TRANSPARENCY AND ACCOUNTABILITY MEASURES
22.Privacy by design policy.
(1) Every data fiduciary shall prepare a privacy by design policy, containing—
(a) the managerial, organisational, business practices and
designed to anticipate, identify and avoid harm to the data principal;
(b) the obligations of data fiduciaries;
(c) the technology used in the processing of personal data is in accordance with commercially accepted or certified standards;
(d) the legitimate interests of businesses including any innovation is achieved without compromising privacy interests;
(e) the protection of privacy throughout processing from the point of collection to deletion of personal data;
(f) the processing of personal data in a transparent manner; and
(g) the interest of the data principal is accounted for at every stage of processing of personal data.
(2) Subject to the regulations made by the Authority, the data fiduciary may
submit its privacy by design policy prepared under sub-section (1) to the
Authority for certification within such period and in such manner as may be
specified by regulations.
(3) The Authority, or an officer authorised by it, shall certify the privacy by design policy on being satisfied that it complies with the requirements of sub-section (1).
(4) The privacy by design policy certified under sub-section (3) shall be published on the website of the data fiduciary and the Authority.
23. Transparency in processing of personal data.
(1) Every data fiduciary shall take necessary steps to maintain transparency in processing personal data and shall make the following information available in such form and manner as may be specified by regulations—
(a) the categories of personal data generally collected and the manner of
(b) the purposes for which personal data is generally processed;
(c) any categories of personal data processed in exceptional situations or any exceptional purposes of processing that create a risk of significant harm;
(d) the existence of and the procedure for exercise of rights of data principal under Chapter V and any related contact details for the same;
(e) the right of data principal to file complaint against the data fiduciary to the Authority;
(f) where applicable, any rating in the form of a data trust score that may be accorded to the data fiduciary under sub-section (5) of section 29;
(g) where applicable, information regarding cross-border transfers of personal data that the data fiduciary generally carries out; and
(h) any other information as may be specified by regulations.
(2) The data fiduciary shall notify, from time to time, the important
operations in the processing of personal data related to the data principal
in such manner as may be specified by regulations.
(3) The data principal may give or withdraw his consent to the data fiduciary through a consent manager.
(4) Where the data principal gives or withdraws consent to the data fiduciary through a consent manager, such consent or its withdrawal shall be deemed to have been communicated directly by the data principal.
(5) The consent manager under sub-section (3), shall be registered with the Authority in such manner and subject to such technical, operational, financial and other conditions as may be specified by regulations.
Explanation.—For the purposes of this section, a "consent manager" is a data fiduciary which enables a data principal to gain, withdraw, review and manage his consent through an accessible, transparent and interoperable platform.
24. Security safeguards
(1) Every data fiduciary and the data processor shall, having regard to the nature, scope and purpose of processing personal data, the risks associated with such processing, and the likelihood and severity of the harm that may result from such processing, implement necessary security safeguards, including—
(a) use of methods such as de-identification and encryption;
(b) steps necessary to protect the integrity of personal data; and
(c) steps necessary to prevent misuse, unauthorised access to, modification, disclosure or destruction of personal data.
(2) Every data fiduciary and data processor shall undertake a review of its security safeguards periodically in such manner as may be specified by regulations and take appropriate measures accordingly.
25. Reporting of personal data breach.
(1) Every data fiduciary shall by notice inform the Authority about the breach of any personal data processed by the data fiduciary where such breach is likely to cause harm to any data principal.
(2) The notice referred to in sub-section (1) shall include the following particulars, namely:—
(a) nature of personal data which is the subject-matter of the breach;
number of data principals affected by the breach;
(c) possible consequences of the breach; and
(d) action being taken by the data fiduciary to remedy the breach.
(3) The notice referred to in sub-section (1) shall be made by the data
fiduciary to the
Authority as soon as possible and within such period as may be specified by
regulations, following the breach after accounting for any period that may
be required to adopt any urgent measures to remedy the breach or mitigate
any immediate harm.
(4) Where it is not possible to provide all the information specified in sub-section (2) at the same time, the data fiduciary shall provide such information to the Authority in phases without undue delay.
