The Digital Personal Data Protection Act, 2023 (DPDP Act) is a significant development in Indian data protection. Here's a concise overview:
**Personal Data and Processing:**
- "Personal data" under DPDP Act refers to any data identifying an individual.
- "Processing" includes various operations, like collection and storage.
**Data Fiduciary and Data Processor:**
- "Data Fiduciary" determines data processing purposes.
- "Data Processor" processes data on behalf of a Data Fiduciary.
**Coverage:**
- The DPDP Act covers those processing personal data, excluding processing for personal or domestic purposes.
**Applicability:**
- Applies to processing within India, and to processing outside India when it relates to offering goods/services within India.
**Permitted Processing:**
- Personal data can be processed with consent or under legitimate uses outlined in DPDP Act.
**Consent:**
- Consent should be clear, informed, and obtained through affirmative action.
**Notice:**
- A notice is mandatory before collecting personal data.
- A fresh notice is required if processing began before the DPDP Act's commencement.
**Data Fiduciary Obligations:**
- Appoint Data Processor via valid contract.
- Ensure data completeness, accuracy, and security.
- Erase data when purpose is fulfilled.
- Implement technical and security measures.
- Report breaches to Data Protection Board.
- Establish grievance redressal mechanism.
- Publish contact information of Data Protection Officer.
**Significant Data Fiduciary:**
- Conduct periodic data protection impact assessments.
- Appoint Data Protection Officer and independent data auditor.
**Data Protection Board:**
- An enforcement body established by the Central Government.
- Appeals go to Telecom Disputes Settlement and Appellate Tribunal.
**Consent Manager:**
- Facilitates consent management through an accessible platform.
- Registered with Data Protection Board.
**Data Principal Rights:**
- Right to access personal data.
- Right to correction, erasure, and grievance redressal.
- Right to nominate and withdraw consent.
**Cross-Border Data Transfers:**
- Generally allowed, but Central Government can restrict specific countries/territories.
**Penalties:**
- Non-compliance may result in penalties up to INR 250 Crores (approx. US$ 3,01,00,000).
**Compliance Timeframe:**
- No specific timeframe provided; companies should proactively prepare for DPDP Act compliance.
This summary provides a concise overview of the DPDP Act's key provisions and obligations.
The document summarizes key aspects of India's Personal Data Protection Bill, 2018. It discusses the bill's objectives to protect individual privacy and regulate how personal data is collected and processed. It outlines important definitions like personal data, sensitive personal data, and roles of data fiduciaries, processors and principals. It describes the bill's scope, lawful grounds for processing data, rights of individuals, and obligations of entities processing data, including transparency, security safeguards, impact assessments, and restrictions on sensitive data and cross-border transfers. It also discusses penalties for non-compliance and oversight by an independent Data Protection Authority.
With the submission of SriKrishna Committee report on data protection, the final countdown for India’s own Data Protection Regime has finally begun. A detailed legal framework on data protection is to be implemented in the coming days.
Purpose of Data Protection Bill 2018: to protect the autonomy of individuals in relation with their personal data, to specify where the flow and usage of personal data is appropriate, to create a relationship of trust between persons and entities processing their personal data, to specify the rights of individuals whose personal data are processed, to create a framework for implementing organizational and technical measures in processing personal data, to lay down norms for cross-border transfer of personal data, to ensure the accountability of entities processing personal data, to provide remedies for unauthorized and harmful processing, and to establish a Data Protection Authority for overseeing processing activities.
The document summarizes Malaysia's Personal Data Protection Act of 2010, which regulates the processing of personal data related to commercial transactions. It defines key terms, outlines 7 data protection principles, and discusses the rights of data subjects, offenses/penalties, and requirements for data users and sensitive personal data. It proposes a two-stage action plan for organizations to comply with the new law.
The Personal Information Protection Law (PIPL) was passed in China on August 20, 2021 and will take effect on November 1, 2021. This law establishes China's first comprehensive framework for regulating the processing and transfer of personal information of Chinese natural persons. It introduces strict rules for protecting personal information rights, processing personal information, and promoting its reasonable use. Key provisions include detailed rules for processing personal and sensitive personal information, obligations for personal information handlers, restrictions on transferring personal data, and penalties for non-compliance. With the law taking effect soon, organizations that handle personal data will need to ensure they comply with its regulations.
The document provides an in-depth analysis of India's newly introduced Digital Personal Data Protection Act, 2023. It highlights the Act's key provisions, including the scope of applicability, lawful grounds for processing personal data, consent and notice requirements, obligations of data fiduciaries and significant data fiduciaries, and more. The analysis compares the Act to its previous iterations and other data protection laws. It also provides a compliance roadmap to help organizations adhere to the Act's mandates.
On August 3, 2023, the Government of India introduced the fifth iteration of India's proposed personal data protection legislation, i.e., the Digital Personal Data Protection Bill, 2023 (DPDP Bill) in Parliament. Previously, in December 2022, the Ministry of Electronics and Information Technology had released a draft version of the bill (2022 Draft), inviting public comments thereto.
Once in force, the DPDP Bill aims to amend and omit some of the
Asia Counsel Vietnam summarises the long awaited Decree 13 on data protection. We provide useful steps to get prepared and comply with the new provisions which will take effect on 1 July 2023.
The document discusses the Protection of Personal Information Act (POPI) of South Africa. It defines key terms like personal information, processing, and responsible party. It outlines 8 conditions for the lawful processing of personal information according to POPI, including accountability, processing limitation, and purpose specification. Non-compliance with POPI can result in penalties, so organizations must understand and comply with the Act when handling personal information.
The document provides an overview and analysis of Bahrain's Personal Data Protection Law (PDPL). Some key points:
- The PDPL is Bahrain's primary data protection law, modeled after the EU's GDPR. It aims to establish requirements for processing personal data.
- The law applies to entities processing personal data of Bahraini residents, regardless of location. It provides for data subject rights and sets guidelines for processing, transfers, compliance, and penalties for violations.
- An analysis compares features of the PDPL to the GDPR, finding similarities in scope, rights, and legal bases for processing but less stringent penalties under the PDPL.
- The conclusion states that companies must evaluate the
The document summarizes key aspects of the proposed Digital Personal Data Protection Act 2023 in India, including its scope, definitions, obligations of data fiduciaries, grounds for processing personal data, notice requirements for data principals, and penalties for non-compliance. It outlines categories of entities that would be considered significant data fiduciaries and the additional obligations that would apply to them. The summary also compares some aspects of the proposed Indian law to the General Data Protection Regulation (GDPR) in the European Union.
Reasonable security practices and procedures and sensitive personal data or i... (Vijay Dalmia)
The document summarizes key aspects of data protection law in India. It outlines the Information Technology Act of 2000 and its amendments in 2008 that introduced provisions for protecting personal data. The Ministry of Communications and Information Technology then promulgated the Reasonable Security Practices and Procedures and Sensitive Personal Data or Information Rules in 2011 under these acts. The rules define sensitive personal data and set forth requirements for companies regarding privacy policies, consent, data access, security practices, and more to protect Indian citizens' personal information.
