
dpdp act

The document outlines the provisions regarding the processing of personal data by Data Fiduciaries under the law, including the obligations for obtaining consent from Data Principals and the conditions under which personal data may be processed. It specifies that personal data processed for personal or domestic purposes and publicly available data are exempt from these provisions. Additionally, it details the responsibilities of Data Fiduciaries to ensure compliance with the law, protect personal data, and provide clear communication to Data Principals regarding their rights and the processing of their data.

Uploaded by S.Abhipsha Dash

4 THE GAZETTE OF INDIA EXTRAORDINARY [PART II—

(c) not apply to—

(i) personal data processed by an individual for any personal or domestic
purpose; and
(ii) personal data that is made or caused to be made publicly available
by—
(A) the Data Principal to whom such personal data relates; or
(B) any other person who is under an obligation under any law for
the time being in force in India to make such personal data publicly
available.
Illustration.
X, an individual, while blogging her views, has publicly made available her personal
data on social media. In such case, the provisions of this Act shall not apply.
CHAPTER II
OBLIGATIONS OF DATA FIDUCIARY
Grounds for processing personal data.
4. (1) A person may process the personal data of a Data Principal only in accordance
with the provisions of this Act and for a lawful purpose,—
(a) for which the Data Principal has given her consent; or
(b) for certain legitimate uses.
(2) For the purposes of this section, the expression “lawful purpose” means any
purpose which is not expressly forbidden by law.
Notice.
5. (1) Every request made to a Data Principal under section 6 for consent shall be
accompanied or preceded by a notice given by the Data Fiduciary to the Data Principal,
informing her,—
(i) the personal data and the purpose for which the same is proposed to be
processed;
(ii) the manner in which she may exercise her rights under sub-section (4) of
section 6 and section 13; and
(iii) the manner in which the Data Principal may make a complaint to the Board,
in such manner and as may be prescribed.
Illustration.
X, an individual, opens a bank account using the mobile app or website of Y, a bank.
To complete the Know-Your-Customer requirements under law for opening of bank account,
X opts for processing of her personal data by Y in a live, video-based customer identification
process. Y shall accompany or precede the request for the personal data with notice to X,
describing the personal data and the purpose of its processing.
(2) Where a Data Principal has given her consent for the processing of her personal
data before the date of commencement of this Act,—
(a) the Data Fiduciary shall, as soon as it is reasonably practicable, give to the
Data Principal a notice informing her,––
(i) the personal data and the purpose for which the same has been
processed;
(ii) the manner in which she may exercise her rights under sub-section (4)
of section 6 and section 13; and
(iii) the manner in which the Data Principal may make a complaint to the
Board,
in such manner and as may be prescribed.
(b) the Data Fiduciary may continue to process the personal data until and
unless the Data Principal withdraws her consent.
Illustration.
X, an individual, gave her consent to the processing of her personal data for an online
shopping app or website operated by Y, an e-commerce service provider, before the
commencement of this Act. Upon commencement of the Act, Y shall, as soon as practicable,
give through email, in-app notification or other effective method information to X, describing
the personal data and the purpose of its processing.
(3) The Data Fiduciary shall give the Data Principal the option to access the contents
of the notice referred to in sub-sections (1) and (2) in English or any language specified in
the Eighth Schedule to the Constitution.
Consent.
6. (1) The consent given by the Data Principal shall be free, specific, informed,
unconditional and unambiguous with a clear affirmative action, and shall signify an
agreement to the processing of her personal data for the specified purpose and be limited to
such personal data as is necessary for such specified purpose.
Illustration.
X, an individual, downloads Y, a telemedicine app. Y requests the consent of X for (i)
the processing of her personal data for making available telemedicine services, and (ii)
accessing her mobile phone contact list, and X signifies her consent to both. Since phone
contact list is not necessary for making available telemedicine services, her consent shall be
limited to the processing of her personal data for making available telemedicine services.
(2) Any part of consent referred in sub-section (1) which constitutes an infringement
of the provisions of this Act or the rules made thereunder or any other law for the time being
in force shall be invalid to the extent of such infringement.
Illustration.
X, an individual, buys an insurance policy using the mobile app or website of Y, an
insurer. She gives to Y her consent for (i) the processing of her personal data by Y for the
purpose of issuing the policy, and (ii) waiving her right to file a complaint to the Data
Protection Board of India. Part (ii) of the consent, relating to waiver of her right to file a
complaint, shall be invalid.
(3) Every request for consent under the provisions of this Act or the rules made
thereunder shall be presented to the Data Principal in a clear and plain language, giving her
the option to access such request in English or any language specified in the Eighth
Schedule to the Constitution and providing the contact details of a Data Protection Officer,
where applicable, or of any other person authorised by the Data Fiduciary to respond to
any communication from the Data Principal for the purpose of exercise of her rights under
the provisions of this Act.
(4) Where consent given by the Data Principal is the basis of processing of personal