(5) Upon receipt of a notice, the Authority shall determine whether such breach should be reported by the data fiduciary to the data principal, taking into account the severity of the harm that may be caused to such data principal or whether some action is required on the part of the data principal to mitigate such harm.
(6) The Authority may, in addition to requiring the data fiduciary to report the personal data breach to the data principal under sub-section (5), direct the data fiduciary to take appropriate remedial action as soon as possible and to conspicuously post the details of the personal data breach on its website.
(7) The Authority may, in addition, also post the details of the personal data breach on its website..
26. Classification of data fiduciaries as significant
(1) The Authority shall, having regard to the following factors, notify any data fiduciary or class of data fiduciary as significant data fiduciary, namely:—
(2) The data fiduciary or class of data fiduciary referred to in
sub-section (1) shall register itself with the Authority in such manner
as may be specified by regulations.
(3) Notwithstanding anything in this Act, if the Authority is of the opinion that any processing by any data fiduciary or class of data fiduciary carries a risk of significant harm to any data principal, it may, by notification, apply all or any of the obligations specified in sections 27 to 30 to such data fiduciary or class of data fiduciary as if it is a significant data fiduciary.
(4) Notwithstanding anything contained in this section, any social media intermediary,—
(i) with users above such threshold as may be notified by
Government, in consultation with the Authority; and
(ii) whose actions have, or are likely to have a significant impact on electoral democracy, security of the State, public order or the sovereignty and integrity of India, shall be notified by the Central Government, in consultation with the Authority, as a significant data fiduciary:
Provided that different thresholds may be notified for different classes
of social media
Explanation.—For the purposes of this sub-section, a "social media intermediary" is an intermediary who primarily or solely enables online interaction between two or more users and allows them to create, upload, share, disseminate, modify or access information using its services, but shall not include intermediaries which primarily,—
(a) enable commercial or business oriented transactions;
(b) provide access to the Internet;
(c) in the nature of search-engines, on-line encyclopedias, e-mail services or on- line storage services.
27. Data protection impact assessment.
(1) Where the significant data fiduciary intends to undertake any processing involving new technologies or large scale profiling or use of sensitive personal data such as genetic data or biometric data, or any other processing which carries a risk of significant harm to data principals, such processing shall not be commenced unless the data fiduciary has undertaken a data protection impact assessment in accordance with the provisions of this section.
(2) The Authority may, by regulations specify, such circumstances, or class of data fiduciary, or processing operation where such data protection impact assessment shall be mandatory, and also specify the instances where a data auditor under this Act shall be engaged by the data fiduciary to undertake a data protection impact assessment.
(3) A data protection impact assessment shall, inter alia, contain—
(a) detailed description of the proposed processing operation, the
purpose of processing and the nature of personal data being processed;
(b) assessment of the potential harm that may be caused to the data principals whose personal data is proposed to be processed; and
(c) measures for managing, minimising, mitigating or removing such risk of harm.
(4) Upon completion of the data protection impact assessment, the data
protection officer appointed under sub-section (1) of section 30, shall
review the assessment and submit the assessment with his finding to the
Authority in such manner as may be specified by regulations.
(5) On receipt of the assessment and its review, if the Authority has reason to believe that the processing is likely to cause harm to the data principals, the Authority may direct the data fiduciary to cease such processing or direct that such processing shall be subject to such conditions as the Authority may deem fit.
28. Maintenance of records.
(1) The significant data fiduciary shall maintain accurate and up-to-date records of the following, in such form and manner as may be specified by regulations, namely:—
(a) important operations in the data life-cycle including collection,
transfers, and erasure of personal data to demonstrate compliance as
required under section 10;
(b) periodic review of security safeguards under section 24;
protection impact assessments under section 27; and
(d) any other aspect of processing as may be specified by regulations.
(2) Notwithstanding anything contained in this Act, this section shall
also apply to the State.
(3) Every social media intermediary which is notified as a significant data fiduciary under sub-section (4) of section 26 shall enable the users who register their service from India, or use their services in India, to voluntarily verify their accounts in such manner as may be prescribed.
(4) Any user who voluntarily verifies his account shall be provided with such demonstrable and visible mark of verification, which shall be visible to all users of the service, in such manner as may be prescribed.