Reasonable security practices and procedures and sensitive personal data or i... (Vijay Dalmia)
The document discusses India's Information Technology Act and the Reasonable Security Practices and Procedures and Sensitive Personal Data or Information Rules introduced in 2011. The rules aim to protect personal data and information by requiring companies to establish privacy policies, obtain consent for data collection and use, provide access to information, and implement security practices. Companies that do not comply could face penalties including paying compensation for damages under the IT Act.
The document summarizes India's Personal Data Protection Bill from 2018. It discusses key aspects of the bill such as its similarities to Europe's GDPR, definitions of personal data and actors like data principals and fiduciaries. It also outlines obligations of fiduciaries, grounds for processing data, requirements around data localization and cross-border transfers. Rights of individuals and penalties for non-compliance are also summarized. In conclusion, it discusses how the bill was influenced by a recent Supreme Court decision establishing privacy as a fundamental right and that data protection law in India is currently transitioning.
The document discusses key aspects of personal data protection under China's draft Personal Information Protection Law (PIPL).
Some key points:
- The draft law defines personal data broadly and places restrictions on how personal data can be collected and processed. It requires consent from individuals for processing personal data.
- Sensitive personal data like biometrics, health data, and financial records receive more protections and require separate consent.
- The draft law applies both to companies processing data within China and overseas companies processing Chinese citizens' data. It requires foreign processors to establish entities within China.
- Data can only be transferred outside China if certain conditions are met like passing a security assessment. Cross-border transfers require notifying
Digital personal data protection BILL.docx (gabbarsk3)
The Digital Personal Data Protection Bill, 2023 aims to protect personal data and establish rights and obligations for individuals and entities processing personal data. It requires entities collecting personal data to obtain consent, only process data for specified purposes, and allow individuals to access and correct their data. It establishes a Data Protection Board to investigate breaches and complaints. The Bill is concise and written in plain language to be easily understood. It acknowledges women in lawmaking and safeguards children's data.
Republic Act 10173 Data Privacy Act of 2012 (DPA)
“An act protecting individual personal information in information and communications systems in the government and the private sector, creating for this purpose a National Privacy Commission, and for other purposes”
The document is a presentation by the National Privacy Commission of the Philippines on key aspects of the country's Data Privacy Act of 2012. It discusses definitions of personal information, the rights of data subjects, and obligations of personal information controllers and processors. It also outlines penalties for non-compliance, emphasizing the need for accountability, appropriate security safeguards, and compliance with the law to avoid liability.
The Protection of Personal Information Act (POPI) regulates how personal information can be processed and establishes conditions for lawful processing. It aims to protect personal information and balance privacy rights with other rights like access to information. The POPI Act applies broadly to any party that collects, holds, or uses a person's information. It impacts procurement processes by requiring consent for personal information use, only collecting relevant data, and maintaining security. Non-compliance can result in fines, damages lawsuits, and reputational harm.
The document provides an overview of the UAE's new Personal Data Protection Law (PDPL). Some key points:
- The PDPL became effective in January 2022 and aims to protect privacy and personal data by establishing requirements for data processing.
- It applies to data controllers and processors operating in the UAE or handling data of UAE residents. Some government and health data is exempt.
- The law establishes rights for data subjects, requirements for lawful processing, security measures, data transfers, and appointments of data protection officers.
- It introduces mechanisms for data subject complaints and potential penalties for non-compliance, to be enforced by the UAE Data Office. The document compares the PDPL to the
Reasonable Security Practices And Procedures And Sensitive Personala 24 06 2... (Vijay Dalmia)
REASONABLE SECURITY PRACTICES AND PROCEDURES AND SENSITIVE PERSONAL DATA OR INFORMATION RULES, 2011
Under
The (Indian) Information Technology Act, 2000
LAWYER IN VIETNAM DR OLIVER MASSMANN NEW DRAFT DECREE ON PERSONAL DATA PROTEC... (Dr. Oliver Massmann)
LAWYER IN VIETNAM DR OLIVER MASSMANN NEW DRAFT DECREE ON PERSONAL DATA PROTECTION AND CROSS-BORDER PROVISION OF DATA THE BASIC AND GUIDANCE ON PRACTICAL HANDLING
Digital Personal Data Protection Bill 2023 PPT.pptx (RohanTyagi57)
The Digital Personal Data Protection Bill, 2023 was introduced in Parliament in August 2023 to regulate the processing of digital personal data. It aims to provide a framework for handling personal data with transparency and accountability and recognizes privacy as a fundamental right. The bill defines key terms like personal data, data fiduciary, and data processor. It requires consent for processing personal data and allows transfer of data abroad except to restricted countries. Significant data fiduciaries will have additional obligations. The bill establishes a Data Protection Board of India to oversee compliance and impose penalties for violations. It exempts some government activities and processing for judicial functions from its purview.
This document summarizes key provisions of the General Data Protection Regulation (GDPR) and actions businesses should take to prepare for compliance. It outlines requirements for data audits and accountability, including keeping records of processing activities. Consent under GDPR must be freely given, specific, informed and unambiguous. Legitimate interests can also justify processing if it passes tests of being necessary and balanced against individual rights. Privacy notices must provide full transparency about data collection and use. Contracts with data processors must impose security and confidentiality obligations. Businesses should seek legal advice to ensure GDPR readiness.
Managing Data Protection guide powerpoint presentation (silvereyez11)
This document provides an overview of data protection laws and best practices for organizations in Mauritius. It defines key terms like personal data and sensitive personal data. It describes the Data Protection Office and its functions. The Data Protection Act contains 8 principles for processing personal data fairly and securely. The document outlines how organizations can manage data protection, such as appointing a data protection lead, ensuring security, complying with individual rights like access requests, and conducting privacy impact assessments.
Enforcement Of Intellectual Property Rights Through Customs (Vijay Dalmia)
Customs Act, 1962 & Intellectual Property Rights Enforcement Rules, 2007
Apart from the various remedies provided under the IP laws in India, one of the most efficient ways to protect and enforce intellectual property rights is through the Customs Act, 1962.
It prohibits the import of goods that infringe intellectual property at the customs borders, thereby restricting the entry of goods infringing intellectual property rights.
Under Section 156 (1) read with Section 11 (2) (n) and (u) of the Customs Act, 1962, the Central Government has made the Intellectual Property Rights (Imported Goods) Enforcement Rules, 2007 applicable to imported goods.
The Intellectual Property Rights (Imported Goods) Enforcement Rules, 2007 have been amended vide Notification No. 56/2018-Customs (N.T.) dated 22nd June 2018, and the amending rules are called the Intellectual Property Rights (Imported Goods) Enforcement Amendment Rules, 2018.
Intellectual Property Rights (Imported Goods) Enforcement Amendment Rules, 2018
Vide the said Amendment Rules, the Central Government has amended Rule 2 and Rule 5 of the Intellectual Property Rights (Imported Goods) Enforcement Rules, 2007.
As per the Amendment, in Rule 2, in clause (b), the words and figures “patent as defined in the Patents Act, 1970” have been omitted, and in clause (c), the words and figures “the Patents Act, 1970” have been omitted.
In Rule 5, after condition (b), two more conditions have been inserted.
