The document provides feedback on gaps and issues in definitions and provisions of the Personal Data Protection Bill 2019 of India.
It identifies 14 gaps in definitions related to data principal, financial data, health data, intra-group schemes, official identifiers, personal data, sensitive personal data and issues in notices under Section 7. It also points out gaps in provisions regarding consent, employment related processing, and reasonable purposes that could lead to confusion and litigation if not clarified. Remedies and explanations are suggested to address each gap.
The Personal Data Protection Bill 2018 is to be presented before the Parliament shortly with necessary amendments. This bill is applicable to India along the lines of the GDPR of the European Union.
Draft Bill on the Protection of Personal Data (Renato Monteiro)
Presentation given at the DataGuidance's webinar "Brazil: Towards Privacy Compliance", about the Brazilian Draft Bill for the Protection of Personal Data (Anteprojeto de Lei para a Proteção de Dados Pessoais) issued in January 2015, which introduced concepts such as Data Protection Officer and Binding Corporate Rules.
On May 25, 2018, the EU General Data Protection Regulation (GDPR) will finally go into effect. It will be the most dramatic change in EU data security and privacy law in over 20 years. Building on the existing Data Protection Directive, the GDPR will enhance existing data security and privacy protections and add some significant new requirements, including 72-hour breach notification and mandatory fines.
GDPR is coming for you whether you’re ready or not. Companies must show compliance by May 25, 2018. Take a look at the presentation to learn more about the new law that is going to change the way data is handled across the world. Read about how it affects you and the steps you can take to make sure you’re GDPR ready!
About Extentia Information Technology:
Extentia is a global technology and services firm that helps clients transform and realize their digital strategies. With a focus on enterprise mobility, cloud computing, and user experiences, Extentia strives to accomplish and surpass your business goals. Our team is differentiated by an emphasis on excellent design skills that we bring to every project. Extentia’s work environment and culture inspire team members to be innovative and creative, and to provide clients with an exceptional partnership experience.
www.extentia.com
With GDPR coming into effect, we can see a lot of changes in the privacy policies of companies doing business online. The presentation is a description of GDPR and its implications in India and worldwide. The main aim of the presentation is to identify the key issues of data privacy and the rights available to the consumer whose data is to be shared.
2020 was a year full of twists and turns that brought a number of privacy issues to the forefront across the globe. While there were many events that were expected, there were others that no one could have predicted and that made the lives of privacy professionals very interesting. As the year comes to an end, we’re bringing together industry experts to provide a 2020 privacy recap along with 2021 predictions.
Join us for a lively conversation around privacy topics that include CCPA enforcement, the effects of Covid-19, Schrems II implications, and US election outcomes.
-Industry leaders discussion
-2020 privacy recap
-2021 privacy predictions
Protection of personal data in Belarus/ Абарона персанальных дадзеных / Защита персональных данных
Overview of the situation with the protection of personal data in Belarus.
Презентация на русском языке - http://www.slideshare.net/belhelcom/ss-43981455
The General Data Protection Regulation (GDPR) that becomes effective at the end of May this year will have a great impact on how companies and government organizations manage digital information when dealing with information from citizens and other subjects in the European Union. As data is the lifeblood of most organizations, it is no exaggeration to state that the GDPR will require fundamental changes in organizational behavior.
The Court Speaks: Privacy Shield, Standard Contractual Clauses and Cookie Con... (TrustArc)
There are some interesting developments in the world of case law. With so much focus on the CCPA enforcement date implications, many may have forgotten about the forthcoming decision in the Schrems II case, which could decide the fate of the Standard Contractual Clauses and the Privacy Shield for data transfers from Europe to the United States and elsewhere.
At the same time, the European Commission is working on the evaluation of all EU adequacy decisions and encouraging various countries to update their data protection laws. As to cookies, the Planet-49 case last year put clear boundaries around the issue of cookie consent. What has happened with this ruling of the European Court of Justice and how does it impact cookie compliance around the world?
Join us as we discuss the various international cross-border data transfer updates and how to navigate the potential significant changes.
This webinar will review:
-Implications of the Schrems II case decision
-The status of Privacy Shield and next steps
-European Commission adequacy re-assessment
-EDPB Guidelines on Consent and the revised IAB Framework updates
This presentation deals with insights on how an offshore IT organization has to get ready to align with the General Data Protection Regulation issued by the European Union.
How to Manage Vendors and Third Parties to Minimize Privacy Risk (TrustArc)
The scope of vendor or third-party requirements has significantly grown due to the global pandemic we’re living in. Not only are you working to ensure your vendor management efforts will result in compliance with GDPR, CCPA and other privacy regulations, now you must consider privacy risks associated with COVID-19.
