CHAPTER IX
EXEMPTIONS
42. Security of the State.
(1) Processing of personal data in the interests of the security of the State shall not be permitted unless it is authorised pursuant to a law, and is in accordance with the procedure established by such law, made by Parliament and is necessary for, and proportionate to, such interests being achieved.
(2) Any processing authorised by a law referred to in sub-section (1) shall be exempted from the following provisions of the Act
(a) Chapter II, except section 4;
(b) Chapter III;
(c) Chapter IV;
(d) Chapter V;
(e) Chapter VI;
(f) Chapter VII, except section 31; and
(g) Chapter VIII.
43. Prevention, detection, investigation and prosecution of contraventions of law.
(1) Processing of personal data in the interests of prevention, detection, investigation and prosecution of any offence or any other contravention of law shall not be permitted unless it is authorised by a law made by Parliament and State Legislature and is necessary for, and proportionate to, such interests being achieved.
(2) Any processing authorised by law referred to in sub-section (1) shall be exempted from the following provisions of the Act
(a) Chapter II, except section 4;
(b) Chapter III;
(c) Chapter IV;
(d) Chapter V;
(e) Chapter VI;
(f) Chapter VII except section 31; and
(g) Chapter VIII.
(3) Sub-section (1) shall apply in relation to processing of personal data of a data principal who is a victim, witness, or any person with information about the relevant offence or contravention only if processing in compliance with the provisions of this law would be prejudicial to the prevention, detection, investigation or prosecution of any offence or other contravention of law.
(4) Personal data processed under sub-section (1) shall not be retained once the purpose of prevention, detection, investigation or prosecution of any offence or other contravention of law is complete except where such personal data is necessary for the maintenance of any record or database which constitutes a proportionate measure to prevent, detect or investigate or prosecute any offence or class of offences in future.
44. Processing for the purpose of legal proceedings.
(1) Where disclosure of personal data is necessary for enforcing any legal right or claim, seeking any relief, defending any charge,opposing any claim, or obtaining any legal advice from an advocate in any impending legal proceeding such processing shall be exempted from the following provisions of this Act
(a) Chapter II, except section 4;
(b) Chapter III;
(c) Chapter IV;
(d) Chapter V;
(e) Chapter VI; and
(f) Chapter VII, except section 31.
(2) Where processing of personal data by any Court or Tribunal in India is necessary for the exercise of any judicial function, such processing shall be exempted from the following
provisions of this Act(a) Chapter II, except section 4;
(b) Chapter III;
(c) Chapter IV;
(d) Chapter V;
(e) Chapter VI; and
(f) Chapter VII, except section 31.
45. Research, archiving or statistical purposes.
(1) Where processing of personal data is necessary for research, archiving, or statistical purposes, such processing may be exempted from such provisions of this Act as the Authority may specify except section 4, section 31 and section 33.
(2) For the purpose of sub-section (1), the Authority may exempt different categories of research, archiving, or statistical purposes from different provisions of the Act.
(3) Sub-section (1) shall apply only where
(a) compliance with the provisions of this Act will disproportionately divert resources from the purpose referred to in sub-section (1);
(b) the purposes of processing cannot be achieved if the personal data is anonymised;
(c) the data fiduciary has carried out de-identification meeting the standard contained in any code of practice under section 61, where the purpose of processing can be achieved if the personal data is in a de-identified form;
(d) personal data will not be used to take any decision specific to or action directed specifically towards the data principal; and
(e) personal data will not be processed in a manner that gives rise to a risk of significant harm to the data principal.
46. Personal or domestic purposes.
(1) Personal data processed by a natural person in the course of a purely personal or domestic purpose, shall be exempted from the following provisions of this Act
(a) Chapter II, except section 4;
(b) Chapter III;
(c) Chapter IV;
d) Chapter V;
e) Chapter VI;
(f) Chapter VII; and
(g) Chapter VIII.
(2) Sub-section (1) shall not apply where the relevant processing
(a) involves disclosure to the public; or
(b) is undertaken in connection with any professional or commercial activity.
47. Journalistic purposes.
(1) Where the processing of personal data is necessary for or relevant to a journalistic purpose, the following provisions of the Act shall not apply
(a) Chapter II, except section 4;
(b) Chapter III;
(c) Chapter IV;
(d) Chapter V;
(e) Chapter VI;
(f) Chapter VII except section 31; and
(g) Chapter VIII.
(2) Sub-section (1) shall apply only where it can be demonstrated that the processing is in compliance with any code of ethics issued by
(a) the Press Council of India, or
(b) any media self-regulatory organisation
48. Manual processing by small entities.
(1) Subject to any law for the time being in force, where personal data is processed through means other than automated means by a small entity, the following provisions of the Act shall not apply
(a) Sections 8, 9 and 10 in Chapter II;
(b) Clause
(c) of sub-section (1) of section 24, and sections 26 and 27 in Chapter VI; and
(d) Section 29 to section 36, and sections 38 and 39 in Chapter VII.
(2) For the purposes of sub-section (1), a small entity shall be any data fiduciary which
(a) did not have a turnover of more than twenty lakh rupees or such other lower amount as may be prescribed by the Central Government in the preceding financial year;
(b) does not collect personal data for the purpose of disclosure to any other individuals or entities, including other data fiduciaries or processors; and
(c) did not process personal data of more than one hundred data principals in any one day in the preceding twelve calendar months.
Explanation: For the purpose of sub-section (2), turnover means the gross amount of revenue recognised in the profit and loss account or any other equivalent statement, as applicable, from the sale, supply or distribution of goods or services or on account of services rendered, or both, by the data fiduciary in the preceding financial year.