The Data Protection Bill 2021
(This Bill has since been withdrawn and a new version is expected to be presented.)

CHAPTER II
OBLIGATIONS OF DATA FIDUCIARY

Section 4
(***) Processing of personal data.
(***) The processing of personal data (***) by any person (***) shall
be subject to the provisions of this Act and the rules and regulations
made thereunder.

Section 5
Limitation on purpose of processing of personal data.
Every person processing personal data of a data principal shall
process such personal data—
(a) in a fair and reasonable manner and ensure the privacy of the data
principal; and
(b) for the purpose consented to by the data principal or which is
incidental thereto or connected with such purpose or which is for the
purpose of processing of personal data under section 12, and which the
data principal would reasonably expect that such personal data shall be
used for, having regard to the purpose, and in the context and
circumstances in which the personal data was collected.

Section 6
Limitation on collection of personal data.
The personal data shall be collected only to the extent that is
necessary for the purposes of processing of such personal data.

Section 7
Requirement of notice for collection or processing of personal data.
(1) Every data fiduciary shall give to the data principal (***), at
the time of collection of the personal data, or if the data is not
collected from the data principal, as soon as is reasonably practicable,
a notice containing the following information, namely:—
(a) the purposes for which the personal data is to be processed;
(b) the nature and categories of personal data being collected;
(c) the identity and contact details of the data fiduciary and the
contact details of the data protection officer, if applicable;
(d) the right of the data principal to withdraw his consent, and the
procedure for such withdrawal, if the personal data is intended to be
processed on the basis of consent;
(e) the basis for such processing, and the consequences of the failure
to provide such personal data, if the processing of the personal data is
based on the grounds (***) provided in sections 12 to 14;
(f) the source of such collection, if the personal data is not collected
from the data principal;
(g) the individuals or entities including other data fiduciaries or data
processors, with whom such personal data may be shared, if applicable;
(h) the information regarding any cross-border transfer of the personal
data that the data fiduciary intends to carry out, if applicable;
(i) the period for which the personal data shall be retained in terms of
section 9 or where such period is not known, the criteria for
determining such period;
(j) the existence of and procedure for the exercise of rights mentioned
in Chapter V and any related contact details for the same;
(k) the procedure for grievance redressal under section 32;
(l) the existence of a right to file complaints to the Authority;
(m) where applicable, any rating in the form of a data trust score that
may be assigned to the data fiduciary under sub-section (5) of section
29; and
(n) any other information as may be specified by regulations.
(2) The notice referred to in sub-section (1) shall be clear, concise
and easily comprehensible to an (***) individual and in multiple languages
(***) to the extent necessary and practicable.
(3) The provisions of sub-section (1) shall not apply where such notice
(***) prejudices the purpose of processing of personal data under
section 12.

Section 8
Quality of personal data processed.
(1) The data fiduciary shall take necessary steps to ensure that the
personal data processed is complete, accurate, not misleading and
updated, having regard to the purpose for which it is processed.
(2) While taking any steps under sub-section (1), the data fiduciary
shall have regard to whether the personal data—
(a) is likely to be used to make a decision about the data principal;
(b) is likely to be disclosed to other individuals or entities including
other data fiduciaries or processors; or
(c) is kept in a form that distinguishes personal data based on facts
from personal data based on opinions or personal assessments.
(3) Where personal data is disclosed to any other individual or entity,
including other data fiduciary or processor, and the data fiduciary
finds that such data does not comply with the
requirements of sub-section (1), the data fiduciary shall (***) notify
such individual or entity of this fact:
Provided that the provisions of this sub-section shall not apply where
such notice prejudices the purpose of processing of personal data under
section 12.
(4) A data fiduciary may share, transfer or transmit the personal data
to any person as part of any business transaction in such manner as may
be prescribed:
Provided that the provisions of this sub-section shall not apply where
such sharing, transfer or transmission of personal data prejudices the
purpose of processing of personal data under section 12.

Section 9
Restriction on retention of personal data.
(1) The data fiduciary shall not retain any personal data beyond the
period necessary to satisfy the purpose for which it is processed and
shall delete the personal data at the end of (***)such period.
(2) Notwithstanding anything contained in sub-section (1), the personal
data may be retained for a longer period if explicitly consented to by
the data principal, or necessary to comply with any obligation under any
law for the time being in force.
(3) The data fiduciary shall undertake periodic review to determine
whether it is necessary to retain the personal data in its possession.
(4) Where it is not necessary for personal data to be retained by the
data fiduciary under sub-section (1) or sub-section (2), then, such
personal data shall be deleted in such manner as may be specified by
regulations.

Section 10
Accountability of data fiduciary.
The data fiduciary shall be responsible for complying with the
provisions of this Act and the rules and regulations made thereunder in
respect of any processing undertaken by it or on its behalf.

Section 11
Consent necessary for processing of personal data.
(1) The personal data shall not be processed, except on the consent
given by the data principal at the commencement of its processing.
(2) The consent of the data principal shall not be valid, unless such
consent is—
(a) free, having regard to whether it complies with the standard
specified under section 14 of the Indian Contract Act, 1872 (9 of 1872);
(b) informed, having regard to whether the data principal has been
provided with the information required under section 7;
(c) specific, having regard to whether the data principal can determine
the scope of consent in respect of the purpose of processing;
(d) clear, having regard to whether it is indicated through an
affirmative action that is meaningful in a given context; and
(e) capable of being withdrawn, having regard to whether the ease of
such withdrawal is comparable to the ease with which consent may be
given.
(3) In addition to the provisions contained in sub-section (2), the
consent of the data principal in respect of processing of any sensitive
personal data shall be explicitly obtained—
(a) after informing him the purpose of, or operation in, processing
which is likely to cause significant harm to the data principal;
(b) in clear terms without recourse to inference to be drawn either from
conduct (***) or context; and
(c) after giving him the choice of separately consenting to the purposes
of operations in the use of different categories of sensitive personal
data relevant to processing.
(4) The provision of any goods or services or the quality thereof, or
the performance of any contract, or the enjoyment of any legal right or
claim, shall not be—
(i) made conditional on the consent to the processing of any personal
data not necessary for that purpose; and
(ii) denied based on exercise of choice.
(5) The burden of proof that the consent has been given by the data
principal for processing of the personal data under this section shall
be on the data fiduciary.
(6) Where the data principal withdraws his consent from the processing
of any personal data without any valid reason, (***) the consequences
for the (***) same shall be borne by such data principal.