Privacy by design policy

shall apply to—

• the processing of personal data where such data has been collected,disclosed, shared or otherwise processed within the territory of India;
• the processing of personal data by the State, any Indian company, any citizen of India or any person or body of persons incorporated or created under Indian law;

• the processing of personal data by data fiduciaries or data processors not present within the territory of India, if such processing is—

  1. in connection with any business carried on in India, or any systematic activity of offering goods or services to data principals within the territory of India; or
  2. in connection with any activity which involves profiling of data principals within the territory of India.

shall not apply to the processing of anonymised data, other than the anonymised data referred to in section 91.

shall apply to—

• the processing of personal data where such data has been collected,disclosed, shared or otherwise processed within the territory of India;
• the processing of personal data by the State, any Indian company, any citizen of India or any person or body of persons incorporated or created under Indian law;

• the processing of personal data by data fiduciaries or data processors not present within the territory of India, if such processing is—

  • in connection with any business carried on in India, or any systematic activity of offering goods or services to data principals within the territory of India; or
  • in connection with any activity which involves profiling of data principals within the territory of India.

"anonymisation" in relation to personal data, means such irreversible process of transforming or converting personal data to a form in which a data principal cannot be identified, which meets the standards of irreversibility specified by the Authority;

"anonymised data" means data which has undergone the process of anonymisation;

"Appellate Tribunal" means the Tribunal established under sub-section (1)or notified under sub-section (4) of section 67;

"Authority" means the Data Protection Authority of India established under sub-section (1) of section 41;

"automated means" means any equipment capable of operating automatically in response to instructions given for the purpose of processing data;

"biometric data" means facial images, fingerprints, iris scans, or any other similar personal data resulting from measurements or technical processing operations carried out on physical, physiological, or behavioural characteristics of a data principal,which allow or confirm the unique identification of that natural person;

"child" means a person who has not completed eighteen years of age;

"code of practice" means a code of practice issued by the Authority under section 50;

"consent" means the consent referred to in section 11;

"data" includes a representation of information, facts, concepts, opinions or instructions in a manner suitable for communication, interpretation or processing by humans or by automated means;

"data auditor" means an independent data auditor referred to in section 29;

"data fiduciary" means any person, including the State, a company, any juristic entity or any individual who alone or in conjunction with others determines the purpose and means of processing of personal data;

"data principal" means the natural person to whom the personal data relates;

"data processor" means any person, including the State, a company, any juristic entity or any individual, who processes personal data on behalf of a data fiduciary;

"de-identification" means the process by which a data fiduciary or data processor may remove, or mask identifiers from personal data, or replace them with such other fictitious name or code that is unique to an individual but does not, on its own, directly identify the data principal;

"disaster" shall have the same meaning as assigned to it in clause (d) of section 2 of the Disaster Management Act, 2005;

"financial data" means any number or other personal data used to identify an account opened by, or card or payment instrument issued by a financial institution to a data principal or any personal data regarding the relationship between a financial institution and a data principal including financial status and credit history;

"genetic data" means personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the behavioural characteristics, physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question;

"harm" includes—

1. bodily or mental injury;
2. loss, distortion or theft of identity;
3. financial loss or loss of property;
4. loss of reputation or humiliation;
5. loss of employment;
6. any discriminatory treatment;
7. any subjection to blackmail or extortion;
8. any denial or withdrawal of a service, benefit or good resulting froman evaluative decision about the data principal;
9. any restriction placed or suffered directly or indirectly on speech,movement or any other action arising out of a fear of being observed or surveilled;
   or
10. any observation or surveillance that is not reasonably expected by thedata principal;

"health data" means the data related to the state of physical or mental health of the data principal and includes records regarding the past, present or future state of the health of such data principal, data collected in the course of registration for, or provision of health services, data associating the data principal to the provision of specific health services;

"intra-group schemes" means the schemes approved by the Authority under clause (a) of sub-section (1) of section 34;

"in writing" includes any communication in electronic format as defined in clause (r) of sub-section (1) of section 2 of the Information Technology Act, 2000;

"journalistic purpose" means any activity intended towards the dissemination through print, electronic or any other media of factual reports, analysis,opinions, views or documentaries regarding—

1. news, recent or current events; or
2. any other information which the data fiduciary believes the public, orany significantly discernible class of the public, to have an interest in;

"notification" means a notification published in the Official Gazette and the expression "notify" shall be construed accordingly;

"official identifier" means any number, code, or other identifier, assigned to a data principal under a law made by Parliament or any State Legislature which may be used for the purpose of verifying the identity of a data principal;

