- A person may process data of data principal only in accordance with the provisions of act and for lawful purpose for which the subject has given consent or deemed to have given consent.
- Consent of the Data Principal means any freely given, specific, informed, unambiguous indication of her wishes, expressed through a clear affirmative action, indicating agreement to process their personal data for a specified purpose and limited to the necessary data for that purpose.
- If any part of the given consent violates the provisions of DPDPB or any other applicable law, it will be invalid to the extent of the infringement.
- Requests for consent must be presented to the Data Principal in clear and plain language, along with contact details of a Data Protection Officer or an authorized person for communication related to exercising their rights under DPDPB.
- The Data Principal has the right to withdraw her consent at any time, the ease of withdrawal must be comparable to the ease with which consent was given.
- The Data Principal bears the consequences of withdrawing consent, but the withdrawal does not affect the lawfulness of processing personal data based on consent before its withdrawal.
- If the Data Principal withdraws consent, the Data Fiduciary and its processors within a reasonable time must stop processing the personal data (including processing by data processors) unless permitted or required by the Act or other applicable laws.
- The Data Principal may manage, review, or withdraw consent through a “Consent Manager,” an accessible, transparent, and interoperable platform. The Consent Manager acts on behalf of the Data Principal and must be registered with the Board under such technical, operational, financial and other conditions prescribed.
- Where consent of the Data Principal is the basis of processing of personal data, in such case consent is questioned in any proceeding, the Data Fiduciary must prove that it provided notice to the Data Principal and obtained consent.
- Deemed Consent: A Data Principal is deemed to have given consent to the processing of her personal data in the following situations:
- When the Data Principal voluntarily provides her personal data to the Data Fiduciary for specified purposes and does not express refusal to consent to its use.
- For the performance of any function under the current laws, provision of services or benefits, issuance of certificates, licenses, or permits by the State or any of its instrumentalities, subject to compliance with applicable policies or laws governing such data.
- To comply with any judgment or order issued under the current laws in India or any judgment or order related to contractual or civil claims under foreign laws.
- In response to a medical emergency threatening the life or immediate threat to health of the Data Principal or another individual.
- To provide medical treatment or health services during an epidemic, disease outbreak, or any other public health threat.
- To ensure safety, provide assistance, or services during disasters or public order breakdowns.
- For employment-related purposes or safeguarding employers from losses or liabilities, preventing corporate espionage, maintaining confidentiality of trade secrets, IP, or classified information, and providing services or benefits requested by Data Principal who is an employee.
- Consent of children: The Data Fiduciary shall, before processing any personal data of a child, obtain verifiable parental consent in such manner as may be prescribed. “Parental consent” means the consent of a lawful guardian, where applicable.