The Intellectual Property Rights (Imported Goods) Enforcement Amendment Rules, 2018 can be accessed from the following link: https://patentsrewind.files.wordpress.com/2018/07/custom-notification.pdf
After the amendment of 2018, the IPR Enforcement Rules 2007 permits a Right Holder to protect the following different types of Intellectual property-
Under the Intellectual Property Rights (Imported Goods) Enforcement Rules, 2007, “goods infringing intellectual property rights” means any goods which are made, reproduced, put into circulation or otherwise used in breach of the intellectual property laws in India or outside India and without the consent of the right holder or a person duly authorized to do so by the right holder.
Notice to be Registered by the Customs Authorities on satisfaction
Within 30 working days from the date of receipt of the notice under Rule 3 (1) or from the extended period as per Rule 3 (4), the Commissioner shall notify the applicant whether notice is registered or rejected.
Minimum validity of registration of notice for a period of 1 year
Prohibition and suspension of import of infringing goods under Section 11 of the Customs Act, 1962.
At all the Ports (Custom Borders) in India
Notice can be given by the Right Holder of the suspected infringing goods
Commissioner of Customs can suo motu suspend the clearance of such infringing goods
Rule 7(4): Where the Deputy Commissioner of Customs or Assistant Commissioner of Customs, as the case may be, has suspended clearance of goods on his own initiative and right holder
White Collar Crime by Vijay Pal Dalmia.pptx (Vijay Dalmia)
A Crime is a Crime.
Colour does not change the crime.
Blue collar crime is motivated by:
- fury,
- vengeance,
- emotions.
White collar crime is a crime:
- motivated by greed
- meticulously organized & accomplished
- committed by the people who belong to the higher class of society and
These people:
- Are from a reputable group of society.
- Commit these crimes during the course of their occupation.
- Usually have a better understanding of technology, their respective field, disciplines etc.
- are people of high stature and
There is generally an element of breach of trust by carrying out unethical business practices because of motivation to gain financially.
It is the offenders’ position that accords upon them the opportunity to perpetrate such crimes.
Essential elements of White Collar crime:
- Fraud
- Deceit
- Cheating
- Breach of Trust
- Intent
- Disguise
- Knowledge
- Concealment
- Conspiracy
- Organized
- Planning
Legislations against White Collar Crimes in India
- Companies Act, 1960.
- Income Tax Act, 1961.
- Indian Penal Code, 1860.
- Commodities Act, 1955.
- Prevention of Corruption Act, 1988.
- Negotiable Instrument Act,
- Prevention of Money Laundering Act, 2002.
- IT Act, 2005.
- Imports and Exports (Control) Act, 1950
- Fugitive Economic Offenders Act, 2018
- Foreign Exchange Management Act
- Special Court (Trial of offences relation to Transactions in Securities) Act, 1992
- Central Vigilance Commission Act, 2003
Vijay Pal Dalmia, Advocate, Supreme Court of India & Delhi High Court
Email id: vpdalmia@gmail.com
Mobile No.: +91 9810081079
Linkedin: https://www.linkedin.com/in/vpdalmia/
Facebook: https://www.facebook.com/vpdalmia
Twitter: @vpdalmia
More Related Content
Similar to DIGITAL PERSONAL DATA PROTECTION ACT 2023-PPT-VPD.pptx
The document discusses the Protection of Personal Information Act (POPI) of South Africa. It defines key terms like personal information, processing, and responsible party. It outlines 8 conditions for the lawful processing of personal information according to POPI, including accountability, processing limitation, and purpose specification. Non-compliance with POPI can result in penalties, so organizations must understand and comply with the Act when handling personal information.
The document provides an overview and analysis of Bahrain's Personal Data Protection Law (PDPL). Some key points:
- The PDPL is Bahrain's primary data protection law, modeled after the EU's GDPR. It aims to establish requirements for processing personal data.
- The law applies to entities processing personal data of Bahraini residents, regardless of location. It provides for data subject rights and sets guidelines for processing, transfers, compliance, and penalties for violations.
- An analysis compares features of the PDPL to the GDPR, finding similarities in scope, rights, and legal bases for processing but less stringent penalties under the PDPL.
- The conclusion states that companies must evaluate the
The document summarizes key aspects of the proposed Digital Personal Data Protection Act 2023 in India, including its scope, definitions, obligations of data fiduciaries, grounds for processing personal data, notice requirements for data principals, and penalties for non-compliance. It outlines categories of entities that would be considered significant data fiduciaries and the additional obligations that would apply to them. The summary also compares some aspects of the proposed Indian law to the General Data Protection Regulation (GDPR) in the European Union.
Reasonable security practices and procedures and sensitive personal data or i...Vijay Dalmia
The document summarizes key aspects of data protection law in India. It outlines the Information Technology Act of 2000 and its amendments in 2008 that introduced provisions for protecting personal data. The Ministry of Communications and Information Technology then promulgated the Reasonable Security Practices and Procedures and Sensitive Personal Data or Information Rules in 2011 under these acts. The rules define sensitive personal data and set forth requirements for companies regarding privacy policies, consent, data access, security practices, and more to protect Indian citizens' personal information.
Reasonable security practices and procedures and sensitive personal data or i...Vijay Dalmia
The document discusses India's Information Technology Act and the Reasonable Security Practices and Procedures and Sensitive Personal Data or Information Rules introduced in 2011. The rules aim to protect personal data and information by requiring companies to establish privacy policies, obtain consent for data collection and use, provide access to information, and implement security practices. Companies that do not comply could face penalties including paying compensation for damages under the IT Act.
The document summarizes India's Personal Data Protection Bill from 2018. It discusses key aspects of the bill such as its similarities to Europe's GDPR, definitions of personal data and actors like data principals and fiduciaries. It also outlines obligations of fiduciaries, grounds for processing data, requirements around data localization and cross-border transfers. Rights of individuals and penalties for non-compliance are also summarized. In conclusion, it discusses how the bill was influenced by a recent Supreme Court decision establishing privacy as a fundamental right and that data protection law in India is currently transitioning.
The document discusses key aspects of personal data protection under China's draft Personal Information Protection Law (PIPL).
Some key points:
- The draft law defines personal data broadly and places restrictions on how personal data can be collected and processed. It requires consent from individuals for processing personal data.
- Sensitive personal data like biometrics, health data, and financial records receive more protections and require separate consent.
- The draft law applies both to companies processing data within China and overseas companies processing Chinese citizens' data. It requires foreign processors to establish entities within China.
- Data can only be transferred outside China if certain conditions are met like passing a security assessment. Cross-border transfers require notifying
Digital personal data protection BILL.docxgabbarsk3
The Digital Personal Data Protection Bill, 2023 aims to protect personal data and establish rights and obligations for individuals and entities processing personal data. It requires entities collecting personal data to obtain consent, only process data for specified purposes, and allow individuals to access and correct their data. It establishes a Data Protection Board to investigate breaches and complaints. The Bill is concise and written in plain language to be easily understood. It acknowledges women in lawmaking and safeguards children's data.