29.Audit of policies and conduct of processing,etc.
(1) The significant data fiduciary shall have its policies and the conduct of its processing of personal data audited annually by an independent data auditor under this Act.
(2) The data auditor shall evaluate the compliance of the data fiduciary with the provisions of this Act, including—
(a) clarity and effectiveness of notices under section 7;
(b) effectiveness of measures adopted under section 22;
(c) transparency in relation to processing activities under section 23;
(d) security safeguards adopted pursuant to section 24;
(e) instances of personal data breach and response of the data fiduciary, including the promptness of notice to the Authority under section 25;
(f) timely implementation of processes and effective adherence to obligations under sub-section (3) of section 28; and
(g) any other matter as may be specified by regulations.
(3) The Authority shall specify, by regulations, the form and procedure
audits under this section.
(4) The Authority shall register in such manner, the persons with expertise in the area of information technology, computer systems, data science, data protection or privacy, possessing such qualifications, experience and eligibility having regard to factors such as independence, integrity and ability, as it may be specified by regulations, as data auditors under this Act.
(5) A data auditor may assign a rating in the form of a data trust score to the data fiduciary pursuant to a data audit conducted under this section.
(6) The Authority shall, by regulations, specify the criteria for assigning a rating in the form of a data trust score having regard to the factors mentioned in sub-section (2).
(7) Notwithstanding anything contained in sub-section (1), where the Authority is of the view that the data fiduciary is processing personal data in such manner that is likely to cause harm to a data principal, the Authority may direct the data fiduciary to conduct an audit and shall appoint a data auditor for that purpose.
30. Data protection officer.
(1) Every significant data fiduciary shall appoint a data protection officer possessing such qualification and experience as may be specified by regulations for carrying out the following functions—
(a) providing information and advice to the data fiduciary on matters
relating to fulfilling its obligations under this Act;
(b) monitoring personal data processing activities of the data fiduciary to ensure that such processing does not violate the provisions of this Act;
(c) providing advice to the data fiduciary on carrying out the data protection impact assessments, and carry out its review under sub-section (4) of section 27;
(d) providing advice to the data fiduciary on the development of internal mechanisms to satisfy the principles specified under section 22;
(e) providing assistance to and co-operating with the Authority on matters of compliance of the data fiduciary with the provisions under this Act;
(f) act as the point of contact for the data principal for the purpose of grievances redressal under section 32; and
(g) maintaining an inventory of records to be maintained by the data fiduciary under section 28.
(2) Nothing contained in sub-section (1) shall prevent the data
fiduciary from assigning any other function to the data protection
officer, which it may consider necessary.
(3) The data protection officer appointed under sub-section (1) shall be based in India and shall represent the data fiduciary under this Act.
31. Processing by entities other than data fiduciaries
(1) The data fiduciary shall not engage, appoint, use or involve a data processor to process personal data on its behalf without a contract entered into by the data fiduciary and such data processor.
(2) The data processor referred to in sub-section (1) shall not engage, appoint, use, or involve another data processor in the processing on its behalf, except with the authorisation of the data fiduciary and unless permitted in the contract referred to in sub-section (1).
(3) The data processor, and any employee of the data fiduciary or the
data processor, shall only process personal data in accordance with the
instructions of the data fiduciary and treat it confidential.
32.Grievance redressal by data fiduciary.
(1) Every data fiduciary shall have in place the procedure and effective mechanisms to redress the grievances of data principals efficiently and in a speedy manner.
(2) A data principal may make a complaint of contravention of any of the provisions of this Act or the rules or regulations made thereunder, which has caused or is likely to cause harm to such data principal, to—
(a) the data protection officer, in case of a significant data
(b) an officer designated for this purpose, in case of any other data fiduciary.
(3) A complaint made under sub-section (2) shall be resolved by the data
fiduciary in an expeditious manner and not later than thirty days from
the date of receipt of the complaint by such data fiduciary.
(4) Where a complaint is not resolved within the period specified under sub-section (3), or where the data principal is not satisfied with the manner in which the complaint is resolved, or the data fiduciary has rejected the complaint, the data principal may file a complaint to the Authority in such manner as may be prescribed.