ILN Data Privacy Paper

India

Data Principal shall also be given the right to withdraw consent at any point of time as easily as the consent was given. However, as regards the withdrawal, it has been further specified that "such withdrawal shall not affect the legality of processing of the personal data based on consent before its withdrawal". Moreover, such a withdrawal makes it mandatory for the Data Fiduciary to end the processing of the personal data of the Data Principal (unless specifically provided by the DPDPA).

5.2. Data storage and retention timelines

While no specific timelines have been prescribed for the retention of personal data, a Data Fiduciary is required to store personal data of the Data Principal only for specified purposes, which indicates that as soon as the specified purpose is over, the personal data shall not be retained.

5.3. Data correction, completion, updating or erasure of data

Upon withdrawal of consent by the Data Principal (even before the completion of the specified purpose of the data collected), the Data Fiduciary and its Data Processors shall erase or cease to process the personal data of the Data Principal within a reasonable time (which is yet to be specified by the rules). Further, the Data Principal can request corrections, completion of missing information, or updates to any inaccurate or incomplete data held by a Data Fiduciary.

5.4. Data protection and security practices and procedures

As a general obligation, the Data Fiduciary is mandated to implement appropriate technical and organisational measures to ensure effective observance of the provisions of this Act and the rules made thereunder.

5.5. Disclosure, sharing and transfer of data

As regards the disclosure, sharing or transfer of personal data of the Data Principal, the DPDPA provides that information regarding the extent and purpose of sharing of the personal data needs to be disclosed to the Data Principal and consent for the same needs to be sought by way of a consent notice.

5.6. Cross border transfer of data

The Central Government has the power to restrict the transfer of personal data by a Data Fiduciary for processing to specific countries or territories outside India by notifying the list of such countries.

5.7. Grievance redressal

A Data Fiduciary or the Consent Manager shall establish an effective and readily available mechanism to redress the grievances of Data Principals in case of any act or omission or regarding the performance of their obligations in relation to the personal data of such Data Principal.

www.ahlawatassociates.com
