The Digital Personal Data Protection Act (DPDPA), 2023 got enacted on 11th August 2023.
Below is a glimpse of the Act.
☄️This is the first Act of the Parliament of India where "she/her" pronouns are used unlike the usual "he/him" pronouns.
☄️A Data Protection Board of India has been established by Central Government under this act.
☄️Applicability:
This enactment applies to the processing of digital personal data within the territory of India where the personal data is collected-
(i) in digital form; or
(ii) in non-digital form and digitized subsequently;
The act also applies to the processing of digital personal data outside the territory of India, if such processing is in connection with any activity related to offering of goods or services to individual within the territory of India.
☄️Non-Applicability:
The act shall not apply to—
i. personal data processed by an individual for any personal or domestic purpose; and
ii. personal data made or caused to be made publicly available by
a) the person to whom such personal data relates;
or
b) any other person who is under an obligation under any law for the time being in force in India to make such personal data publicly available.
☄️Obligations of Person collecting Digital Personal Data (Data Fiduciary):
Use of Digital Personal Data is allowed for a lawful purpose—
a) for which the individual has given their consent;
or
b) for certain legitimate uses.
He shall inform the Individual to whom data belongs, before requesting the data describing the personal data and the purpose of its processing.
☄️Request for Data:
Data Fiduciary shall give to the Individual a notice providing the contact details of a Data Protection Officer (including for data already in possession) informing them –
a) the personal data and the purpose for which the same has been processed;
b) the manner in which she may exercise her rights u/s 6(4) and 13 i.e., Individual shall have the right to withdraw their consent at any time, and
c) the manner in which the Data Principal may make a complaint to the Board(Data Protection Board of India),
• Consent shall be free, specific, informed, unconditional and unambiguous.
• The Data Fiduciary may continue to process the personal data until and unless the Individual withdraws their consent.
• The withdrawal shall not affect the legality of processing of the personal data based on consent before its withdrawal
☄️New concept of Consent Managers
Consent Manager’s are third-party entities that use an interoperable tech framework to enable consent regulation digitally. Data Fiduciary may use the services of a consent manager to manage the consent of the Individual. A consent manager represents the Individuals and takes action on their behalf when granting, managing, reviewing, or revoking consent.
Every Consent Manager shall be registered with the Board formed under the act.
companysecretary cs dpdpa2023 data