"person" includes—

1. an individual,
2. a Hindu undivided family,
3. a company,
4. a firm
5. an association of persons or a body of individuals, whether incorporatedor not,
6. the State, and
7. every artificial juridical person, not falling within any of the precedingsub-clauses;

"personal data" means data about or relating to a natural person who is directly or indirectly identifiable, having regard to any characteristic, trait, attribute or any other feature of the identity of such natural person, whether online or offline, or any combination of such features with any other information, and shall include any inference drawn from such data for the purpose of profiling;

"personal data breach" means any unauthorised or accidental disclosure, acquisition, sharing, use, alteration, destruction of or loss of access to, personal data that compromises the confidentiality, integrity or availability of personal data to a data principal;

"prescribed" means prescribed by rules made under this Act;

"processing" in relation to personal data, means an operation or set of operations performed on personal data, and may include operations such as collection,recording, organisation, structuring, storage, adaptation, alteration, retrieval, use, alignment or combination, indexing, disclosure by transmission, dissemination or otherwise making available, restriction, erasure or destruction;

"profiling" means any form of processing of personal data that analyses or predicts aspects concerning the behaviour, attributes or interests of a data principal;

"regulations" means the regulations made by the Authority under this Act;

"re-identification" means the process by which a data fiduciary or data processor may reverse a process of de-identification;

"Schedule" means the Schedule appended to this Act;

"sensitive personal data" means such personal data, which may, reveal, be related to, or constitute—

1. financial data;
2. health data;
3. official identifier;
4. sex life;
5. sexual orientation;
6. biometric data;
7. genetic data;
8. transgender status;
9. intersex status;
10. caste or tribe;
11. religious or political belief or affiliation; or
12. any other data categorised as sensitive personal data under section 15.

Explanation.— For the purposes of this clause, the expressions,—

• "intersex status" means the condition of a data principal who is—

  1. a combination of female or male;
  2. neither wholly female nor wholly male; or
  3. neither female nor male;
• "transgender status" means the condition of a data principal whosesense of gender does not match with the gender assigned to that data principalat birth, whether or not they have undergone sex reassignment surgery, hormonetherapy, laser therapy, or any other similar medical procedure;

"significant data fiduciary" means a data fiduciary classified as such under sub-section (1) of section 26;

"significant harm" means harm that has an aggravated effect having regard to the nature of the personal data being processed, the impact, continuity, persistence or irreversibility of the harm;

"State" means the State as defined under article 12 of the Constitution;

"systematic activity" means any structured or organised activity that involves an element of planning, method, continuity or persistence

Where the processing has been carried out through automated means, the data principal shall have the right to—

• receive the following personal data in a structured, commonly used and machine-readable format—

  1. the personal data provided to the data fiduciary;
  2. the data which has been generated in the course of provision of services or use of goods by the data fiduciary; or
  3. the data which forms part of any profile on the data principal, or which the data fiduciary has otherwise obtained; and
• have the personal data referred to in clause (a) transferred to any other data fiduciary in the format referred to in that clause.

The provisions of sub-section (1) shall not apply where—

• processing is necessary for functions of the State or in compliance of law or order of a court under section 12;

• compliance with the request in sub-section (1) would reveal a trade secret of any data fiduciary or would not be technically feasible.

The sensitive personal data may only be transferred outside India for the purpose of processing, when explicit consent is given by the data principal for such transfer,and where—

• the transfer is made pursuant to a contract or intra-group scheme approved by the Authority:
  Provided that such contract or intra-group scheme shall not be approved, unless it makes the provisions for—

  1. effective protection of the rights of the data principal under this Act,including in relation to further transfer to any other person; and
  2. liability of the data fiduciary for harm caused due to non-compliance of the provisions of such contract or intra-group scheme by such transfer; or

• the Central Government, after consultation with the Authority, has allowed the transfer to a country or, such entity or class of entity in a country or, an international organisation on the basis of its finding that—

  1. such sensitive personal data shall be subject to an adequate level of protection, having regard to the applicable laws and international agreements;and
  2. such transfer shall not prejudicially affect the enforcement of relevant laws by authorities with appropriate jurisdiction:
     Provided that any finding under this clause shall be reviewed periodically in such manner as may be prescribed;
• the Authority has allowed transfer of any sensitive personal data or class of sensitive personal data necessary for any specific purpose.

Notwithstanding anything contained in sub-section (2) of section 33, any critical personal data may be transferred outside India, only where such transfer is—

• to a person or entity engaged in the provision of health services or emergency services where such transfer is necessary for prompt action under section 12; or

• to a country or, any entity or class of entity in a country or, to an international organisation, where the Central Government has deemed such transfer to be permissible under clause (b) of sub-section (1) and where such transfer in the opinion of the Central Government does not prejudicially affect the security and strategic interest of the State.

