Rights and Duties of the Data Principal

Section 11: Right to access information about personal data

11(1).

  • A Data Principal has a right to seek information from a Data Fiduciary.

  • This right can be exercised against a Data Fiduciary to whom she has previously given consent.

  • Such consent includes consent referred to in 7(a).

  • Section 7(a) deals with Voluntary Consent given for a specific purpose.

    1. The Data Fiduciary to whom the request is made is referred to as the said Data Fiduciary.

    2. To exercise this right, the Data Principal must make a request.

    3. The request must be made in the manner prescribed under the law.

  • Upon receiving such a request, the said Data Fiduciary is required to provide the following:

  • (a). A Summary

    1. The Data Principal is entitled to receive a summary.

      1. The summary must relate to her personal data.

      2. The summary must cover the personal data that is currently being processed.

      3. Such processing must be carried out by the concerned Data Fiduciary.

    2. In addition to the data itself, the summary must also describe the processing activities.

    3. These processing activities must relate specifically to the personal data of the Data Principal.

    4. The objective is to give the Data Principal clarity on what personal data is being used and how it is being processed.

  • (b). Identities & Description

    1. The Data Principal has the right to know with whom her personal data has been shared.

      1. This includes the identities of all other Data Fiduciaries.

      2. It also includes the identities of all Data Processors.

      3. The sharing must have been done by the concerned Data Fiduciary.

    2. In addition to identities, a description must be provided.

    3. The description must explain what personal data was shared.

  • (c). Any other Additional Information

    1. The Data Principal may seek additional information beyond what is specifically listed.

      1. Such additional information must relate to her personal data.

      2. The information must also relate to the processing of that personal data.

      3. The scope of this information is not open-ended.

      4. It is limited to what may be prescribed under the law.

11(2).

  • Certain disclosure obligations do not apply in all situations.

    1. Specifically, the requirements under 11(1)(b) & 11(1)(c) are excluded in some cases.

    2. The exclusion applies where personal data is shared by the said Data Fiduciary with another Data Fiduciary.

    3. The receiving Data Fiduciary must be authorised by law to obtain such personal data.

    4. The sharing must be based on a request made in writing.

    5. The written request must come from the other Data Fiduciary.

  • The purpose of the request must relate to law-enforcement or security functions.

  • Such purposes may include:

    1. Prevention of offences.

    2. Detection of offences.

    3. Investigation of offences.

    4. Investigation of cyber incidents.

    5. Prosecution of offences.

    6. Punishment of offences.

  • In these situations, the said Data Fiduciary is not required to provide the information otherwise mandated under 11(1)(b) & 11(1)(c).

Section 12: Right to Correction and erasure of Personal Data

12(1).

  • A Data Principal is granted specific rights in relation to her personal data.

  • These rights apply to personal data for which she has previously given consent.

  • This includes consent given under Section 7(a).

  • The rights available to the Data Principal include:

    1. Correction of her personal data.

    2. Completion of incomplete personal data.

    3. Updating of her personal data.

    4. Erasure of her personal data.

  • These rights relate to the processing of such personal data.

  • The exercise of these rights must be in accordance with any requirements or procedures prescribed under any law currently in force.

12(2).

  • A request may be made by a Data Principal seeking correction, completion, or updating of her personal data.

  • Once such a request is received, the Data Fiduciary is required to act.

  • The Data Fiduciary must take the following steps:

    1. (a). Correct any personal data that is inaccurate or misleading.

    2. (b). Complete any personal data that is incomplete.

    3. (c). Update the personal data to ensure it remains current.

  • These actions must be taken in response to the Data Principal’s request.

12(3).

  • A Data Principal may seek erasure of her personal data.

  • To do so, she must make a request to the Data Fiduciary.

  • The request must be made in the manner prescribed under the law.

    1. Once the Data Fiduciary receives such a request, it has a duty to act.

    2. The Data Fiduciary must erase the personal data of the Data Principal.

    3. However, erasure is not required in all cases.

  • The Data Fiduciary may retain the personal data if such retention is necessary for the specified purpose.

  • The Data Fiduciary may also retain the personal data if retention is required to comply with any law currently in force.

Section 13: Right of Grievance Redressal

13(1).

  • A Data Principal is entitled to a right related to grievance redressal.

    1. This right includes access to readily available means of grievance redressal.

    2. Such grievance redressal must be provided either by a Data Fiduciary or by a Consent Manager.

    3. The grievance may arise from any act of the Data Fiduciary or Consent Manager.

  • The grievance may also arise from any omission by the Data Fiduciary or Consent Manager.

    1. The act or omission must relate to the performance of obligations by the Data Fiduciary or Consent Manager.

    2. These obligations must concern the personal data of the Data Principal.

    3. The grievance may also relate to the exercise of the Data Principal’s rights.

  • Such rights must be exercised under the provisions of this Act.

  • The grievance redressal mechanism must also cover rights exercised under the rules made under this Act.

13(2).

  • A grievance may be raised by a Data Principal under 13(1).

