Data Fiduciary

By Reina Legal

11th December, 2019

The Personal Data Protection Bill (“PDPB”) has certain obligations that a data fiduciary needs to fulfil.

They are as follows:

  1. Lawful purpose-Process personal data only upon specific, clear and lawful purpose
  2. Limitation on purpose of processing of personal data-personal data shall be processed in a fair and reasonable manner and ensure the privacy of the data principal; and for the purpose consented to by the data principal or which is incidental to or connected with such purpose.
  3.  Limitation on collection of personal dataThe personal data shall be collected only to the extent that is necessary for the purposes of processing of such personal data.
  4. Requirement of notice for collection or processing of personal data-Every data fiduciary shall give to the data principal a notice, at the time of collection of the personal data, or if the data is not collected from the data principal, as soon as reasonably practicable, containing the following information.
  5. Quality of personal data processed-The data fiduciary shall take necessary steps to ensure that the personal data processed is complete, accurate, not misleading and updated, having regard to the purpose for which it is processed.
  6. Restriction on retention of personal data- The data fiduciary shall not retain any personal data beyond the period necessary to satisfy the purpose for which it is processed and shall delete the personal data at the end of the processing unless explicit consent has been given by the data principal or such retention is necessary to comply with any obligation under any law.
  7. Accountability of data fiduciary-The data fiduciary shall be responsible for complying with the provisions of this Act in respect of any processing undertaken by it or on its behalf.
  8. Consent necessary for processing of personal data-The personal data shall not be processed, except on the free, informed, specific, clear consent given by the data principal at the commencement of its processing. Such consent should also be capable of being withdrawn.