Obligations of Data Fiduciary
A Data Fiduciary is the person or entity that decides why personal data is used and how it is processed.
Section 4: Grounds of processing data
4(1).
Personal data of the Data Principal can be processed only by following the provisions of this Act.
This processing must be for a lawful purpose.
(a). This lawful purpose may be based on the consent given by the Data Principal.
(b). In certain cases, it may also be based on legitimate uses allowed under the Act.
4(2).
For the purposes of this section:
A lawful purpose refers to any purpose that is not specifically prohibited by law.
Section 5: Notice
5(1).
Every time a request is made to a Data Principal under section 6 to obtain consent, a notice must be provided.
This notice must be given by the Data Fiduciary to the Data Principal.
The notice must be given either before the consent request or along with the consent request.
(i).
The notice must clearly specify what personal data of the Data Principal is intended to be collected or used.
It should describe the exact categories or types of personal data proposed to be processed.
The notice must clearly state why this personal data is being processed.
Each purpose of processing should be explained in simple and understandable terms.
The Data Principal should be able to understand how her personal data will be used based on the information provided in the notice.
(ii).
The notice must clearly inform the Data Principal that she has certain rights under the law.
It should explain the rights available to her under section 6(4).
Section 6(4) deals with the right to withdraw the consent.
The notice must state how and through what method she can withdraw her consent.
It can be through a website, app, email, or written request.)
The notice must also explain the rights available to her under section 13.
Section 13 deals with Grievance redressal.
(iii).
The notice must inform the Data Principal that she has the right to make a complaint to the Board.
It should clearly state in what way or method the complaint can be made.
The complaint may be made through an online submission, written application, or any other prescribed mode.
The notice must clarify that the complaint process will follow the manner prescribed under the law or relevant rules.
The Data Principal should be able to understand where and how to approach the Board if she has a grievance.
The information provided should be clear enough to enable her to file a complaint without uncertainty or difficulty.
Illustration:
Suppose, X is an individual who wants to open a bank account.
X uses the mobile application or website of Y, which is a bank, to open the account.
As part of the legal Know-Your-Customer (KYC) requirements, the bank must verify X’s identity first.
So , X chooses to complete the KYC process through a live, video-based customer identification process.
This process requires Y to collect and process X’s personal data.
Before asking for, or at the time of asking for, X’s personal data, Y must give a notice to X.
The notice must clearly describe what personal data will be processed.
The notice must also explain the purpose for which X’s personal data will be processed.
5(2).
If the Data Principal has already given her consent before the commence of this Act and such consent relates to the Personal Data:
Then the following will apply:
(a).
The Data Fiduciary must give a notice to the Data Principal as soon as it is reasonably practicable.
The notice must inform the Data Principal about the following matters:
(i).
The personal data that has been processed.
The purpose for which such personal data has been processed.
(ii).
The manner in which the Data Principal may exercise her rights under Section 6(4) & 13.
(iii).
The manner in which the Data Principal may make a complaint to the Board.
The notice must be given in the manner and form as may be prescribed under the law.
(b).
The Data Fiduciary is permitted to continue processing the personal data even after the commencement of this Act.
Provided a valid consent has already been given by the Data Principal to the Fiduciary for such processing.
The processing can continue without interruption by the Data Fiduciary.
But , that said , the processing must stop once the Data Principal withdraws her consent.
So , until such withdrawal of consent takes place, the Data Fiduciary is legally allowed to process the personal data.
Illustration:
Suppose , X is an individual who had given her consent earlier , before the commencement of the Act.
This consent was given for the processing of her personal data.
The processing relates to an online shopping app or website.
This app or website is operated by Y, an e-commerce service provider.
After the Act comes into force, Y has a duty to inform X.
Y must provide this information as soon as practically reasonable to X after commencement of the Act.
The information may be given through email, in-app notification, or any other effective method.
The information must describe the personal data that is being processed.
The information must also explain the purpose for which X’s personal data is being processed.
5(3).
The Data Fiduciary has a mandatory obligation to provide language options for the notice.
The Data Principal must be given the option to access and read the contents of the notice.
This option applies to the notices referred to in 5(1) and 5(2).
The notice must also be available in English.
In addition to English, the notice must also be available in any language listed in the Eighth Schedule to the Constitution.
Section 6: Consent
6(1).
Consent given by the Data Principal must be free, specific, informed, unconditional, and unambiguous.
Such consent must be clearly shown through a clear affirmative action.
Such consent indicates agreement to process her personal data for a specified purpose.
The consent must be limited to only the personal data necessary for that specified purpose.
Illustration:
Suppose , X is an individual who downloads Y, which is a telemedicine application.
To provide its services, Y requests X’s consent to process her personal data.
The consent request covers two separate purposes:
Processing her personal data to make telemedicine services available.
Accessing her mobile phone contact list.
X agrees to both requests and signifies her consent.
However, accessing the mobile phone contact list is not necessary for providing telemedicine services.
Since that purpose is not essential, Y cannot rely on X’s consent for accessing the contact list.
Therefore, X’s valid consent is limited only to the processing of her personal data that is necessary for making telemedicine services available.
6(2).
Consent may be given under 6(1) for processing of personal data.
Such consent can contain multiple parts or permissions.
If any part of that consent violates:
The provisions of this Act.
The rules made under this Act.
Any other law that is currently in force.
then , that violating part is treated as an infringement.
The consent does not become entirely void because of this infringement.
Only the specific part of the consent that infringes the law is invalid.