data, such Data Principal shall have the right to withdraw her consent at any time, with the
ease of doing so being comparable to the ease with which such consent was given.
(5) The consequences of the withdrawal referred to in sub-section (4) shall be borne
by the Data Principal, and such withdrawal shall not affect the legality of processing of the
personal data based on consent before its withdrawal.
Illustration.
X, an individual, is the user of an online shopping app or website operated by Y, an
e-commerce service provider. X consents to the processing of her personal data by Y for the
purpose of fulfilling her supply order and places an order for supply of a good while making
payment for the same. If X withdraws her consent, Y may stop enabling X to use the app or
website for placing orders, but may not stop the processing for supply of the goods already
ordered and paid for by X.
(6) If a Data Principal withdraws her consent to the processing of personal data under
sub-section (5), the Data Fiduciary shall, within a reasonable time, cease and cause its Data
Processors to cease processing the personal data of such Data Principal unless such
processing without her consent is required or authorised under the provisions of this Act
or the rules made thereunder or any other law for the time being in force in India.
Illustration.
X, a telecom service provider, enters into a contract with Y, a Data Processor, for
emailing telephone bills to the customers of X. Z, a customer of X, who had earlier given her
consent to X for the processing of her personal data for emailing of bills, downloads the
mobile app of X and opts to receive bills only on the app. X shall itself cease, and shall
cause Y to cease, the processing of the personal data of Z for emailing bills.
(7) The Data Principal may give, manage, review or withdraw her consent to the Data
Fiduciary through a Consent Manager.
(8) The Consent Manager shall be accountable to the Data Principal and shall act on
her behalf in such manner and subject to such obligations as may be prescribed.
(9) Every Consent Manager shall be registered with the Board in such manner and
subject to such technical, operational, financial and other conditions as may be prescribed.
(10) Where a consent given by the Data Principal is the basis of processing of
personal data and a question arises in this regard in a proceeding, the Data Fiduciary shall
be obliged to prove that a notice was given by her to the Data Principal and consent was
given by such Data Principal to the Data Fiduciary in accordance with the provisions of this
Act and the rules made thereunder.
Certain legitimate uses.
7. A Data Fiduciary may process personal data of a Data Principal for any of the following
uses, namely:—
(a) for the specified purpose for which the Data Principal has voluntarily
provided her personal data to the Data Fiduciary, and in respect of which she has not
indicated to the Data Fiduciary that she does not consent to the use of her personal
data.
Illustrations.
(I) X, an individual, makes a purchase at Y, a pharmacy. She voluntarily provides Y her
personal data and requests Y to acknowledge receipt of the payment made for the purchase
by sending a message to her mobile phone. Y may process the personal data of X for the
purpose of sending the receipt.
(II) X, an individual, electronically messages Y, a real estate broker, requesting Y to
help identify a suitable rented accommodation for her and shares her personal data for this
purpose. Y may process her personal data to identify and intimate to her the details of
accommodation available on rent. Subsequently, X informs Y that X no longer needs help
from Y. Y shall cease to process the personal data of X;
(b) for the State and any of its instrumentalities to provide or issue to the Data
Principal such subsidy, benefit, service, certificate, licence or permit as may be
prescribed, where––
(i) she has previously consented to the processing of her personal data
by the State or any of its instrumentalities for any subsidy, benefit, service,
certificate, licence or permit; or
(ii) such personal data is available in digital form in, or in non-digital form
and digitised subsequently from, any database, register, book or other document
which is maintained by the State or any of its instrumentalities and is notified
by the Central Government,
subject to standards followed for processing being in accordance with the policy
issued by the Central Government or any law for the time being in force for governance
of personal data.
Illustration.
X, a pregnant woman, enrols herself on an app or website to avail of government’s
maternity benefits programme, while consenting to provide her personal data for the purpose
of availing of such benefits. Government may process the personal data of X to
determine her eligibility to receive any other prescribed benefit from the government;
(c) for the performance by the State or any of its instrumentalities of any function
under any law for the time being in force in India or in the interest of sovereignty and
integrity of India or security of the State;
(d) for fulfilling any obligation under any law for the time being in force in India
on any person to disclose any information to the State or any of its instrumentalities,
subject to such processing being in accordance with the provisions regarding
disclosure of such information in any other law for the time being in force;
(e) for compliance with any judgment or decree or order issued under any law
for the time being in force in India, or any judgment or order relating to claims of a
contractual or civil nature under any law for the time being in force outside India;
(f) for responding to a medical emergency involving a threat to the life or
immediate threat to the health of the Data Principal or any other individual;
(g) for taking measures to provide medical treatment or health services to any
individual during an epidemic, outbreak of disease, or any other threat to public
health;
(h) for taking measures to ensure safety of, or provide assistance or services to,
