ILN Data Privacy Paper

India

a) Personal Data Breach - Any data that is subjected to unauthorized processing, which also includes accidental disclosure, acquisition, sharing, use, alteration, destruction or loss of access to personal data, that compromises the confidentiality, integrity or availability of personal data would be regarded as a breach of personal data.

b) Processing - Processing of personal data is considered as an operation or set of operations which is performed on digital personal data such as collection, recording, storage, organizing of data, etc.

3.2. Statutory exemptions

The DPDPA provides for certain exemptions wherein the Data Fiduciaries are exempt from specific obligations. These exemptions include instances where processing is essential for legal enforcement or by judicial bodies, for investigation, or processing data of Data Principals outside India based on contractual agreements. Moreover, the law permits the Central Government to exempt state instrumentalities from compliance in the interest of national sovereignty, security, public order, or international relations. It also exempts data processing for research, archival, or statistical purposes if the personal data is not to be used to take any decision specific to a Data Principal and such processing is conducted according to prescribed standards. Additionally, the government has the authority to exempt certain categories of entities from specific obligations outlined in the provisions related to notice, data processing for decision-making, erasure, additional obligations and access to personal data.

3.3. Territorial and extra-territorial application

The DPDPA applies to the processing of personal data within the territory of India as well as the processing of personal data outside India (irrespective of where the Data Fiduciary is located) if such processing is in connection with any activity related to offering of goods or services to Data Principals located within India.

Legislative Framework

4.1. Key stakeholders

Following are the key stakeholders as per the DPDPA:

1. Data Fiduciary – Any individual or entity who is responsible for determining the purpose of processing of personal data.

2. Significant Data Fiduciary – The central government may notify a Data Fiduciary as a significant data fiduciary on the basis of certain factors which may include volume and sensitivity of personal data processed, risk to the right of Data Principal, security of the state, etc.

3. Data Principal – A person whose personal data is being collected for the purpose of processing. The DPDPA also provides for a condition where in case the individual is a child, the definition of Data Principal would further extend to its parents or legal guardians. Further, in case of a disabled person, the definition may extend to its lawful guardian.

www.ahlawatassociates.com