Regulations have specific provisions that address vendors and extend companies’ data privacy obligations throughout their supply chains. Organizations need to be able to collect, maintain and track critical data for ongoing vendor management in order to properly evaluate, monitor and track their status.
This webinar will provide:
-Overview of privacy laws and regulations (i.e., CCPA, GDPR) and corresponding vendor and third-party requirements
-Summary of vendor management processes and how they can be supplemented to specifically address data privacy and security risks
-Best practices for managing data privacy in your vendor network
-Guidance on how to build & manage your vendor privacy management program with practical solutions
So Many States, So Many Privacy Laws: US State Privacy Law Update (TrustArc)
It’s no surprise that a US federal privacy law is the current talk of the privacy community. There have been MANY recent developments with individual US state privacy laws, along with numerous additional pieces of legislation on the horizon. With the advent of the California Privacy Rights Act (CPRA) and the Virginia Consumer Data Privacy Act (CDPA) plus activity with the Washington Privacy Act (WPA) and Oklahoma Computer Privacy Safety Act, there's a lot to focus on.
The changing privacy landscape can make it tricky for privacy leaders to stay up to date as they manage their privacy programs. And there's no indication US privacy regulation changes will slow down in 2021. While it may feel like a bad game of "Whack-a-Mole," there are ways to keep your company in-the-know and empowered as more regulations pop up.
This webinar will review:
-Recent developments in US state privacy laws
-US federal privacy law predictions
-Best practices and tips on how your company can keep up
From 25 May 2018 all public bodies must have a Data Protection Officer (DPO). The DPO must have ‘expert’ knowledge of both data protection law and practice. This session is directed at individuals within public sector organisations who will be acting as DPO, their deputies and those advising them.
Visit our website for more useful resources - https://www.brownejacobson.com/sectors-and-services/sectors/public-sector
This interactive session will include a brief discussion of the HMIS data standards revisions and will allow participants to ask questions about these revisions as well as changes due to the American Reinvestment and Recovery Act, changes to the Universal and Program-Specific data elements, and other topics such as privacy, security, and data quality.
Digital Personal Data Protection (DPDP) Practical Approach For CISOs (Priyanka Aash)
Key Discussion Pointers:
1. Introduction to Data Privacy
- What is data privacy
- Privacy laws around the globe
- DPDPA Journey
2. Understanding the New Indian DPDPA 2023
- Objectives
- Principles of DPDPA
- Applicability
- Rights & Duties of Individuals
- Principals
- Legal implications/penalties
3. A practical approach to DPDPA compliance
- Personal data Inventory
- DPIA
- Risk treatment
An Overview of the new GDPR regulations including:
• Data Protection Frame Work
• GDPR – Responsibilities
• GDPR – Changes
• GDPR - Exemptions
• GDPR – Rights
• Penalty
• Ten High Level Steps
The General Data Protection Regulation (GDPR) tidal wave has hit; are you ready? Is your organization prepared for the extensive privacy requirements GDPR puts forth for any organization handling EU data subjects' personal data? At this point, organizations must have a complete inventory of personal data and have conducted a DPIA against it. A handful of supervisory authorities have issued compliance guidelines, but your organization must be able to assess compliance with this ambiguous regulation at any time.
Many aspects of GDPR define the distinction between a data collector and a data processor, their respective responsibilities and compliance requirements. Those responsibilities will have an effect on the contracts you negotiate with third parties, the way in which you evaluate the risks involved with establishing a business relationship and the policies you develop to maintain compliance with the regulations.
Join this webinar to learn:
*More information about GDPR and what the industry is experiencing to date
*What minimum requirements you should have had in place by May 25, 2018
*What you should plan to do for the next 12-18 months if you are not completely ready
*What the SEC Privacy Shield program is and why you should self-certify
*How to continuously monitor vendor risk KPIs
Introduction to EU General Data Protection Regulation: Planning, Implementati... (Financial Poise)
The GDPR changed the way the world collects, stores, and sends personal data. The GDPR is a broad EU regulation that requires businesses to protect the personal data of EU citizens, whether the business itself is in the EU or elsewhere. Since its implementation in 2018, companies that collect data on EU citizens must comply with strict rules for the protection of personal data or face heavy fines for non-compliance. This webinar will provide an overview of GDPR’s applicability and requirements, as well as how your organization may meet those standards.
