing. 
    • Seek correction and erasure of personal data.
    • Grievance redressal.
    • Right to nominate a person to exercise rights in case of death or incapacity.
  • Data principals must not register a false or frivolous complaint or furnish any false particulars.
  • Violation of duties will be punishable with a penalty of up to Rs 10,000.

Obligations of Data Fiduciaries

  • Data Fiduciary (Entity determining the purpose and means of processing) must
    • Ensure the accuracy and completeness of data. 
    • Build reasonable security safeguards to prevent a data breach. 
    • Inform DPBI and affected persons in the event of a breach. 
    • Erase personal data as soon as the purpose has been met and retention is not necessary for legal purposes.

Significant Data Fiduciaries (SDF)

  • Central Government may notify any Data Fiduciary as SDF, based on factors such as:
    • Volume and sensitivity of personal data processed, Risk to the rights of data principal
    • Potential impact on sovereignty and integrity of India
    • Security of the State, Risk to electoral democracy and Public order
  • SDF will have certain additional obligations including appointing a data protection officer and an independent data auditor and undertaking impact assessment.

Parental Consent

  • Under Section 9 of the DPDP Act, 2023, data fiduciaries must obtain verifiable consent from parents or legal guardians before processing children's data.
    • The Act also bans harmful data processing and ad targeting for children (Age below 18).

Exemptions

  • Rights of the data principal and obligations of data fiduciaries (except data security) will not apply in specified cases, including: 
    • For notified agencies, in the interest of security, sovereignty, public order, etc.; 
    • For research, archiving or statistical purposes; 
    • For start-ups or other notified categories of Data Fiduciaries; 
    • To enforce legal rights and claims;
    • Prevention and investigation of offences;
    • To perform judicial or regulatory functions; 
    • To process in India personal data of non-residents under foreign contract. 
  • Central government may exempt certain activities in the interest of the security and public order.

Issues of DPDP Act:

  • Violate Fundamental Rights: Exemptions for State may lead to data collection, processing, and retention beyond what is necessary and may violate fundamental right to privacy.
  • Missing Rights: Act omits the right to data portability and the right to be forgotten (limiting online disclosure of personal data). 
    • Data portability allows data principals to obtain and transfer their data from data fiduciary for their own use.
  • Cross-Border Data Transfer: The Act allows unrestricted data transfer, with the government only restricting certain countries. 
  • State Exemptions and Privacy Risks: Act grants broad exemptions to State, allowing unchecked data processing that may violate privacy rights. 
  • Lack of Harm Regulation: Act does not address risks like identity theft, financial loss, or discrimination arising from data processing. 
  • Data Protection Board Independence: A two-year term with reappointment for Board members may impact independence, increasing executive influence. Other regulators like SEBI and CCI have five-year terms.

Way Forward

  • Adopt Global Best Practices: Draw from international models like the EU-US Data Privacy Framework to enable secure cross-border data flows.
  • Encourage Bilateral Agreements: Facilitate secure data transfers through international agreements, avoiding rigid isolationist mandates.
  • Regulatory Adaptability: Continuously update frameworks to address emerging privacy risks and evolving technologies.
    • Dedicated Task Force: Establish an AI-Privacy task force to identify risks and co-create adaptive regulatory measures.
  • Clear definition: Terms like sovereignty and integrity of India should be clearly defined along with a defined procedure to provide exemption.