Notice Obligations and Consent Manager Framework

Rule 3: Notice given by Data Fiduciary to Data Principal

  • (a).

    1. The notice must be presented in a way that stands on its own.

    2. The Data Principal should be able to understand the notice without referring to:

      1. Any other document.

      2. Any earlier information.

      3. Any future information provided by the Data Fiduciary.

    3. The objective is to make sure the notice is clear, transparent, and not fragmented.

  • (b).

    1. The notice must be written in clear and plain language, not legal or technical jargon.

    2. It must give a fair and complete explanation of all details needed for the Data Principal to give specific and informed consent.

    3. At a minimum, the notice must:

    4. (i).

      1. Clearly list the types of personal data that will be processed.

      2. The Data Principal should know exactly what data is being collected, such as name, contact details, location, etc.

    5. (ii).

      1. The notice must clearly state:

        1. The specific purpose or purposes for which the personal data will be processed.

        2. The goods or services to be provided, or the uses enabled, because of such processing.

      2. This prevents vague or blanket consent and limits processing to defined purposes.

  • (c).

    1. The notice must provide a specific communication link.

    2. The link can be of any kind, such as:

      1. A website link.

      2. An in-app link.

      3. Access can also be provided through both of these links.

    3. It must also explain other available methods, if any, through which the Data Principal can:

    4. (i).

      1. Withdraw consent: the process of withdrawal must be as easy as giving consent, ensuring fairness and user control.

    5. (ii).

      1. The notice must explain how the Data Principal can exercise her rights under the Act, such as:

        1. Accessing her data.

        2. Seeking correction or erasure.

        3. Exercising any other right provided under the Act.

    6. (iii).

      1. Make a complaint to the Board.

Rule 4: Registration and Obligations of Consent Manager

4(1).

  • A person who satisfies the conditions mentioned for registration of Consent Managers in Part A of the First Schedule is eligible to apply.

    1. Such a person may submit an application to the Board to be registered as a Consent Manager.

    2. The application must include the particulars required by the Board.

    3. The applicant must also provide any additional information and documents that the Board specifies.

    4. The details, information, and documents required for the application will be published by the Board on its website.

    5. The applicant must follow the requirements as published by the Board while making the application.

4(2).

  • Once the Board receives the application, it may conduct any inquiry it considers necessary.

    1. The purpose of this inquiry is to check whether the applicant actually fulfils the conditions mentioned in Part A of the First Schedule.

    2. After conducting this inquiry, the Board will arrive at one of two conclusions.

  • (a).

    1. If the Board is satisfied that the conditions are fulfilled, it will register the applicant as a Consent Manager.

    2. The Board will then inform the applicant about the registration.

    3. The Board will also publish the particulars of the registered Consent Manager on its website.

  • (b).

    1. If the Board is not satisfied that the conditions are fulfilled, it will reject the application.

    2. In such a case, the Board must communicate the reasons for rejection to the applicant.

4(3).

  • The Consent Manager must follow and perform all obligations mentioned in Part B of the First Schedule.

4(4).

  • If the Board believes that a Consent Manager is not following the required conditions or obligations under this rule, then:

    1. The Board must first give the Consent Manager an opportunity to be heard.

    2. After that, the Board may formally inform the Consent Manager about the non-adherence.

    3. The Board may also direct the Consent Manager to take necessary steps to comply with the conditions and obligations.

4(5).

  • If the Board is satisfied that taking action is necessary to protect the interests of Data Principals, then:

    1. The Board must first give the Consent Manager an opportunity to be heard.

    2. After this, the Board may pass a formal order, and must record its reasons in writing.

  • (a).

    1. Under such an order, the Board may suspend or cancel the registration of the Consent Manager.

  • (b).

    1. The Board may also issue any directions it considers appropriate to the Consent Manager in order to safeguard the interests of the Data Principals.

4(6).

  • For the purposes of this rule, the Board has the power to ask the Consent Manager for information.

    1. When the Board makes such a request, the Consent Manager is required to provide the information called for.

    2. This power allows the Board to obtain any details it considers necessary to perform its functions under this rule.
