OBLIGATIONS OF DATA FIDUCIARY
5. Grounds for processing digital personal data
A person may process the personal data of a Data Principal only in accordance with the provisions of this Act and Rules made thereunder, for a lawful purpose for which the Data Principal has given or is deemed to have given her consent in accordance with the provisions of this Act. For the purpose of this Act, “lawful purpose” means any purpose which is not expressly forbidden by law.
6. Notice
(1) On or before requesting a Data Principal for her consent, a Data Fiduciary shall give to the Data Principal an itemised notice in clear and plain language containing a description of personal data sought to be collected by the Data Fiduciary and the purpose of processing of such personal data.
(2) Where a Data Principal has given her consent to the processing of her personal data before the commencement of this Act, the Data Fiduciary must give to the Data Principal an itemised notice in clear and plain language containing a description of personal data of the Data Principal collected by the Data Fiduciary and the purpose for which such personal data has been processed, as soon as it is reasonably practicable.
For the purpose of this section: -
(a) “notice” can be a separate document, or an electronic form, or a part of the same document in or through which personal data is sought to be collected, or in such other form as may be prescribed.
(b) “itemised” means presented as a list of individual items.
Illustration: ‘A’ contacts a bank to open a regular savings account. The bank asks ‘A’ to furnish photocopies of proof of address and identity for KYC formalities. Before collecting the photocopies, the bank should give notice to ‘A’ stating that the purpose of obtaining the photocopies is completion of KYC formalities. The notice need not be a separate document. It can be printed on the form used for opening the savings bank account.
(3) The Data Fiduciary shall give the Data Principal the option to access the information referred to in sub-sections (1) and (2) in English or any language specified in the Eighth Schedule to the Constitution of India.
7. Consent
(1) Consent of the Data Principal means any freely given, specific, informed and unambiguous indication of the Data Principal's wishes by which the Data Principal, by a clear affirmative action, signifies agreement to the processing of her personal data for the specified purpose.
For the purpose of this sub-section, “specified purpose” means the purpose mentioned in the notice given by the Data Fiduciary to the Data Principal in accordance with the provisions of this Act.
(2) Any part of consent referred to in sub-section (1) which constitutes an infringement of the provisions of this Act shall be invalid to the extent of such infringement.
Illustration: ‘A’ enters into a contract with ‘B’ to provide a service ‘X’ to ‘B’.
As part of the contract, ‘B’ consents to:
(a) processing of her personal data by ‘A’, and
(b) waiver of her right to file a complaint with the Board under the provisions of this Act.
Part (b) of the consent by which ‘B’ has agreed to waive her right shall be considered invalid.
(3) Every request for consent under the provisions of this Act shall be presented to the Data Principal in a clear and plain language, along with the contact details of a Data Protection Officer, where applicable, or of any other person authorised by the Data Fiduciary to respond to any communication from the Data Principal for the purpose of exercise of her rights under the provisions of this Act.
The Data Fiduciary shall give to the Data Principal the option to access such request for consent in English or any language specified in the Eighth Schedule to the Constitution of India.
(4) Where consent given by the Data Principal is the basis of processing of personal data, the Data Principal shall have the right to withdraw her consent at any time.
The consequences of such withdrawal shall be borne by such Data Principal.
The withdrawal of consent shall not affect the lawfulness of processing of the personal data based on consent before its withdrawal.
The ease of such withdrawal shall be comparable to the ease with which consent may be given.
Illustration: ‘A’ enters into a contract with ‘B’ to provide a service ‘X’ to ‘B’. As part of the contract, ‘B’ consents to processing of her personal data by ‘A’. If ‘B’ withdraws her consent to processing of her personal data, ‘A’ may stop offering the service ‘X’ to ‘B’.
(5) If a Data Principal withdraws her consent to the processing of personal data under sub-section (4), the Data Fiduciary shall, within a reasonable time, cease and cause its Data Processors to cease processing of the personal data of such Data Principal unless such processing without the Data Principal’s consent is required or authorised under the provisions of this Act or any other law.
Illustration: ‘A’ subscribes to an e-mail and SMS-based sales notification service operated by ‘B’. As part of the subscription contract, ‘A’ shares her personal data including mobile number and e-mail ID with ‘B’ which shares it further with ‘C’, a Data Processor for the purpose of sending alerts to ‘A’ via email and SMS.
If ‘A’ withdraws her consent to processing of her personal data, ‘B’ shall stop and cause ‘C’ to stop processing the personal data of ‘A’.
