CHAPTER II
OBLIGATIONS OF DATA FIDUCIARY

5. Grounds for processing digital personal data

A person may process the personal data of a Data Principal only in accordance with the provisions of this Act and for lawful purpose-

(a) for which the data principal has given her consent or

(b) in respect of which the data principal is deemed to have given her consent.

Explanation:- For the purpose of this Act, the term "lawful purpose" means any purpose which is not expressly forbidden by law.

6. Notice

(1) Every request to a Data Principal for consent shall be accompanied or preceded by an itemised notice given by the Data Fiduciary to the Data Principal, in clear and plain language, containing a description of personal data sought to be collected by the Data Fiduciary and the purpose of processing of such personal data

Illustration:

X, an individual, opens a bank account using the mobile app or website of Y, a bank. To complete the know-your-customer (KYC) requirements under law for opening of bank account, X opts for processing of her personal data by Y in a live, video-based customer identification process. Y shall accompany or precede the request for the personal data with an itemised notice to X, describing the personal data and the purpose of its processing

(2) Where a Data Principal has given her consent to the processing of her personal data before the commencement of this Act, the Data Fiduciary shall, as soon as it is reasonably practicable, give to the Data Principal an itemised notice in clear and plain language containing a description of personal data of the Data Principal collected by the Data Fiduciary and the purpose for which such personal data has been processed.

Explanation.—For the purposes of this section, the term—

(a) “notice” can be a separate document, or an electronic form, or a part of the same document in or through which personal data is sought to be collected, or in such other form as may be prescribed; and

(b) “itemised” means presented as a list of individual items.

Illustration:

X, an individual, gave her consent to the processing of her personal data for an online shopping app or website operated by Y, an ecommerce entity, before the commencement of this Act. Upon commencement of the Act, Y shall, as soon as practicable, give through email, in-app notification or other effective method an itemised notice to X, describing the personal data and the purpose of its processing

(3) The Data Fiduciary shall give the Data Principal the option to access the information referred to in sub-sections (1) and (2) in English or any language specified in the Eighth Schedule of the Constitution.

7. Consent

7. (1) Consent of the Data Principal means any freely given, specific, informed and unambiguous indication of her wishes by which she, by a clear affirmative action, signifies agreement to the processing of her personal data, for the specified purpose and limited to such personal data as is necessary for the specified purpose.

Explanation.—For the purpose of this subsection, the term “specified purpose” means the purpose mentioned in the notice given by the Data Fiduciary to the Data Principal in accordance with the provisions of this Act.

Illustration:

X, an individual, downloads Y, a telemedicine app. Y requests the consent of X for (a) the processing of her personal data for making available telemedicine services, and (b) accessing her mobile phone contact list, and X signifies her consent to both. Since phone contact details are not necessary for making available telemedicine services, her consent shall be limited to the processing of her personal data for making available telemedicine services.

(2) Any part of consent referred in sub-section (1) which constitutes an infringement of the provisions of this Act or any other law for the time being in force shall be invalid to the extent of such infringement.

X, an individual, buys an insurance policy using the mobile app or website of Y, an insurer. She gives to Y her consent for (a) the processing of her personal data by Y for the purpose of issuing the policy, and (b) waiving her right to file a complaint to the Data Protection Board of India. Part (b) of the consent, relating to waiver of her right to file a complaint, shall be invalid

(3) Every request for consent under the provisions of this Act shall be presented to the Data Principal in a clear and plain language, along with the contact details of a Data Protection Officer, where applicable, or of any other person authorised by the Data Fiduciary to respond to any communication from the Data Principal for the purpose of exercise of her rights under the provisions of this Act.

The Data Fiduciary shall give to the Data Principal the option to access such request for consent in English or any language specified in the Eighth Schedule to the Constitution of India.

(4) Where consent given by the Data Principal is the basis of processing of personal data, she shall have the right to withdraw her consent at any time, with the ease of doing so being comparable to the ease with which such consent was given

Illustration: ‘A’ enters into a contract with ‘B’ to provide a service ‘X’ to ‘B’. As part of the contract, ‘B’ consents to processing of her personal data by ‘A’. If ‘B’ withdraws her consent to processing of her personal data, ‘A’ may stop offering the service ‘X’ to ‘B’.

(5) The consequences of the withdrawal referred to in sub-section (4) shall be borne by the Data Principal, and such withdrawal shall not affect the lawfulness of processing of the personal data based on consent before its withdrawal.

Illustration: X, an individual, is the user of an online shopping app or website operated by Y, an ecommerce entity. X consents to the processing of her personal data by Y for the purpose of fulfilling her supply order and places an order for supply of a good while making payment for the same. If X withdraws her consent, Y may stop enabling X to use the app or website for placing orders, but may not stop the processing for supply of the goods already ordered and paid for by X.

