After multiple iterations, India passed the Data Protection Bill into law as the Digital Personal Data Protection Act, 2023 (“DPDPA”). Among other things, the new data protection act in India recognises the need of individuals to protect their personal data and, for this purpose, provides rights to the individuals to whom the personal data relates, who are referred to as “data principals”. Where the data principal is (a) a child, the term includes the parents or lawful guardian of such a child; or (b) a person with disability, the term includes their lawful guardian, acting on their behalf.
Based on our in-depth experience in assisting clients in the data protection domain, this article provides an overview of the data principal rights available under the privacy act in India and makes practical recommendations on how businesses may implement and maintain processes to enable such requests.
The existing framework for data principal rights is rooted in the Information Technology (Reasonable Security Practices and Sensitive Personal Data or Information) Rules, 2011 (“SPDI Rules”) issued under the Information Technology Act, 2000. Under the SPDI Rules, data principals are empowered with:
(a) the right to review their personal data,
(b) the right to obtain rectification of their personal data,
(c) the right to withdraw consent to the processing of their personal data,
(d) the right to grievance redressal.
The Digital Personal Data Protection Act is set to repeal the SPDI Rules when it comes into effect and enhance the rights available under the SPDI Rules.
Under DPDPA, data principals are empowered with certain rights, including:
Access to Information: Where the ground for processing personal data is consent, a data principal has the right to make a request to the data fiduciary and seek:
(a) A summary of personal data being processed and the activities undertaken with respect to such personal data.
(b) The identities of all other data fiduciaries and data processors with whom the personal data has been shared, along with a description of such data.
(c) Any other information prescribed by the Indian government.
Correction and erasure: A data principal is entitled to request the personal data to be corrected, completed, updated, and erased, where the ground for processing personal data is consent. The right to erasure may be exercised when the specified purpose for which their personal data was collected is no longer served by its retention.
Nomination: A data principal is entitled to nominate another individual who will exercise the rights of the data principal under the new privacy act in India (DPDP) in the event of the data principal’s death or incapacity.
Withdraw consent: Where consent given by the data principal is the basis of processing personal data, the data principal has the right to withdraw their consent at any time. It should be as easy for the data principal to withdraw consent as it is to give consent.
Grievance redressal: A data principal has the right to readily available means of grievance redressal offered by a data fiduciary or consent manager concerning any act or omission in the performance of its obligations or the exercise of data principal rights under the law.
The DPDPA also lays down specific duties for data principals. These include
The Digital Personal Data Protection Act is set to expand upon the rights available to individuals under the SPDI Rules. Accordingly, businesses ought to evaluate and revamp their internal data principal rights processes under the data protection act in India. To do that, businesses can take the following steps:
(a) appoint an officer to handle the front-end relationship with customers, particularly to respond to communications from customers (such as the data protection officer, where applicable).
(b) institute a proper UI/UX journey to ensure seamless facilitation of data subject rights, such as putting in place a data principal rights portal.
(c) set up internal mechanisms for request tracking, timeline maintenance, acknowledgements, and role divisions, and ensure that refusals and replies are in compliance with the law.
Non-observance of the obligation to comply with rights requests of the data principal may attract fines as high as INR 50 crores. As a data protection law firm, we recommend that businesses start evaluating their data principal rights processes at this stage itself. Businesses may contact their respective data protection law firm for assistance in this regard. They may also perform a global data review of other data privacy laws and best practices to inform their own compliance.
If you have any queries or would like to know more about the DPDPA, 2023, reach out to Spice Route Legal, recognised as the best data protection law firm in India. Email id: contact@spiceroutelegal.com.