(6) The Data Principal may give, manage, review or withdraw her consent to the Data Fiduciary through a Consent Manager.
For the purpose of this section, a "Consent Manager" is a Data Fiduciary which enables a Data Principal to give, manage, review and withdraw her consent through an accessible, transparent and interoperable platform.
(7) The Consent Manager specified in this section shall be an entity that is accountable to the Data Principal and acts on behalf of the Data Principal.
Every Consent Manager shall be registered with the Board in such manner and subject to such technical, operational, financial and other conditions as may be prescribed.
(8) The performance of any contract already concluded between a Data Fiduciary and a Data Principal shall not be made conditional on the consent to the processing of any personal data not necessary for that purpose.
Illustration: If ‘A’ enters into a contract with ‘B’ to provide a service ‘X’ to ‘B’, then ‘A’ shall not refuse to provide service ‘X’ to ‘B’ on B’s refusal to give consent for collection of additional personal data which is not necessary for the purpose of providing service ‘X’.
(9) Where consent given by the Data Principal is the basis of processing of personal data and a question arises in this regard in a proceeding, the Data Fiduciary shall be obliged to prove that a notice was given by the Data Fiduciary to the Data Principal and consent was given by the Data Principal to the Data Fiduciary in accordance with the provisions of this Act.
8. Deemed consent
A Data Principal is deemed to have given consent to the processing of her personal data if such processing is necessary:
(1) in a situation where the Data Principal voluntarily provides her personal data to the Data Fiduciary and it is reasonably expected that she would provide such personal data;
Illustration: ‘A’ shares her name and mobile number with a Data Fiduciary for the purpose of reserving a table at a restaurant. ‘A’ shall be deemed to have given her consent to the collection of her name and mobile number by the Data Fiduciary for the purpose of confirming the reservation.
(2) for the performance of any function under any law, or the provision of any service or benefit to the Data Principal, or the issuance of any certificate, license, or permit for any action or activity of the Data Principal, by the State or any instrumentality of the State;
Illustration: ‘A’ shares her name, mobile number and bank account number with a government department for direct credit of agricultural income support. ‘A’ shall be deemed to have given her consent to the processing of her name, mobile number and bank account number for the purpose of credit of fertilizer subsidy amount to her bank account.
(3) for compliance with any judgment or order issued under any law;
(4) for responding to a medical emergency involving a threat to the life or immediate threat to the health of the Data Principal or any other individual;
(5) for taking measures to provide medical treatment or health services to any individual during an epidemic, outbreak of disease, or any other threat to public health;
(6) for taking measures to ensure safety of, or provide assistance or services to any individual during any disaster, or any breakdown of public order;
(7) for the purposes related to employment, including prevention of corporate espionage, maintenance of confidentiality of trade secrets, intellectual property, classified information, recruitment, termination of employment, provision of any service or benefit sought by a Data Principal who is an employee, verification of attendance and assessment of performance;
Illustration: ‘A’ shares her biometric data with her employer ‘B’ for the purpose of marking A’s attendance in the biometric attendance system installed at A’s workplace. ‘A’ shall be deemed to have given her consent to the processing of her biometric data for the purpose of verification of her attendance.
(8) in public interest, including for:
(a) prevention and detection of fraud;
(b) mergers, acquisitions, any other similar combinations or corporate restructuring transactions in accordance with the provisions of applicable laws;
(c) network and information security;
(d) credit scoring;
(e) operation of search engines for processing of publicly available personal data;
(f) processing of publicly available personal data; and
(g) recovery of debt;
(9) for any fair and reasonable purpose as may be prescribed after taking into consideration:
(a) whether the legitimate interests of the Data Fiduciary in processing for that purpose outweigh any adverse effect on the rights of the Data Principal;
(b) any public interest in processing for that purpose; and
(c) the reasonable expectations of the Data Principal having regard to the context of the processing.
9. General obligations of Data Fiduciary
(1) A Data Fiduciary shall, irrespective of any agreement to the contrary, or non-compliance by a Data Principal with her duties specified in this Act, be responsible for complying with the provisions of this Act in respect of any processing undertaken by it or on its behalf by a Data Processor or another Data Fiduciary.
(2) A Data Fiduciary shall make reasonable efforts to ensure that personal data processed by or on behalf of the Data Fiduciary is accurate and complete, if the personal data:
(a) is likely to be used by the Data Fiduciary to make a decision that affects the Data Principal to whom the personal data relates; or
(b) is likely to be disclosed by the Data Fiduciary to another Data Fiduciary.
