The Data Protection Bill 2021


CHAPTER VI
TRANSPARENCY AND ACCOUNTABILITY MEASURES

22 Privacy by design policy.


(1) Every data fiduciary shall prepare a privacy by design policy, containing—
 

(a) the managerial, organisational, business practices and technical systems designed to anticipate, identify and avoid harm to the data principal;
(b) the obligations of data fiduciaries;
(c) the technology used in the processing of personal data is in accordance with commercially accepted or certified standards;
(d) the legitimate interests of businesses including any innovation is achieved without compromising privacy interests;
(e) the protection of privacy throughout processing from the point of collection to deletion of personal data;
(f) the processing of personal data in a transparent manner; and
(g) the interest of the data principal is accounted for at every stage of processing of personal data.
 

(2) (***)The data fiduciary may submit its privacy by design policy prepared under sub-section (1) to the Authority for certification within such period and in such manner as may be specified by regulations.
(3) Subject to the provisions contained in sub-section (2), the Authority, or an officer authorised by it, shall certify the privacy by design policy on being satisfied that it complies with the requirements of sub-section (1).
(4) The privacy by design policy certified under sub-section (3) shall be published on the website of the data fiduciary and the Authority.
 

23 Transparency in processing of personal data.

(1) Every data fiduciary shall take necessary steps to maintain transparency in processing personal data and shall make the following information available in such form and manner as may be specified by regulations—

(a) the categories of personal data generally collected and the manner of such collection;
(b) the purposes for which personal data is generally processed;
(c) any categories of personal data processed in exceptional situations or any exceptional purposes of processing that create a risk of significant harm;
(d) the existence of and the procedure for exercise of rights of data principal under Chapter V and any related contact details for the same;
(e) the right of data principal to file complaint against the data fiduciary to the Authority;
(f) where applicable, any rating in the form of a data trust score that may be accorded to the data fiduciary under sub-section (5) of section 29;
(g) where applicable, information regarding cross-border transfers of personal data that the data fiduciary generally carries out; (***)
(h) where applicable, fairness of algorithm or method used for processing of personal data; and
(i) any other information as may be specified by regulations.
 

(2) The data fiduciary shall notify, from time to time, the important operations in the processing of personal data related to the data principal in such manner as may be specified by regulations.
(3) The data principal may give or withdraw his consent to the data fiduciary through a Consent Manager.
(4) Where the data principal gives or withdraws consent to the data fiduciary through a Consent Manager, such consent or its withdrawal shall be deemed to have been communicated directly by the data principal.
(5) The Consent Manager under sub-section (3), shall be registered with the Authority in such manner and subject to such technical, operational, financial and other conditions as may be specified by regulations.
Explanation.-(***)

24 Security safeguards.

(1) Every data fiduciary and the data processor shall, having regard to the nature, scope and purpose of processing personal data, the risks associated with such processing, and the likelihood and severity of the harm that may result from such processing, implement necessary security safeguards, including—
 

(a) use of methods such as de-identification and encryption;
(b) steps necessary to protect the integrity of personal data; and
(c) steps necessary to prevent misuse, unauthorised access to, modification, disclosure or destruction of personal data.
 

(2) Every data fiduciary and data processor shall undertake a review of its security safeguards periodically in such manner as may be specified by regulations and take appropriate measures accordingly.

25 Reporting of (***) data breach.

(1) Every data fiduciary shall by notice,(***) report to the Authority about the breach of any personal data processed by (***) such data fiduciary.(***)
(2) The notice referred to in sub-section (1) shall be in such form as may be specified by regulations and include the following particulars, namely:—
(a) nature of personal data which is the subject matter of the breach;
(b) number of data principals affected by (***) such breach;
(c) possible consequences of (***) such breach; and
(d) the remedial actions being taken by the data fiduciary (***) for such breach.
(3) The notice referred to in sub-section (1) shall be (***) issued by the data fiduciary within seventy-two hours of becoming aware of such breach.(***)
(4) Where it is not possible to provide all the information (***) provided in sub-section (2) at the same time, the data fiduciary shall provide such information to the Authority in phases without any undue delay.
(5) (***)
(5)The Authority (***)shall, after taking into account the personal data breach and the severity of harm that may be caused to the data principal, direct the data fiduciary to report such breach to the data principal and take appropriate remedial actions(***) to mitigate such harm and to conspicuously post the details of the personal data breach on its website.
Provided that the Authority may direct the data fiduciary to adopt any urgent measures to remedy such breach or mitigate any harm caused to the data principal.
(7) (***)
(6) The Authority shall, in case of breach of non-personal data, take such necessary steps as may be prescribed.