(6) If a Data Principal withdraws her consent to the processing of personal data under subsection (5), the Data Fiduciary shall, within a reasonable time, cease and cause its Data Processors to cease processing of the personal data of such Data Principal unless such processing without the Data Principal’s consent is required or authorised under the provisions of this Act or any other law for the time being in force in India.

Illustration:

X, a telecom service provider, enters into a contract with Y, a Data Processor, for emailing telephone bills to the customers of X. Z, a customer of X, who had earlier given her consent to X for the processing of her personal data for emailing of bills, downloads the mobile app of X and opts to receive bills only on the app. X shall itself cease, and shall cause Y to cease, the processing of the personal data of Z for emailing bills.

(7) The Data Principal may give, manage, review or withdraw her consent to the Data Fiduciary through a Consent Manager.

Explanation.—For the purposes of this section, a “Consent Manager” is a person who enables a Data Principal to give, manage, review and withdraw her consent through an accessible, transparent and interoperable platform.

(8) The Consent Manager referred to in subsection (7) shall be an entity that is accountable to and acts on behalf of the Data Principal.

(9) Every Consent Manager shall be registered with the Board in such manner and subject to such technical, operational, financial and other conditions as may be prescribed.

(10) Where consent of the Data Principal is the basis of processing of personal data and a question arises in this regard in a proceeding, the Data Fiduciary shall be obliged to prove that it gave notice to the Data Principal and received her consent.

8. Deemed consent

 A Data Principal is deemed to have given consent to processing of her personal data—

(a) for the specified purposes for which the Data Principal has voluntarily provided her personal data to the Data Fiduciary, and in respect of which she has not indicated to the Data Fiduciary that she does not consent to the use of her personal data;

Illustration:

(A): X, an individual, makes a purchase at Y, a pharmacy. She voluntarily provides Y her personal data and requests Y to acknowledge receipt of the payment made for the purchase by sending a message to her mobile phone. X shall be deemed to have given her consent to Y for the processing of her personal data for the purpose of sending the receipt.

(B): X, an individual, messages Y, a real estate broker, requesting Y to help identify a suitable rented accommodation for her and shares her personal data for this purpose. X shall be deemed to have given her consent to Y for the processing her personal data for this purpose and Y may process her personal data to identify and inform her the details of accommodation available on rent. Subsequently, X informs Y that X no longer needs help from Y. Y shall cease to process the personal data of X.

(b) for the performance of any function under any law for the time being in force, or the provision of any service or benefit to the Data Principal, or the issuance of any certificate, licence or permit for any action or activity of the Data Principal, by the State or any instrumentality of the State, subject to standards followed by the State or such instrumentality for related processing being in accordance with the policy issued by the Central Government or any law for the time being in force for governance of such data;

Explanation.—For the purposes of this clause, the term “State” shall have the meaning assigned to it in article 12 of the Constitution.

Illustration:

X, a pregnant woman, enrols herself on an app or website to avail of government’s maternity benefits programme, while consenting to provide her personal data for the purpose of availing of such benefits. X shall be deemed to have given her consent to the processing of her personal data for the purpose of determining her eligibility to receive benefits under any other government programme as well

(c) for compliance with any judgment or order issued under any law for the time being in force in India, or any judgment or order relating to claims of a contractual or civil nature under any law for the time being in force outside India;(4) for responding to a medical emergency involving a threat to the life or immediate threat to the health of the Data Principal or any other individual;

(d) for responding to a medical emergency involving a threat to the life or immediate threat to the health of the Data Principal or any other individual;

(e) for taking measures to provide medical treatment or health services to any individual during an epidemic, outbreak of disease, or any other threat to public health;

(f) for taking measures to ensure safety of, or provide assistance or services to any individual during any disaster, or any breakdown of public order; and

(g) for the purposes of employment or those related to safeguarding the employer from loss or liability, such as prevention of corporate espionage, maintenance of confidentiality of trade secrets, intellectual property, classified information, provision of any service or benefit sought by a Data Principal who is an employee.

(8) in public interest, including for:

(a) prevention and detection of fraud;

(b) mergers, acquisitions, any other similar combinations or corporate restructuring transactions in accordance with the provisions of applicable laws;

(c) network and information security;

(d) credit scoring;

(e) operation of search engines for processing of publicly available personal data;

(f) processing of publicly available personal data; and

(g) recovery of debt;

(9) for any fair and reasonable purpose as may be prescribed after taking into consideration:

a. whether the legitimate interests of the Data Fiduciary in processing for that purpose outweigh any adverse effect on the rights of the Data Principal;

b. any public interest in processing for that purpose; and

 c. the reasonable expectations of the Data Principal having regard to the context of the processing.

