FAQs on the DPDP Act, the DPDP draft Rules, Consent Management, and more
Rights and Duties of a Data Principal
Yes. Every Data Principal has the right to request details of the personal data being processed about them. They can also ask the Data Fiduciary for a summary of that data, information on who it has been shared with, and other relevant details, all in line with the consent they originally provided.
Yes. The right to access applies only where the personal data is being processed on the basis of the individual's consent (including data they provided voluntarily under Section 7(a)). The Data Fiduciary is not required to disclose the identities of recipients where it has shared the data, on a written request, with another Data Fiduciary legally authorized to obtain it, for example for the prevention, detection, or investigation of offences or cyber incidents.
A Data Principal can ask for corrections to any inaccurate or misleading information, complete any missing details, update existing data, and request that their personal data be erased, provided it is not required to be retained for legal or specified purposes.
Significant Data Fiduciaries carry greater accountability. They must appoint a Data Protection Officer based in India and an independent data auditor, conduct periodic Data Protection Impact Assessments (DPIAs) and audits (the draft Rules propose once every twelve months), and ensure fair, transparent data handling. The draft Rules also contemplate restrictions on transferring specified categories of data outside India and additional risk-management measures, reflecting their larger impact on individuals.
Yes. When a Data Principal submits such a request, the Data Fiduciary must make the necessary corrections, add missing details, or update the data as requested, in line with the law.
A Data Principal can submit an erasure request to the concerned Data Fiduciary in the manner prescribed by the Central Government. The Data Fiduciary is required to delete the data unless it needs to be retained for a lawful or specific purpose.
Every Data Principal has the right to use the grievance redressal mechanism provided by the Data Fiduciary or the Consent Manager to raise concerns about data processing or the exercise of their rights.
A Data Fiduciary or Consent Manager is required to address grievances within the timeframe specified by the Central Government under the DPDP Act, 2023.
The DPDP Act allows a Data Principal to nominate another person to exercise their rights under the law in case of their death or incapacity. Incapacity refers to situations where the individual is unable to act due to unsoundness of mind or physical infirmity.
Data Principals must follow applicable laws, avoid impersonating others, not hide or misrepresent important information, and refrain from submitting false grievances. They must also provide verifiable and authentic information when requesting data correction or erasure.
Yes. Data Principals must share only accurate and authentic information, particularly when seeking correction or erasure of personal data. This helps maintain the integrity and reliability of the data being processed.
Obligations of Data Fiduciary
If a personal data breach occurs, the Data Fiduciary must notify both the Data Protection Board and each affected Data Principal, in the form and manner prescribed. The notification should describe the nature, extent and timing of the breach, its likely consequences, and the measures taken to mitigate its impact. The draft Rules propose that affected Data Principals and the Board be informed without delay, with a detailed report to the Board within 72 hours of the Data Fiduciary becoming aware of the breach (or such longer period as the Board allows on request).
A Data Fiduciary is required to delete personal data once the Data Principal withdraws consent or when the data is no longer needed for the purpose it was collected, unless retention is necessary to comply with a law in force. The Data Fiduciary must also ensure that any Data Processor handling the data erases it accordingly.
When personal data is used for decision-making or shared with another Data Fiduciary, the processing Data Fiduciary must ensure that the data is complete, accurate, and consistent to prevent errors or misrepresentation.
A Data Fiduciary may process personal data only for a lawful purpose and either with the Data Principal’s consent or for legitimate uses permitted under the DPDP Act, 2023.
Every consent request must be accompanied or preceded by a clear notice explaining what personal data will be processed, the purpose of processing, how the Data Principal can exercise their rights and withdraw consent, and how they can file a complaint with the Data Protection Board.
Consent must be free, specific, informed, unconditional, and unambiguous. It should be given through a clear affirmative action and must be limited to the personal data necessary for the specified purpose for which it is being collected or processed.
Yes. A Data Principal may withdraw consent at any time. However, the withdrawal does not affect the legality of processing carried out before the withdrawal. The Data Principal will bear any consequences arising from such withdrawal, such as discontinued services that rely on their consent.
Once consent is withdrawn, the Data Fiduciary must stop processing the individual’s personal data within a reasonable timeframe, unless such processing is required or authorized under the DPDP Act, 2023 or any other applicable law.
Significant Data Fiduciaries have enhanced compliance duties. They must appoint a Data Protection Officer (DPO) based in India, appoint an independent data auditor to conduct periodic audits, carry out Data Protection Impact Assessments (DPIAs), and implement any additional safeguards prescribed under the DPDP Act, 2023.
When handling children’s personal data, a Data Fiduciary must obtain verifiable consent from the child’s parent or lawful guardian. They must ensure that data is not processed in any manner that could harm the child’s well-being and must avoid activities such as tracking, behavioral monitoring, or targeted advertising directed at children.
Yes. The Central Government may prescribe specific exemptions for certain classes of Data Fiduciaries or particular processing purposes. Additionally, some obligations may be relaxed for Data Fiduciaries whose processing practices are verified to be safe for children.
Dispute Resolution & Penalties
An aggrieved party can file an appeal with the Appellate Tribunal within 60 days of receiving the Board’s order or direction. The appeal must follow the forms, procedures, and fees prescribed under the Act.
