After years of discussion, confusion, and revisions, the central government has finally introduced the Digital Personal Data Protection Bill 2023, which regulates and protects the personal data digitally collected by companies, governments and individuals for providing any goods or services. Now, these stakeholders will need to follow the updated framework for the collection, maintenance and processing of the digital personal data of the users. The users can give consent and revoke it if they wish to. The question of digital data security has been discussed for a long time in parliament and on the national front in India, while similar laws are already applicable at the global level with the rise in usage of digital services. The Digital Personal Data Protection Act will restore trust in the usage of online services, especially those where the transaction of sensitive personal information is involved.
Useful Terms Used in the DPDP Bill 2023
The Digital Personal Data Protection Act 2023 defines various new terms that have to be understood to properly grasp the provisions of DPDP Bill 2023. Some of the important terms are as follows-
- Consent Manager:- A Consent Manager is a person approved by the Data Protection Board of India. They help a Data Principal easily give, handle, check, and take back their consent using an accessible, transparent and interoperable platform.
- Data Fiduciary:- The Data Fiduciary is the party that determines the purpose and means of processing the collected personal data.
- Data Principal:- The Data Principal is an individual to whom such personal data relates. If the individual is a child or a person with a disability then the lawful guardian of such individual shall be considered the Data Principal.
- Data Processor:- This entity is responsible for processing the personal data collected by the Data Fiduciary. The Data processor acts on behalf of the Data Fiduciaries.
- Data Protection Officer:- The Data Protection Officer is an individual appointed by the Data Fiduciary. It represents the Data Fiduciary for the provisions of this act and is responsible to the board of directors and similar governing body of the Data Fiduciary. The Data Protection Officer acts as the single point of contact to take grievances under this act.
Scope of Digital Personal Data Protection Act 2023
The DPDP Act provides security for personal data when it is transferred to the Data Fiduciary for specific legitimate uses. The entities covered under the definition of person are as follows-
- An individual
- A Hindu Undivided Family
- A Company
- A Firm
- Body of Individuals
- Association of Persons
- The State
- Any artificial juristic person
Limitations on the Processing of Personal Data
The Digital Personal Data Protection Act 2023 allows data processors to process data to a limited extent with certain conditions. Any processing beyond these limitations will be against the provisions of this act. A person can only use someone's personal information as stated in section 4 of the DPDP Act. It prescribes two conditions for the processing of personal data-
- It must be processed only for the purposes agreed upon by the Data Principal.
- It can only be processed for specific legitimate uses.
Certain legitimate use cases are further clarified under section 7 of the Digital Personal Data Protection Bill 2023. As per the provision, the personal data is only allowed to be processed by the Data Fiduciary in the following circumstances-
- For the purposes to which the data principal has given her consent.
- For providing various government services such as subsidies, benefits, certificates, licences, permits etc.
- For the performance of any function by the state under any law in the interest of sovereignty, integrity and security of the state.
- For fulfilling any obligation on any person to disclose any information to the state in accordance with the laws applicable.
- For complying with any judgement, order or decree issued by the court of law under any law for the time being in force.
- For responding to medical emergencies involving a threat to the health of the data principal or any other individual.
- For providing health service to any individual during an epidemic, outbreak of any disease or any other threat to public health.
- For providing services to any individual during a disaster or any breakdown of public order.
- For the purposes of employment or those related to safeguarding the employer from loss or liability where the data principal is an employee.
Obligations of the Data Fiduciary
The Data Fiduciary has to take various measures to ensure the security of data and the safety of the data principal. For this, the Digital Personal Data Protection Act of 2023 prescribes rules for the management of personal data under section 8. The major obligations are as follows-
- He shall comply with the provisions specified in this act.
- When the Data Fiduciary appoints a Data Processor to process the data of the Data Principal for providing them with any goods and services, it has to be under a valid contract only.
- The Data Fiduciary should ensure the completeness, accuracy and consistency of the data when it is being used by other fiduciaries or in decision-making that affects the Data Principal.
- He should ensure the implementation of the DPDP Bill and the rules made thereunder through appropriate technical and organisational measures.
- A Data Fiduciary must ensure the safety of digital personal data using security measures to stop personal data from being accessed or used improperly.
- He should inform the data principal and the board about the breach of personal data as soon as the event takes place.
- If the retention of personal data of the Data Principal is not necessary to comply with any law, the Data Fiduciary and Data Processors should delete such personal data within a reasonable time after the withdrawal of the consent of the Data Principal.
- The Data Fiduciary has to communicate the business contact information of the Data Protection Officer in a reasonable manner and ensure the implementation of effective mechanisms to redress the grievances of the Data Principal.
Right To Access Information About Personal Data
The Data Principal has the right to access the information about her personal data which was submitted to the Data Fiduciary. Section 11 of the Digital Personal Data Protection Bill prescribes that the Data Principal can request the Data Fiduciary to tell her about the data being processed and the processing activities being undertaken on that data. The Data Processor can also ask the Data Fiduciary about the identities of all the Data Fiduciaries and Data Processors who have access to the submitted data, with a description of the data shared with each of these entities separately. It provides control to the Data Principal and also minimises the risk of unwarranted data processing, further ensuring the safety of the data.
Grievance Redressal Under the DPDP Act 2023
Where there are rules, there is a breach, and the situation will be no different for the Digital Personal Data Protection Act. There may be a breach on the part of the Data Fiduciary or of the Data Processor. But you do not need to worry, as the act provides grievance redressal mechanisms under section 13. The Data Fiduciary and Consent Manager are obliged to provide you with a grievance redressal system as per the provisions of this act.
The grievance can be filed by the Data Principal when the Data Fiduciary or the Consent Manager does not fulfil their obligation related to the personal data of the Data Principal. The concerned Data Fiduciary and the Consent Manager need to respond to the grievances submitted by the Data Principal. Only after exhausting the opportunity of redressing the grievance through the means provided by the Data Fiduciary can the Data Principal reach out to the Board and share the grievance for further redressal.
To wrap things up, the Digital Personal Data Protection Act of 2023 provides various preventive and corrective measures to safeguard the digital privacy of citizens. It provides various obligations for the Data Fiduciary and the processors with which they need to comply, and in case of non-compliance, they need to face the consequences under this act. The personal data of the Data Principal cannot be accessed without their consent, and only to the extent the consent is given. There are some exemptions, but in an ideal case, the Data Fiduciary cannot surpass the limitations imposed by the DPDP Act. Even in circumstances where the Data Fiduciary fails to comply with the conditions imposed by the act, the Data Principal can follow the grievance redressal system and get their rights reclaimed.