The Digital Personal Data Protection Act, (DPDP Act 2023) regulates the use of digital or online personal data as well as the collection, storage, and disposal of such data. The Act applies to all persons or entities engaged in any type of data collection, processing, storage, or transfer that affects the privacy rights of individuals. We have put together a guide to the applicability of the law. Come check it out!
Digital Personal Data Protection Act, 2023: A Guide to the Applicability of the Law
1. The Indian government may exempt startups from notice, accuracy, and
erasure requirements, significant data fiduciaries' obligations, and the
obligation to comply with data principals' access requests. (Section 17(3))
V. Startup Exemptions
The law does not apply to state instrumentalities that the government may
specify for public order, security, and similar purposes. (Section 17(2)(a))
Data erasure and data correction obligations do not apply to state
authorities. (Section 17(4))
III. State Exemptions
by an individual for any personal or domestic purpose;
personal data made publicly available (a) by a data principal or (b)
under a legal obligation;
necessary for research, archiving, or statistical purposes, if the data
is not used to take any decision specific to a data principal, and the
processing complies with government-prescribed standards.
(Sections 3(c) and 17(2)(b))
The law does not apply to processing:
IV. Overall Exemptions
The law applies within India to the processing of personal data collected
either in digital form or in non-digital form but digitised subsequently.
(Section 3(a))
I. Territorial Applicability
Digital Personal Data Protection Act, 2023: A
Guide to the Applicability of the Law
The law applies to the processing of digital personal data outside India if
the processing is in connection with the offering of goods or services to
data principals in India. (Section 3(b))
II. Extraterritorial Applicability
2. VI. Limited
Exemptions
Processing activities for the following purposes are exempt from
most obligations under the law:
Enforcement of any legal right or claim;
Performance of any judicial, regulatory, or supervisory function by any
court or other Indian body;
Prevention or investigation of offences;
Performance of a contract between an Indian entity and a foreign entity,
involving processing of personal data of data principals outside India;
M&A or reconstruction of companies approved by a judicial body; and
Debt enforcement.
(Section 17)
Cross-Border Data Transfers
Cross-border data transfer
requirements under the law will not
apply. However, sectoral laws that
impose higher standards of localisation
and cross-border data transfer
requirements will continue to apply.
Data Fiduciaries' Obligations
The obligation to comply with most
obligations fall away where processing
is undertaken for exempted purposes
set out above. However, the obligation
to implement security safeguards would
continue to apply, as would the
obligation to remain liable for acts of
data processors.
Data fiduciaries that undertake
processing for the exempted purposes
set out above are not required to give
effect to data principals' rights.
Provisions relating to data principals'
duties do not apply in respect of
processing undertaken for the
exempted purposes set out above.
Data Principals' Rights Data Principals' Duties
The following obligations do not apply to such
exempted processing:
4. TESTIMONIALS
Legal500
Very few lawyers and law firms understand data
protection. SpiceRoute is one of them.
Legal500
In the matters that we have worked on, every
member of their team has shown a very good
understanding of the case and the turnaround
time has been excellent; they have been very
good with communications and never missed a
deadline.
Chambers & Partners
The team at Spice Route Legal helps us with a
breadth of topics. In each of the cases, their
advice and work exceeds expectations. They
are very helpful in crunch situations when we
have to close a couple of contracts within a few
days.
Spice Route Legal provides very business-friendly
advice. We worked with Mathew and his great
team for one of our clients in relation to local
Indian law advice. The advice was so to the point
and the team answered all our questions in timely
manner and without follow up questions.
Legal500
Mathew Chacko is the best DP lawyer in India
that I have worked with. I am very confident to
refer him to our clients.
Chambers & Partners
Spice Route Legal has been adept in handling
cross-border nuances and has a unique ability to
suggest ways and means of striking a balanced
agreement while keeping our interests in mind. It's
a tightrope walk, but they do it well.
Legal500 Chambers & Partners
Aadya Misra continues to put in the legwork,
and both her and Mathew Chacko have been
willing to act as evangelists when it comes to
India’s open data standards across current and
upcoming public digital good'
5. CONTACT US
DROP BY AND SAY HI!
Phone Number
Website
Email Address
Address
080 - 4370 1400
www.spiceroutelegal.com
contact@spiceroutelegal.com
14th Floor, 909 Lavelle, Lavelle Road,
Bengaluru, 560001