The Data Protection Bill 2021

Section

CHAPTER III
GROUNDS FOR PROCESSING OF PERSONAL DATA
WITHOUT CONSENT

12 Grounds for processing of personal data without consent in certain cases.


Notwithstanding anything contained in section 11, the personal data may be processed if such processing is necessary,—

(a) for the performance of any function of the State authorised by law, including for—
 

(i) the provision of any service or benefit to the data principal from the State; or
(ii) the issuance of any certification, licence or permit for any action or activity of the data principal by the State;
 

(b) under any law for the time being in force made by Parliament or any State Legislature; (***)
(c) for compliance with any (***) judgement or order of any court, quasi-judicial authority or Tribunal in India;
(d) to respond to any medical emergency involving a threat to the life or a severe threat to the health of the data principal or any other individual;
(e) to undertake any measure to provide medical treatment or health services to any individual during an
epidemic, outbreak of disease or any other threat to public health; or
(f) to undertake any measure to ensure safety of, or provide assistance or services to, any individual during any disaster or any breakdown of public order.

13 Processing of personal data necessary for purposes related to employment, etc.

(1)Notwithstanding anything contained in section 11 and subject to the provisions contained in sub-section (2), any personal data, not being any sensitive personal data, may be processed, if such processing is necessary or can reasonably be expected by the data principal for—

(a) recruitment or termination of employment of a data principal by the data fiduciary;
(b) provision of any service to, or benefit sought by, the data principal who is an employee of the data fiduciary;
(c) verifying the attendance of the data principal who is an employee of the data fiduciary; or
(d) any other activity relating to the assessment of the performance of the data principal who is an employee of the data fiduciary.
 

(2) Any personal data, not being sensitive personal data, may be processed under sub-section (1), where the consent of the data principal is not appropriate having regard to the employment relationship between the data fiduciary and the data principal, or would involve a disproportionate effort on the part of the data fiduciary due to the nature of the processing under the said sub-section.

14 Processing of personal data for other reasonable purposes.

(1) (***) Notwithstanding anything contained in section 11, the personal data may be processed (***), if such processing is necessary for (***) reasonable purposes as may be specified by regulations, after taking into consideration—

(a) the legitimate interest of the data fiduciary in processing for that purpose;
(b)whether the data fiduciary can reasonably be expected, and it is practicable to obtain the consent of the data principal;
(c) any public interest in processing for that purpose;
(d) the degree of any adverse effect of the processing activity on the rights of the data principal; and
(e) the reasonable expectations of the data principal having regard to the context of the processing.
(2) For the purpose of sub-section (1), the expression “reasonable purposes” may include—
(a) prevention and detection of any unlawful activity including fraud;
(b) whistle blowing;
(c) mergers (***), acquisitions, any other similar combinations or corporate restructuring transactions in accordance with the provisions of applicable laws;
(d) network and information security;
(e) credit scoring;
(f) recovery of debt;
(g) processing of publicly available personal data; and
(h) the operation of search engines.
(3) Where the Authority specifies a reasonable purpose under sub-section (1), it shall—
(a) lay down, by regulations, such safeguards as may be appropriate to ensure the protection of the rights of data principals; and
(b) determine where the provision of notice under section 7shallapply or not apply having regard to the fact whether such provision shall (***) prejudice the relevant reasonable purpose.

15 Categorisation of Personal Data as Sensitive Personal data

(1) The Central Government shall, in consultation with the Authority and the sectoral regulator concerned, notify such categories of personal data as "Sensitive personal data", having regard to—

  (a) the risk of significant harm that may be caused to the data principal by (***) processing of such category of personal data;
  (b)the expectation of confidentiality attached to such category of personal data;
  (c) whether a significantly discernible class of data principals may suffer significant harm from the processing of such category of     personal data; and
   (d) the adequacy of protection afforded by ordinary provisions applicable to the personal data.

(2) The Authority may specify, by regulations, the additional safeguards or restrictions for the purposes of repeated, continuous or systematic collection of sensitive personal data for profiling of such personal data.