LegaLogic DPDP Act 2023 28 08 2023
LegaLogic does not warrant that any content or information contained in this presentation is accurate, correct,
complete or up-to-date, and hereby disclaims any and all liability to any person for any actual or threatened
loss or damage caused by errors or omissions, whether such errors or omissions result from negligence,
accident or otherwise.
LegaLogic assumes no liability for the interpretation and/or use of the content and/or information in this
presentation, nor does it offer any warranty of any kind, either expressed or implied in relation to such content
or information.
❖ Practical Challenges
➢ Case Studies
➢ Next Steps/ Takeaways
➢ Sectoral touchpoints
❖ CERT-IN
❖ The Information Technology Act, 2000 (IT ACT)
❖ The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (SPDI Rules 2011)
❖ The Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 (Intermediary Guidelines 2021)
❖ CERT-In Directions for Incident Reporting

❖ Healthcare : National Digital Healthcare Mission - Ayushman Bharat Digital Mission
❖ Telecom : Obligations under the licensing regime
❖ Financial : RBI regulations on Data Localization, RBI Digital Lending Guidelines
❖ Insurance : IRDAI regulations for insurance sector

❖ The Constitution of India – Fundamental Right – “Right to Privacy”
❖ The Aadhaar Act, 2016
❖ The Indian Contracts Act 1872
❖ The Indian Penal Code 1860 (IPC)
EXAMPLES
❖ A person has posted information on social media platforms – LinkedIn profiles
❖ X, an individual, while blogging her views, has publicly made available her personal data on social media
❖ Personal data published on company website and leadership profiles
❖ Data that is published on Ministry of Corporate Affairs – Directorship Data
New Regulator
Data Protection Board of India
Consent Managers
Processing of Personal Data must be for a lawful purpose and based on one of the
following grounds
(Notice + Consent) X, an individual, opens a bank account using the mobile app or website of Y, a bank. To complete the Know-Your-Customer requirements under law for opening of bank account, X opts for processing of her personal data by Y in a live, video-based customer identification process. Y shall accompany or precede the request for the personal data with notice to X, describing the personal data and the purpose of its processing.

(Purpose) X, an individual, downloads Y, a telemedicine app. Y requests the consent of X for (i) the processing of her personal data for making available telemedicine services, and (ii) accessing her mobile phone contact list, and X signifies her consent to both. Since phone contact list is not necessary for making available telemedicine services, her consent shall be limited to the processing of her personal data for making available telemedicine services.

(Violation of law) X, an individual, buys an insurance policy using the mobile app or website of Y, an insurer. She gives to Y her consent for (i) the processing of her personal data by Y for the purpose of issuing the policy, and (ii) waiving her right to file a complaint to the Data Protection Board of India. Part (ii) of the consent, relating to waiver of her right to file a complaint, shall be invalid.
6. Medical emergencies
9. Purposes of employment and those related to safeguarding the employer from loss or liability
(Voluntary provision)
Right to nominate
1. Failure of Data Processor or Data Fiduciary to take reasonable security safeguards to prevent personal data breach: Penalty up to INR 250 crore
★ Applicable to all Body Corporates and Foreign Entities with India nexus
★ Enforcement Since June 28, 2022
For Private Circulation Only | Confidential
Reportable Cyber Security Incidents
www.legalogic.com connectus@legalogic.com