Individuals, companies, firms, governments, or other entities which determine the purpose and mode of processing an individual’s personal data are referred to as data fiduciaries.
The Digital Personal Data Protection Bill, 2022 (“DPDPB”) has certain obligations that a data fiduciary needs to fulfil.
They are as follows:
- A data fiduciary shall make reasonable efforts to ensure that personal data processed by or on behalf of the data fiduciary is accurate and complete.
- Every data fiduciary and data processor shall protect personal data in its possession or under its control by taking reasonable security safeguards to prevent personal data breach.
- In the event of a personal data breach, the data fiduciary or data processor, as the case may be, shall notify the Board and each affected data principal.
- The personal data shall be collected only to the extent that is necessary for the purposes of processing of such personal data.
- Every data fiduciary shall publish the business contact information of a data protection officer, if applicable, or a person who is able to answer on behalf of the data fiduciary, to address the data principal’s questions about the processing of their personal data.
- Every data fiduciary shall have in place a procedure and effective mechanism to redress the grievances of data principals.
- The data fiduciary may share, transfer or transmit the personal data to any data fiduciary, or engage, appoint, use or involve a data processor to process personal data on its behalf, only under a valid contract, where consent of the data principal has been obtained. Such data processor may, if permitted under its contract with the data fiduciary, further engage, appoint, use, or involve another data processor in processing personal data only under a valid contract.
- In the event that personal data from individuals under the age of 18 is proposed to be processed, prior verifiable parental consent (including consent from a guardian) is required. Data fiduciaries are prohibited from tracking and behaviourally monitoring children, from sending targeted advertisements to them, and from any processing that may harm children.
- A significant data fiduciary must appoint a data protection officer who will represent the significant data fiduciary in India. An individual shall be appointed as the data protection officer by the board of directors of the significant data fiduciary or by similar governing bodies. The data protection officer shall be responsible for resolving grievances. A significant data fiduciary must also appoint an independent data auditor who shall evaluate the compliance of the significant data fiduciary.