To view the accompanying webinar, go to: https://www.financialpoise.com/financial-poise-webinars/introduction-to-eu-general-data-protection-regulation-planning-implementation-and-compliance-2021/
Webcast title: GDPR: Protecting Your Data
Description: Find out why data protection and encryption is an essential component of preparing for your GDPR readiness process.
Specifically, we will cover:
What is considered "Personal Data" and why it needs to be "protected"
The Legal Aspects of Data Protection under GDPR.
The technical ways to protect/pseudonymization
In this Session you will learn from the leading experts:
- Ulf Mattsson: The father of database encryption.
- Martyn Hope: The Co-Founder of the GDPR Institut.
- Mark Rasch: Former Chief Cybersecurity Evangelist at Verizon, who led the DOJ's Cyber Crime Unit.
Presenters: Ulf Mattsson, Martyn Hope, Mark Rasch, David Morris
GDPR for public sector DPO's seminar, April 2018, Manchester (Browne Jacobson LLP)
From 25 May 2018 all public bodies must have a Data Protection Officer (DPO). The DPO must have ‘expert’ knowledge of both data protection law and practice. This session is directed at individuals within public sector organisations who will be acting as DPO, their deputies and those advising them.
Visit our website for more useful resources - https://www.brownejacobson.com/sectors-and-services/sectors/public-sector
On August 3, 2023, the Government of India introduced the fifth iteration of India's proposed personal data protection legislation, i.e., the Digital Personal Data Protection Bill, 2023 (DPDP Bill) in Parliament. Previously, in December 2022, the Ministry of Electronics and Information Technology had released a draft version of the bill (2022 Draft), inviting public comments thereto.
Once in force, the DPDP Bill aims to amend and omit some of the
Feedback on Personal Data Protection Bill 2019
1. Feedback on Personal Data Protection Bill 2019 (Bill No 373) submitted to JPC - 31 points - 23/02/2020
Nanda Mohan Shenoy D
CAIIB, DBM-Part I, NSE Certified Market Professional Level-1, PG Diploma in IRPM, PG Diploma in EDP and Computer Management, DIM, LA ISO 9001, LA ISO 27001, NISM empanelled CPE Trainer
Director
2. Background
• Had submitted the feedback on the Sep 2018 version
• Was also part of the NASSCOM Committee in Mumbai
• The following three recommendations were accepted:
• (14) "data principal" means the natural person to whom the personal data referred to in sub-clause (28) relates;
• (26) "Official identifier" means any number, code, or other identifier, including Aadhaar number, assigned to a data principal under a law made by Parliament or any State Legislature which may be used for the purpose of verifying the identity of a data principal
• (23) "in writing" includes any communication in electronic format as defined in clause (r) of sub-section (1) of section 2 of the Information Technology Act, 2000 - this definition was added
3. Gap-1 Definition - Data Principal (14)
• Gap:
– Natural Person: what about living or dead?
• Impact
– Can lead to a lot of litigation
• Remedy
– Definition of Natural Person to clarify the same
• International examples
– See next slides
4. Gap-1
I. GDPR Recital 27 - This Regulation does not apply to the personal data of deceased persons. Member States may provide for rules regarding the processing of personal data of deceased persons.
II. Bulgaria recognises that "in event of death of the natural person his/her rights shall be exercised by his/her heirs", thus extending the right of access to personal data not only to the natural person, but also to his or her family.
III. The Estonian Data Protection Act goes even further, giving a considerable amount of freedom to an individual to decide on the use of personal data in the event of processing personal data with the consent of a data subject. In s 12 it states: "The consent of a data subject shall be valid during the life of the data subject and thirty years after the death of the data subject, unless the data subject has decided otherwise." Furthermore, in s 13 it entitles certain family members to permit processing of personal data after the death of the data subject, but again for no more than thirty years after death.
IV. The Swedish Data Protection Act explicitly refers to personal data of the living, defining personal data as "all kinds of information that directly or indirectly may be referable to a natural person who is alive."
V. The UK Data Protection Act defines personal data as "data which relate to a living individual". Other member states also predominantly use the term "natural person", understood generally as a person having legal capacity, starting with the birth and ending with her death.
Source (II to V): https://script-ed.org/article/eu-data-protection-regime-protect-post-mortem-privacy-potential-alternatives/#_ftn23
5. Gap-2 Definitions - Financial Data (18)
• Gap:
– "means any number or other personal data"
• Gap
– What is meant by "other personal data"? No clarity
• Remedy
– Delete “or other personal data”
• Interpretation
– Can it be a Customer ID?
– Can it be a UPI Virtual ID, which is already de-identified financial data?
