The Data Protection Bill 2021
RIGHTS OF DATA PRINCIPAL
||Right to confirmation and access.
(1) The data principal shall have the right to obtain from the
(a) the confirmation whether the data fiduciary is processing
or has processed personal data of the data principal;
(b) the personal data of the data principal being processed or
that has been processed by the data fiduciary, or any summary
(c) a brief summary of processing activities undertaken by the
data fiduciary with respect to the personal data of the data
principal, including any information provided in the notice
under section 7 in relation to such processing.
(2) The data fiduciary shall provide the information under
sub-section (1) to the data principal in a clear and concise manner
that is easily comprehensible to (***) a reasonable individual in a
(3) The data principal shall have the right to access in one place
the identities of the data fiduciaries with whom his personal data
has been shared by any data fiduciary together with the categories
of personal data shared with them, in such manner as may be
specified by regulations.
(4) The data principal shall have the following options, namely:-
(a) to nominate a legal heir or a legal representative as his
(b) to exercise the right to be forgotten; and
(c) to append the terms of agreement, with regard to processing
of personal data in the event of the death of such data
||Right to correction and erasure.
(1) The data principal shall, where necessary, having regard to
the purposes for which personal data is being processed, subject to
such conditions and in such manner as may be specified by
regulations, have the right to—
(a) the correction of inaccurate or misleading personal data;
(b) the completion of incomplete personal data;
(c) the(***)updationof personal data that is out-of-date; and
(d) the erasure of personal data which is no longer necessary
for the purpose for which it was processed.
(2) Where the data fiduciary receives a request under sub-section
(1), and the data fiduciary does not agree with such correction,
completion, updation or erasure having regard to the purposes of
processing, such data fiduciary shall provide the data principal
with adequate justification in writing for rejecting the
(3) Where the data principal is not satisfied with the justification
provided by the data fiduciary under sub-section (2), the data
principal may require that the data fiduciary take reasonable steps
to indicate, alongside the relevant personal data, that the same is
disputed by the data principal.
(4) Where the data fiduciary corrects, completes, updates or erases
any personal data in accordance with the provisions contained in
sub-section (1), such data fiduciary shall also take, necessary and
practicable, steps to notify all relevant entities or individuals to
whom such personal data may have been disclosed regarding the
relevant correction, completion, updation or erasure, (***)having
regard to the impact(***)such action may have (***) on the rights
and interests of the data principal or on decisions made regarding
||Right to data portability.
(1) Where the processing has been carried out through automated
means, the data principal shall have the right to—
(a) receive the following personal data in a structured, commonly
used and machine-readable format—
(i) the personal data provided to the data fiduciary;
(ii) the data which has been generated in the course of
provision of services or use of goods by the data fiduciary; or
(iii) the data which forms part of any profile on the data
principal, or which the data fiduciary has otherwise obtained;
(b) (***) transfer the personal data referred to in clause (a)
(***) to any other data fiduciary in the format referred to in that
(2) The provisions of sub-section (1) shall not apply where—
(a) processing is necessary for functions of the State or in
compliance of law or any judgement or order of a court, tribunal
or quasi-judicial authority under section 12;
(b) compliance with the request in sub-section (1) would (***)
not be technically feasible,as determined by the data fiduciary
in such manner as may be specified by regulations.
||Right to be forgotten.
(1) The data principal shall have the right to restrict or
prevent the continuing disclosure or processing of his personal
data by a data fiduciary where such disclosure or processing—
(a) has served the purpose for which it was collected or is no
longer necessary for the purpose;
(b) was made with the consent of the data principal under
section 11 and such consent has since been withdrawn; or
(c) was made contrary to the provisions of this Act or any other
law for the time being in force.
(2) The rights under sub-section (1) may be enforced only on an
order of the Adjudicating Officer made on an application filed by
the data principal, in such form and manner as may be prescribed, on
any of the grounds specified under clauses (a), (b) or (***)(c) of
Provided that no order shall be made under this sub-section unless
it is shown by the data principal that his right or interest in
preventing or restricting the continued disclosure or processing of
his personal data overrides the right to freedom of speech and
expression and the right to information of any other citizen or the
right of the data fiduciary to retain, use and process such data in
accordance with the provisions of this Act and the rules and
regulations made thereunder.
(3) The Adjudicating Officer shall, while making an order under
sub-section (2), have regard to—
(a) the sensitivity of the personal data;
(b) the scale of disclosure or processing and the degree of
accessibility sought to be restricted or prevented;
(c) the role of the data principal in public life;
(d) the relevance of the personal data to the public; and
(e) the nature of disclosure or processing and of the activities
of the data fiduciary, particularly whether the data fiduciary
systematically facilitates access to personal data and whether
the activities shall be significantly impeded if disclosures or
processing of the relevant nature were to be restricted or
(4) Where any person finds that personal data, the disclosure or
processing of which has been restricted or prevented by an order of
the Adjudicating Officer under sub-section (2), does not satisfy the
conditions referred to in that sub-section any longer, he may apply
for the review of that order to the Adjudicating Officer in such
manner as may be prescribed, and the Adjudicating Officer shall
review his order.
(5) Any person aggrieved by an order made under this section by the
Adjudicating Officer may prefer an appeal to the Appellate Tribunal
under section 73.
||General conditions for (***) exercise of rights in this Chapter.
(1) The data principal, for exercising any right under this
Chapter, except the right under section 20, shall make a request in
writing to the data fiduciary either directly or through a Consent
Manager with the necessary information as regard to his identity,
and the data fiduciary shall acknowledge the receipt of such request
within such period as may be specified by regulations.
(2) For complying with the request made under sub-section (1), the
data fiduciary may charge such fee as may be specified by
Provided that no fee shall be required for any request in respect of
rights (***) under clause (a) or clause (b) of sub-section (1) of
section 17 or section 18.
(3) The data fiduciary shall comply with the request under this
Chapter and communicate the same to the data principal, within such
period as may be specified by regulations.
(4) Where any request made under this Chapter is refused by the data
fiduciary, it shall provide the data principal the reasons in
writing for such refusal and shall inform the data principal
regarding the right to file a complaint with the Authority against
the refusal, within such period and in such manner as may be
specified by regulations.
(5) The data fiduciary is not obliged to comply with any request
under this Chapter where such compliance shall harm the rights of
any other data principal under this Act:
Provided that the data fiduciary shall, subject to such conditions
as may be specified by regulations, be obliged to comply with such
request made by the data principal.