The Data Protection Bill 2021
TRANSPARENCY AND ACCOUNTABILITY MEASURES
Privacy by design policy.
(1) Every data fiduciary shall prepare a privacy by design policy,
(a) the managerial, organisational, business practices and
technical systems designed to anticipate, identify and avoid
harm to the data principal;
(b) the obligations of data fiduciaries;
(c) the technology used in the processing of personal data is in
accordance with commercially accepted or certified standards;
(d) the legitimate interests of businesses including any
innovation is achieved without compromising privacy interests;
(e) the protection of privacy throughout processing from the
point of collection to deletion of personal data;
(f) the processing of personal data in a transparent manner; and
(g) the interest of the data principal is accounted for at every
stage of processing of personal data.
(2) (***) The data fiduciary may submit its privacy by design
policy prepared under sub-section (1) to the Authority for
certification within such period and in such manner as may be
specified by regulations.
(3) Subject to the provisions contained in sub-section (2), the
Authority, or an officer authorised by it, shall certify the privacy
by design policy on being satisfied that it complies with the
requirements of sub-section (1).
(4) The privacy by design policy certified under sub-section (3)
shall be published on the website of the data fiduciary and the
Transparency in processing of personal data.
(1) Every data fiduciary shall take necessary steps to maintain
transparency in processing personal data and shall make the
following information available in such form and manner as may be
specified by regulations—
(a) the categories of personal data generally collected and
the manner of such collection;
(b) the purposes for which personal data is generally processed;
(c) any categories of personal data processed in exceptional
situations or any exceptional purposes of processing that create
a risk of significant harm;
(d) the existence of and the procedure for exercise of rights of
data principal under Chapter V and any related contact details
for the same;
(e) the right of data principal to file complaint against the
data fiduciary to the Authority;
(f) where applicable, any rating in the form of a data trust
score that may be accorded to the data fiduciary under
sub-section (5) of section 29;
(g) where applicable, information regarding cross-border
transfers of personal data that the data fiduciary generally
carries out; (***)
(h) where applicable, fairness of algorithm or method used for
processing of personal data; and
(i) any other information as may be specified by regulations.
(2) The data fiduciary shall notify, from time to time, the
important operations in the processing of personal data related to
the data principal in such manner as may be specified by
(3) The data principal may give or withdraw his consent to the data
fiduciary through a Consent Manager.
(4) Where the data principal gives or withdraws consent to the data
fiduciary through a Consent Manager, such consent or its withdrawal
shall be deemed to have been communicated directly by the data
(5) The Consent Manager under sub-section (3), shall be registered
with the Authority in such manner and subject to such technical,
operational, financial and other conditions as may be specified by
(1) Every data fiduciary and the data processor shall, having
regard to the nature, scope and purpose of processing personal data,
the risks associated with such processing, and the likelihood and
severity of the harm that may result from such processing, implement
necessary security safeguards, including—
(a) use of methods such as de-identification and encryption;
(b) steps necessary to protect the integrity of personal data;
(c) steps necessary to prevent misuse, unauthorised access to,
modification, disclosure or destruction of personal data.
(2) Every data fiduciary and data processor shall undertake a
review of its security safeguards periodically in such manner as may
be specified by regulations and take appropriate measures
Reporting of (***) data breach.
(1) Every data fiduciary shall by notice, (***) report to the
Authority about the breach of any personal data processed by (***)
such data fiduciary. (***)
(2) The notice referred to in sub-section (1) shall be in such form
as may be specified by regulations and include the following
(a) nature of personal data which is the subject matter of the
(b) number of data principals affected by (***) such breach;
(c) possible consequences of (***) such breach; and
(d) the remedial actions being taken by the data fiduciary (***) for
(3) The notice referred to in sub-section (1) shall be (***) issued
by the data fiduciary within seventy-two hours of becoming aware of
(4) Where it is not possible to provide all the information (***)
provided in sub-section (2) at the same time, the data fiduciary
shall provide such information to the Authority in phases without
any undue delay.
(5) The Authority (***) shall, after taking into account the personal
data breach and the severity of harm that may be caused to the data
principal, direct the data fiduciary to report such breach to the
data principal and take appropriate remedial actions (***) to
mitigate such harm and to conspicuously post the details of the
personal data breach on its website.
