CHAPTER V
RIGHTS OF DATA PRINCIPAL
(1) The data principal shall have the right to obtain from the data
fiduciary—
(a) confirmation whether the data fiduciary is processing or has
processed personal data of the data principal;
(b) the personal data of the data principal being processed or that has
been processed by the data fiduciary, or any summary thereof;
(c) a brief summary of processing activities undertaken by the data
fiduciary with respect to the personal data of the data principal,
including any information provided in the notice under section 7 in
relation to such processing.
(2) The data fiduciary shall provide the information under sub-section
(1) to the data principal in a clear and concise manner that is easily
comprehensible to a reasonable person.
(3) The data principal shall have the right to access in one place the
identities of the data fiduciaries with whom his personal data has been
shared by any data fiduciary together with the categories of personal
data shared with them, in such manner as may be specified by
regulations.
18. Right to correction and erasure.
(1) The data principal shall where necessary, having regard to the
purposes for which personal data is being processed, subject to such
conditions and in such manner as may be specified by regulations, have
the right to—
(a) the correction of inaccurate or misleading personal data;
(b) the completion of incomplete personal data;
(c) the updating of personal data that is out-of-date; and
(d) the erasure of personal data which is no longer necessary for the
purpose for which it was processed.
(2) Where the data fiduciary receives a request under sub-section (1),
and the data fiduciary does not agree with such correction, completion,
updation or erasure having regard to the purposes of processing, such
data fiduciary shall provide the data principal with adequate
justification in writing for rejecting the application.
(3) Where the data principal is not satisfied with the justification
provided by the data fiduciary under sub-section (2), the data principal
may require that the data fiduciary take reasonable steps to indicate,
alongside the relevant personal data, that the same is disputed by the
data principal.
(4) Where the data fiduciary corrects, completes, updates or erases any
personal data in accordance with sub-section (1), such data fiduciary
shall also take necessary steps to notify all relevant entities or
individuals to whom such personal data may have been disclosed regarding
the relevant correction, completion, updation or erasure, particularly
where such action may have an impact on the rights and interests of the
data principal or on decisions made regarding them.
19. Right to data portability.
(1) Where the processing has been carried out through automated means,
the data principal shall have the right to—
(a) receive the following personal data in a structured, commonly used
and machine-readable format—
(i) the personal data provided to the data fiduciary;
(ii) the data which has been generated in the course of provision of
services or use of goods by the data fiduciary; or
(iii) the data which forms part of any profile on the data principal, or
which the data fiduciary has otherwise obtained; and
(b) have the personal data referred to in clause (a) transferred to any
other data fiduciary in the format referred to in that clause.
(2) The provisions of sub-section (1) shall not apply where—
(a) processing is necessary for functions of the State or in compliance
of law or order of a court under section 12;
(b) compliance with the request in sub-section (1) would reveal a trade
secret of any data fiduciary or would not be technically feasible.
20. Right to be forgotten.
(1) The data principal shall have the right to restrict or prevent the
continuing disclosure of his personal data by a data fiduciary where
such disclosure—
(a) has served the purpose for which it was collected or is no longer
necessary for the purpose;
(b) was made with the consent of the data principal under section 11 and
such consent has since been withdrawn; or
(c) was made contrary to the provisions of this Act or any other law for
the time being in force.
(2) The rights under sub-section (1) may be enforced only on an order of
the Adjudicating Officer made on an application filed by the data
principal, in such form and manner as may be prescribed, on any of the
grounds specified under clauses (a), (b) or clause (c) of that
sub-section:
Provided that no order shall be made under this sub-section unless it is
shown by the data principal that his right or interest in preventing or
restricting the continued disclosure of his personal data overrides the
right to freedom of speech and expression and the right to information
of any other citizen.
(3) The Adjudicating Officer shall, while making an order under
sub-section (2), having regard to—
(a) the sensitivity of the personal data;
(b) the scale of disclosure and the degree of accessibility sought to be
restricted or prevented;
(c) the role of the data principal in public life;
(d) the relevance of the personal data to the public; and
(e) the nature of the disclosure and of the activities of the data
fiduciary, particularly whether the data fiduciary systematically
facilitates access to personal data and whether the activities shall
be significantly impeded if disclosures of the relevant nature were to
be restricted or prevented.
(4) Where any person finds that personal data, the disclosure of which
has been restricted or prevented by an order of the Adjudicating Officer
under sub-section (2), does not satisfy the conditions referred to in
that sub-section, he may apply for the review of that order to the
Adjudicating Officer in such manner as may be prescribed, and the
Adjudicating Officer shall review his order.
(5) Any person aggrieved by an order made under this section by the
Adjudicating Officer may prefer an appeal to the Appellate Tribunal.
21. General conditions for the exercise of rights in this Chapter.
(1) The data principal, for exercising any right under this Chapter,
except the right under section 20, shall make a request in writing to
the data fiduciary either directly or through a consent manager with the
necessary information as regard to his identity, and the data fiduciary
shall acknowledge the receipt of such request within such period as may
be specified by regulations.
(2) For complying with the request made under sub-section (1), the data
fiduciary may charge such fee as may be specified by regulations:
Provided that no fee shall be required for any request in respect of
rights referred to in clause (a) or (b) of sub-section (1) of section 17
or section 18.
(3) The data fiduciary shall comply with the request under this Chapter
and communicate the same to the data principal, within such period as
may be specified by regulations.
(4) Where any request made under this Chapter is refused by the data
fiduciary, it shall provide the data principal the reasons in writing
for such refusal and shall inform the data principal regarding the right
to file a complaint with the Authority against the refusal, within such
period and in such manner as may be specified by regulations.
(5) The data fiduciary is not obliged to comply with any request under
this Chapter where such compliance shall harm the rights of any other
data principal under this Act.