    1. Such grievance may be directed to a Data Fiduciary or to a Consent Manager.

    2. Upon receipt of the grievance, the Data Fiduciary or Consent Manager is required to respond.

    3. The response must be given within a time period that is prescribed under the law.

    4. The prescribed time period is calculated from the date on which the grievance is received.

  • Different time periods may be prescribed for all Data Fiduciaries.

  • Alternatively, different time periods may be prescribed for specific classes of Data Fiduciaries.

13(3).

  • A grievance may arise for a Data Principal under this section.

    1. Before taking the matter further, the Data Principal must first seek redressal under the grievance mechanism provided in this section.

    2. This grievance redressal process must be fully utilised.

    3. Only after exhausting this opportunity can the Data Principal approach the Board.

Section 14: Right to Nominate

14(1).

  • A Data Principal has the right to make a nomination.

    1. The nomination must be made in the manner prescribed under the law.

    2. The Data Principal may nominate any other individual.

    3. The nomination becomes relevant upon the death of the Data Principal.

    4. The nomination also becomes relevant if the Data Principal becomes incapacitated.

  • In such an event, the nominated individual may exercise the rights of the Data Principal.

  • These rights must be exercised in accordance with the provisions of this Act.

  • The exercise of rights must also comply with the rules made under this Act.

14(2).

  • For the purposes of this section, the term incapacity refers to:

    1. An inability to exercise the rights of the Data Principal.

    2. The rights in question are those provided under this Act.

    3. The definition also covers rights under the rules made under this Act.

  • Such inability may arise due to unsoundness of mind.

  • It may also arise due to infirmity of body.

  • Where either of these conditions exists, the Data Principal is treated as being incapacitated.

Section 15: Duties of Data Principal

  • A Data Principal may perform the following obligations:

  • (a).

    1. The exercise of rights under this Act is subject to certain conditions.

    2. While exercising such rights, compliance with the law is mandatory.

    3. All applicable laws that are currently in force must be complied with by the Data Principal.

    4. This requirement applies at the time the rights under this Act are exercised.

  • (b).

    1. While providing her personal data, certain conduct is expected from the Data Principal.

    2. The personal data must be provided for a specified purpose.

    3. In doing so, the Data Principal must ensure that she does not impersonate another person.

    4. This requirement exists to maintain the authenticity and integrity of personal data.

    5. Impersonation while providing personal data is prohibited.

  • (c).

    1. The Data Principal has a duty while providing her personal data.

    2. This duty applies when personal data is provided for obtaining or using certain official records.

    3. Such records may include any document.

      1. They may include a unique identifier, proof of identity or proof of address.

      2. These documents or identifiers must be issued by the State or by any of its instrumentalities.

      3. While providing personal data for these purposes, the Data Principal must ensure that no material information is suppressed.

    4. Suppression of material information in such situations is not permitted.

  • (d).

    1. The Data Principal has a responsibility while exercising her rights.

    2. This responsibility applies when she raises a grievance or files a complaint.

      1. The grievance or complaint may be made before a Data Fiduciary.

      2. It may also be made before the Board.

      3. While doing so, the Data Principal must ensure that the grievance or complaint is not false.

    3. The grievance or complaint must also not be frivolous.

    4. Filing false or frivolous grievances or complaints is therefore prohibited.

  • (e).

    1. The Data Principal has certain duties while exercising certain rights.

      1. The rights concerned are the right to correction and the right to erasure.

      2. These rights are exercised under the provisions of this Act.

      3. They may also be exercised under the rules made under this Act.

    2. While exercising these rights, the Data Principal must furnish information.

    3. The information furnished must be verifiably authentic.

    4. Providing unverifiable or false information while seeking correction or erasure is not permitted.

Section 15. Duties of Data Principal

  • A Data Principal shall perform the following duties:

  • (a).

    1. All applicable laws that are currently in force must be complied with.

    2. Rights under this Act cannot be exercised in isolation.

    3. Exercising a right under this Act does not permit violation of other laws.

  • (b).

    1. Personal data may be provided for a specified purpose.

      1. While providing such data, the Data Principal must not assume the identity of another individual.

      2. Impersonation while providing personal data is prohibited.

      3. The obligation applies specifically when personal data is provided for a specified purpose.

  • (c).

    1. A Data Principal may provide personal data for official purposes.

    2. Such purposes may include obtaining or using:

      1. A document, unique identifier, proof of identity or proof of address.

    3. These documents or identifiers are issued by the State or its instrumentalities.

      1. While providing personal data for these purposes, full disclosure is required.

      2. Material information must not be suppressed.

      3. Suppression of relevant or important information is prohibited.

  • (d).

    1. A grievance or complaint may be raised by a Data Principal.

    2. Such grievance or complaint may be made to a Data Fiduciary or to the Board.

    3. While raising a grievance or complaint, truthfulness is required.

    4. A Data Principal must not register a false grievance or complaint.

    5. A Data Principal must also not register a frivolous grievance or complaint.

  • (e).

    1. A Data Principal may exercise the right to correction or erasure.

    2. Such rights are exercised under the provisions of this Act or the rules made thereunder.

    3. While exercising these rights, the Data Principal has a duty of accuracy.

    4. The Data Principal must furnish only such information as is verifiably authentic.

    5. Information that cannot be verified should not be
