CHAPTER IV
Special Provisions
16. Processing of personal data outside India
(1) The Central Government may, by notification,
restrict the transfer of personal data by a Data Fiduciary for processing to
such country or territory outside India as may be so notified.
(2) Nothing contained in this section shall restrict the applicability of any law for the time being in force in India that provides for a higher degree of protection for or restriction on transfer of personal data by a Data Fiduciary outside India in relation to any personal data or Data Fiduciary or class thereof.
17. Exemptions
(1) The provisions of Chapter II, except sub-sections (1) and (5) of section 8,
and those of Chapter III and section 16 shall not apply where—
(a) the processing of personal data is necessary for
enforcing any legal right or claim;
(b) the processing of personal data by any court or
tribunal or any other body in India which is entrusted by law with the
performance of any judicial or quasi-judicial or regulatory or supervisory
function, where such processing is necessary for the performance of such
function;
(c) personal data is processed in the interest of
prevention, detection, investigation or prosecution of any offence or
contravention of any law for the time being in force in India;
(d) personal data of Data Principals not within the
territory of India is processed pursuant to any contract entered into with any
person outside the territory of India by any person based in India;
(e) the processing is necessary for a scheme of
compromise or arrangement or merger or amalgamation of two or more companies or
a reconstruction by way of demerger or otherwise of a company, or transfer of
undertaking of one or more company to another company, or involving division of
one or more companies, approved by a court or tribunal or other authority
competent to do so by any law for the time being in force; and
(f) the processing is for the purpose of ascertaining
the financial information and assets and liabilities of any person who has
defaulted in payment due on account of a loan or advance taken from a
financial institution, subject to such processing being in accordance with the
provisions regarding disclosure of information or data in any other law for
the time being in force.
Explanation.—For the purposes of this clause, the
expressions “default” and “financial institution” shall have the meanings
respectively assigned to them in sub-sections (12) and (14) of section 3 of
the Insolvency and Bankruptcy Code, 2016.
Illustration.
X, an individual, takes a loan from Y, a bank. X
defaults in paying her monthly loan repayment instalment on the date on which it
falls due. Y may process the personal data of X for ascertaining her financial
information and assets and liabilities.
(2) The provisions of this Act shall not apply in
respect of the processing of personal data—
(a) by such instrumentality of the State as the Central
Government may notify, in the interests of sovereignty and integrity of India,
security of the State, friendly relations with foreign States, maintenance of
public order or preventing incitement to any cognizable offence relating to any
of these, and the processing by the Central Government of any personal data
that such instrumentality may furnish to it; and
(b) necessary for research, archiving or statistical purposes if the personal
data is not to be used to take any decision specific to a Data Principal and
such processing is carried on in accordance with such standards as may be
prescribed.
(3) The Central Government may, having regard to the
volume and nature of personal data processed, notify certain Data Fiduciaries or
class of Data Fiduciaries, including startups, as Data Fiduciaries to whom the
provisions of section 5, sub-sections (3) and (7) of section 8 and sections 10
and 11 shall not apply.
Explanation.—For the purposes of this
sub-section, the term “startup” means a private limited company or a partnership
firm or a limited liability partnership incorporated in India, which is eligible
to be and is recognised as such in accordance with the criteria and process
notified by the department to which matters relating to startups are allocated
in the Central Government.
(4) In respect of processing by the State or any instrumentality of the State,
the provisions of sub-section (7) of section 8 and sub-section (3) of section 12
and, where such processing is for a purpose that does not include making of a
decision that affects the Data Principal, sub-section (2) of section 12 shall
not apply.
(5) The Central Government may, before expiry of five years from the date of commencement of this Act, by notification, declare that any provision of this Act shall not apply to such Data Fiduciary or classes of Data Fiduciaries for such period as may be specified in the notification.
P.S:
17(1) to be read with:
Section 8(1): (1) A Data Fiduciary shall, irrespective of any agreement to the contrary or failure of a Data Principal to carry out the duties provided under this Act, be responsible for complying with the provisions of this Act and the rules made thereunder in respect of any processing undertaken by it or on its behalf by a Data Processor. ... Not Exempted
Section 8(5): (5) A Data Fiduciary shall protect personal data in its possession or under its control, including in respect of any processing undertaken by it or on its behalf by a Data Processor, by taking reasonable security safeguards to prevent personal data breach. ... Not Exempted
Chapter II: Obligations, Chapter III: Rights, Section 16: Cross Border transfer ... Exempted
17(2) (a) to be read with
Section 8(7):
A Data Fiduciary shall, unless retention is necessary for compliance with any law for the time being in force,—
(a) erase personal data, upon the Data Principal withdrawing her consent or as soon as it is reasonable to assume that the specified purpose is no longer being served, whichever is earlier; and
(b) cause its Data Processor to erase any personal data that was made available by the Data Fiduciary for processing to such Data Processor.
Section 12(3): A Data Principal shall make a request in such manner as may be prescribed to the Data Fiduciary for erasure of her personal data, and upon receipt of such a request, the Data Fiduciary shall erase her personal data unless retention of the same is necessary for the specified purpose or for compliance with any law for the time being in force.
Section 12(2)
(2) A Data Fiduciary shall, upon receiving a request for correction, completion or updating from a Data Principal,—
(a) correct the inaccurate or misleading personal data;
(b) complete the incomplete personal data; and
(c) update the personal data.
17(3) to be read with
Section 5: Notice
Section 8(3)
(3) Where personal data processed by a Data Fiduciary is likely to be—
(a) used to make a decision that affects the Data Principal; or
(b) disclosed to another Data Fiduciary,
the Data Fiduciary processing such personal data shall ensure its completeness, accuracy and consistency.
Section 8(7)
A Data Fiduciary shall, unless retention is necessary for compliance with any law for the time being in force,—
(a) erase personal data, upon the Data Principal withdrawing her consent or as soon as it is reasonable to assume that the specified purpose is no longer being served, whichever is earlier; and
(b) cause its Data Processor to erase any personal data that was made available by the Data Fiduciary for processing to such Data Processor.
Section 10: Significant Data Fiduciary
Section 11: Right to Access