Republic Act 10173 Data Privacy Act of 2012 (DPA)
“An act protecting individual personal information in information and communications systems in the government and the private sector, creating for this purpose a National Privacy Commission, and for other purposes”
The document is a presentation by the National Privacy Commission of the Philippines on key aspects of the country's Data Privacy Act of 2012. It discusses definitions of personal information, the rights of data subjects, and obligations of personal information controllers and processors. It also outlines penalties for non-compliance, emphasizing the need for accountability, appropriate security safeguards, and compliance with the law to avoid liability.
The Protection of Personal Information Act (POPI) regulates how personal information can be processed and establishes conditions for lawful processing. It aims to protect personal information and balance privacy rights with other rights like access to information. The POPI Act applies broadly to any party that collects, holds, or uses a person's information. It impacts procurement processes by requiring consent for personal information use, only collecting relevant data, and maintaining security. Non-compliance can result in fines, damages lawsuits, and reputational harm.
The document provides an overview of the UAE's new Personal Data Protection Law (PDPL). Some key points:
- The PDPL became effective in January 2022 and aims to protect privacy and personal data by establishing requirements for data processing.
- It applies to data controllers and processors operating in the UAE or handling data of UAE residents. Some government and health data is exempt.
- The law establishes rights for data subjects, requirements for lawful processing, security measures, data transfers, and appointments of data protection officers.
- It introduces mechanisms for data subject complaints and potential penalties for non-compliance, to be enforced by the UAE Data Office. The document compares the PDPL to the
Reasonable Security Practices And Procedures And Sensitive Personala 24 06 2... - Vijay Dalmia
REASONABLE SECURITY PRACTICES AND PROCEDURES AND SENSITIVE PERSONAL DATA OR INFORMATION RULES, 2011
Under
The (Indian) Information Technology Act, 2000
LAWYER IN VIETNAM DR OLIVER MASSMANN NEW DRAFT DECREE ON PERSONAL DATA PROTECTION AND CROSS-BORDER PROVISION OF DATA THE BASIC AND GUIDANCE ON PRACTICAL HANDLING - Dr. Oliver Massmann
Digital Personal Data Protection Bill 2023 PPT.pptx - RohanTyagi57
The Digital Personal Data Protection Bill, 2023 was introduced in Parliament in August 2023 to regulate the processing of digital personal data. It aims to provide a framework for handling personal data with transparency and accountability and recognizes privacy as a fundamental right. The bill defines key terms like personal data, data fiduciary, and data processor. It requires consent for processing personal data and allows transfer of data abroad except to restricted countries. Significant data fiduciaries will have additional obligations. The bill establishes a Data Protection Board of India to oversee compliance and impose penalties for violations. It exempts some government activities and processing for judicial functions from its purview.
This document summarizes key provisions of the General Data Protection Regulation (GDPR) and actions businesses should take to prepare for compliance. It outlines requirements for data audits and accountability, including keeping records of processing activities. Consent under GDPR must be freely given, specific, informed and unambiguous. Legitimate interests can also justify processing if it passes tests of being necessary and balanced against individual rights. Privacy notices must provide full transparency about data collection and use. Contracts with data processors must impose security and confidentiality obligations. Businesses should seek legal advice to ensure GDPR readiness.
Managing Data Protection guide powerpoint presentation - silvereyez11
This document provides an overview of data protection laws and best practices for organizations in Mauritius. It defines key terms like personal data and sensitive personal data. It describes the Data Protection Office and its functions. The Data Protection Act contains 8 principles for processing personal data fairly and securely. The document outlines how organizations can manage data protection, such as appointing a data protection lead, ensuring security, complying with individual rights like access requests, and conducting privacy impact assessments.
Enforcement Of Intellectual Property Rights Through Customs - Vijay Dalmia
Custom Act, 1962 & Intellectual Property Rights Enforcement Rules, 2007
Apart from the various remedies provided under the IP Laws in India, one of the most efficient ways to protect and enforce intellectual property rights is through Custom Act, 1962
It prohibits import of goods that infringe Intellectual Property at the Custom Borders thereby restricting the entry of the goods infringing Intellectual Property Rights
Under Section 156 (1) read with Section 11 (2) (n) and (u) of the Customs Act, 1962, the Central Government has made the Intellectual Property Rights (Imported Goods) Enforcement Rules, 2007 applicable to imported goods.
The Intellectual Property Rights (Imported Goods) Enforcement Rules, 2007 has been amended vide notification no. 56/2018. - Customs (N.T.) dated 22nd June 2018 and the said rules have been called the Intellectual Property Rights (Imported Goods) Enforcement Amendment Rules, 2018.
Intellectual Property Rights (Imported Goods) Enforcement Amendment Rules, 2018
Vide the said Amendment Rules, the Central Government has amended Rule 2 and Rule 5 of the Intellectual Property Rights (Imported Goods) Enforcement Rules, 2007.
As per the Amendment, in Rule 2 in clause (b), the words and figures “patent as defined in the Patents Act, 1970” have been omitted and in clause (c), the words and figures “the Patents Act, 1970” shall be omitted.
In Rule 5, after condition (b), two more conditions have been inserted.
The Intellectual Property Rights (Imported Goods) Enforcement Amendment Rules, 2018 can be accessed from the following link: https://patentsrewind.files.wordpress.com/2018/07/custom-notification.pdf
After the amendment of 2018, the IPR Enforcement Rules 2007 permits a Right Holder to protect the following different types of Intellectual property-
Under the Intellectual Property Rights (Imported Goods) Enforcement Rules, 2007, “goods infringing intellectual property rights” means any goods which are made, reproduced, put into circulation or otherwise used in breach of the intellectual property laws in India or outside India and without the consent of the right holder or a person duly authorized to do so by the right holder.
Notice to be Registered by the Custom Authorities on satisfaction
Within 30 working days from the date of receipt of the notice under Rule 3 (1) or from the extended period as per Rule 3 (4), the Commissioner shall notify the applicant whether notice is registered or rejected.
Minimum validity of registration of notice for a period of 1 year
Prohibition and suspension of import of infringing goods under Section 11 of the Customs Act, 1962.
At all the Ports (Custom Borders) in India
Notice can be given by the Right Holder of the suspected infringing goods
Commissioner of Customs can suo motu suspend the clearance of such infringing goods
Rule 7(4): Where the Deputy Commissioner of Customs or Assistant Commissioner of Customs, as the case may be, has suspended clearance of goods on his own initiative and right holder
White Collar Crime by Vijay Pal Dalmia.pptx - Vijay Dalmia
A Crime is a Crime.
Colour does not change the crime.
Blue Collar crime is motivated by fury, vengeance, emotions.
White collar crime is a crime
- motivated by greed
- meticulously organized & accomplished
- committed by the people who belong to the higher class of society and
These people:
- Are from reputable group of society.
- Commit these crimes during the course of their occupation.
- Usually have a better understanding of technology, their respective field, disciplines etc.
- are people of high stature and
There is generally an element of breach of trust by carrying out unethical business practices because of motivation to gain financially.
It is the offenders’ position that accords upon them the opportunity to perpetrate such crimes.
Essential elements of White Collar crime:
Fraud
Deceit
Cheating
Breach of Trust
Intent
Disguise
Knowledge
Concealment
Conspiracy
Organized
Planning
Legislations against White Collar Crimes in India
- Companies Act, 1960.
- Income Tax Act, 1961.