26 Classification of data fiduciaries as significant data fiduciaries.

(1) The Authority shall, having regard to any of the following factors, notify any data fiduciary or class of data fiduciary as significant data fiduciary, namely:—

(a) volume of personal data processed;
(b) sensitivity of personal data processed;
(c) turnover of the data fiduciary;
(d) risk of harm by processing by the data fiduciary;
(e) use of new technologies for processing; (***)
(f) any social media platform—
 

(i) with users above such threshold as may be prescribed, in consultation with the Authority; and
(ii) whose actions have or are likely to have a significant impact on the sovereignty and integrity of India, electoral democracy, security of the State or public order:
Provided that different thresholds may be prescribed for different classes of social media platforms;
 

(g) the processing of data relating to children or provision of services to them; or
(h) any other factor causing harm from such processing.
 

(2) The data fiduciary or class of data fiduciary referred to in sub-section (1) shall register itself with the Authority in such manner as may be specified by regulations.
(3) Notwithstanding anything contained in this Act, if the Authority is (***) satisfied that any processing by any data fiduciary or class of data fiduciaries carries a risk of significant harm to any data principal, it may, by notification, apply all or any of the obligations (***)provided in sections 27 to 30 to such data fiduciary or class of data fiduciaries, as if it is a significant data fiduciary.
(4) (***)
(4) Subject to the provisions contained in section 56, the significant data fiduciary shall be regulated by such regulations as may be made by the respective sectoral regulators.

27 Data protection impact assessment.

(1) Where (***) a significant data fiduciary intends to undertake any processing involving new technologies or large scale profiling or use of sensitive personal data such as genetic data or biometric data, or any other processing which carries a risk of significant harm to data principals, such processing shall not be commenced unless the data fiduciary has undertaken a data protection impact assessment in accordance with the provisions of this section.
(2) The Authority may by regulations specify, such circumstances or class of data fiduciaries or processing operation where such data protection impact assessment shall be mandatory, and also specify the instances where a data auditor under this Act shall be engaged by the data fiduciary to undertake a data protection impact assessment.
(3) A data protection impact assessment shall, inter alia, contain—
(a) detailed description of the proposed processing operation, the purpose of processing and the nature of personal data being processed;
(b) assessment of the potential harm that may be caused to the data principals whose personal data is proposed to be processed; and
(c) measures for managing, minimising, mitigating or removing such risk of harm.
(4) Upon completion of the data protection impact assessment, the data protection officer appointed under sub-section (1) of section 30, shall review the assessment and submit the assessment with his finding to the Authority in such manner as may be specified by regulations.
(5) On receipt of the assessment and its review, if the Authority has (***) satisfied itself that the processing is likely to cause harm to the data principals, (***) it may direct the data fiduciary to cease such processing or direct that such processing shall be subject to such conditions as (***) may be specified by regulations.

28 Maintenance of records.

(1) The significant data fiduciary shall maintain accurate and up-to-date records of the following, in such form and manner as may be specified by regulations, namely:—
 


(a) important operations in the data life-cycle including collection, transfers, and erasure of personal data to demonstrate compliance as required under section 10;
(b) periodic review of security safeguards under section 24;
(c) data protection impact assessments under section 27; and
(d) any other aspect of processing as may be specified by regulations.
 

(2) Notwithstanding anything contained in this Act, this section shall also apply to the State.
(3) Every social media (***) platform which is notified as a significant data fiduciary under sub-section (***) (1) of section 26 shall enable the (***) persons who register their service from India, or use their services in India, to voluntarily verify their accounts in such manner as may be prescribed.
(4) Any (***) person who voluntarily verifies his account on a social media platform referred to in sub-section (3) shall be provided with such demonstrable and visible mark of verification, which shall be visible to all users of the service, in such manner as may be prescribed.

29 Audit of policies and conduct of processing, etc.

(1) The significant data fiduciary shall have its policies and the conduct of its processing of personal data audited annually by an independent data auditor under this Act.

