The Data Protection Bill 2021

Section

CHAPTER V
RIGHTS OF DATA PRINCIPAL

17 Right to confirmation and access.

(1) The data principal shall have the right to obtain from the data fiduciary—
 

(a) the confirmation whether the data fiduciary is processing or has processed personal data of the data principal;
(b) the personal data of the data principal being processed or that has been processed by the data fiduciary, or any summary thereof; and
(c) a brief summary of processing activities undertaken by the data fiduciary with respect to the personal data of the data principal, including any information provided in the notice under section 7 in relation to such processing.
 

(2) The data fiduciary shall provide the information under sub-section (1) to the data principal in a clear and concise manner that is easily comprehensible to (***) a reasonable individual in a similar context.
(3) The data principal shall have the right to access in one place the identities of the data fiduciaries with whom his personal data has been shared by any data fiduciary together with the categories of personal data shared with them, in such manner as may be specified by regulations.
(4) The data principal shall have the following options, namely:-
 

(a) to nominate a legal heir or a legal representative as his nominee;
(b) to exercise the right to be forgotten; and
(c) to append the terms of agreement, with regard to processing of personal data in the event of the death of such data principal.
 

18 Right to correction and erasure.

(1) The data principal shall, where necessary, having regard to the purposes for which personal data is being processed, subject to such conditions and in such manner as may be specified by regulations, have the right to—
 

(a) the correction of inaccurate or misleading personal data;
(b) the completion of incomplete personal data;
(c) the (***) updation of personal data that is out-of-date; and
(d) the erasure of personal data which is no longer necessary for the purpose for which it was processed.
 

(2) Where the data fiduciary receives a request under sub-section (1), and the data fiduciary does not agree with such correction, completion, updation or erasure having regard to the purposes of processing, such data fiduciary shall provide the data principal with adequate justification in writing for rejecting the application.
(3) Where the data principal is not satisfied with the justification provided by the data fiduciary under sub-section (2), the data principal may require that the data fiduciary take reasonable steps to indicate, alongside the relevant personal data, that the same is disputed by the data principal.
(4) Where the data fiduciary corrects, completes, updates or erases any personal data in accordance with the provisions contained in sub-section (1), such data fiduciary shall also take, necessary and practicable, steps to notify all relevant entities or individuals to whom such personal data may have been disclosed regarding the relevant correction, completion, updation or erasure, (***) having regard to the impact (***) such action may have (***) on the rights and interests of the data principal or on decisions made regarding them.

19 Right to data portability.

(1) Where the processing has been carried out through automated means, the data principal shall have the right to—

(a) receive the following personal data in a structured, commonly used and machine-readable format—
 

(i) the personal data provided to the data fiduciary;
(ii) the data which has been generated in the course of provision of services or use of goods by the data fiduciary; or
(iii) the data which forms part of any profile on the data principal, or which the data fiduciary has otherwise obtained; and
 

(b) (***) transfer the personal data referred to in clause (a) (***) to any other data fiduciary in the format referred to in that clause.
(2) The provisions of sub-section (1) shall not apply where—
 

(a) processing is necessary for functions of the State or in compliance of law or any judgement or order of a court, tribunal or quasi-judicial authority under section 12;
(b) compliance with the request in sub-section (1) would (***) not be technically feasible, as determined by the data fiduciary in such manner as may be specified by regulations.

20 Right to be forgotten.

(1) The data principal shall have the right to restrict or prevent the continuing disclosure or processing of his personal data by a data fiduciary where such disclosure or processing—

(a) has served the purpose for which it was collected or is no longer necessary for the purpose;
(b) was made with the consent of the data principal under section 11 and such consent has since been withdrawn; or
(c) was made contrary to the provisions of this Act or any other law for the time being in force.
 

(2) The rights under sub-section (1) may be enforced only on an order of the Adjudicating Officer made on an application filed by the data principal, in such form and manner as may be prescribed, on any of the grounds specified under clauses (a), (b) or (***) (c) of that sub-section:
Provided that no order shall be made under this sub-section unless it is shown by the data principal that his right or interest in preventing or restricting the continued disclosure or processing of his personal data overrides the right to freedom of speech and expression and the right to information of any other citizen or the right of the data fiduciary to retain, use and process such data in accordance with the provisions of this Act and the rules and regulations made thereunder.
 

(3) The Adjudicating Officer shall, while making an order under sub-section (2), have regard to—
 

(a) the sensitivity of the personal data;
(b) the scale of disclosure or processing and the degree of accessibility sought to be restricted or prevented;
(c) the role of the data principal in public life;
(d) the relevance of the personal data to the public; and
(e) the nature of disclosure or processing and of the activities of the data fiduciary, particularly whether the data fiduciary systematically facilitates access to personal data and whether the activities shall be significantly impeded if disclosures or processing of the relevant nature were to be restricted or prevented.
 

(4) Where any person finds that personal data, the disclosure or processing of which has been restricted or prevented by an order of the Adjudicating Officer under sub-section (2), does not satisfy the conditions referred to in that sub-section any longer, he may apply for the review of that order to the Adjudicating Officer in such manner as may be prescribed, and the Adjudicating Officer shall review his order.
(5) Any person aggrieved by an order made under this section by the Adjudicating Officer may prefer an appeal to the Appellate Tribunal under section 73.
 

21 General conditions for (***) exercise of rights in this Chapter.

(1) The data principal, for exercising any right under this Chapter, except the right under section 20, shall make a request in writing to the data fiduciary either directly or through a Consent Manager with the necessary information as regard to his identity, and the data fiduciary shall acknowledge the receipt of such request within such period as may be specified by regulations.
(2) For complying with the request made under sub-section (1), the data fiduciary may charge such fee as may be specified by regulations:
Provided that no fee shall be required for any request in respect of rights (***) under clause (a) or clause (b) of sub-section (1) of section 17 or section 18.
(3) The data fiduciary shall comply with the request under this Chapter and communicate the same to the data principal, within such period as may be specified by regulations.
(4) Where any request made under this Chapter is refused by the data fiduciary, it shall provide the data principal the reasons in writing for such refusal and shall inform the data principal regarding the right to file a complaint with the Authority against the refusal, within such period and in such manner as may be specified by regulations.
(5) The data fiduciary is not obliged to comply with any request under this Chapter where such compliance shall harm the rights of any other data principal under this Act:
Provided that the data fiduciary shall, subject to such conditions as may be specified by regulations, be obliged to comply with such request made by the data principal.