Duties of Data Fiduciary under DPDPA, 2023

Introduction

As personal information is rapidly digitised in the modern era, protecting people’s privacy is more important than ever. The Data Privacy and Protection Act (DPDP) of 2023 in India establishes a thorough framework for handling personal data. It introduces the ideas of Data Fiduciaries and Significant Data Fiduciaries. In this blog post, we’ll detail the principal duties of Data Fiduciaries and Significant Data Fiduciaries under Chapter II of the DPDP Act.

Obligations of Data Fiduciary

1. Processing Based on Consent

Section 4 of the DPDP Act states that a Data Fiduciary processing personal data may only do so under certain circumstances. These prerequisites include acquiring valid consent from the Data Principal (the person to whom the data belongs). The Data Principal’s consent or specific permitted uses may be the basis for giving consent for a legal purpose. 

2. Giving Data Principal Notice

The need to alert Data Principals about the processing of their personal data is emphasised in Section 5 of the Act. A Data Fiduciary must give the Data Principal the following notice when asking for consent:

1. the processed personal data.
2. the reason for the processing.
3. information regarding the rights of the data principal as exercised.
4. submitting complaints to the Data Protection Board’s complaint procedure.

This ensures that Data Principals are fully informed about how their personal data will be handled and can consent in an informed manner.

3. Verifiable Consent

The conditions for requesting consent from Data Principals are described in Section 6. Free, transparent, informed, unconstrained, unambiguous consent that includes a conspicuous affirmative action. Individuals must, therefore, expressly and voluntarily consent to process their personal data and fully understand how it will be used.

4. Consent Revocation

Data Principals are always free to revoke their consent at any time. The ease of giving and withdrawing consent is guaranteed under Section 6(4). The withdrawal of consent, nevertheless, does not affect the legality of data processing that took place before the withdrawal.

Reasons for Processing Personal Data

Section 7 of the DPDP Act states that Data Fiduciaries may process personal data for several reasons. These reasons comprise:

1. Processing data for the precise reason the data principal submitted it, assuming the principal has not objected to the processing.
2. Instrumentalities of the State preparing information so that the government can use it to grant various benefits, services, certificates, licences, or permissions.
3. Processing of Data for State Functions: The State processes data for legal obligations.
4. Processing data to comply with laws, orders, or judgements is known as compliance with laws and order.
5. Medical Emergencies and Public Health: Analysing data to address epidemics, public health issues, or medical emergencies.
6. Processing data to ensure safety, assistance, or services during disasters or breakdowns of public order.
7. Processing data for employment-related purposes and safeguarding employers from loss or liability.
   

Additional Responsibilities of Fiduciaries of Significant Data

Identification as a Fiduciary for Significant Data

The Central Government is given the authority to designate specific Data Fiduciaries as Significant Data Fiduciaries under Section 10 of the DPDP Act based on data volume, sensitivity, risk to rights, and impact on national interests.

Additional Compliance

Significant Data Fiduciaries have additional responsibilities on top of what regular Data Fiduciaries must do. These consist of:

1. A Data Protection Officer must be designated who serves as a point of contact for handling complaints and who also represents the organisation in accordance with the Act.
2. Independent Data Auditor: To assess its compliance with the DPDP Act, a substantial data fiduciary must appoint an independent data auditor.
3. Data processing’s effects on data principals’ rights must be considered in regular Data Protection Impact Assessments (DPIAs).
4. Periodic Audits: Regular audits should be conducted to ensure the Act is being followed.

Additional measures compliant with the Act may be mandated through government notifications for Significant Data Fiduciaries.

Penalties for Failure to Comply

The DPDP Act must be followed to the letter because failure to do so could result in severe fines. The Act lists the following sanctions for violations:

1. Breach of Data Fiduciary’s duty to take adequate security precautions to prevent personal data leak under section 8’s subsection (5): 250 crores or less.
2. Up to 200 crores for failure to comply with the requirement to notify the Board or the affected Data Principal of a personal data breach under section 8’s subsection (6).
3. Up to Rs. 200 crore for violating section 9’s additional obligations concerning minors.
4. Up to 150 crore for a breach of the Significant Data Fiduciary’s additional section 10 requirements.

Conclusion
A significant step has been taken to protect individual privacy and ensure ethical data processing practices with the DPDP Act of 2023. Organisations and people must navigate the complicated world of data privacy in the digital age by being aware of their duties as Data Fiduciaries and Significant Data Fiduciaries. Stakeholders can contribute to a more open, safe, and privacy-conscious digital ecosystem by following the rules stated in the Act.

Stay updated on the latest laws of data privacy with Tsaaro