Understanding India's Digital Personal Data Protection Act, 2023
HOW DID WE GET HERE?
Justice K.S. Puttaswamy (Retd) vs. Union of India [August 24, 2017]: Right to Privacy recognized as part of Right to Life in landmark Supreme Court judgment
Personal Data Protection Bill, 2018: Drafted by B.N. Srikrishna Committee - reviewed by the Cabinet Ministry
Personal Data Protection Bill, 2019: Introduced: December, 2019; Withdrawn: August, 2022
Automated Processing: It extends to all automated operations (in whole or part) performed on digital
personal data, including collection, recording, organization, storage, retrieval, use, indexing, sharing,
erasure and destruction of such personal data.
EXCLUSIONS/EXEMPTIONS
Consent Management
[Diagram: Users; Database; Create, Update, Revoke, Verify Consent]
*Current pictorial representation is of our understanding of consent management platforms, but it may change based on offered
products and government requirements under DPDPA.
RIGHTS OF DATA PRINCIPAL
Right to Access: (i) Summary of their data being processed, and processing activities undertaken;
and (ii) Identities of all Data Fiduciaries and Data Processors who have access to their data (except
where personal data has been shared for investigation/prosecution of offences). (Section 11)
Right to Correction and Erasure: Can request a Data Fiduciary to correct, complete, update, or
erase their personal data (except where data retention is required under law or for the specified
purpose). (Section 12)
Right of grievance redressal: Should be provided access to a readily available means of
grievance redressal. (Section 13)
Right to nominate: Can nominate an individual to exercise their rights in the event of their death
or incapacity. (Section 14)
DUTIES OF DATA PRINCIPAL
Comply with the provisions of all applicable laws for the time being in force.
Not impersonate another person while providing personal data for a specified purpose.
Not suppress any material information while providing personal data, unique
identifier, proof of identity, or proof of address issued by the State/its instrumentalities.
Furnish only such information as is verifiably authentic, while exercising the right to
correction or erasure under DPDPA.
[Diagram: Publish details of a grievance officer; Mediation; Data Protection Board of India; Appeal; Telecom Disputes Settlement and Appellate Tribunal]
PENALTIES AND ADJUDICATION
[Diagram: Data Protection Board of India; opportunity to be heard; Monetary Penalty [Schedule of DPDPA]; No Criminal Sanctions under the DPDPA]
The type and nature of the personal data affected by the breach;
Repetitive nature of the breach;
Whether the person took any action to mitigate the effects and
consequences of the breach, and the timeliness and effectiveness of such
action;
Whether the monetary penalty to be imposed is proportionate and
effective, having regard to the need to secure observance of and deter
breach of the provisions of DPDPA; and
The likely impact of the imposition of the monetary penalty on the person.
TREATMENT OF CHILDREN'S DATA AND DATA OF DISABLED PERSONS
Children's data (an individual under the age of 18)
Verifiable consent to be given by parent/legal guardian
Prohibitions
(a) on processing data that is likely to have a detrimental effect on the well-being of a child;
(b) tracking and behavioral monitoring of children; and
(c) targeted advertisements directed at children.
Exemptions
Central Government may permit certain classes of data fiduciaries (to be notified) to process the personal data of
children, for such purposes and subject to such conditions (to be notified), without obtaining verifiable consent of the
parent or lawful guardian of such child.
Central Government may permit certain classes of data fiduciaries (to be notified) to undertake tracking or behavioral
monitoring of children or targeted advertising directed at children.
If Central Government is satisfied that the Data Fiduciary is processing data in a verifiably safe manner, it can provide the
same exemptions as mentioned above for processing data of children above certain prescribed age limits. [E.g.: If a gaming
platform for children collects data of children (5-18 years) in a verifiably safe manner to the satisfaction of the Central
Government, it can provide the above-stated exemptions for collection of data of children above 16.]
WHAT DO I DO WHEN THERE IS A DATA BREACH?
Exempt certain business entities and Startups from specific provisions of the DPDPA
Exempt “instrumentalities of the State” from the applicability of the DPDPA, in the
interests of sovereignty and integrity of India, security of the State, friendly relations
with foreign States, and maintenance of public order or preventing incitement to any
cognizable offence.
Exempt certain data fiduciaries from obtaining verifiable consent from parents or
legal guardians for processing their children's data for specific purposes and under
specific conditions and may also permit certain Data Fiduciaries to conduct tracking,
behavioral monitoring, or targeted advertising directed at children.
Notify the “negative list” of countries to which Indian data cannot be transferred.
Can I transfer data anywhere in the world? The DPDPA permits data transfer
outside India except to countries notified on the negative list, which the Government
is yet to notify.
SO WHAT DO I DO NOW?
Review the process and documentation for obtaining consent from Data Principals.
Assess your organization’s data processing requirements, including the reasons for collecting personal
data and the purposes for which such data is used.
Identify entities with whom you share data and review the contracts with such entities to ensure
they contain sufficient obligations to comply with the DPDP Act and provide the Data Fiduciary with periodic audit
rights.
Organizations that collect or process personal data of children or persons with disabilities should review
their preparedness to implement higher thresholds for “verifiable consent procedures”.
www.gamechangerlaw.com
#2259 | Level 22 | Regus World Trade Center
Brigade Gateway Campus | Malleswaram
West Bangalore - 560 055