Yes. The Appellate Tribunal may admit a late appeal if it is satisfied that there was a valid reason for the delay.
The Appellate Tribunal can confirm, modify, or set aside the Board’s order after providing all parties involved an opportunity to be heard.
The Appellate Tribunal aims to resolve appeals as quickly as possible, ideally within six months from the date the appeal is filed.
Orders of the Appellate Tribunal are enforceable like a decree of a civil court. The Tribunal can forward its orders to a local civil court for execution if needed.
If the Board believes a complaint can be resolved amicably, it may direct the parties to attempt mediation through a mutually agreed mediator or as permitted under existing laws.
Voluntary undertakings are commitments accepted by the Board from any person, promising to comply with the provisions of the Act. These may include commitments to take specific actions or refrain from certain practices.
Breaching a voluntary undertaking is considered a violation of the Act. In such cases, the Board may initiate penalty proceedings under Section 33, after giving the person an opportunity to be heard.
The Board evaluates several factors, including the severity and duration of the breach, the type of personal data affected, whether the breach is repetitive, any gain or loss resulting from it, efforts made to mitigate its impact, and the financial or operational effect of the penalty on the entity involved.
Yes. Penalties vary depending on the nature and seriousness of the breach. The Schedule to the Act sets the maximum penalty for each type of breach, and the Board decides the actual amount using the factors in Section 33.
While financial penalties are the primary form of enforcement, the Board can also impose corrective measures, such as issuing specific directions or setting compliance conditions for the Data Fiduciary or Consent Manager.
Yes. Repeated breaches are considered an aggravating factor, and the Board may impose more severe penalties for entities that violate the Act multiple times.
When determining penalties, the Board considers whether the violator gained financially or avoided a loss due to the breach. This factor can increase the severity of the penalty imposed.
Penalties are enforceable like a civil court decree. If required, the Appellate Tribunal can forward the order to a local civil court for execution.
Section 39 restricts civil courts from intervening in matters where the Board has authority under the Act. No injunctions can be granted against actions taken under the DPDP Act.
Under Section 40, the Central Government can frame rules to implement the objectives of the Act. These rules may cover various areas, including consent management, obligations of Data Fiduciaries, and procedures for filing appeals.
Yes. Section 42 allows the Central Government to amend the Schedule of penalties. However, any increase in penalties cannot exceed twice the amount specified when the Act was originally enacted.
Cross-Border Data Transfers & Special Cases
Yes. Under Section 16(1), personal data may be transferred to any country or territory outside India except those to which the Central Government has, by notification, restricted transfers. Section 16(2) also preserves any other law that imposes a higher degree of protection or restriction on such transfers.
Yes. Section 17 provides that some provisions of Chapter II, Chapter III, and Section 16 do not apply in certain circumstances, such as legal enforcement, judicial functions, investigation of offences, or specific business processes.
Certain restrictions on cross-border transfers under Section 16 do not apply in specific cases, such as: enforcing legal rights or claims, judicial purposes, investigation or detection of offences, processing non-residents’ data in India under a contract, mergers or amalgamations, or assessing financial information in cases of loan defaults.
Section 17(2) exempts certain government bodies from some provisions of the Act when processing data in the interest of national security, public order, or other areas specified by law.
Yes. Data processing for research, archiving, or statistical purposes is exempt under Section 17(2)(b), provided the data is not used to make decisions about a specific individual and the processing follows prescribed standards.
Yes. Under Section 17(3), the Central Government may notify certain Data Fiduciaries, including startups, as exempt from specific provisions of the Act.
Certain provisions do not apply to processing by the State or its instrumentalities under Section 17(4): the erasure obligations in Sections 8(7) and 12(3) do not apply, and the right to access information under Section 11 does not apply where the personal data is not used to take a decision that affects the Data Principal.
Yes. The Central Government may, by notification, declare that specific provisions of the Act do not apply to certain Data Fiduciaries or classes of Data Fiduciaries for a defined period.
Penalties for breaches under the DPDP Act 2023
The DPDP Act empowers the Data Protection Board to impose penalties on both Data Fiduciaries and Data Principals, depending on the type and severity of the breach.
Major Penalties for Data Fiduciaries:
• Failure to maintain reasonable security safeguards: Up to INR 250 crore for not taking adequate measures to prevent personal data breaches.
Other Penalties for Data Fiduciaries:
• Failure to notify the Board or affected Data Principals of a personal data breach: Up to INR 200 crore.
• Non-compliance with additional obligations related to children’s data: Up to INR 200 crore.
• Violation of obligations of a Significant Data Fiduciary: Up to INR 150 crore.
• Breach of any term of a voluntary undertaking accepted by the Board: up to the penalty applicable to the breach in respect of which the proceedings were instituted.
• Breach of any other provision of the Act or its rules: Up to INR 50 crore.
Penalties for Data Principals:
• Non-compliance with duties of a Data Principal: Up to INR 10,000.
Note: Penalties are determined by the Data Protection Board after considering factors such as the severity and duration of the breach, the type of personal data affected, and the steps taken to mitigate its impact.