- Indian Penal Code, 1860.
- Commodities Act, 1955.
- Prevention of Corruption Act, 1988.
- Negotiable Instrument Act,
- Prevention of Money Laundering Act, 2002.
- IT Act, 2005.
- Imports and Exports (Control) Act, 1950
- Fugitive Economic Offenders Act, 2018
- Foreign Exchange Management Act
- Special Court (Trial of offences relating to Transactions in Securities) Act, 1992
- Central Vigilance Commission Act, 2003
Vijay Pal Dalmia, Advocate, Supreme Court of India & Delhi High Court. Email id: vpdalmia@gmail.com Mobile No.: +91 9810081079 Linkedin: https://www.linkedin.com/in/vpdalmia/ Facebook: https://www.facebook.com/vpdalmia Twitter: @vpdalmia
Taxation of Cryptocurrencies – Virtual Digital Assets in India-VPDalmia.pptx - Vijay Dalmia
The document summarizes the taxation of cryptocurrencies in India. It defines cryptocurrencies as virtual digital assets under Indian law and outlines how they are taxed. Income from transferring cryptocurrencies is taxed at 30% and is subject to TDS of 1% by the payer. Gains from gifting cryptocurrencies are also taxed. Cryptocurrency exchanges providing trading services are subject to 18% GST. Overall, the document provides an overview of the key Indian tax and legal provisions related to cryptocurrencies.
Indian Approach On Bitcoins-cryptocurrencies- Blockchain Legal Practical Pe... - Vijay Dalmia
There are no specific laws relating to Blockchain in India.
Under the Indian laws Blockchain is governed by the general laws of India including laws relating to contracts.
Blockchain Technology is being adopted practically by all, i.e. Government and Private Parties including Banks.
Cryptocurrencies/Crypto Assets/ Cryptos are not FIAT currencies.
Fiat Currency is different from Cryptocurrencies.
Virtual Currencies like Bitcoins are not legal currencies or fiat currency, issued by any Government, and in fact, these are not a currency at all.
Virtual Currencies like Bitcoins are nomenclature for various “computer algorithms”, which are being used to generate codes by private parties and traded over the internet.
Most of the currencies in the world including the currency of India i.e. rupee, are Fiat currencies. Fiat money is the currency that a government has declared to be legal tender, but which may not be backed by any physical commodity like Gold.
The prices of such currencies are
arbitrary
without any backing of any government and geographical restrictions.
Virtual Currencies like Bitcoins are
State Free,
Border Free and
Control Free.
removes the need of a trusted third party such as a governmental agency, bank, etc.
A Virtual Currency like Bitcoin, is a stateless digital currency in which encryption techniques are used to regulate the generation of units of currency and verify the transfer of funds, operating independently of a central bank like the Reserve Bank of India, rendering it immune from government interference.
At the moment, there is no express law that classifies virtual currencies as a good, service, security, commodity, derivative or currency
Some of the laws which have a direct bearing on the legal aspects relating to illegal Virtual Currencies like Bitcoins, are as under:
The Constitution of India, 1950;
The Foreign Exchange Management Act, 1999 (“FEMA”);
The Reserve Bank of India Act, 1934 (“RBI Act”);
The Coinage Act, 1906 (“Coinage Act”);
The Securities Contracts (Regulation) Act, 1956 (“SCRA”);
The Sale of Goods Act, 1930 (“Sale of Goods Act”);
The Payment and Settlement Systems Act, 2007 (“Payment Act”).
Indian Contract Act, 1872 (“Contract Act”).
The term ‘Currency’ has been defined under Section 2(h) of the Foreign Exchange Management Act, 1999 to include all currency notes, postal notes, postal orders, money orders, cheques, drafts, travelers cheques, letters of credit, bills of exchange and promissory notes, credit cards or such other similar instruments, as may be notified by the Reserve Bank.
It is clear that Bitcoin is not similar to any of the instruments mentioned in the definition, especially digital or virtual currencies. Under Section 2(m) of The Foreign Exchange Management Act, 1999, ‘foreign currency’ has been defined as any currency other than Indian currency.
Under Section 2 (q) of FEMA, “Indian currency” means currency which is expressed or drawn in Indian
Need for having Security, Email & Internet Usage Policy in Companies - Legal ... - Vijay Dalmia
This document discusses the need for companies to have robust IT security, email, and internet usage policies. It notes that most organizations do not have adequate policies in place to protect data and prevent misuse. The document outlines why such policies are important from both a legal and risk management perspective. It discusses how policies help establish appropriate usage of company resources, prevent data theft, and ensure compliance with privacy laws. The document advises that policies should apply to all employees and others associated with the organization. It provides examples of objectives that policies can achieve, such as maintaining security and productivity. The conclusion emphasizes that policies help reduce legal risks and damage to an organization's reputation.
The right to be taken out of Police custody by being brought before a Magistrate is a right given in the interest of the accused.
Arrest and detention cannot be used to extract confession or as a means of compelling people to give information.
It prevents Police Stations being used as though they were prisons - a purpose for which they are unsuitable.
It affords an early recourse to a judicial officer independent of the Police on all questions of bail or discharge.
When the petitioner was arrested the Police Officer knew that he cannot complete his investigation within 24 hours, in such a case, Section 167(1), Cr.P.C. provides for the transmission forthwith of a copy of the entries in the Police Diary relating to the case and for the production of the accused before such Magistrate.
Special emphasis has to be laid on the words "forthwith" in Section 167(1).
The Criminal Procedure Code does not authorise detention by the police for 24 hours after the arrest.
A Police Officer making an arrest without warrant shall, without unnecessary delay take or send the person arrested before a Magistrate.
No Police Officer shall detain in custody a person arrested without warrant for a longer period than under all the circumstances of the case is reasonable, and such period shall not, in the absence of a special order of a Magistrate under Section 167, exceed twenty four hours exclusive of the time necessary for the journey from the place of arrest to the Magistrate's Court.
Thus, the twenty-four hours prescribed is the outermost limit beyond which a person cannot be detained in Police custody.
It is certainly not an authorization for the Police to detain him for twenty-four hours in their custody.
It is only in a case where a Police Officer considers that the investigation can be completed within the period of twenty-four hours that such detention for twenty-four hours is permitted. This is clear from Section 167(1), Cr.P.C.
When an arrested person is brought before a Magistrate, he has to decide whether
he should remand the person to Jail custody under Section 167(2) Cr.P.C. as requested by the Police and at the same time he has to decide whether the request of the person for bail should be granted.
In order to decide the question of remand, he must be satisfied on a perusal of the entries in the Police Diary that there were grounds for believing that the accusation or information against the accused was well founded and that the Police have exercised their right of arresting without warrant legally and further that it was necessary for the purpose of investigation that the accused should be remanded to custody.
Unless the Magistrate is satisfied on all these points, he cannot remand the accused to Jail custody.
It is for this purpose that Section 167(1) enjoins that a copy of the entries in the Police Diary should be transmitted to Court.