any individual during any disaster, or any breakdown of public order.
Explanation.—For the purposes of this clause, the expression “disaster” shall
have the same meaning as assigned to it in clause (d) of section 2 of the Disaster
Management Act, 2005 (53 of 2005); or
(i) for the purposes of employment or those related to safeguarding the employer
from loss or liability, such as prevention of corporate espionage, maintenance of
confidentiality of trade secrets, intellectual property, classified information or provision
of any service or benefit sought by a Data Principal who is an employee.
General obligations of Data Fiduciary.
8. (1) A Data Fiduciary shall, irrespective of any agreement to the contrary or failure of
a Data Principal to carry out the duties provided under this Act, be responsible for complying
with the provisions of this Act and the rules made thereunder in respect of any processing
undertaken by it or on its behalf by a Data Processor.
(2) A Data Fiduciary may engage, appoint, use or otherwise involve a Data Processor
to process personal data on its behalf for any activity related to offering of goods or
services to Data Principals only under a valid contract.
(3) Where personal data processed by a Data Fiduciary is likely to be—
(a) used to make a decision that affects the Data Principal; or
(b) disclosed to another Data Fiduciary,
the Data Fiduciary processing such personal data shall ensure its completeness,
accuracy and consistency.
(4) A Data Fiduciary shall implement appropriate technical and organisational measures
to ensure effective observance of the provisions of this Act and the rules made thereunder.
(5) A Data Fiduciary shall protect personal data in its possession or under its control,
including in respect of any processing undertaken by it or on its behalf by a Data Processor,
by taking reasonable security safeguards to prevent personal data breach.
(6) In the event of a personal data breach, the Data Fiduciary shall give the Board and
each affected Data Principal, intimation of such breach in such form and manner as may be
prescribed.
(7) A Data Fiduciary shall, unless retention is necessary for compliance with any law
for the time being in force,—
(a) erase personal data, upon the Data Principal withdrawing her consent or as
soon as it is reasonable to assume that the specified purpose is no longer being
served, whichever is earlier; and
(b) cause its Data Processor to erase any personal data that was made available
by the Data Fiduciary for processing to such Data Processor.
Illustrations.
(I) X, an individual, registers herself on an online marketplace operated by Y, an
e-commerce service provider. X gives her consent to Y for the processing of her personal
data for selling her used car. The online marketplace helps conclude the sale. Y shall no
longer retain her personal data.
(II) X, an individual, decides to close her savings account with Y, a bank. Y is required
by law applicable to banks to maintain the record of the identity of its clients for a period of
ten years beyond closing of accounts. Since retention is necessary for compliance with law,
Y shall retain X’s personal data for the said period.
(8) The purpose referred to in clause (a) of sub-section (7) shall be deemed to no
longer be served, if the Data Principal does not––
(a) approach the Data Fiduciary for the performance of the specified purpose;
and
(b) exercise any of her rights in relation to such processing,
for such time period as may be prescribed, and different time periods may be prescribed for
different classes of Data Fiduciaries and for different purposes.
(9) A Data Fiduciary shall publish, in such manner as may be prescribed, the business
contact information of a Data Protection Officer, if applicable, or a person who is able to
answer on behalf of the Data Fiduciary, the questions, if any, raised by the Data Principal
about the processing of her personal data.
(10) A Data Fiduciary shall establish an effective mechanism to redress the grievances
of Data Principals.
(11) For the purposes of this section, it is hereby clarified that a Data Principal shall be
considered as not having approached the Data Fiduciary for the performance of the specified
purpose, in any period during which she has not initiated contact with the Data Fiduciary
for such performance, in person or by way of communication in electronic or physical form.
Processing of personal data of children.
9. (1) The Data Fiduciary shall, before processing any personal data of a child or a
person with disability who has a lawful guardian obtain verifiable consent of the parent of
such child or the lawful guardian, as the case may be, in such manner as may be prescribed.
Explanation.—For the purpose of this sub-section, the expression “consent of the
parent” includes the consent of lawful guardian, wherever applicable.
(2) A Data Fiduciary shall not undertake such processing of personal data that is
likely to cause any detrimental effect on the well-being of a child.
(3) A Data Fiduciary shall not undertake tracking or behavioural monitoring of children
or targeted advertising directed at children.
(4) The provisions of sub-sections (1) and (3) shall not be applicable to processing of
personal data of a child by such classes of Data Fiduciaries or for such purposes, and
subject to such conditions, as may be prescribed.
(5) The Central Government may, if satisfied that a Data Fiduciary has ensured that its
processing of personal data of children is done in a manner that is verifiably safe, notify for
such processing by such Data Fiduciary the age above which that Data Fiduciary shall be
exempt from the applicability of all or any of the obligations under sub-sections (1) and (3)
in respect of processing by that Data Fiduciary as the notification may specify.
Additional obligations of Significant Data Fiduciary.
10. (1) The Central Government may notify any Data Fiduciary or class of Data
Fiduciaries as Significant Data Fiduciary, on the basis of an assessment of such relevant
factors as it may determine, including—
