CHAPTER III

GROUNDS FOR PROCESSING OF PERSONAL DATA WITHOUT CONSENT

12. Grounds for processing of personal data without consent in certain cases.

Notwithstanding anything contained in section 11, the personal data may be processed if such processing is necessary,—

(a) for the performance of any function of the State authorised by law for—

(i) the provision of any service or benefit to the data principal from the State; or

(ii) the issuance of any certification, licence or permit for any action or activity of the data principal by the State;

(b) under any law for the time being in force made by the Parliament or any State Legislature; or

(c) for compliance with any order or judgment of any Court or Tribunal in India;

(d) to respond to any medical emergency involving a threat to the life or a severe threat to the health of the data principal or any other individual;

(e) to undertake any measure to provide medical treatment or health services to any individual during an epidemic, outbreak of disease or any other threat to public health; or

(f) to undertake any measure to ensure safety of, or provide assistance or services to, any individual during any disaster or any breakdown of public order.


13. Processing of personal data necessary for purposes related to employment, etc.

(1) Notwithstanding anything contained in section 11 and subject to sub-section (2), any personal data, not being any sensitive personal data, may be processed, if such processing is necessary for—

(a) recruitment or termination of employment of a data principal by the data fiduciary;

(b) provision of any service to, or benefit sought by, the data principal who is an employee of the data fiduciary;

(c) verifying the attendance of the data principal who is an employee of the data fiduciary; or

(d) any other activity relating to the assessment of the performance of the data principal who is an employee of the data fiduciary.

(2) Any personal data, not being sensitive personal data, may be processed under sub-section (1), where the consent of the data principal is not appropriate having regard to the employment relationship between the data fiduciary and the data principal, or would involve a disproportionate effort on the part of the data fiduciary due to the nature of the processing under the said sub-section.


14. Processing of personal data for other reasonable purposes.

(1) In addition to the grounds referred to under sections 12 and 13, the personal data may be processed without obtaining consent under section 11, if such processing is necessary for such reasonable purposes as may be specified by regulations, after taking into consideration—

(a) the interest of the data fiduciary in processing for that purpose;

(b) whether the data fiduciary can reasonably be expected to obtain the consent of the data principal;

(c) any public interest in processing for that purpose;

(d) the effect of the processing activity on the rights of the data principal; and

(e) the reasonable expectations of the data principal having regard to the context of the processing.

(2) For the purpose of sub-section (1), the expression "reasonable purposes" may include—

(a) prevention and detection of any unlawful activity including fraud;

(b) whistle blowing;

(c) mergers and acquisitions;

(d) network and information security;

(e) credit scoring;

(f) recovery of debt;

(g) processing of publicly available personal data; and

(h) the operation of search engines.

(3) Where the Authority specifies a reasonable purpose under sub-section (1), it shall—

(a) lay down, by regulations, such safeguards as may be appropriate to ensure the protection of the rights of data principals; and

(b) determine where the provision of notice under section 7 shall apply or not apply having regard to the fact whether such provision shall substantially prejudice the relevant reasonable purpose.


15. Categorisation of personal data as sensitive personal data.

(1) The Central Government shall, in consultation with the Authority and the sectoral regulator concerned, notify such categories of personal data as "sensitive personal data" having regard to—

(a) the risk of significant harm that may be caused to the data principal by the processing of such category of personal data;

(b) the expectation of confidentiality attached to such category of personal data;

(c) whether a significantly discernible class of data principals may suffer significant harm from the processing of such category of personal data; and

(d) the adequacy of protection afforded by ordinary provisions applicable to personal data.

(2) The Authority may specify, by regulations, the additional safeguards or restrictions for the purposes of repeated, continuous or systematic collection of sensitive personal data for profiling of such personal data.