LegaliTech

Navigating Technology Law

Action points for FinTech companies post the Digital Personal Data Protection Act, 2023

New obligations for FinTechs to comply:


1. The Act applies to all digital personal data, extending protection beyond
just sensitive personal data, as it was before.
2. In place of a privacy policy, a Notice and a Consent Manager have been mandated.
Notice and Consent to be provided in languages under the Eighth Schedule of the
Constitution apart from English.
● For consent given before the commencement of the Act, Data Fiduciaries (DFs)
to provide a Notice as well. Notice to include the manner in which a Data
Principal (DP) may exercise her rights as well as how to make a complaint to the Board.
3. FinTech companies that are startups have been exempted from the mandate of
Notice and additional obligations for Significant Data Fiduciaries.
4. While processing Personal Data of Children or persons with disability, consent to
be obtained through parent/lawful guardian.
5. Summary of personal data processed & identities of DFs with whom it has been
shared to be provided to DP.
6. Data Principal and the Data Protection Board to be intimated in case of a personal
data breach.
7. Board to impose monetary penalties for breach of provisions of the Act.
Quantum of penalty provided under the Schedule of the Act.
8. SDFs obligated to appoint a Data Protection Officer and conduct periodic Data
Protection Impact Assessment. Data Protection Officer to handle grievance redressal &
act as a point of contact in case of data breach.
9. Section 16 allows extraterritorial processing & transfer of Personal Data, except
to such countries restricted by Central Government through notification.