Police Remand Judicial Remand & Default bail by Vijay Pal Dalmia Advocate - Terms, Conditions, Rights of Accused. Duty of Police and Courts
Indian approach on bitcoins, cryptocurrencies and blockchain – legal practica... - Vijay Dalmia
This document provides an overview of blockchain technology and cryptocurrencies according to Indian law. It discusses that blockchain is distinct from cryptocurrencies, which are based on but not the same as blockchain. It outlines that while blockchain is legally recognized, cryptocurrencies are not considered legal tender in India and fall into a legal gray area. The document also examines how existing Indian laws around banking, currency, securities, and money transmission may apply to cryptocurrency.
Sanction for prosecution of offences under chapter xii of the income tax act - Vijay Dalmia
Under Chapter XII of the (Indian) Income Tax Act, 1961, a person cannot be prosecuted for an offence under Sections 275A, 275B, 276, 276A, 276B, 276BB, 276C, 276CC, 276D, 277, 277A or 278, except with the previous sanction of the Principal Commissioner or Commissioner or Commissioner (Appeals) or the appropriate Authority. Accordingly, in all cases of prosecution, proper sanction by a competent authority is a sine qua non for initiating prosecution against an offender by the Income Tax Authorities. The issue of valid previous sanction becomes important, and may be taken as a defense by the accused during the course of trial. Following are the important points, which are to be considered, while granting sanction in any matter:
Guide for de-mystifying law of trade mark enforcement and litigation in india - Vijay Dalmia
The document provides an overview of trademark litigation law in India. It discusses several key points:
1) Trademarks can be protected in India through registration or as unregistered marks via infringement or passing off lawsuits.
2) Rights in trademarks can be acquired via registration, first adoption and continuous bona fide use, or assignment.
3) Registered trademarks may face cancellation petitions or opposition during registration. Unregistered marks rely on passing off claims.
4) Registration does not preclude passing off claims, as marks can still be challenged on grounds like prior use or registration.
IPR Enforcement in India through Criminal Measures - By Vijay Pal Dalmia - Vijay Dalmia
This document summarizes Indian laws relating to intellectual property including trademarks, copyrights, patents, industrial designs, geographical indications, and internet/information technology. It outlines the criminal statutes and procedures for IP infringement cases, noting that infringement is a cognizable offense allowing police to directly file cases. Upon conviction, penalties include imprisonment up to 3 years and fines up to Rs. 200,000 for trademarks, and minimum 6 month imprisonment and Rs. 50,000 fine for copyright. Special provisions also address copyright enforcement authorities in various states.
The document summarizes the process of criminal trials in India. It outlines the key laws governing criminal procedure and offenses in India, including the Code of Criminal Procedure, Indian Penal Code, and Indian Evidence Act. It then provides a flow chart depicting the typical stages of a criminal investigation and trial in India, from police investigation and filing charges to court proceedings, potential appeals, and outcomes of acquittal or conviction. Key concepts in Indian criminal law like bailable vs. non-bailable offenses, anticipatory bail, and cognizable vs. non-cognizable cases are also defined for context.
LAW OF THE SEMICONDUCTOR INTEGRATED CIRCUITS IN INDIA By Vijay Pal Dalmia - Vijay Dalmia
This document discusses Indian laws regarding the registration and protection of semiconductor integrated circuit layout designs. It outlines the key provisions of the Semiconductor Integrated Circuits Layout-Design Act, 2000, including definitions, registration procedures, opposition processes, rights conferred, infringement exceptions, penalties for infringement, and jurisdictional filing requirements. The layout-design is registered for 10 years and confers exclusive rights and remedies against unauthorized reproduction and distribution.
Information Technology Policy for Corporates - Need of the Hour - Vijay Dalmia
Information Technology Policy for Corporates is the need of the hour, as organisations are continuously at risk of violation of information technology laws, commission of cyber crimes, sexual harassment, e-mail violations, and misuse of internet and intranet.
This document summarizes intellectual property laws and enforcement in India. It outlines the main forms of IP rights protected, including trademarks, copyrights, patents, industrial designs, and geographical indications. Registration is required for patents, industrial designs, and geographical indications but not for trademarks and copyrights. Registration confers monopoly rights and shifts the burden of proof to the opposing party in litigation. Civil remedies for IP infringement include injunctions, damages, seizure of infringing materials, and pre-trial asset preservation. Criminal remedies include fines and imprisonment. Interim injunctions are a key remedy to maintain the status quo. The document also discusses opposition and cancellation proceedings, domain name disputes, trade secret protection approaches, Anton Pillar orders, and highlights some
This document provides an overview of patent law from an Indian perspective. It defines what a patent is, outlines the key benefits and requirements for obtaining a patent in India, and describes the patent application and granting process. The document also discusses what can and cannot be patented, infringement issues, and how patents can provide strategic advantages for companies.
1. The document discusses wills in the Indian perspective, including the meaning and procedure of wills under Indian law. It defines the key characteristics of wills and different types of wills such as conditional, joint, mutual, and concurrent wills.
2. It outlines the advantages of making a will, eligibility requirements, the role and selection of executors, and the necessity of appointing an executor. The document also discusses the registration, deposit, revocation and alteration of wills.
3. The enforcement of wills through probate and letters of administration is explained, along with the defined meanings and necessity of obtaining probate or letters of administration under Indian law.
The Medical Council of India regulates uniform standards of higher qualifications in medicine and recognition of medical qualifications in India and abroad. Official registration of doctors with recognized medical qualifications is controlled by the council, and procedures have been laid out under the Indian Medical Council Act 1956 and Indian Medical Degree Act 1916. Although there are no legal constraints specifically dealing with methodology of executing or dispensing medical services in India, various laws including the Drugs and Cosmetics Act, 1940 define negligence; criminal intent; sale, manufacture and distribution of drugs etc., while judicial precedent and case laws determine medical negligence on a case by case basis. The healthcare service provider adopting telemedicine methods of medical practice must ensure that medical consultation, prescriptions, treatment and drugs are dispensed only in accordance with legal provisions and guidelines regulating the medical and healthcare sector in India.
Law of nutritional and supplement food products in India-The Conflict - Vijay Dalmia
One of the potential threats for manufacturing and sale of food/health supplements such as “Dietary food supplement”, “Food supplements”, “Nutritional supplements”, “Health supplements”, is its categorization in the category of “Food” or “Drugs”, as there is a very thin line between “drugs/medicines” and “nutritional supplements”.
A Critical Study of ICC Prosecutor's Move on GAZA War - Nilendra Kumar
ICC Prosecutor Karim Khan's proposal to its judges seeking permission to prosecute Israeli leaders and Hamas commanders for crimes against the law of war has serious ramifications and calls for deep scrutiny.
Corporate Governance : Scope and Legal Framework - devaki57
CORPORATE GOVERNANCE
MEANING
Corporate Governance refers to the way in which companies are governed and to what purpose. It identifies who has power and accountability, and who makes decisions. It is, in essence, a toolkit that enables management and the board to deal more effectively with the challenges of running a company.
Business law for the students of undergraduate level. The presentation contains the summary of all the chapters under the syllabus of State University, Contract Act, Sale of Goods Act, Negotiable Instrument Act, Partnership Act, Limited Liability Act, Consumer Protection Act.