Illustration: ‘A’ has instructed her mobile service provider ‘B’ to mail physical copies of monthly bills to her postal address. Upon a change in her postal address, ‘A’ duly informs ‘B’ of her new postal address and completes necessary KYC formalities. ‘B’ should ensure that the postal address of ‘A’ is updated accurately in its records.
(3) A Data Fiduciary shall implement appropriate technical and organisational measures to ensure effective adherence to the provisions of this Act.
(4) Every Data Fiduciary and Data Processor shall protect personal data in its possession or under its control by taking reasonable security safeguards to prevent personal data breach.
(5) In the event of a personal data breach, the Data Fiduciary or Data Processor as the case may be, shall notify the Board and each affected Data Principal, in such form and manner as may be prescribed.
For the purpose of this section “affected Data Principal” means any Data Principal to whom any personal data affected by a personal data breach relates.
(6) A Data Fiduciary must cease to retain personal data, or remove the means by which the personal data can be associated with particular Data Principals, as soon as it is reasonable to assume that:
(a) the purpose for which such personal data was collected is no longer being served by its retention; and
(b) retention is no longer necessary for legal or business purposes.
Illustration (A): ‘A’ creates an account on ‘X’, a Social Media Platform. As part of the process of creating the account, ‘A’ shares her personal data with ‘X’. After three months, ‘A’ deletes the account. Once ‘A’ deletes the account, ‘X’ must stop retaining the personal data of ‘A’ or remove the means by which the personal data of ‘A’ can be associated with ‘A’.
Illustration (B): ‘A’ opens a savings account with a bank. As part of KYC formalities, ‘A’ shares her personal data with the bank. After six months, ‘A’ closes the savings account with the bank. As per KYC rules, the bank is required to retain personal data for a period beyond six months. In this case, the bank may retain A’s personal data for the period prescribed in the KYC Rules because such retention is necessary for a legal purpose.
(7) Every Data Fiduciary shall publish, in such manner as may be prescribed, the business contact information of a Data Protection Officer, if applicable, or a person who is able to answer on behalf of the Data Fiduciary, the Data Principal’s questions about the processing of her personal data.
(8) Every Data Fiduciary shall have in place a procedure and effective mechanism to redress the grievances of Data Principals.
(9) The Data Fiduciary may, where consent of the Data Principal has been obtained, share, transfer or transmit the personal data to any Data Fiduciary, or engage, appoint, use or involve a Data Processor to process personal data on its behalf, only under a valid contract. Such Data Processor may, if permitted under its contract with the Data Fiduciary, further engage, appoint, use, or involve another Data Processor in processing personal data only under a valid contract.
10. Additional obligations in relation to processing of personal data of children
(1) The Data Fiduciary shall, before processing any personal data of a child, obtain verifiable parental consent in such manner as may be prescribed. For the purpose of this section, “parental consent” includes the consent of lawful guardian, where applicable.
(2) A Data Fiduciary shall not undertake such processing of personal data that is likely to cause harm to a child, as may be prescribed.
(3) A Data Fiduciary shall not undertake tracking or behavioural monitoring of children or targeted advertising directed at children.
(4) The provisions of sub-sections (1) and (3) shall not be applicable to processing of personal data of a child for such purposes, as may be prescribed.
11. Additional obligations of Significant Data Fiduciary
(1) The Central Government may notify any Data Fiduciary or class of Data Fiduciaries as Significant Data Fiduciary, on the basis of an assessment of relevant factors, including:
(a) the volume and sensitivity of personal data processed;
(b) risk of harm to the Data Principal;
(c) potential impact on the sovereignty and integrity of India;
(d) risk to electoral democracy;
(e) security of the State;
(f) public order; and
(g) such other factors as it may consider necessary.
(2) The Significant Data Fiduciary shall:
(a) appoint a Data Protection Officer who shall represent the Significant Data Fiduciary under the provisions of this Act and be based in India. The Data Protection Officer shall be an individual responsible to the Board of Directors or similar governing body of the Significant Data Fiduciary. The Data Protection Officer shall be the point of contact for the grievance redressal mechanism under the provisions of this Act;
(b) appoint an Independent Data Auditor who shall evaluate the compliance of the Significant Data Fiduciary with provisions of this Act; and
(c) undertake such other measures including Data Protection Impact Assessment and periodic audit in relation to the objectives of this Act, as may be prescribed.
For the purpose of this section, “Data Protection Impact Assessment” means a process comprising description, purpose, assessment of harm, measures for managing risk of harm and such other matters with respect to processing of personal data, as may be prescribed.