Data Fiduciary Obligations

Applicable to all Data Fiduciaries

Notice


When: At the time or before collecting or processing information

Contents:
  • Must be presented to the user
  • Must be clear and easily readable
  • Must be understandable without referring to any other information
  • Must contain
    • adequate details of personal data processed
    • purpose of processing personal data and the goods or services accessed by such processing
    • how the user can exercise their rights
    • a link to how the user can complain to the Board

Grounds for processing


Personal data can be processed only on the basis of:

  • consent of the user
  • certain legitimate uses

Note: purpose of processing must be lawful (i.e. legal)

Obligations of Data Fiduciaries (companies/firms)


A company or firm is responsible for, and must comply with, the following:

  • Responsible for Data Processors complying with the Act.
  • Engage a Data Processor only under a contract
  • Ensure data is complete, accurate and consistent – when disclosing to someone else or taking a major decision about the user
  • Implement Technical and Organisational measures
  • Ensure data is protected from any data breach
  • Give notice to the Board and the user when there is a data breach
  • Lifecycle management of personal data
  • Publish business contact information of Data Protection Officer or a responsible person
  • Implement an effective grievance redressal mechanism

Data Principal (User) Rights


  • Right to access information about personal data
  • Right to correct and erase personal data
  • Right of grievance redressal
  • Right to nominate a person to exercise the rights on behalf of the user

Cross Border Data Transfers


  • No specific requirements
  • Permitted unless restricted by the Union Government
  • Compliance with all provisions of the DPDP Act

Data Lifecycle Management


  • Delete personal data when requested by the user
  • Delete personal data when the user does not approach the Data Fiduciary within a reasonable time frame (some fixed time frames apply)
  • Cause the data processor to delete any personal data too

Handling personal data breach


  • As soon as known, notify the Data Protection Board and all affected users
  • The initial notice must contain:
    • description of the breach
    • consequences to the user
    • measures implemented
    • safety measures the user can take
    • business contact information of a person who can respond to queries
  • Within 72 hours, or any extended time allowed by the Board, provide the following information:
    • updated and detailed information; broad facts and reasons
    • measures to mitigate risk
    • person who caused the breach
    • remedial measures
    • report of the intimation given to the users

Significant Data Fiduciaries

Additional Significant Data Fiduciary Obligations


  • Appoint an India-based Data Protection Officer
  • Appoint an independent data auditor
  • Carry out regular Data Protection Impact Assessment and Audits
  • Carry out due diligence for algorithms
  • Localisation of traffic data if recommended by the Union Government

Restrictions on Children / PwD Data Processing

Additional Restrictions on Processing Children’s Data


  • Obtain verifiable parental consent before processing a child’s data
  • Verify that the parent is an adult
  • No processing that has a detrimental effect on a child (e.g. dark patterns, addictive algorithms)
  • No tracking, behavioural monitoring or targeted advertising directed at children

Additional Restrictions on Processing data of Persons With Disabilities (PwD)


  • Obtain verifiable consent from the guardian of a self-declared Person with Disability (PwD)
  • Verify that the person is validly appointed as the guardian