DIGITAL PERSONAL DATA PROTECTION ACT 2023-PPT-VPD.pptx
1. THE (INDIAN) DIGITAL PERSONAL DATA PROTECTION ACT, 2023
By
Vijay Pal Dalmia, Advocate
Supreme Court of India & Delhi High Court
Email id: vpdalmia@gmail.com
Mobile No.: +91 9810081079
LinkedIn: https://www.linkedin.com/in/vpdalmia/
Facebook: https://www.facebook.com/vpdalmia
X (Twitter): @vpdalmia
2. NEED FOR THE DPDP ACT, 2023
RECOGNITION OF ‘RIGHT TO PRIVACY’
In the case of Justice K S Puttaswamy (Retd.) & Anr. v. Union of India and Ors., (2017) 10 SCC 1, the Supreme Court recognized the right to privacy as a facet of Article 21 of the Constitution of India, i.e., Protection of Life and Personal Liberty, a Fundamental Right.
CONFERRING RIGHTS AND DUTIES
To confer rights on individuals to protect their personal data and place duties on the entities that process these personal data and to strike an important balance in protecting users’ rights and promoting innovation in digital businesses.
PROTECTION AND SECURITY
Need for protection and security of personal data of users and to process data for lawful purpose.
IMPOSING PENALTIES
To penalise the parties in case of unlawful processing of personal data.
GROWTH OF ECONOMY
Digital transactions have transformed economics as well as social interactions and use of personal data is a common aspect of such transactions. Therefore, protection of personal data has become a need as well as a prerequisite for the growth of digital economy.
4. DATA FIDUCIARY [S. 2(i)]
“Data Fiduciary means any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data”.
Personal Data means any data about an individual who is identifiable by or in relation to such data.
5. DATA PROCESSOR [S. 2(k)]
“Data Processor means any person who processes personal data on behalf of a Data Fiduciary.”
6. DATA PRINCIPAL [S. 2(j)]
“Data Principal means the individual to whom the personal data relates and where such individual is—
(i) a child, includes the parents or lawful guardian of such a child;
(ii) a person with disability, includes her lawful guardian, acting on her behalf.”
7. SIGNIFICANT DATA FIDUCIARY [S. 2(z)]
“Significant Data Fiduciary means any Data Fiduciary or class of Data Fiduciaries as may be notified by the Central Government under section 10.”
Significant Data Fiduciary has the additional obligations to appoint Data Protection Officer, Independent Data Auditor and conduct periodic Data Protection Impact Assessment.
8. CONSENT MANAGER [S. 2(g)]
“Consent Manager means a person registered with the Board, who acts as a single point of contact to enable a Data Principal to give, manage, review and withdraw her consent through an accessible, transparent and interoperable platform.”
The role of Consent Manager is to facilitate the Data Principal by managing their consent and is accountable to Data Principal.
9. DATA PROTECTION OFFICER [S. 2(l)]
“Data Protection Officer means an individual appointed by the Significant Data Fiduciary under clause (a) of sub-section (2) of section 10.” The Data Protection Officer
• shall represent the Significant Data Fiduciary
• must be based in India
• shall be the point of contact for the grievance redressal mechanism
10. DATA PROTECTION BOARD OF INDIA
The DPDP Act contemplates the establishment of a Data Protection Board, as an enforcement body, by the Central Government. Civil courts are barred from entertaining suits or proceedings for any matter in respect of which the Board is empowered.
Under the DPDP Act, the Data Protection Board has the following powers:
1. To direct any urgent remedial or mitigation measures on receipt of intimation regarding a personal data breach
2. To inquire into such breach
3. Impose penalties for non-compliances
4. Inspect any document
5. Summon and enforce attendance of any person etc.
Appeal can be filed against the order of DPB before Appellate Tribunal within 60 days.
Appeal hierarchy: DPB → Telecom Disputes Settlement and Appellate Tribunal → Supreme Court
11. APPLICATION OF THE DPDP ACT [S. 3(a) & 3(b)]
• Processing of Personal Digital Data within territory of India, where data collected is in digital form OR in physical form BUT subsequently digitized.
• Processing of Personal Digital Data outside the territory of India, if such processing is being done to offer goods or services to Data Principal within the territory of India.
NON-APPLICABILITY OF THE DPDP ACT [S. 3(c)]
• Processing of Personal Data by an individual ONLY for personal or domestic use.
• Where the personal data is publicized by the Data Principal himself OR any other person who is under obligation under law to make such personal data publicly available.
12. PROVISIONS OF CHAPTER II
GROUNDS FOR PROCESSING DATA
Section 4 of the DPDP Act states that a person i.e., a Data Fiduciary can process data of a Data Principal only for a lawful purpose-
• for which the Data Principal has given her consent; or
• for certain legitimate uses.
CONCEPT OF ‘NOTICE’
Consent has to be accompanied by NOTICE under Section 5, informing the Data Principal about the personal data which is to be processed and the purpose of such processing. The Notice should also contain information about the right of withdrawing consent and grievance redressal available to Data Principal and the manner in which the complaint can be made to the Board.
Illustration: X, an individual, opens a bank account using the mobile app or website of Y, a bank. To complete the Know-Your-Customer requirements under law for opening of bank account, X opts for processing of her personal data by Y in a live, video-based customer identification process. Y shall accompany or precede the request for the personal data with notice to X, describing the personal data and the purpose of its processing.
13. CONSENT PROVISIONS
The DPDP Act under Section 6 provides for free, specific, informed, unambiguous and unconditional CONSENT to be taken by the Data Fiduciary of the Data Principal before processing personal digital data.
Consent taken for a specified purpose needs to be utilized for that purpose ONLY.
Illustration: X, an individual, downloads Y, a telemedicine app. Y requests the consent of X for the processing of her personal data for making available telemedicine services, and accessing her mobile phone contact list, and X signifies her consent to both. Since phone contact list is not necessary for making available telemedicine services, her consent shall be limited to the processing of her personal data for making available telemedicine services.
Request for consent should-
a) Be presented to Data Principal in clear and plain language.
b) Contain option to access such request in any language.
c) Provide for contact details of Data Protection Officer or any other person authorized by Data Fiduciary to respond to communication of Data Principal in order to enable him to exercise his rights.
14. ISSUANCE OF FRESH NOTICE WHERE CONSENT IS OBTAINED PRIOR TO THE COMMENCEMENT OF DPDP ACT
• Where the consent of the Data Principal has been obtained prior to the commencement of the DPDP Act for processing of her personal data, the Data Fiduciary shall, as soon as it is reasonably practicable, give to the Data Principal a fresh NOTICE.
• Data Fiduciary may continue to process the personal data until and unless the Data Principal withdraws her consent.
WITHDRAWAL OF CONSENT
• Availability of ‘Right to withdraw consent’ with the Data Principal.
• However, withdrawal of consent shall NOT affect the legality of processing of the personal data based on such consent before such withdrawal.
• Data Fiduciary shall CEASE and cause its Data Processors to CEASE PROCESSING of such personal data, UNLESS such processing is necessary according to some provision of law which is for the time being in force.
15. CERTAIN LEGITIMATE USES
Some of the legitimate uses provided in the DPDP Act are as under:
A. VOLUNTARY PROVISION OF DATA
If users voluntarily provide their personal data to the Data Fiduciary for a specified purpose and have not
indicated to the Data Fiduciary that they do not consent to the use of their personal data.
