FAQs: Your Obligations as a Data Fiduciary
- Shreya Gupta
- 6 days ago
- 9 min read
Updated: 5 days ago

The Digital Personal Data Protection Act, 2023 (“Act”) sets out a modern accountability-based framework for handling digital personal data. As a Data Fiduciary, this means implementing operational systems that ensure privacy by design, lawful cross-border data strategies, and responsive grievance mechanisms amongst other requirements.
Compliance is no longer static; it requires dynamic monitoring of processes, staff trainings, and readiness for regulatory scrutiny.
This simplified FAQ sheds light on some crucial questions that you may have:
Who are the key stakeholders under the Act?
The key stakeholders under the Act are:
Data Fiduciary (DF): Any person or entity that alone or jointly decides the purpose and means of processing personal data.
Data Principal (DP): The individual whose personal data is processed. For a child, this includes the child’s parents or lawful guardian; for a person with disabilities, it includes the lawful guardian acting on their behalf.
Data Processor: Any person who processes personal data on the direction of a Data Fiduciary.
Data Protection Board (DPB): The regulatory authority established to oversee compliance, address grievances, and enforce the Act.
What kinds of personal data are regulated under the Act?
The Act regulates personal data in digital form (including data collected manually and digitised later) that can identify an individual, directly or indirectly or when combined with other information. This ranges from basic information such as name and email ID to identifiers like cookies and IP addresses.
Note: However, the Act does not apply when personal data is processed by an individual solely for personal or domestic purposes, or when the personal data has been made publicly available by the DP, or by any person under a legal or regulatory obligation to disclose it.
What activities are included within the definition of "processing" under the Act?
Processing under the Act refers to any operation or set of operations performed on digital personal data, whether automated or not, and includes activities from collection, recording, organizing, structuring, storage, adaptation, use, sharing, disclosure, restriction, to erasure or destruction. It covers the entire lifecycle of data handling, encompassing all ways personal data can be managed.
Does the Act apply to offshore online platforms providing services to users in India?
Yes, the Act has extraterritorial jurisdiction. It applies to foreign entities, including offshore online platforms, that provide goods or services to individuals in India, and to those that track or monitor the behaviour of DPs who are Indian residents.
Is cross-border transfer of personal data permitted under the Act? If so, under what conditions?
Yes, as the Act currently stands, a DF may transfer personal data outside India unless the Central Government, by way of a notification, adds the destination country to the negative list. However, where sectoral regulations impose stricter data localisation requirements, those regulations continue to apply as well.
Does a DF currently compliant with the SPDI Rules (under the IT Act, 2000 i.e., the current data protection law of India) need to comply with the Act once it comes into effect? What new obligations must it adhere to?
Yes, all DFs handling personal data must comply with the Act, even if they already follow the SPDI Rules. The Act treats all digitised personal data the same and does not classify it into separate categories. It also introduces new duties such as obtaining clear and informed consent before processing personal data, enabling data principals to exercise their rights, implementing strong security measures, and reporting any data breaches.
Note: Besides the key obligations mentioned above, the Act introduces additional provisions that organisations must identify and address.
Is a notice valid if it clearly lists the personal data collected and its purposes?
No, this will not be considered a valid notice because as per the Act, a valid form of notice should also inform the DP how to exercise certain rights and how to file complaints to the DPB.
Note: The DF is required to give the notice content in English or any language listed in the Eighth Schedule of the Constitution.
What constitutes valid consent under the Act?
Under the Act, valid consent must be free, specific, informed, unconditional, and unambiguous, demonstrated by a clear affirmative action, and must not carry hidden conditions. Additionally, consent must be requested in simple language.
Can a DP withdraw consent? If so, what should be done?
Yes, a DP can withdraw their consent at any time. When consent is withdrawn, the DF must erase such personal data within a reasonable time, unless there is a legal justification or regulatory requirement to continue processing. However, any processing done before the withdrawal remains valid.
On what grounds is a DF permitted to process personal data?
A DF can only process personal data for a lawful purpose either upon obtaining consent from DPs or for certain legitimate uses as prescribed under the Act.
What are these certain legitimate uses that can be used by DFs?
Certain legitimate uses under the Act that can be used by DFs to process personal data include:
When the DP voluntarily provides data and does not object to its use such as sharing their contact details when signing up for a service.
For employment purposes or protecting the employer from loss or liability such as using employee data for payroll or preventing fraud.
To fulfil legal obligations to disclose information to the state such as obligatory tax disclosures to authorities.
Is it mandatory to issue notice to the DP each time consent is requested?
Yes, every time personal data is collected for a purpose not already consented to before, a new, clear and concise notice must be provided either before or at the time of making the consent request.
Note: This notice may be delivered in writing or electronically and should be easily accessible and understandable to the DP.
What are the rights a DF is required to provide to the DP under the Act?
DPs have the following rights, depending upon the ground on which the personal data was provided to the DF:
Right to access a summary of the personal data being processed by that DF and the processing activities it has undertaken, the identities of all other DFs and Data Processors with whom the personal data has been shared, and any other information as may be prescribed by the Central Government.
Right to correction, completion, updating and erasure of personal data.
Right of grievance redressal.
Right to nominate any other individual who shall exercise the rights of a DP in the event of death/incapacity of such a DP.
Right to withdraw consent at any point with the ease of doing so being comparable to the ease with which such consent was given.
Note: For instance, if a DP asks a DF’s agent to stop telemarketing calls, the DP should immediately be added to the DND list, and no one from the DF’s organisation should call them again unless the DP gives fresh consent to be contacted via telemarketing.
Is a DF required to tell DPs which third parties their personal data has been shared with?
No, upfront disclosure is not mandatory; however, the DP can request this information at any time, and upon such a request the DF must provide the identities of the DFs and Data Processors with whom the data has been shared. Additionally, the DP can also seek information on the processing activities undertaken by that DF with respect to such personal data.
When would an organization be designated as a Significant Data Fiduciary (SDF)?
The Central Government can decide in the future which organisations are categorised as SDFs, considering factors such as the volume of personal data processed, the sensitivity of such data, and whether handling this data could affect people’s rights or national security. Such SDFs will be subject to additional compliances, for example periodic audits and periodic data protection impact assessments.
Note: If your organisation processes a large volume of personal data, there is a high chance it could be categorised as an SDF.
Do all organisations need to appoint a Data Protection Officer (DPO)?
No, not every organisation needs a DPO. Appointment is required only if the organisation is designated as SDF. The DPO does not have to be a full-time employee, but they must have the right knowledge and skills for the designation and are required to report to the board or the governing body of the SDF.
Note: Even if an organisation is not required by law to appoint a DPO, it is still smart to appoint one or to have privacy champions to ensure better data protection practice and accountability.
What responsibilities does a DF have in the event of a personal data breach? How should breaches be communicated?
When a personal data breach occurs, data fiduciaries must promptly notify both the DPB and the affected DP. Such a notice should explain what happened, the types of data involved, and the steps taken to address the breach. The government will issue detailed rules on the manner and timelines for these notifications.
Note: It should be noted that as on date, all data breaches need to be reported to the DPB and DP irrespective of the nature and severity of that breach.
How should a DF manage a data deletion request?
Upon receiving a request of this nature, the DF is advised to follow these steps:
Verify the request – Confirm the identity of the requester and the validity of the request.
Check legal retention requirements – Determine whether any applicable laws or regulations require retention of the requested data and inform the data principal if such requirements exist.
Delete the data if permitted – Where no retention requirement applies, ensure deletion of all relevant personal data from internal systems and from all third-party processors (including vendors and tools) with whom the data was shared.
Provide confirmation – Issue a written confirmation to the DP once the deletion is completed.
Note: Once the Act becomes effective, the number of DP requests is expected to increase and may include requests that are not genuine. To ensure that DP requests are handled correctly, it is advised to verify the identity of every requester.
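As an added illustration (not code from the original article), the four deletion steps above as a small Python handler: an unverified request is refused, a statutory retention hold stops deletion and is surfaced to the DP, the erasure fans out to every internal system and third-party processor, and written confirmation is issued only once all of them succeed. The store names, the retention-hold table and the DP ids are constructed for this example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

@dataclass
class ErasureRequest:
    principal_id: str
    identity_verified: bool  # result of the DF's own identity check, performed before this step

@dataclass
class ErasureOutcome:
    status: str                                 # "rejected" | "retained" | "pending" | "deleted"
    detail: str
    audit: list = field(default_factory=list)   # timestamped trail kept for later scrutiny

def _log(outcome, msg):
    outcome.audit.append(f"{datetime.now(timezone.utc).isoformat()} {msg}")

def handle_erasure(req, stores, holds):
    """stores: name -> callable(principal_id) -> bool, covering internal systems and
    every third-party processor the data was shared with.
    holds: principal_id -> legal basis for retention (absent when none applies)."""
    out = ErasureOutcome("rejected", "")
    if not req.identity_verified:
        out.detail = "identity not verified; no deletion performed"
        _log(out, out.detail)
        return out
    basis = holds.get(req.principal_id)
    if basis:
        out.status, out.detail = "retained", f"retention required ({basis}); DP informed"
        _log(out, out.detail)
        return out
    failed = []
    for name, delete in stores.items():
        ok = delete(req.principal_id)
        _log(out, f"{name}: {'deleted' if ok else 'FAILED'}")
        if not ok:
            failed.append(name)
    if failed:  # never confirm to the DP while any copy may still exist
        out.status, out.detail = "pending", "no confirmation issued; retry: " + ", ".join(failed)
    else:
        out.status, out.detail = "deleted", "written confirmation issued to DP"
    _log(out, out.detail)
    return out

# Constructed sample: two internal systems, two processors, one DP under a tax-retention hold,
# and one processor that fails to delete for dp-1003.
SAMPLE_STORES = {"crm": lambda pid: True, "billing": lambda pid: True,
                 "email-vendor": lambda pid: True, "analytics-tool": lambda pid: pid != "dp-1003"}
SAMPLE_HOLDS = {"dp-1002": "tax records, statutory retention period"}

if __name__ == "__main__":
    for pid, verified in [("dp-1001", True), ("dp-1002", True), ("dp-1003", True), ("dp-1004", False)]:
        print(pid, handle_erasure(ErasureRequest(pid, verified), SAMPLE_STORES, SAMPLE_HOLDS).status)
```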
What are the rules for processing children’s personal data? Are there any exceptions?
Yes, a DF must additionally obtain verifiable parental or guardian consent before processing a child’s personal data. The processing must not adversely affect the child’s well-being and must exclude behavioural monitoring or targeted advertising. The government may grant exemptions for specific DFs or purposes if the processing methods ensure adequate safety and compliance with the law.
Note: DFs are advised to begin implementing age-gating mechanisms and integrating tokenization methods (like vaulted tokenization method) to ensure that no child’s personal data is processed without proper safeguards and compliance.
How does the Act regulate the processing of personal data of persons with disabilities?
The Act requires that before processing personal data of persons with disabilities who have a legally appointed guardian, verifiable consent must be obtained from such guardian.
Note: The Act does not distinguish between different levels of disability or capacity, treating all PWDs under similar rules as children.
How should a DF manage personal data that was collected before the Act came into force (Legacy Data)?
For personal data collected before the Act takes effect, DFs are advised to:
Issue updated privacy notices to DPs as soon as possible.
Check existing consents – Where clear, documented and auditable consent was obtained before the Act came into force, processing may continue until that consent is withdrawn.
Apply the Act’s requirements – The provisions on consent, permissible use, and deletion apply equally to personal data collected before the Act’s commencement and to data collected afterwards.
Note: For instance, if a DF can justify and document, by way of audit logs or consent logs, that valid consent was collected before the Act came into force, then the DF may continue processing that personal data until the consent is withdrawn. Irrespective of such consent, however, the DF is still advised to send an updated privacy notice to the DP.
When and what penalties can be imposed on DF?
Penalties can be imposed on DFs each time they fail to comply with the Act, for example through unauthorised access, improper sharing of personal data, or not following breach notification requirements. The DPB may issue fines or other corrective actions depending on the findings of its investigation and the seriousness and frequency of the violation. Monetary penalties can be as high as INR 250 crore (about USD 30 million). Other corrective measures may include directions or conditions imposed on the DF to fix underlying compliance issues.
Note: Upon receipt of a reference in writing from the DPB regarding imposition of penalty by the DPB on Data Fiduciaries in 2 or more instances and in the “interest of general public”, the Central Government can order blocking public access to any online platform or system used by the DF to provide goods or services to DPs.
Note: It has been observed from various global data protection cases that investigating data breaches is crucial in determining penalties or corrective actions for organizations. Therefore, it is recommended that organizations make their privacy processes auditable, accountable, and transparent to ensure compliance.
Please stay tuned for our next explainer series where we will answer some foundational questions about the Act with focus on consent managers and data processors and try turning the law into practical guidance, to help you prepare with clarity and confidence.
For any queries regarding implementation of the Act, any further question, feedback or to set up a call, please write to us at shreya.gupta@chandhiok.com and tmt@chandhiok.com.