Data Protection Services in India

As a natural corollary to the growing infusion of technology into regular economic transactions, it becomes imperative to safeguard every individual's personal data from potential insecurity in the process of collection, storage, processing and utilisation or disclosure. While data protection became relevant with the Information Technology Act, 2000 and the recognition of the Right to Privacy, a specialised statutory regime for data protection in India has only been sought to be established with the introduction of the Digital Personal Data Protection Act, 2023.

Scope of the Digital Personal Data Protection Act

Essentially, the Act identifies informational privacy manifesting as personal data as an “essential facet” of the fundamental Right to Privacy. It sets out provisions to regulate the processing of personal data within Indian Territory or by the Indian Government, entities incorporated under Indian law and Indian citizens, or outside Indian Territory but with some tangible connection in India. Under the Act, a data principal is an individual whose personal data is being processed. The entity or individual who decides the means and purposes of data processing is known as a data fiduciary. This Act has a wide application and includes within its ambit everything from e-commerce, social media and IT companies to brick-and-mortar shops, real estate companies, hospitals, and pharmaceutical companies.

Rights of Data Principal

The purpose of the DPDPA is also to lay down the rights of the data principal, the person whose data is being collected and processed by the data collector, to allow for stricter compliance from the initial stages to the last. All information conveyed to data principals should be in a clear and unambiguous manner.

Right to information about personal data
To obtain confirmation of processing, summary of personal data, identification of data fiduciaries with whom personal data has been shared, etc.

Right to correction and erasure of personal data
To ask for correction of inaccurate data or updating data or even deletion of data.

Right of grievance redressal
To file a complaint with the data fiduciary and file a grievance with the data protection board.

Right to nominate
To nominate any person to exercise these rights upon death or incapacitation of the data principal.

Compliance Obligations

  • To ensure accountability, the Act provides a comprehensive outline of obligations of the entities responsible for deciding the means and purpose of data processing, with corresponding penalties for violations.
  • Processing of personal data is prohibited except for any specific, clear and lawful purpose. Under these provisions, processing of data is mandated to be subject to certain purpose, collection and storage limitations.
  • Grievance redressal mechanisms must also be implemented to address complaints of individuals.
  • There is a separate categorization of certain entities as significant data fiduciaries which is based on certain criteria such as volume of data processed and turnover of fiduciary.
  • There are additional obligations on these fiduciaries that include accountability measures such as conducting a data protection impact assessment before conducting any processing of large-scale sensitive personal data (which includes financial data, biometric data, caste, religious or political beliefs).
  • The Act also talks of transparency and accountability measures such as the Privacy by Design Policy which has to be in place for all data fiduciaries.

Privacy By Design

Every organisation should prepare a Privacy By Design Policy, containing:

  • the managerial, organisational, business practices and technical systems to avoid harm to data principal
  • the obligations of data fiduciaries
  • the technology used in the processing of personal data is in accordance with commercially accepted or certified standards
  • the legitimate interests of businesses including any innovation is achieved without compromising privacy interests
  • the protection of privacy throughout processing from the point of collection to deletion of personal data
  • the processing of personal data in a transparent manner
  • the interest of the data principal is accounted for at every stage of processing of personal data

Reporting Data Breaches

The Data Protection Board shall be informed about a breach of any personal data by the data fiduciary, where such data breach may cause harm to the data principal.

The notices should contain the following information:

  • nature of personal data which is the subject-matter of the breach;
  • number of data principals affected by the breach;
  • possible consequences of the breach; and
  • action being taken by the data fiduciary to remedy the breach.

Penalties

The Act focuses on financial penalties to regulate compliance with the obligations. The Data Protection Board has the power to issue penalties up to INR 250 crore. Additionally, data fiduciaries are liable to pay a penalty up to INR 250 crore for breach of the obligation of a data fiduciary to take reasonable security safeguards to prevent a personal data breach.

Enforcement Mechanism

Lastly, the DPDPA provides for establishing the Data Protection Board to monitor and enforce the provisions. This Authority will have members with expertise in fields such as data protection and information technology. Any individual not satisfied with the grievance redressal by the data fiduciary can file a complaint with the said Authority. There is a mechanism for appeal of the orders of the Authority to an Appellate Tribunal, and from there appeals will go to the Supreme Court.

Benefits of the DPDPA Implementation Program

  • Comply with Indian Privacy Laws efficiently and effectively.
  • Recognize, Access and Strategize Personal Data within your organization.
  • Adapt, improvise and leverage your existing privacy compliance in order to comply with the DPDPA.
  • Manage policies and notices, and maintain data privacy structures within the organization.

If you are a company situated in India and provide services globally, in regions such as the US, the Middle East or the EU, please check our privacy programs provided here.