Provided that the Authority may direct the data fiduciary to adopt
any urgent measures to remedy such breach or mitigate any harm
caused to the data principal.
(6) The Authority shall, in case of breach of non-personal data,
take such necessary steps as may be prescribed.
Classification of data fiduciaries as significant data
(1) The Authority shall, having regard to any of the
following factors, notify any data fiduciary or class of data
fiduciary as significant data fiduciary, namely:—
(a) volume of personal data processed;
(b) sensitivity of personal data processed;
(c) turnover of the data fiduciary;
(d) risk of harm by processing by the data fiduciary;
(e) use of new technologies for processing; (***)
(f) any social media platform-
(i) with users above such threshold as may be prescribed, in
consultation with the Authority; and
(ii) whose actions have or are likely to have a significant
impact on the sovereignty and integrity of India, electoral
democracy, security of the State or public order:
Provided that different thresholds may be prescribed for
different classes of social media platforms;
(g) the processing of data relating to children or provision of
services to them; or
(h) any other factor causing harm from such processing.
(2) The data fiduciary or class of data fiduciary referred to in
sub-section (1) shall register itself with the Authority in such
manner as may be specified by regulations.
(3) Notwithstanding anything contained in this Act, if the Authority
is (***) satisfied that any processing by any data fiduciary or
class of data fiduciaries carries a risk of significant harm to any
data principal, it may, by notification, apply all or any of the
obligations (***) provided in sections 27 to 30 to such data
fiduciary or class of data fiduciaries, as if it is a significant
(4) Subject to the provisions contained in section 56, the
significant data fiduciary shall be regulated by such regulations as
may be made by the respective sectoral regulators.
Data protection impact assessment.
(1) Where (***) a significant data fiduciary intends to undertake
any processing involving new technologies or large scale profiling
or use of sensitive personal data such as genetic data or biometric
data, or any other processing which carries a risk of significant
harm to data principals, such processing shall not be commenced
unless the data fiduciary has undertaken a data protection impact
assessment in accordance with the provisions of this section.
(2) The Authority may by regulations specify, such circumstances or
class of data fiduciaries or processing operation where such data
protection impact assessment shall be mandatory, and also specify
the instances where a data auditor under this Act shall be engaged
by the data fiduciary to undertake a data protection impact
(3) A data protection impact assessment shall, inter alia, contain—
(a) detailed description of the proposed processing operation, the
purpose of processing and the nature of personal data being
(b) assessment of the potential harm that may be caused to the data
principals whose personal data is proposed to be processed; and
(c) measures for managing, minimising, mitigating or removing such
risk of harm.
(4) Upon completion of the data protection impact assessment, the
data protection officer appointed under sub-section (1) of section
30, shall review the assessment and submit the assessment with his
finding to the Authority in such manner as may be specified by
(5) On receipt of the assessment and its review, if the Authority
has (***) satisfied itself that the processing is likely to cause
harm to the data principals, (***) it may direct the data fiduciary
to cease such processing or direct that such processing shall be
subject to such conditions as (***) may be specified by regulations.
Maintenance of records.
(1) The significant data fiduciary shall maintain accurate and
up-to-date records of the following, in such form and manner as may
be specified by regulations, namely:—
(a) important operations in the data life-cycle including
collection, transfers, and erasure of personal data to
demonstrate compliance as required under section 10;
(b) periodic review of security safeguards under section 24;
(c) data protection impact assessments under section 27; and
(d) any other aspect of processing as may be specified by
(2) Notwithstanding anything contained in this Act, this section
shall also apply to the State.
(3) Every social media (***) platform which is notified as a
significant data fiduciary under sub-section (***) (1) of section 26
shall enable the (***) persons who register their service from
India, or use their services in India, to voluntarily verify their
accounts in such manner as may be prescribed.
(4) Any (***) person who voluntarily verifies his account on a social
media platform referred to in sub-section (3) shall be provided with
such demonstrable and visible mark of verification, which shall be
visible to all users of the service, in such manner as may be
Audit of policies and conduct of processing, etc.
(1) The significant data fiduciary shall have its policies and
the conduct of its processing of personal data audited annually by
an independent data auditor under this Act.
