The PDPB 2019 lists the legal bases for processing personal data. If an organization processes personal data for any reason beyond one or more of these legal bases, the processing will be deemed unlawful.
1. Consent given by data principal;
2. Performance of any function of the State authorised by law;
3. Obligation under the law being in force made by Parliament or State legislature;
4. Compliance with any order or judgment of any Court or Tribunal in India;
5. Medical emergency involving a threat to life or severe threat to health;
6. Providing medical treatment or health services during an epidemic or outbreak of disease;
7. Protecting the safety of individuals during a disaster or breakdown of public order;
8. Employment purposes like recruitment, termination, provision of any service, or benefit. However, such data shall not be sensitive personal data;
9. “Reasonable purposes”, similar to the GDPR’s legitimate interests basis but limited to preventing or detecting unlawful activity, whistleblowing, mergers and acquisitions, network and information security, credit scoring, recovery of debt, the operation of search engines, or processing of publicly available personal data.
Where a data fiduciary processes personal data in violation of the provisions of the regulation, it shall be liable to a penalty which may extend to 15 crore rupees or 4% of its total worldwide turnover of the preceding financial year, whichever is higher.