Obligations of a Significant Data Fiduciary
Rule 13: Additional Obligations of Significant Data Fiduciary
13(1).
Once a Data Fiduciary is notified as a Significant Data Fiduciary, or is included in a notified class of such Data Fiduciaries, additional obligations arise from the date of that notification.
Within every period of twelve months from that date, the Significant Data Fiduciary must carry out a Data Protection Impact Assessment.
Within the same period, it must also conduct an audit.
The purpose of both the assessment and the audit is to ensure effective compliance with the provisions of the Act and the rules made under it.
13(2).
With respect to a Data Protection Impact Assessment and an audit:
The Significant Data Fiduciary is responsible for ensuring that the assessment and audit are actually conducted by a competent person.
Once the assessment and audit are completed, the person who carried them out must prepare a report.
The report must focus on the significant observations, meaning the important findings that emerged during the assessment and the audit.
The Significant Data Fiduciary must then ensure that this report is submitted to the Board.
This requirement ensures that the Board is informed about the key compliance issues, risks, and observations relating to the processing of personal data by the Significant Data Fiduciary.
13(3).
The Significant Data Fiduciary must observe due diligence in verifying the technical measures it deploys, including algorithmic software.
These technical measures are those used for hosting, displaying, uploading, modifying, publishing, transmitting, storing, updating, or sharing the personal data it processes.
The purpose of this verification is to ensure that such technical measures are not likely to pose a risk to the rights of Data Principals.
13(4).
The Significant Data Fiduciary must take measures to ensure compliance in respect of personal data specified by the Central Government.
The Central Government makes such specification on the basis of the recommendations of a committee constituted by it.
The personal data so specified must be processed subject to a restriction.
The restriction is that the personal data, and the traffic data related to its flow, must not be transferred outside the territory of India.
13(5).
For the purposes of this rule, the term committee means a committee constituted by the Central Government specifically for the purposes of this rule.
The committee must include officials from the Ministry of Electronics and Information Technology.
The committee may also include officials from other Ministries or Departments of the Central Government.
Rule 14: Rights of Data Principals
14(1).
The objective is to enable Data Principals to exercise their rights under the Act.
For this purpose, the Data Fiduciary must take certain steps.
Where applicable, the Consent Manager must also comply.
The required information must be prominently published.
It must be published on the website or app, or both, as applicable.
The publication must include:
(a). Details of the means through which a Data Principal can make a request to exercise her rights; and
(b). The particulars, if any, such as a username or other identifier, that may be required to identify the Data Principal under the terms of service.
14(2).
The Data Principal may make a request to the Data Fiduciary.
The request must be made to the Data Fiduciary to whom she had earlier given consent for processing her personal data.
The request must be made using the means specified by that Data Fiduciary.
While making the request, the Data Principal must also provide the particulars required by the Data Fiduciary.
These particulars are required for identifying the Data Principal and for enabling the exercise of her rights.
14(3).
Every Data Fiduciary and every Consent Manager is required to prominently publish information.
The information must be published on their website or app, or both, about their grievance redressal system.
The published information must specify the period within which grievances of Data Principals will be responded to.
This response period must be reasonable and must not exceed ninety days.
To ensure that grievances are actually responded to within this period:
The Data Fiduciary and the Consent Manager must put in place appropriate technical measures.
They must also implement appropriate organisational measures so that the grievance redressal system functions effectively within the stated time frame.
14(4).
A Data Principal may exercise her rights under the Act through another person.
The Data Principal may nominate one or more individuals to exercise her rights.
Such nomination must be made in accordance with the terms of service of the Data Fiduciary.
The nomination must also comply with any other applicable law.
The Data Principal must use the means specified by the Data Fiduciary for making such a nomination.
She must also provide the particulars required by the Data Fiduciary for enabling the exercise of this right.
14(5).
For the purposes of this rule, the term identifier means any sequence of characters issued by the Data Fiduciary to identify the Data Principal.
The term identifier includes, for example:
A customer identification file number.
A customer acquisition form number.
An application reference number.
An enrolment ID.
An email address.
A mobile number.
A licence number.
Any other such sequence of characters that enables identification of the Data Principal also falls within the meaning of identifier.