Background and Purpose of DPDPA

India’s Digital Personal Data Protection Act (DPDPA), introduced in 2023, has been established to regulate the processing of digital personal data. This legislation aims to uphold individuals’ right to privacy and ensure that personal data is handled lawfully and transparently. By doing so, it aligns India’s data protection standards with global frameworks, promoting accountability among entities that process personal data.

Scope and Applicability

  • The Act applies to the processing of digital personal data within the territory of India where the personal data is collected in:
    – Digital form
    – Non-digital form that is subsequently digitized
  • It also applies to processing of personal data outside India if such processing is related to offering goods or services to Data Principals located within India.
  • The Act does not apply to:
    – Personal data processed by an individual for personal or domestic purposes
    – Personal data made publicly available by:
      a) The Data Principal to whom such personal data relates
      b) Any other person who is legally obligated under Indian law to make the personal data publicly available

For instance: X, an individual blogging her views, has publicly disclosed her personal data on social media. In this case, the Act’s provisions shall not apply.

Key Provisions of the DPDPA

Definitions and Core Concepts

  • Data: Representation of information, facts, concepts, opinions, or instructions suitable for communication, interpretation, or processing by humans or automated means.
  • Data Principal: The individual to whom the personal data relates. For children, it includes parents or legal guardians; for persons with disabilities, it includes their lawful guardian.
  • Data Fiduciary: Any person (individual or entity) that determines the purpose and means of processing personal data.
  • Data Processor: Any person who processes personal data on behalf of a Data Fiduciary.
  • Digital Personal Data: Personal data in digital form.
  • Personal Data: Any data related to an identifiable individual.
  • Processing: Automated or partly automated operations on digital personal data, including collection, storage, organization, retrieval, use, sharing, erasure, and other related activities.

Grounds for Processing Personal Data:

a) A person may process a Data Principal’s personal data only:
    – With the Data Principal’s consent; or
    – For certain legitimate uses as prescribed.
b) “Lawful purpose” refers to any purpose not expressly forbidden by law.

Rights of Data Principal

Right to Access Information About Personal Data:

  • The Data Principal can obtain a summary of their personal data and details of processing activities.
  • The Data Principal can obtain information regarding all Data Fiduciaries with whom the data is shared, along with a description of the data shared.
  • The Data Principal can obtain any other prescribed information as per the Act.

Right to Correction and Erasure of Personal Data:

  • The Data Principal can request correction, completion, updating, or erasure of their personal data.
  • Upon such request, the Data Fiduciary must take prompt steps to correct, update, or complete the personal data.
  • The Data Fiduciary must erase the data upon request, unless retention is required by law.

Right of Grievance Redressal:

  • The Data Principal must have easy and accessible means to file grievances related to personal data.
  • The Data Fiduciary or Consent Manager must respond to grievances within the prescribed time.
  • The Data Principal is required to seek grievance resolution under this mechanism before approaching the Board.

Right to Nominate:

The Data Principal may nominate another individual to exercise these rights in the event of their death or incapacity (unsound mind or physical infirmity).