The remaining parts of the consent, which comply with the law, continue to be valid.
Illustration:
X is an individual who purchases an insurance policy through the mobile app or website of Y, who is an insurer.
During this process, Y asks X to give her consent.
X gives consent for two separate things:
First, she agrees to the processing of her personal data by Y for the purpose of issuing the insurance policy.
Second, she agrees to waive her right to file a complaint before the Data Protection Board of India.
The consent given for processing personal data for issuing the policy is valid because it is necessary for providing the insurance service.
However, the consent relating to waiving her right to file a complaint before the Data Protection Board of India is not valid.
That part of the consent is invalid because a statutory right cannot be waived through consent.
6(3).
Whenever consent is requested under this Act or the rules made under it , a consent request must be made.
The consent request must be made in a clear and plain language.
The consent request must be presented in a way that the Data Principal can easily understand.
The Data Principal must be given the option to view or access the consent request in English.
The Data Principal must also be able to access the consent request in any language listed in the Eighth Schedule to the Constitution.
The consent request must include the contact details of the Data Protection Officer, wherever such an officer is required to be appointed.
If a Data Protection Officer is not applicable, then:
The consent request must provide the contact details of another person authorised by the Data Fiduciary.
This contact person must be responsible for responding to communications from the Data Principal.
6(4).
When a person’s personal data is processed based on the consent given by the Data Principal, then:
That consent forms the legal basis for such processing.
It is these consent forms that legally allows the organisation to process the data.
The Data Principal has the right to withdraw her consent at any time.
There is no restriction on when this withdrawal can take place, as long as consent was the basis for processing.
The process for withdrawing consent must be simple and user-friendly.
The ease of withdrawing consent must be comparable to the ease with which the consent was originally given.
6(5).
When the Data Principal withdraws her consent, she must bear the consequences of that withdrawal.
Any kind of impact resulting from the withdrawal, such as loss of service or benefits, will fall on the Data Principal.
The withdrawal of consent operates only from the time it is withdrawn.
Any processing of personal data that took place before the withdrawal remains lawful.
So, withdrawal of consent does not make past data processing illegal if it was done validly on the basis of consent at that time.
Illustration:
X is an individual who uses an online shopping app or website operated by Y, who is an e-commerce service provider.
X gives her consent to Y to process her personal data for the purpose of fulfilling her supply order.
After giving consent, X places an order for a good through the app or website.
X also makes payment for the goods at the time of placing the order.
Later, X decides to withdraw her consent for the processing of her personal data.
After X withdraws her consent:
Y may restrict or disable X’s ability to place any new orders through the app or website.
However, Y must continue processing X’s personal data to complete the delivery of the goods that X had already ordered and paid for.
So Y cannot discontinue such processing for those existing orders.
6(6).
When a Data Principal withdraws her consent to the processing of her personal data under 6(5), then:
That withdrawal becomes effective for future processing.
After the withdrawal, the Data Fiduciary is required to stop processing the personal data of the Data Principal.
The Data Fiduciary must also ensure that any Data Processors acting on its behalf likewise stop processing the personal data.
This cessation of processing must take place within a reasonable time.
However, the Data Fiduciary is not required to stop processing the personal data if such processing is permitted without consent.
Processing may continue where it is required or authorised under the provisions of this Act.
Processing may also continue where it is required or authorised under the rules made under this Act.
In addition, processing may continue if it is required or authorised under any other law in force in India.
Illustration:
X is a telecom service provider.
X enters into a contract with Y, who acts as a Data Processor, to email telephone bills to X’s customers.
Z is a customer of X.
Z had earlier given her consent to X for the processing of her personal data for the purpose of emailing telephone bills.
Z later downloads X’s mobile app.
Through the app, Z chooses to receive her bills only on the app and not by email.
By choosing this option, Z effectively withdraws her consent for emailing of bills.
As a result, X must itself stop processing Z’s personal data for emailing bills.
X must also ensure that Y, the Data Processor, stops processing Z’s personal data for emailing bills.
6(7).
The Data Principal has the option to use a Consent Manager for handling her consent.
Through a Consent Manager, the Data Principal may give her consent to a Data Fiduciary.
The Consent Manager can also be used to manage existing consents.
The Data Principal may review the consents she has already given.
The Data Principal may withdraw her consent through the Consent Manager as well.
Using a Consent Manager allows the Data Principal to control her consent in a single, organised manner.
6(8).
The Consent Manager is responsible and answerable to the Data Principal.
The Consent Manager must act on behalf of the Data Principal.
The manner in which the Consent Manager acts must be in accordance with the law.
The Consent Manager must follow the obligations that may be prescribed under the Act or the rules.
6(9).
Every Consent Manager must be registered with the Board.
The registration must be done in the manner prescribed under the law.
The Consent Manager must comply with technical conditions that may be prescribed.
The Consent Manager must comply with operational requirements that may be prescribed.
The Consent Manager must meet financial conditions that may be prescribed.
The Consent Manager must also satisfy any other conditions that may be prescribed from time to time.
6(10).
The processing of personal data is based on the consent given by the Data Principal.
If, during any legal or regulatory proceeding, a question arises about whether such consent was validly obtained:
Then under such an issue must be examined.
In such a situation, the responsibility lies with the Data Fiduciary.
The Data Fiduciary is required to prove that a proper notice was given to the Data Principal.
The Data Fiduciary must also prove that the Data Principal actually gave her consent.
The notice and the consent must both be shown to be in accordance with the provisions of this Act.
They must also comply with the rules made under this Act.
