CHAPTER V
Compliance Framework
19. Data Protection Board of India
(1) The Central Government shall, by notification, establish, for the purposes of this Act, a Board to be called the Data Protection Board of India.
The allocation of work, receipt of complaints, formation of groups for hearing, pronouncement of decisions, and other functions of the Board shall be digital by design.
(2) The strength and composition of the Board and the process of selection, terms and conditions of appointment and service, removal of its Chairperson and other Members shall be such as may be prescribed.
(3) The chief executive entrusted with the management of the affairs of the Board shall be such individual as the Central Government may appoint and terms and conditions of her service shall be such as the Central Government may determine.
(4) The Board shall have such other officers and employees, with such terms and conditions of appointment and service, as may be prescribed.
(5) The Chairperson, Members, officers and employees of the Board shall be deemed, when acting or purporting to act in pursuance of provisions of this Act, to be public servants within the meaning of section 21 of the Indian Penal Code.
(6) No suit, prosecution or other legal proceedings shall lie against the Board or its Chairperson, Member, employee or officer for anything which is done or intended to be done in good faith under the provisions of this Act.
20. Functions of the Board
(1) The functions of the Board are:
(a) to determine non-compliance with provisions of this Act and impose penalty under the provisions of this Act; and
(b) to perform such functions as the Central Government may assign to the Board under the provisions of this Act or under any other law by an order published in the Official Gazette.
(2) The Board may, for the discharge of its functions under the provisions of this Act, after giving a person, a reasonable opportunity of being heard and for reasons to be recorded in writing, issue such directions from time to time as it may consider necessary, to such person, who shall be bound to comply with the same.
(3) The Board may, in the event of a personal data breach, direct the Data Fiduciary to adopt any urgent measures to remedy such personal data breach or mitigate any harm caused to Data Principals.
(4) The Board may, on a representation made to it or on its own motion, modify, suspend, withdraw or cancel any direction issued under sub-section (2) and in doing so, may impose such conditions as it may deem fit, subject to which the modification, suspension, withdrawal or cancellation shall have effect.
21. Process to be followed by the Board to ensure compliance with the provisions of the Act
(1) The Board shall function as an independent body and, as far as possible, function as a digital office and employ such techno-legal measures as may be prescribed.
(2) The Board may, on receipt of a complaint made by an affected person or on a reference made to it by the Central Government or a State Government or in compliance with the directions of any court or in case of non-compliance with section 16 of this Act by a Data Principal, take action in accordance with the provisions of this Act.
(3) The Board may authorise conduct of proceedings relating to complaints, by individual Members or groups of Members.
(4) The Board shall first determine whether there are sufficient grounds to proceed with an inquiry.
In case the Board determines that there are insufficient grounds, it may, for reasons recorded in writing, close such proceeding.
(5) In case the Board determines that there are sufficient grounds to proceed with inquiry, it may, for reasons recorded in writing, inquire into the affairs of any person for ascertaining whether such person is complying with or has complied with the provisions of this Act.
(6) The Board shall conduct such inquiry following the principles of natural justice including giving reasonable opportunity of being heard and shall record reasons for its actions during the course of such inquiry.
(7) For the purpose of conduct of inquiry under this section, the Board shall have powers to summon and enforce the attendance of persons, examine them on oath and inspect any data, book, document, register, books of account or any other document.
(8) Inquiry under this section shall be completed at the earliest.
The Board or its officers shall not prevent access to any premises or take into custody any equipment or any item that may adversely affect the day-to-day functioning of a person.
(9) The Board may require the services of any police officer or any officer of the Central Government or a State Government to assist it for the purposes of this section and it shall be the duty of every such officer to comply with such requisition.
(10) During the course of the inquiry if the Board considers it necessary for preventing non-compliance with the provisions of this Act, it may, for reasons to be recorded in writing, issue interim orders after giving the concerned persons a reasonable opportunity of being heard.
(11) On conclusion of the inquiry and after giving the concerned persons a reasonable opportunity of being heard, if the Board determines that non-compliance by a person is not significant, it may, for reasons recorded in writing, close such inquiry. If the Board determines that the non-compliance by the person is significant, it shall proceed in accordance with section 25 of this Act.
(12) At any stage after receipt of a complaint, if the Board determines that the complaint is devoid of merit, it may issue a warning or impose costs on the complainant.
(13) Every person shall be bound by the orders of the Board.
Every order made by the Board shall be enforced by it as if it were a decree made by a Civil Court.
For the purpose of this sub-section, the Board shall have all the powers of a Civil Court as provided in the Code of Civil Procedure, 1908.
22. Review and Appeal
(1) The Board may review its order, acting through a group for hearing larger than the group which held proceedings in a matter under section 21, on a representation made to it, or on its own, and for reasons to be recorded in writing, modify, suspend, withdraw or cancel any order issued under the provisions of this Act and in doing so, may impose such conditions as it may deem fit, subject to which the modification, suspension, withdrawal or cancellation shall have effect.
(2) An appeal against any order of the Board shall lie to the High Court. Every appeal made under this section shall be preferred within a period of sixty days from the date of the order appealed against.
(3) No civil court shall have the jurisdiction to entertain any suit or take any action in respect of any matter under the provisions of this Act and no injunction shall be granted by any court or other authority in respect of any action taken under the provisions of this Act.
23. Alternate Dispute Resolution
If the Board is of the opinion that any complaint may more appropriately be resolved by mediation or other process of dispute resolution, the Board may direct the concerned parties to attempt resolution of the dispute through mediation by a body or group of persons designated by the Board or such other process as the Board may consider fit.
24. Voluntary Undertaking
(1) The Board may accept a voluntary undertaking in respect of any matter related to compliance with provisions of this Act from any person at any stage.
(2) Such voluntary undertaking may include an undertaking to take specified action within a specified time, an undertaking to refrain from taking specified action, and an undertaking to publicize the voluntary undertaking.
(3) The Board may, after accepting the voluntary undertaking and with the agreement of the person who gave the voluntary undertaking vary the terms included in the voluntary undertaking.
Acceptance of the voluntary undertaking by the Board shall constitute a bar on proceedings under the provisions of this Act as regards the contents of the voluntary undertaking, except in cases covered by sub-section (4).
(4) Where a person fails to comply with any term of the voluntary undertaking accepted by the Board, the Board may, after giving such person, a reasonable opportunity of being heard, proceed in accordance with section 25 of this Act.
25. Financial Penalty
(1) If the Board determines on conclusion of an inquiry that non-compliance by a person is significant, it may, after giving the person a reasonable opportunity of being heard, impose such financial penalty as specified in Schedule 1, not exceeding rupees five hundred crore in each instance.
(2) While determining the amount of a financial penalty to be imposed under sub-section (1), the Board shall have regard to the following matters:
(a) the nature, gravity and duration of the non-compliance;
(b) the type and nature of the personal data affected by the non-compliance;
(c) repetitive nature of the non-compliance;
(d) whether the person, as a result of the non-compliance, has realized a gain or avoided any loss;
(e) whether the person took any action to mitigate the effects and consequences of the non-compliance, and the timeliness and effectiveness of that action;
(f) whether the financial penalty to be imposed is proportionate and effective, having regard to achieving compliance and deterring non-compliance with the provisions of this Act; and
(g) the likely impact of the imposition of the financial penalty on the person.