9. General Obligations of Data Fiduciary

(1) A Data Fiduciary shall, irrespective of any agreement to the contrary or failure of a Data Principal to carry out the duties specified in this Act, be responsible for complying with the provisions of this Act in respect of any processing undertaken by it or on its behalf by a Data Processor or another Data Fiduciary.

(2) A Data Fiduciary may engage, appoint, use or otherwise involve a Data Processor to process personal data on its behalf for any activity related to offering of goods or services to Data Principals only under a valid contract.

(3) A Data Fiduciary shall ensure that personal data processed by or on behalf of the Data Fiduciary is complete, accurate and consistent.

(4) A Data Fiduciary shall implement appropriate technical and organisational measures to ensure effective observance of the provisions of this Act.

(5) A Data Fiduciary shall protect personal data in its possession or under its control, including in respect of any processing undertaken by it or on its behalf by a Data Processor, by taking reasonable security safeguards to prevent personal data breach.

(6) In the event of a personal data breach, the Data Fiduciary shall give the Board and each affected Data Principal intimation of such breach in such form and manner as may be prescribed.

(7) A Data Fiduciary shall—

(a) erase personal data, upon the Data Principal withdrawing her consent or as soon as it is reasonable to assume that the purpose for which such personal data was collected is no longer being served by its retention and retention is no longer necessary for compliance with any law for the time being in force; and

(b) cause its Data Processor to erase any personal data that was made available by the Data Fiduciary for processing to such Data Processor, upon completion of such processing.

Illustrations:

(A): X, an individual, registers herself on an online marketplace operated by Y, an ecommerce entity. X gives her consent to Y for the processing of her personal data for selling her used car. The online marketplace helps conclude the sale. Y shall no longer retain her personal data.

(B): X, an individual, decides to close her savings account with Y, a bank. Y is required by law applicable to banks to maintain the record of the identity of its clients for a period of 10 years beyond closing of accounts. Since retention is necessary for compliance with law, Y shall retain X’s personal data for the said period

(8) A Data Fiduciary shall publish, in such manner as may be prescribed, the business contact information of a Data Protection Officer, if applicable, or a person who is able to answer on behalf of the Data Fiduciary, the questions, if any, raised by the Data Principal about the processing of her personal data.

(9) A Data Fiduciary shall establish an effective mechanism to redress the grievances of Data Principals.

10. Additional obligations in relation to processing of personal data of children

(1) The Data Fiduciary shall, before processing any personal data of a child, obtain verifiable parental consent in such manner as may be prescribed.

Explanation: For the purpose of this section, “parental consent” includes the consent of lawful guardian, where applicable.

(2) A Data Fiduciary shall not undertake such processing of personal data that is likely to cause harm to a child, as may be prescribed.

Explanation.—For the purposes of this subsection, “harm” means any detrimental effect on the well-being of a child.

(3) A Data Fiduciary shall not undertake tracking or behavioural monitoring of children or targeted advertising directed at children.

(4) The provisions of sub-sections (1) and (3) shall not be applicable to the processing of personal data of a child by such classes of Data Fiduciaries or for such purposes, and subject to such conditions, as may be prescribed.

Explanation.—It is hereby clarified that the classes of Data Fiduciaries shall be such as may be specified while prescribing.

(5) The Central Government may, if satisfied that a Data Fiduciary has ensured that its processing of personal data of children is done in a manner that is verifiably safe, notify for such processing by such Data Fiduciary the age above which that Data Fiduciary shall be exempt from the applicability of all or such of the obligations under sub-sections (1) and (3) in respect of processing by that Data Fiduciary as the notification may specify

11. Additional obligations of Significant Data Fiduciary

11. (1) The Central Government may notify any Data Fiduciary or class of Data Fiduciaries as Significant Data Fiduciary, on the basis of an assessment of such relevant factors as it may determine, including—  

a. the volume and sensitivity of personal data processed;

(b) risk to the rights of Data Principal;

c. potential impact on the sovereignty and integrity of India;

d. risk to electoral democracy;

e. security of the State;

f. public order; and

Explanation.—For the purposes of this subsection, the term “State” shall have the meaning assigned to it in article 12 of the Constitution.

(2) The Significant Data Fiduciary shall:

(a) appoint a Data Protection Officer who shall represent the Significant Data Fiduciary under the provisions of this Act, be based in India and be responsible to the Board of Directors or similar governing body of the Significant Data Fiduciary, and serve as the point of contact for the grievance redressal mechanism under the provisions of this Act;

(b) appoint an Independent Data Auditor who shall evaluate the compliance of the Significant Data Fiduciary with provisions of this Act; and

(c) undertake the following measures, namely:—

(i) periodic Data Protection Impact Assessment, a process comprising the description, purpose, assessment and management of risk to the rights of Data Principals, and such other matters with respect to processing of personal data as may be prescribed;

(ii) periodic audit; and

(iii) such other measures in relation to the purposes of this Act as may be prescribed.