Any transfer under clause (a) of sub-section (2) shall be notified to the Authority within such period as may be specified by regulations.

The Authority shall, for the purposes of encouraging innovation in artificial intelligence, machine-learning or any other emerging technology in public interest, create a Sandbox.

Any data fiduciary whose privacy by design policy is certified by the Authority under sub-section (3) of section 22 shall be eligible to apply, in such manner as may be specified by regulations, for inclusion in the Sandbox created under sub-section (1).

Any data fiduciary applying for inclusion in the Sandbox under sub-section (2) shall furnish the following information, namely:—

• the term for which it seeks to utilise the benefits of Sandbox, provided that such term shall not exceed twelve months;

• the innovative use of technology and its beneficial uses;
• the data principals or categories of data principals participating under the proposed processing; and
• any other information as may be specified by regulations.

The Authority shall, while including any data fiduciary in the Sandbox, specify—

• the term of the inclusion in the Sandbox, which may be renewed not more than twice, subject to a total period of thirty-six months;

• the safeguards including terms and conditions in view of the obligation sunder clause (c) including the requirement of consent of data principals participating under any licensed activity, compensation to such data principals and penalties in relation to such safeguards; and

• that the following obligations shall not apply or apply with modified form tosuch data fiduciary, namely:—

  1. the obligation to specify clear and specific purposes under sections 4 and 5;
  2. limitation on collection of personal data under section 6; and
  3. any other obligation to the extent, it is directly depending on the obligations under sections 5 and 6; and
  4. the restriction on retention of personal data under section 9.

Where the data fiduciary contravenes any of the following provisions,—

• obligation to take prompt and appropriate action in response to a data security breach under section 25;

• failure to register with the Authority under sub-section (2) of section 26,
• obligation to undertake a data protection impact assessment by a significant data fiduciary under section 27;
• obligation to conduct a data audit by a significant data fiduciary under section 29;
• appointment of a data protection officer by a significant data fiduciary under section 30,

it shall be liable to a penalty which may extend to five crore rupees or two per cent. of its total worldwide turnover of the preceding financial year, whichever is higher;

Where a data fiduciary contravenes any of the following provisions,—

• processing of personal data in violation of the provisions of Chapter II or Chapter III;

• processing of personal data of children in violation of the provisions of Chapter IV;
• failure to adhere to security safeguards as per section 24; or
• transfer of personal data outside India in violation of the provisions of Chapter VII,

it shall be liable to a penalty which may extend to fifteen crore rupees or four per cent. of its total worldwide turnover of the preceding financial year, whichever is higher.

For the purposes of this section,—

• the expression "total worldwide turnover" means the gross amount of revenue recognised in the profit and loss account or any other equivalent statement,as applicable, from the sale, supply or distribution of goods or services or on account of services rendered, or both, and where such revenue is generated within India and outside India.

• it is hereby clarified that total worldwide turnover in relation to a data fiduciary is the total worldwide turnover of the data fiduciary and the total worldwide turnover of any group entity of the data fiduciary where such turnover of a group entity arises as a result of the processing activities of the data fiduciary, having regard to factors,including—

  1. the alignment of the overall economic interests of the data fiduciary and the group entity;
  2. the relationship between the data fiduciary and the group entity specifically in relation to the processing activity undertaken by the data fiduciary;and
  3. the degree of control exercised by the group entity over the data fiduciary or vice versa, as the case may be.
• where of any provisions referred to in this section has been contravened by the State, the maximum penalty shall not exceed five crore rupees under sub-section (1), and fifteen crore rupees under sub-section (2), respectively

Where an offence under this Act has been committed by a company, every person who, at the time the offence was committed was in charge of, and was responsible to,the company for the conduct of the business of the company, as well as the company, shall be deemed to be guilty of the offence and shall be liable to be proceeded against and punished accordingly.

Nothing contained in sub-section (1) shall render any such person liable to any punishment provided in this Act, if he proves that the offence was committed without his knowledge or that he had exercised all due diligence to prevent the commission of such offence.

Notwithstanding anything contained in sub-section (1), where an offence under this Act has been committed by a company and it is proved that the offence has been committed with the consent or connivance of, or is attributable to any neglect on the part of, any director, manager, secretary or other officer of the company, such director, manager,secretary or other officer shall also be deemed to be guilty of the offence and shall be liable to be proceeded against and punished accordingly.
Explanation.—For the purpose of this section—

• "company" means any body corporate, and includes—

  1. a firm; and
  2. an association of persons or a body of individuals whether incorporated or not.

• "director" in relation to—

  1. a firm, means a partner in the firm;
  2. an association of persons or a body of individuals, means any member controlling affairs thereof.