CHAPTER II

DATA PROTECTION OBLIGATIONS

4. Fair and reasonable processing.—

Any person processing personal data owes a duty to the data principal to process such personal data in a fair and reasonable manner that respects the privacy of the data principal.


5. Purpose limitation.—

(1) Personal data shall be processed only for purposes that are clear, specific and lawful.

(2) Personal data shall be processed only for purposes specified or for any other incidental purpose that the data principal would reasonably expect the personal data to be used for, having regard to the specified purposes, and the context and circumstances in which the personal data was collected.


6. Collection limitation.—

Collection of personal data shall be limited to such data that is necessary for the purposes of processing.


7. Lawful processing.—

(1) Personal data shall be processed only on the basis of one or a combination of grounds of processing in Chapter III.

(2) Sensitive personal data shall be processed only on the basis of one or a combination of grounds of processing in Chapter IV.


8. Notice.—

(1) The data fiduciary shall provide the data principal with the following information, no later than at the time of collection of the personal data or, if the data is not collected from the data principal, as soon as is reasonably practicable—

(a) the purposes for which the personal data is to be processed;

(b) the categories of personal data being collected;

(c) the identity and contact details of the data fiduciary and the contact details of the data protection officer, if applicable;

(d) the right of the data principal to withdraw such consent, and the procedure for such withdrawal, if the personal data is intended to be processed on the basis of consent;

(e) the basis for such processing, and the consequences of the failure to provide such personal data, if the processing of the personal data is based on the grounds in section 12 to section 17, and section 18 to section 22;

(f) the source of such collection, if the personal data is not collected from the data principal;

(g) the individuals or entities including other data fiduciaries or data processors, with whom such personal data may be shared, if applicable;

(h) information regarding any cross-border transfer of the personal data that the data fiduciary intends to carry out, if applicable;

(i) the period for which the personal data will be retained in terms of section 10 or where such period is not known, the criteria for determining such period;

(j) the existence of and procedure for the exercise of data principal rights mentioned in Chapter VI and any related contact details for the same;

(k) the procedure for grievance redressal under section 39;

(l) the existence of a right to file complaints to the Authority;

(m) where applicable, any rating in the form of a data trust score that may be assigned to the data fiduciary under section 35; and

(n) any other information as may be specified by the Authority.

(2) The data fiduciary shall provide the information as required under this section to the data principal in a clear and concise manner that is easily comprehensible to a reasonable person and in multiple languages where necessary and practicable.

(3) Sub-section (1) shall not apply where the provision of notice under this section would substantially prejudice the purpose of processing of personal data under sections 15 or 21 of this Act.


9. Data quality.—

(1) The data fiduciary shall take reasonable steps to ensure that personal data processed is complete, accurate, not misleading and updated, having regard to the purposes for which it is processed.

(2) In considering whether any reasonable step is necessary under sub-section (1), the data fiduciary shall have regard to whether the personal data—

(a) is likely to be used to make a decision about the data principal;

(b) is likely to be disclosed to other individuals or entities including other data fiduciaries or processors; or

(c) is kept in a form that distinguishes personal data based on facts from personal data based on opinions or personal assessments.

(3) Where personal data is disclosed to other individuals or entities, including other data fiduciaries or processors, and the data fiduciary subsequently finds that such data does not comply with sub-section (1), the data fiduciary shall take reasonable steps to notify such individuals or entities of this fact.


10. Data storage limitation.—

(1) The data fiduciary shall retain personal data only as long as may be reasonably necessary to satisfy the purpose for which it is processed.

(2) Notwithstanding sub-section (1), personal data may be retained for a longer period of time if such retention is explicitly mandated, or necessary to comply with any obligation, under a law.

(3) The data fiduciary must undertake periodic review in order to determine whether it is necessary to retain the personal data in its possession.

(4) Where it is not necessary for personal data to be retained by the data fiduciary under sub-sections (1) and (2), then such personal data must be deleted in a manner as may be specified.


11. Accountability.—

(1) The data fiduciary shall be responsible for complying with all obligations set out in this Act in respect of any processing undertaken by it or on its behalf.

(2) The data fiduciary should be able to demonstrate that any processing undertaken by it or on its behalf is in accordance with the provisions of this Act.