(2) The data auditor shall evaluate the compliance of the data fiduciary with the provisions of this Act, including—
 

(a) clarity and effectiveness of notices under section 7;
(b) effectiveness of measures adopted under section 22;
(c) transparency in relation to processing activities under section 23;
(d) security safeguards adopted pursuant to section 24;
(e) instances of personal data breach and response of the data fiduciary, including the promptness of notice to the Authority under section 25;
(f) timely implementation of processes and effective adherence to obligations under sub-section (3) of section 28; and
(g) any other matter as may be specified by regulations.
 

(3) The Authority shall specify, by regulations, the form and procedure for conducting audits under this section and shall encourage the practice of appropriate concurrent audits.
(4) The Authority shall register in such manner the persons, with expertise in the area of information technology, computer systems, data science, data protection or privacy, possessing such qualifications, experience and eligibility having regard to factors such as independence, integrity and ability, as (***) may be (***) prescribed, as data auditors (***).
(5) A data auditor may assign a rating in the form of a data trust score to the data fiduciary pursuant to a data audit conducted under this section.
(6) The Authority shall, by regulations, specify the criteria for assigning a rating in the form of a data trust score having regard to the factors mentioned in sub-section (2).
(7) Notwithstanding anything contained in sub-section (1), where the Authority is (***) satisfied that the data fiduciary is processing personal data in such manner that is likely to cause harm to a data principal, the Authority may direct (***) such data fiduciary to conduct an audit and shall appoint a data auditor for that purpose.

30 Data protection officer.

(1) Every significant data fiduciary shall appoint a data protection officer who shall be a senior level officer in the State or a key managerial personnel in relation to a company or such other employee of equivalent capacity in case of other entities, as the case may be, possessing such qualifications and experience as may be (***) prescribed (***) for carrying out the following functions, namely:—
 

(a) providing information and advice to the data fiduciary on matters relating to fulfilling its obligations under this Act;
(b) monitoring personal data processing activities of the data fiduciary to ensure that such processing does not violate the provisions of this Act;
(c) (***)providing assistance to and co-operating with the Authority on matters of compliance of the data fiduciary with the provisions under this Act;
(d) providing advice to the data fiduciary on the development of internal mechanisms to satisfy the principles specified under section 22;
(e) (***)providing advice to the data fiduciary on carrying out the data protection impact assessments, and carry out its review under sub-section (4) of section 27;
(f) (***) maintaining an inventory of records to be maintained by the data fiduciary under section 28; and
(g) (***) act as the point of contact for the data principal for the purpose of grievance (***) redressal under section 32.
 

Explanation.- For the purposes of this sub-section, the expression “key managerial personnel” means—
 

(i) the Chief Executive Officer or the managing director or the manager;
(ii) the company secretary;
(iii) the whole-time director;
(iv) the Chief Financial Officer; or
(v) such other personnel as may be prescribed.
 

(2) Nothing contained in sub-section (1) shall prevent the data fiduciary from assigning any other function to the data protection officer, which it may consider necessary.
(3) The data protection officer appointed under sub-section (1) shall be based in India and shall represent the data fiduciary under this Act.

31 Processing by entities other than data fiduciaries.

(1) The data fiduciary shall not engage, appoint, use or involve a data processor to process personal data on its behalf without a contract entered into by the data fiduciary and such data processor.

(2) The data processor referred to in sub-section (1) shall not engage, appoint, use, or involve another data processor in the processing on its behalf, except with the authorisation of the data fiduciary and unless permitted in the contract referred to in sub-section (1).
(3) The data processor, and any employee of the data fiduciary or the data processor, shall only process personal data in accordance with the instructions of the data fiduciary and treat it as confidential.

32 Grievance redressal by data fiduciary.

(1) Every data fiduciary shall have in place the procedure and effective mechanisms to redress the grievances of data principals efficiently and in a speedy manner.

(2) A data principal may make a complaint of contravention of any of the provisions of this Act or the rules or regulations made thereunder, which has caused or is likely to cause harm to such data principal, to—
(a) the data protection officer, in case of a significant data fiduciary; or
(b) an officer designated for this purpose, in case of any other data fiduciary.
(3) A complaint made under sub-section (2) shall be resolved by the data fiduciary in an expeditious manner and not later than thirty days from the date of receipt of the complaint by such data fiduciary.
(4) Where a complaint is not resolved within the period specified under sub-section (3), or where the data principal is not satisfied with the manner in which the complaint is resolved, or the data fiduciary has rejected the complaint, the data principal may file a complaint to the Authority (***) under section 62.