|
The Data Protection Bill 2021
(This Bill has since been withdrawn and a new Version is expected to
be presented ) |
Section |
CHAPTER III
GROUNDS FOR PROCESSING OF PERSONAL DATA
WITHOUT CONSENT |
12 |
Grounds for processing of personal data without consent in certain
cases.
Notwithstanding anything contained in section 11, the personal data
may be processed if such processing is necessary,—
(a) for the performance of any function of the State authorised by law,
including for—
(i) the provision of any service or benefit to the data principal from
the State; or (ii) the issuance of any certification, licence or permit for any action
or activity of the data principal by the State;
(b) under any law for the time being in force made by Parliament or any
State Legislature; (***) (c) for compliance with any (***) judgement or order of any court,
quasi-judicial authority or Tribunal in India; (d) to respond to any medical emergency involving a threat to the life
or a severe threat to the health of the data principal or any other
individual; (e) to undertake any measure to provide medical treatment or health
services to any individual during an epidemic, outbreak of disease or any other threat to public health; or (f) to undertake any measure to ensure safety of, or provide assistance
or services to, any individual during any disaster or any breakdown of
public order.
|
13 |
Processing of personal data necessary for purposes related to
employment, etc.
(1)Notwithstanding anything contained in section 11 and subject to
the provisions contained in sub-section (2), any personal data, not
being any sensitive personal data, may be processed, if such processing
is necessary or can reasonably be expected by the data principal for—
(a) recruitment or termination of employment of a data principal by the
data fiduciary; (b) provision of any service to, or benefit sought by, the data
principal who is an employee of the data fiduciary; (c) verifying the attendance of the data principal who is an employee of
the data fiduciary; or (d) any other activity relating to the assessment of the performance of
the data principal who is an employee of the data fiduciary.
(2) Any personal data, not being sensitive personal data, may be
processed under sub-section (1), where the consent of the data principal
is not appropriate having regard to the employment relationship between
the data fiduciary and the data principal, or would involve a
disproportionate effort on the part of the data fiduciary due to the
nature of the processing under the said sub-section.
|
14 |
Processing of personal data for other reasonable purposes.
(1) (***) Notwithstanding anything contained in section 11, the
personal data may be processed (***), if such processing is necessary
for (***) reasonable purposes as may be specified by regulations, after
taking into consideration—
(a) the legitimate interest of the data fiduciary in processing for that
purpose; (b)whether the data fiduciary can reasonably be expected, and it is
practicable to obtain the consent of the data principal; (c) any public interest in processing for that purpose; (d) the degree of any adverse effect of the processing activity on the
rights of the data principal; and (e) the reasonable expectations of the data principal having regard to
the context of the processing. (2) For the purpose of sub-section (1), the expression “reasonable
purposes” may include— (a) prevention and detection of any unlawful activity including fraud; (b) whistle blowing; (c) mergers (***), acquisitions, any other similar combinations or
corporate restructuring transactions in accordance with the provisions
of applicable laws; (d) network and information security; (e) credit scoring; (f) recovery of debt; (g) processing of publicly available personal data; and (h) the operation of search engines. (3) Where the Authority specifies a reasonable purpose under sub-section
(1), it shall— (a) lay down, by regulations, such safeguards as may be appropriate to
ensure the protection of the rights of data principals; and (b) determine where the provision of notice under section 7shallapply or
not apply having regard to the fact whether such provision shall (***)
prejudice the relevant reasonable purpose.
|
15 |
Categorisation of Personal Data as Sensitive Personal data
(1) The Central Government shall, in consultation with the Authority
and the sectoral regulator concerned, notify such categories of personal
data as "Sensitive personal data", having regard to—
(a) the risk of significant harm that may be caused to the data
principal by (***) processing of such category of personal data;
(b)the expectation of confidentiality attached to such category of
personal data;
(c) whether a significantly discernible class of data principals may
suffer significant harm from the processing of such category of personal data; and
(d) the adequacy of protection afforded by ordinary provisions
applicable to the personal data.
(2) The Authority may specify, by regulations, the additional safeguards
or restrictions for the purposes of repeated, continuous or systematic
collection of sensitive personal data for profiling of such personal
data. |