Frequently Asked Questions
Let us answer some questions you might have related to the Digital Personal Data Protection Act, 2023 (DPDPA). If you have additional questions or need further assistance, please don't hesitate to reach out.
1. What is Data as per DPDPA, 2023?
Data is defined as a representation of information, facts, concepts, opinions, or instructions presented in a format that is suitable for communication, interpretation, or processing. This can be done either by human beings or through automated means.
2. What is processing of Personal Data as per DPDPA, 2023?
Processing refers to any wholly or partly automated operation, or a set of operations, performed on digital personal data. This includes activities such as:
1. Collection
2. Recording
3. Organization
4. Structuring
5. Storage
6. Adaptation
7. Retrieval
8. Use
9. Alignment or combination
10. Indexing
11. Sharing
12. Disclosure by transmission
13. Dissemination or otherwise making available
14. Restriction
15. Erasure
16. Destruction
Together, these operations cover how personal data is handled and managed throughout its lifecycle.
3. Under what circumstances can Digital Personal Data be processed?
Digital personal data can be processed on the following grounds:
1. Consent: When the Data Principal (the individual whose data is being processed) has explicitly given their consent for the processing of their data.
2. Legitimate Uses: For certain legitimate purposes as specified under the law, where processing is necessary for specific reasons, such as fulfilling legal obligations or protecting vital interests, even without the explicit consent of the Data Principal.
4. Who is a Significant Data Fiduciary?
A Significant Data Fiduciary is a Data Fiduciary (an entity that processes personal data) that is notified by the Central Government based on an assessment of several relevant factors. These factors include:
1. Volume and sensitivity of personal data processed.
2. Risk to the rights of the Data Principal (individual whose data is being processed).
3. Potential impact on the sovereignty and integrity of India.
4. Risk to electoral democracy.
5. Security of the State.
6. Public order.
The Central Government decides which Data Fiduciaries or class of Data Fiduciaries qualify as "significant" based on these criteria.
5. Who is a Consent Manager?
A Consent Manager is an individual or entity registered with the Data Protection Board. Their role is to serve as a single point of contact that enables a Data Principal (the individual whose data is being processed) to give, manage, review, and withdraw their consent. This is done through an accessible, transparent, and interoperable platform, ensuring that the Data Principal has full control over their personal data consent decisions.
6. What is a Personal Data Breach?
A Personal Data Breach refers to any unauthorized processing of personal data or any accidental disclosure, acquisition, sharing, use, alteration, destruction, or loss of access to personal data. Such events compromise the confidentiality, integrity, or availability of the personal data, potentially putting it at risk.
7. Who is a Data Fiduciary?
A Data Fiduciary is any person or entity who, either alone or in conjunction with others, decides the purpose and means of processing personal data. This includes decisions about how and why personal data is processed.
8. Who is a Data Principal?
A Data Principal is the individual to whom the personal data pertains. If the individual is a child, the term includes the parents or lawful guardian of the child. Similarly, if the individual is a person with a disability, it includes their lawful guardian acting on their behalf.
9. What are the Rights of a Data Principal?
Rights of the Data Principal:
1. Right to Access Information about Personal Data:
Obtain a summary of personal data held by the Data Fiduciary. Know the identities of all other Data Fiduciaries and Data Processors with whom the personal data has been shared, along with a description of the data shared. Receive any other relevant information related to the personal data and its processing.
2. Right to Correction and Erasure of Personal Data:
Request correction, completion, updating, or erasure of personal data for which they have previously given consent. Data Fiduciaries must make necessary changes as directed by the Data Principal.
3. Right of Grievance Redressal:
Have access to easily available means of grievance redressal provided by the Data Fiduciary or Consent Manager.
4. Right to Nominate:
Nominate another individual in case of death or incapacity, to manage their personal data on their behalf.
10. What are the Duties of the Data Principal?
Duties of the Data Principal:
1. Compliance with Applicable Laws: The Data Principal must comply with the provisions of all relevant laws while exercising their rights under the DPDPA, 2023.
2. Avoid Impersonation: The Data Principal must ensure that they do not impersonate another person when providing their personal data.
3. No Suppression of Material Information: The Data Principal must not withhold or suppress any material information when providing their personal data.
4. No False or Frivolous Complaints: The Data Principal must ensure that they do not file false or frivolous grievances or complaints with a Data Fiduciary or the Board.
5. Authenticity of Information: While exercising the right to correction or erasure, the Data Principal must provide only verifiably authentic information.