(2) The data auditor shall evaluate the compliance of the data
fiduciary with the provisions of this Act, including—
(a) clarity and effectiveness of notices under section 7;
(b) effectiveness of measures adopted under section 22;
(c) transparency in relation to processing activities under
(d) security safeguards adopted pursuant to section 24;
(e) instances of personal data breach and response of the data
fiduciary, including the promptness of notice to the Authority
under section 25;
(f) timely implementation of processes and effective adherence
to obligations under sub-section (3) of section 28; and
(g) any other matter as may be specified by regulations.
(3) The Authority shall specify, by regulations, the form and
procedure for conducting audits under this section and shall
encourage the practice of appropriate concurrent audits.
(4) The Authority shall register in such manner the persons, with
expertise in the area of information technology, computer systems,
data science, data protection or privacy, possessing such
qualifications, experience and eligibility having regard to factors
such as independence, integrity and ability, as (***) may be (***)
prescribed, as data auditors (***).
(5) A data auditor may assign a rating in the form of a data trust
score to the data fiduciary pursuant to a data audit conducted under
(6) The Authority shall, by regulations, specify the criteria for
assigning a rating in the form of a data trust score having regard
to the factors mentioned in sub-section (2).
(7) Notwithstanding anything contained in sub-section (1), where the
Authority is (***) satisfied that the data fiduciary is processing
personal data in such manner that is likely to cause harm to a data
principal, the Authority may direct (***) such data fiduciary to
conduct an audit and shall appoint a data auditor for that purpose.
Data protection officer.
(1) Every significant data fiduciary shall appoint a data
protection officer who shall be a senior level officer in the State
or a key managerial personnel in relation to a company or
such other employee of equivalent capacity in case of other
entities, as the case may be, possessing such qualifications and
experience as may be (***) prescribed (***) for carrying out the
following functions, namely:—
(a) providing information and advice to the data fiduciary on
matters relating to fulfilling its obligations under this Act;
(b) monitoring personal data processing activities of the data
fiduciary to ensure that such processing does not violate the
provisions of this Act;
(c) (***) providing assistance to and co-operating with the
Authority on matters of compliance of the data fiduciary with
the provisions under this Act;
(d) providing advice to the data fiduciary on the development of
internal mechanisms to satisfy the principles specified under
(e) (***) providing advice to the data fiduciary on carrying out
the data protection impact assessments, and carry out its review
under sub-section (4) of section 27;
(f) (***) maintaining an inventory of records to be maintained
by the data fiduciary under section 28; and
(g) (***) act as the point of contact for the data principal for
the purpose of grievance (***) redressal under section 32.
Explanation.- For the purposes of this sub-section, the
expression “key managerial personnel” means—
(i) the Chief Executive Officer or the managing director or
(ii) the company secretary;
(iii) the whole-time director;
(iv) the Chief Financial Officer; or
(v) such other personnel as may be prescribed.
(2) Nothing contained in sub-section (1) shall prevent the data
fiduciary from assigning any other function to the data protection
officer, which it may consider necessary.
(3) The data protection officer appointed under sub-section (1)
shall be based in India and shall represent the data fiduciary under
Processing by entities other than data fiduciaries.
(1) The data fiduciary shall not engage, appoint, use or involve
a data processor to process personal data on its behalf without a
contract entered into by the data fiduciary and such data processor.
(2) The data processor referred to in sub-section (1) shall not
engage, appoint, use, or involve another data processor in the
processing on its behalf, except with the authorisation of the data
fiduciary and unless permitted in the contract referred to in
(3) The data processor, and any employee of the data fiduciary or
the data processor, shall only process personal data in accordance
with the instructions of the data fiduciary and treat it as
Grievance redressal by data fiduciary.
(1) Every data fiduciary shall have in place the procedure and
effective mechanisms to redress the grievances of data principals
efficiently and in a speedy manner.
(2) A data principal may make a complaint of contravention of any of
the provisions of this Act or the rules or regulations made
thereunder, which has caused or is likely to cause harm to such data
(a) the data protection officer, in case of a significant data
(b) an officer designated for this purpose, in case of any other
(3) A complaint made under sub-section (2) shall be resolved by the
data fiduciary in an expeditious manner and not later than thirty
days from the date of receipt of the complaint by such data
(4) Where a complaint is not resolved within the period specified
under sub-section (3), or where the data principal is not satisfied
with the manner in which the complaint is resolved, or the data
fiduciary has rejected the complaint, the data principal may file a
complaint to the Authority (***) under section 62.