CHAPTER VI
 

DATA PRINCIPAL RIGHTS

24. Right to confirmation and access. —

(1) The data principal shall have the right to obtain from the data fiduciary

(a) confirmation whether the data fiduciary is processing or has processed personal data of the data principal;

(b) a brief summary of the personal data of the data principal being processed or that has been processed by the data fiduciary;

(c) a brief summary of processing activities undertaken by the data fiduciary with respect to the personal data of the data principal, including any information provided in the notice under section 8 in relation to such processing activities.

(2) The data fiduciary shall provide the information as required under this section to the data principal in a clear and concise manner that is easily comprehensible to a reasonable person.


25. Right to correction, etc.—

(1) Where necessary, having regard to the purposes for which personal data is being processed, the data principal shall have the right to obtain from the data fiduciary processing personal data of the data principal

(a) the correction of inaccurate or misleading personal data;

(b) the completion of incomplete personal data; and

(c) the updating of personal data that is out of date.
 

(2) Where the data fiduciary receives a request under sub-section (1), and the data fiduciary does not agree with the need for such correction, completion or updating having regard to the purposes of processing, the data fiduciary shall provide the data principal with adequate justification in writing for rejecting the application.

(3) Where the data principal is not satisfied with the justification provided by the data fiduciary under sub-section (2), the data principal may require that the data fiduciary take reasonable steps to indicate, alongside the relevant personal data, that the same is disputed by the data principal.

(4) Where the data fiduciary corrects, completes, or updates personal data in accordance with sub-section (1), the data fiduciary shall also take reasonable steps to notify all relevant entities or individuals to whom such personal data may have been disclosed regarding the relevant correction, completion or updating, particularly where such action would have an impact on the rights and interests of the data principal or on decisions made regarding them.


26. Right to Data Portability. —

(1) The data principal shall have the right to—

(a) receive the following personal data related to the data principal in a structured, commonly used and machine-readable format—

(i) which such data principal has provided to the data fiduciary;

(ii) which has been generated in the course of provision of services or use of goods by the data fiduciary ;or

(iii) which forms part of any profile on the data principal, or which the data fiduciary has otherwise obtained.

(b) have the personal data referred to in clause (a) transferred to any other data fiduciary in the format referred to in that clause.

(2) Sub-section (1) shall only apply where the processing has been carried out through automated means, and shall not apply where—

(a) processing is necessary for functions of the State under section 13;

(b) processing is in compliance of law as referred to in section 14; or

(c) compliance with the request in sub-section (1) would reveal a trade secret of any data fiduciary or would not be technically feasible.


27. Right to Be Forgotten. —

(1) The data principal shall have the right to restrict or prevent continuing disclosure of personal data by a data fiduciary related to the data principal where such disclosure

(a) has served the purpose for which it was made or is no longer necessary;

(b) was made on the basis of consent under section 12 and such consent has since been withdrawn; or

(c) was made contrary to the provisions of this Act or any other law made by Parliament or any State Legislature.

(2) Sub-section (1) shall only apply where the Adjudicating Officer under section 68 determines the applicability of clause (a), (b) or (c) of sub-section (1) and that the rights and interests of the data principal in preventing or restricting the continued disclosure of personal data override the right to freedom of speech and expression and the right to information of any citizen.

(3) In determining whether the condition in sub-section (2) is satisfied, the Adjudicating Officer shall have regard to

(a) the sensitivity of the personal data;

(b) the scale of disclosure and the degree of accessibility sought to be restricted or prevented;

(c) the role of the data principal in public life;

(d) the relevance of the personal data to the public; and

(e) the nature of the disclosure and of the activities of the data fiduciary, particularly whether the data fiduciary systematically facilitates access to personal data and whether the activities would be significantly impeded if disclosures of the relevant nature were to be restricted or prevented.

(4) The right under sub-section (1) shall be exercised by filing an application in such form and manner as may be prescribed.

(5) Where any person finds that personal data, the disclosure of which has been restricted or prevented by an order of the Adjudicating Officer under sub-section (2) does not satisfy the conditions referred to in that sub-section any longer, they may apply for the review of that order to the Adjudicating Officer in such manner as may be prescribed, and such Adjudicating Officer shall review her order on the basis of the considerations referred to in sub-section (3).


28. General conditions for the exercise of rights in this Chapter. —

(1) The exercise of any right under this Chapter, except the right under section 27,shall only be on the basis of a request made in writing to the data fiduciary with reasonable information to satisfy the data fiduciary of the identity of the data principal making the request and the data fiduciary shall acknowledge receipt of such request within such period of time as may be specified.

(2) The data fiduciary may charge a reasonable fee to be paid for complying with requests made under this Chapter, except for requests made under clauses (a) and (b) of sub-section (1) of section 24 and section 25 which shall be complied with by the data fiduciary without charging any fee.

(3) The Authority may specify a reasonable time period within which the data fiduciary shall comply with the requests under this Chapter, and such time period shall be communicated to the data principal along with the acknowledgement referred to in sub-section (1).

(4) Where any request made under this Chapter is refused by the data fiduciary, it shall provide the data principal making such request with adequate reasons for such refusal as per the provisions of this Chapter in writing, and shall inform the data principal regarding the right to file a complaint with the Authority against the refusal within such period and in such manner as may be specified.

(5) The data fiduciary is not obliged to comply with any request made under this Chapter where such compliance would harm the rights of any other data principal under this Act.

(6) The manner of exercise of rights under this Chapter shall be in such form as may be provided by law or in the absence of such law, in a reasonable format to be followed by each data fiduciary.