11. Who is a Data Processor?
A Data Processor is any person or entity that processes personal data on behalf of a Data Fiduciary. The Data Processor manages personal data under the instructions of the Data Fiduciary and does not have control over the purpose or means of processing the data.
12. Who is the Data Protection Officer?
A Data Protection Officer (DPO) is an individual appointed by a Significant Data Fiduciary to oversee data protection activities and ensure compliance with data protection laws and regulations. The DPO is responsible for managing and safeguarding personal data within the organization.
13. What are the Functions of the Data Protection Officer?
Functions of the Data Protection Officer:
1. Representation: The Data Protection Officer (DPO) represents the Significant Data Fiduciary in matters related to data protection.
2. Location: The DPO must be based in India.
3. Accountability: The DPO is directly accountable to the Board of Directors or the equivalent governing body of the Significant Data Fiduciary.
4. Grievance Redressal: The DPO serves as the primary point of contact for the grievance redressal mechanism, acting as the Head of the Digital Office.
14. Which is the Appellate Tribunal of the Data Protection Board of India?
The Appellate Tribunal of the Data Protection Board of India functions as a higher authority to hear appeals against decisions made by the Board. It is modelled after the Telecom Disputes Settlement and Appellate Tribunal (TDSAT), which was set up under Section 14 of the Telecom Regulatory Authority of India Act, 1997. The Appellate Tribunal serves as a quasi-judicial body, and its decisions can be further appealed to the Supreme Court of India.
15. What are the certain legitimate uses for processing personal data?
A Data Fiduciary may process personal data of a Data Principal for any of the following uses:
(a) For the Specified Purpose:
A Data Fiduciary may process personal data for the purpose for which the Data Principal has voluntarily provided it if the Data Principal has not withdrawn their consent for the use of their data.
(b) For State or Instrumentalities to Provide Subsidies, Benefits, Services, etc.:
A Data Fiduciary may process personal data for the State or its instrumentalities to provide subsidies, benefits, services, certificates, licenses, or permits, under the following conditions:
(i) The Data Principal has previously consented to processing their personal data for such purposes.
(ii) The personal data is available in digital form or has been digitized from a database or document maintained by the State or its instrumentalities, and processing follows the standards set by the Central Government or relevant laws.
(c) For Performance of Functions by the State or Instrumentalities:
Data may be processed for functions required under any law in force in India, or for the sovereignty, integrity, or security of India, or the security of the State.
(d) For Legal Obligations:
Data may be processed to fulfil any legal obligation in India, such as disclosing information to the State or its instrumentalities, following laws governing such disclosures.
(e) For Compliance with Judgments or Orders:
Data may be processed to follow judgments or orders issued under any law in India or orders relating to contractual or civil claims outside India.
(f) For Medical Emergencies:
Data can be processed to respond to a medical emergency that threatens the life or immediate health of the Data Principal or another individual.
(g) For Public Health Safety:
Personal data may be processed to provide medical treatment or health services during an epidemic, disease outbreak, or other public health threats.
(h) For Disaster or Public Order:
Data may be processed to ensure safety or aid during disasters or breakdowns of public order.
(i) For Employment-Related Purposes:
Personal data may be processed for employment purposes, such as safeguarding the employer from loss or liability. This includes preventing corporate espionage, maintaining confidentiality of trade secrets, intellectual property, and classified information, or providing services or benefits to employees.
16. Does every company need a Data Protection Officer?
No, only companies that are designated as Significant Data Fiduciaries by law must appoint a Data Protection Officer (DPO).
17. Is the compliance as per DPDPA, 2023 applicable to companies outside India?
Yes, the compliance with the DPDPA, 2023 applies to companies outside India in the following cases:
1. Processing within India: If the processing of digital personal data occurs within the territory of India, where the personal data is collected.
2. Processing outside India: If the processing of digital personal data outside India is related to offering goods or services to Data Principals within the territory of India.
18. What is to be included in a Notice?
A notice must include the following information:
1. Personal Data and Purpose: A clear description of the personal data being processed and the purpose for which it will be processed.
2. Exercise of Rights: An explanation of how Data Principals can exercise their rights related to their personal data.
3. Grievance Redressal: Information on how a complaint can be made to the Data Protection Board.
4. Language Requirement: The notice must be provided in 22 languages, as specified in the 8th Schedule of the Constitution of India, to ensure accessibility for all individuals.
19. What is to be included in a Consent Form?
Key Points on Consent as per the Data Protection Law:
1. Consent must be free, specific, informed, unconditional, and unambiguous: Consent should be given by the Data Principal through a clear affirmative action and must specify the purpose of processing. It should be limited to the data necessary for the specified purpose.
