Did you know?
Under the Digital Personal Data Protection Act and Rules, personal data can be processed only for a lawful purpose, either with consent or for certain legitimate uses*.
What is Consent?
Consent given by the Data Principal shall be free, specific, informed, unconditional and unambiguous with a clear affirmative action, and shall signify an agreement to the processing of her personal data for the specified purpose and be limited to such personal data as is necessary for such specified purpose.
Valid consent
- Must be in clear and plain language
- Must be accessible in English or any language specified in the Eighth Schedule to the Constitution
- Must provide the contact details of a Data Protection Officer, or of any other authorised person
Children & Persons with Disabilities
Special protection applies to children (<18 years) and persons with disabilities. Processing requires verifiable consent of the parent/guardian.
Withdrawal of Consent
- The law mandates that withdrawal should be as easy as giving consent
- Data already processed lawfully remains valid
- On withdrawal, Data Processors shall be required to cease processing the personal data
Exceptions
The Act permits certain legitimate uses* where consent is not required, such as:
- When data is voluntarily provided for a specific purpose
- State functions (e.g., Government benefits, sovereignty, security, or integrity)
- Compliance with law or court orders
- Medical emergencies and disasters
- Employment-related purposes
How to manage consents?
An organisation can appoint a Consent Manager to receive, manage, review, or withdraw consent on its behalf.
