
Data Protection

Updated: 06th January 2025

Current data protection regime in India

Currently, there is no standalone legal framework governing data protection in India. The Information Technology Act, 2000 (IT Act) and the rules notified thereunder form the basis for data protection. These include the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (the "Privacy Rules" or "SPDI Rules").

On August 11, 2023, the Government of India published the Digital Personal Data Protection Act, 2023 (DPDP Act), which, when notified, will form the personal data protection and regulatory regime in India.

DPDP Enforcement

The DPDP Act will come into force as per the notification by the Central Government in the Official Gazette.
 
The Central Government may appoint different dates for different provisions of DPDP Act, and the provisions of the Act shall come into force to such effect.

DPDP Framework

Notable definitions

"Data"

A representation of information, facts, concepts, opinions or instructions in a manner suitable for communication, interpretation or processing by human beings or by automated means.

"Digital Personal Data"

Personal data in digital form.

"Personal Data Breach"

Any unauthorised processing of personal data or accidental disclosure, acquisition, sharing, use, alteration, destruction or loss of access to personal data, that compromises the confidentiality, integrity or availability of personal data.

"Processing"

In relation to personal data, means a wholly or partly automated operation or set of operations performed on digital personal data, and includes operations such as collection, recording, organisation, structuring, storage, adaptation, retrieval, use, alignment or combination, indexing, sharing, disclosure by transmission, dissemination or otherwise making available, restriction, erasure or destruction.

DPDP - Scope & Applicability 

The provisions of DPDP are applicable to:

Processing of digital personal data:

Within the territory of India

Where the personal data is collected–
(i) in digital form; or
(ii) in non-digital form and digitised subsequently

Outside the territory of India

If such processing is in connection with any activity related to offering of goods or services to Data Principals within the territory of India

The Process

The definition of "Processing" under the DPDP is non-exhaustive and means a wholly or partly automated operation or set of operations performed on digital personal data, and includes operations such as collection, recording, organisation, structuring, storage, adaptation, retrieval, use, alignment or combination, indexing, sharing, disclosure by transmission, dissemination or otherwise making available, restriction, erasure or destruction.

Although the definition includes a variety of activities, the process can be classified into six broad categories:

Collection

Storage

Use

Processing

Transmission

Erasure/Destruction

Process Stakeholders

Data Principal

The individual to whom the personal data relates and where such individual is—
(i) a child, includes the parents or lawful guardian of such a child;
(ii) a person with disability, includes her lawful guardian, acting on her behalf.

Data Fiduciary

Means any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data.

Significant Data Fiduciary

Means any Data Fiduciary or class of Data Fiduciaries as may be notified by the Central Government under section 10 of DPDP.

Data Processor

Means any person who processes personal data on behalf of a Data Fiduciary.

Access our DPDP Obligations Tool to identify Obligations of stakeholders under DPDP Act.

IMMEDIATE STEPS REQUIRED:

1. Conduct Data Mapping and Assessment

2. Establish effective Consent Mechanisms

3. Review agreements with Data Processors

4. Implement updated Privacy Policies

5. Implement effective Data security measures

HOW WE CAN HELP:

We can help in:
 

  1. Identifying your role as a 'Data Fiduciary', 'Significant Data Fiduciary', 'Data Processor' or 'Data Principal'.

  2. Data Mapping and Assessment

  3. Implementing Consent Mechanisms

  4. Review of agreements with Data Processors

  5. Implementing updated Privacy Policies

  6. Compliance in implementing effective Data security measures

DPDP Obligations Tool

DPDP Obligations


Implement reasonable security safeguards to prevent Personal Data breach and protect the Personal Data in its possession

General Obligations

Ensure that Personal Data being processed is complete, accurate and consistent.

General Obligations

Ensure that any transfer of personal data for processing to any country outside India, as permissible under DPDP Act, shall only be done in accordance with terms prescribed by the Central Government.

General Obligations

Consent Notice must contain:
• A description of the Personal Data sought to be collected from the Data Principal and the purpose for its processing;
• The manner in which the Data Principal may exercise her right to withdraw consent and to grievance redressal; and
• The manner in which the Data Principal may make a complaint to the Data Protection Board.

Notice Obligations

For consent obtained before commencement of DPDP Act, a notice similar to "Consent Notice" shall be provided to Data Principal as soon as it is reasonably practicable.

Notice Obligations

Provide upon request: A summary of the personal data of the data principal which is being processed by you and the processing activities undertaken with respect to such personal data.

Information Access

Ensure that collection of Personal Data of Data Principals is only for a lawful purpose.

General Obligations

Implement appropriate technical and organizational measures to ensure effective observance of provisions of DPDP Act.

General Obligations

Provide option to access contents of Consent Notice in English or any of 22 (twenty-two) languages specified in Constitution of India.

Notice Obligations

Provide a notice to Data Principal, in clear and plain language, along with a request for consent ("Consent Notice").

Notice Obligations

Provide upon request of Data Principal: Such information as may be prescribed by the Central Government.

Information Access

Upon request of Data Principal: Provide identities of any other data fiduciaries and data processors with whom the personal data has been shared.

Information Access


Delhi:

V 35, LGF, Green Park Main, New Delhi 110016


Copyright © TrailBlazer Advocates