2. Invalid Consent for Infringement: If any part of consent violates the provisions of the Data Protection Act or any other applicable law, that part of the consent is deemed invalid.
3. Clear and Plain Language: Consent requests should be presented in clear, plain language. The request must offer the option to view it in any language specified in the Eighth Schedule of the Constitution. Contact details of the Data Protection Officer (if applicable) or another authorized person must be included to facilitate communication for exercising rights under the Act.
4. Right to Withdraw Consent: Data Principals have the right to withdraw their consent at any time. The process of withdrawal should be as easy as providing consent initially.
5. Consequences of Withdrawal: Withdrawal of consent does not affect the legality of any data processing that occurred prior to the withdrawal.
6. Cessation of Processing upon Withdrawal: Once consent is withdrawn, the Data Fiduciary must stop processing the Data Principal’s personal data, along with any Data Processors involved, within a reasonable time. However, if the data must be processed due to other legal reasons, processing may continue without consent.
20. Can data processing be continued if the consent has been withdrawn?
No, if a Data Principal withdraws their consent for the processing of personal data, the Data Fiduciary must, within a reasonable time, cease processing the personal data. This applies to both the Data Fiduciary and its Data Processors.
However, processing can continue without the Data Principal's consent if it is required or authorized under the provisions of the DPDPA, 2023, other relevant rules, or any applicable law in India.
21. What is Data Protection Board of India?
The Data Protection Board of India (DPB) is a regulatory body tasked with enforcing India's data protection laws under the Digital Personal Data Protection (DPDP) Act, 2023. Its main functions include:
1. Enforcing Data Protection Regulations: The DPB investigates breaches of the DPDP Act and can impose penalties of up to ₹250 Crore for violations.
2. Handling Complaints: The Board addresses complaints from individuals about data breaches or mishandling of personal data by data fiduciaries.
3. Monitoring Compliance: The DPB oversees compliance with the DPDP Act and can instruct data fiduciaries to take corrective actions in response to data breaches.
4. Safeguarding Privacy Rights: The Board ensures that privacy rights are upheld following legal requirements.
The DPB operates digitally to enable quicker resolution of complaints. Its members are appointed by the central government for two-year terms, with the government also defining the number of members and the selection process.
22. What is the Constitution of the Board?
The Data Protection Board of India (DPB) will be composed of:
A Chairperson and a specified number of Members, as decided and notified by the Central Government.
Both the Chairperson and Members must be individuals of high integrity, ability, and standing, with specialized knowledge or significant practical experience in areas such as:
Data governance
Administration and enforcement of laws related to social or consumer protection.
Dispute resolution
Information and communication technology
Digital economy
Law, regulation, or techno-regulation
Any other relevant domain, as considered beneficial by the Central Government.
Furthermore, at least one Member must be an expert in law.
23. What are the Powers and Functions of the Board?
Powers and Functions of the Data Protection Board:
1. Personal Data Breach (Section 8):
Urgent Measures and Inquiry: Upon receiving a notification of a personal data breach, the Board can direct urgent remedial or mitigation measures. It can also investigate the breach and impose penalties as per the law.
2. Complaints and Breaches by Data Fiduciaries:
Inquiries on Complaints: If a Data Principal files a complaint about a personal data breach or a breach by a Data Fiduciary (such as failure to protect personal data or violating the Data Principal’s rights), the Board may investigate and impose penalties according to the Act.
Government or Court Referrals: The Board may act on complaints referred to it by the Central Government, State Government, or as directed by any court to inquire into breaches and impose penalties.
3. Breaches by Consent Managers:
If a Data Principal files a complaint regarding a breach of obligations by a Consent Manager (e.g., mishandling personal data), the Board will investigate and may impose penalties as provided under the Act.
4. Breach of Consent Manager Registration Conditions:
Investigation and Penalty: If there is a breach of any condition of registration of a Consent Manager, the Board may inquire and impose penalties.
5. Breach of Intermediary Provisions:
If the Central Government refers a breach regarding intermediary obligations (under section 37(2)), the Board may investigate the breach and impose penalties.
Additional Powers of the Board:
1. Issuing Directions:
The Board can issue directions to the concerned person after providing an opportunity for hearing and recording reasons. The person is required to comply with these directions.
2. Modifying or Cancelling Directions:
The Board may modify, suspend, withdraw, or cancel any direction it has issued, based on a representation from the affected person or a referral from the Central Government. Any modifications or cancellations come with conditions set by the Board.
These functions ensure that the Board has both investigatory and directive powers to enforce compliance with the provisions of the data protection law.