B. FOR STATE TO PROVIDE ANY BENEFIT/SUBSIDY TO THE DATA PRINCIPAL
For the State or its agencies to perform any function under any law or in the interest of sovereignty
and integrity of India or security of the State;
or
to provide any subsidy, service, benefit, certificate, license, or permit to the Data Principal, where
the Data Principal has previously consented, or such personal data is already available to the
government in digital or non-digital form and is notified by the Central Government.
C. FOR FULFILLING OBLIGATIONS UNDER THE LAW
D. FOR COMPLIANCE WITH COURT ORDERS
E. DURING MEDICAL EMERGENCIES
F. DURING THE SPREAD OF AN EPIDEMIC
G. DURING DISASTERS
H. FOR EMPLOYMENT PURPOSES
I. FOR SAFEGUARDING THE EMPLOYER FROM LOSS OR LIABILITY
16. GENERAL OBLIGATIONS OF DATA FIDUCIARY
• Appointment of Data Processor to process personal data of the Data Principal on his behalf
only under a valid contract.
• Ensure completeness, accuracy and consistency of the personal data where the data
processing is likely to be used to make a decision that affects the Data Principal or disclosed
to another Data Fiduciary.
• Erase or cause to erase personal data as soon as the purpose has been met and retention
is not necessary for legal purposes.
• To implement appropriate technical and organizational measures for proper observance of
the provisions.
• To build reasonable security safeguards to prevent a data breach to protect the personal
data in its possession.
• Inform the Data Protection Board of India and affected persons in the event of a breach.
• To establish an effective mechanism for redressal of the grievances.
• Publish contact information of Data Protection Officer or any other person acting on behalf
of Data Fiduciary.
17. PROCESSING OF CHILDREN’S PERSONAL DATA
• A ‘Child’ has been defined under S. 2(f) as an individual who has not yet
completed the age of 18 years.
• A Data Fiduciary, before processing any personal data of a ‘child’ or a person with
disabilities MUST OBTAIN VERIFIABLE CONSENT of the parent of the child or of the
lawful guardian, as the case may be.
NOT ALLOWED
a) NO processing of personal data which can have a DETRIMENTAL EFFECT on the
well-being of the child.
b) NO targeted advertising, tracking or behavioral monitoring.
EXEMPTION
a) If the government is satisfied that a Data Fiduciary has ensured that the
processing of personal data of children is done in a manner that is “verifiably
safe”, then the government can exempt the fiduciary.
18. RIGHTS AND DUTIES OF DATA PRINCIPALS
[Chapter III]
1. Right to access information about personal data (S. 11)
• Right to get a summary of the personal data which is processed by the Data Fiduciary and the processing
activities undertaken by such Data Fiduciary.
• Right to receive identities of all other Data Fiduciaries and Data Processors with whom the personal
data has been shared and any other information.
2. Right to correction, completion, updating and erasure of personal data (S. 12)
3. Right of grievance redressal
• Through Data Fiduciary or Consent Manager
• The user can escalate their grievance to the Data Protection Board only after exhausting their options
with the Data Fiduciary or Consent Manager first.
4. Right to Nominate
• To nominate a person to exercise his rights as a Data Principal in case of his death or incapacity.
5. Right to withdraw consent
Duties of a Data Principal include: complying with the present provisions
and other applicable laws, not to register a false and frivolous complaint,
not to suppress material information while providing personal data, to
furnish only verifiable information, etc.
19. CROSS BORDER DATA TRANSFERS
• The DPDP Act allows for cross-border transfers of personal data, for processing, by Data Fiduciaries.
However, under Section 16 of the DPDP Act, the Central Government can restrict the countries or territories
outside India to which the data can be transferred.
EXEMPTIONS PROVIDED UNDER DPDP ACT
• As per Section 17 of the DPDP Act, the provisions of Chapter II, except sub-sections (1) and (5) of Section 8,
Chapter III and Section 16 of the DPDP Act will NOT apply to the processing of personal data in the
following cases (i.e., exemptions):
  - For enforcement of a legal right or claim.
  - When processing is to be done by any court/tribunal for the performance of any judicial or quasi-judicial
    or supervisory or regulatory function.
  - For prevention, detection, investigation or prosecution of any offence, etc.
  - When personal data of Data Principals who are not within the territory of India is processed outside India
    under any contract.
  - When processing is required for a scheme of compromise or arrangement or merger or amalgamation,
    approved by a Court or Tribunal.
  - For ascertaining the financial information of a person who has defaulted in payment to a financial
    institution.
20. OTHER EXEMPTIONS UNDER S. 17(2) & 17(3) OF DPDP ACT
Central Government has the power to exempt any instrumentality of the State, under S. 17(2), from
the application of the present law via notification, in the interest of sovereignty and integrity of India,
security of the State, friendly relations with foreign States, maintenance of public order or preventing
incitement to any cognizable offence relating to any of these, and the processing by Central
Government of such personal data furnished to it by the aforesaid instrumentality.
The processing of personal data which is necessary for research, archiving or statistical purposes is
also exempted from the application of the present law, if the personal data is not to be used to take
any decision specific to a Data Principal and such processing is carried on in accordance with
standards as may be prescribed.
Having regard to the volume and nature of personal data processed, the Central Government may also
notify certain Data Fiduciaries or classes of Data Fiduciaries, including start-ups, as exempt from
certain provisions of the law.
Within 5 years from the date of enactment of DPDP Act, the Central Government may notify any
provision that will not apply to certain Data Fiduciaries or classes of Data Fiduciaries for a specified
period.
21. PENALTIES
• Depending on the nature and significance of contravention, monetary penalties
up to INR 250 crores may be levied by the DPB on the conclusion of an inquiry
and after giving an opportunity of being heard to the defaulting person.
• Several factors shall be taken into account to determine the quantum of
penalties including – nature, gravity and duration of breach, type of personal
data affected, repetitive nature of breach, mitigation measures, impact of the
imposition of monetary penalty, etc.
• A penalty of up to INR 10,000 can be imposed on a Data Principal for breach of the
duties.
• Under the DPDP Act, there is no provision to compensate the affected person
as provided under Section 43A of the Information Technology Act, 2000.
• All sums realized by way of penalties shall be credited to the Consolidated Fund
of India.
22. AMENDMENTS AFTER THE ENACTMENT OF THE DPDP ACT, 2023
According to S. 38(2) of the DPDP Act, “in the event of any conflict between a
provision of this law and a provision of any other law for the time being in force, the
provision of this law shall prevail to the extent of such conflict.”
The DPDP Act omitted the following provisions of the Information Technology Act,
2000 after its enactment [S. 44(2)]:
• Section 43A: The said section provides for compensation for failure to protect
sensitive personal data or information.
• Section 87(2)(ob): Under the said section, the Information Technology (Reasonable
Security Practices and Procedures and Sensitive Personal Data or Information)
Rules, 2011 were framed.
The above Sections of the Information Technology Act, 2000 and the IT Rules, 2011, which
governed the legal framework of data laws in India, will be replaced by the DPDP Act once
the provisions are notified.