Bhk and Associates

+91-9717416662, +91-9717416663, +91-9717416664, +91-9717416661  | Email: info@bhkna.in

A BRIEF NOTE ON THE DIGITAL PERSONAL DATA PROTECTION ACT, 2023

The Digital Personal Data Protection Act, 2023 (DPDP Act, 2023) was passed by both houses of Parliament and thereafter received the assent of the President of India on August 11, 2023. The DPDP Act, 2023 aims to protect personal data (online or offline) while recognising the need to process personal data for lawful purposes.

The DPDP Act, 2023 is effective from August 11, 2023. It applies to any person who processes (in or outside India) personal data in digital form, or in non-digital form that is subsequently digitised. The DPDP Act, 2023 does not apply to:

  • Personal data processed by an individual for any personal or domestic purpose; or
  • Personal data made publicly available by the data principal (Individual) or under a legal obligation

Key Definitions

1. “Personal Data” means any data about an individual who is identifiable by or in relation to such data
2. “Data Principal (Individual)” is the individual to whom the personal data relates:
  • Where an individual is a child, the term includes the parent or lawful guardian of the child
  • Where an individual is a person with disability, it includes her lawful guardian acting on behalf of such individual
3. “Data Fiduciary (Individual, company and others)” is defined as any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data
4. “Data Processor (Third Party)” is any person who processes personal data on behalf of a data fiduciary

FAQs on DPDP Act, 2023

When can a Data Fiduciary (Company / others) process the Personal Data of an individual?

  • If the data principal has given his / her consent for processing the personal data, and
  • The processing of data should only be for lawful purposes.

How can consent be obtained for the processing of data?

The data fiduciary can obtain the consent of the data principal by issuing a notice. The notice contains:

  • The type of personal data and its purpose of collection
  • Information on his / her right to withdraw consent
  • The process of filing a complaint against the Data Fiduciary to the Data Protection Board (DPB) in case of any breach

Note: Where a Data Principal has given consent before the effective date of the DPDP Act, 2023, the Data Fiduciary shall again need to take consent as given above after the effective date.

When is consent not necessary from the Data Principal?

The Data Fiduciary can use the personal data of the Data Principal without his / her consent for the following reasons:

  • Data Principal has voluntarily provided his / her personal data for specified purposes (personal or domestic nature)
  • Personal Data provided for availing various schemes like subsidies, licences, or permits etc. of the Government
  • To protect the interest of sovereignty and integrity or security of India
  • For compliance with any judgement or court order
  • During medical treatment, medical emergencies, epidemics, and others
  • For the purposes of employment.

When can a Data Principal (individual) withdraw his / her consent?

The Data Principal has the following rights regarding his / her personal data:

  • Right to withdraw his / her consent at any time
  • Right to access information about personal data
  • Right to correct and erase his / her personal data
  • Right of grievance and to nominate.

What are the obligations of Data Fiduciary (Company)?

  • To ensure that a notice has been issued to the Data Principal to obtain her consent
  • To ensure that Free Consent has been obtained before processing the Personal Data
  • To appoint a consent manager to manage the consent of Data Principals
  • To enter into a valid contract with the data processor to process the personal data
  • To implement appropriate technical and organisational measures to ensure effective compliance with the provisions of DPDP Act, 2023
  • To erase personal data at the request of the data principal or as soon as it is reasonable to assume that the specified purpose is no longer being served, whichever is earlier, except when the retention of personal data is necessary for compliance with any law
  • To take reasonable security safeguards to prevent personal data breaches
  • In case of personal data breach, the Data Fiduciary shall give notice to the DPB and each data principal about such breach
  • To ensure the compliance of the notifications of the Government regarding the transfer of personal data for processing to a country or territory outside India.

Way Forward

Steps to be taken to meet the requirements of the DPDP Act, 2023:

  • Evaluate the present practice in your organisation regarding data privacy
  • Prepare / establish a data privacy policy (processing of personal data, notice, consent, data retention) in view of the DPDP Act, 2023
  • Make necessary changes in the Employment Contract in view of the DPDP Act, 2023
  • Make necessary changes in Contract with Data Processor in view of the DPDP Act, 2023
  • Adopt and deploy data privacy technologies suitable for enhancing data protection
  • Communicate and create awareness about the necessary changes in the privacy policies and the requirement of the DPDP Act, 2023.

Penalties

The Data Protection Board (DPB) has the power to impose penalties up to INR 250 Crores for the below non-compliances:

  • Not taking reasonable security safeguards: up to INR 250 Crores
  • Not informing DPB and Data Principal in case of Breach: up to INR 200 Crores
  • Breach in observance of additional obligations of significant data fiduciary: up to INR 150 Crores
  • Breach of any other provisions: up to INR 50 Crores
  • Breach by Data Principal: up to INR 10,000.