6. Gap-3 Definitions - Financial Data (18)
• Gap:
– "Financial Status" definition lacks clarity
• Impact
– Leads to interpretation
• Remedy
– Clarity required
• Logic
– If a loan is rejected, does it come under Financial Status?
– If the account turns NPA, is that Financial Status?
– Is a Life Insurance policy number financial data, as it is issued by a financial institution?
– Is a General Insurance policy number financial data?
7. Gap-4 Definitions - Health Data (21)
• Gap:
– Exclusion of Blood Group needed in the definition
• Impact
– Leads to delay in medical emergencies
• Remedy
– Exclude the Blood Group from health data
• Logic
– Many companies have printed the Blood Group on Employee ID cards. Huge rework
– Medical emergency
8. Gap-5 Definitions - Health Data (21)
• Gap:
– Post Mortem data not covered
• Impact
– Harm and press publicity
• Remedy
– Need clarity, or include it
• Logic
– Post mortem reports are often published in the newspapers, which may or may not cause harm
9. Gap-6 Definitions - Intra-group schemes (22)
• Gap:
– Intra group
• Impact
– Clarity issues
• Remedy
– Need clarity, or include it
• Logic
– Used in the context of transborder transfer. What constitutes the intra group is not known. If transborder intra group is allowed, why not domestic intra group?
10. Gap-7 Definitions - Official identifier (26)
• Gap:
– List of Official identifiers as a schedule
• Impact
– Avoid confusion for data fiduciaries
• Remedy
– A separate schedule
• Example
– EPFO UIN: is it Financial data or Official identifier?
– PRAN for NPS: is it Financial data or Official identifier?
– Income Tax PAN
– GSTIN?
11. Gap-8 Definitions - Personal Data (28)
• Gap:
– Ambiguity in online identifiers
• Impact
– Avoid confusion and subjectivity for data fiduciaries
• Remedy
– A separate schedule or explanation
• Example
– GDPR Recital 30 is as follows:
– (30) Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.
12. Gap-9 Definitions - Sensitive Personal Data (36)
• Gap:
– 4 definitions missing
• Impact
– Avoid confusion for data fiduciaries
• Remedy
– Define the same, or give a note ("has the same meaning as defined in the xxxx Act")
• Details
(iv) sex life;
(v) sexual orientation;
(x) caste or tribe;
(xi) religious or political belief or affiliation
13. Gap-10 Definitions - Sensitive Personal Data (36)
• Gap:
– How to protect SPDI on the cheque given below
• Impact
– Violation from Day 1, as confidentiality of the data cannot be ensured: the cheque passes through multiple layers at the Data Principal's end as well as at Fiduciaries/Processors
• Remedy
– Clarity required. Maybe an exception for physical cheques etc. But the challenge is that it can be converted into an electronic image
14. Notice –Sec 7
(1) Every data fiduciary shall give to the data principal a notice, at the time of
collection of the personal data, or if the data is not collected from the data
principal, as soon as reasonably practicable, containing the following
information, namely—
(a) the purposes for which the personal data is to be processed;
(b) the nature and the categories of personal data being collected;
(c) the identity and contact details of the data fiduciary and the contact
details of the data protection officer, if applicable;
(d) the right of the data principal to withdraw such consent, and the
procedure for such withdrawal, if the personal data is intended to be
processed on the basis of consent;
(e) the basis for such processing, and the consequences of the failure to
provide such personal data, if the processing of the personal data is based
on the grounds specified in section 12 to section 14;
(f) the source of such collection, if the personal data is not collected from the
data principal;
(g) The individuals or entities including other data fiduciaries or data
processors, with whom such personal data may be shared, if
applicable;
15. Gap-11 Notice - Sec 7
• Gap:
– Cases where consent is not required
• Impact
– Avoid confusion for data principals
• Remedy
– Modify Clause (1)(e)
• Details
• (e) the right of the data fiduciary to process certain data without consent, the basis for such processing, and the consequences of the failure to provide such personal data, if the processing of the personal data is based on the grounds specified in section 12 to section 14
16. Gap-12 Notice - Sec 7
• Gap:
– Definition of "the nature and the categories of personal data" missing
• Impact
– Avoid confusion for data fiduciaries
– Does "nature" mean the data elements, like gender? Does "category" mean personal, sensitive personal and critical personal data as defined in the Bill?
• Remedy
– Explanation or rewording required.
• Details
• (b) the nature and the categories of personal data being collected;
17. Notice - Sec 7
(h) information regarding any cross-border transfer of the personal data that the data fiduciary intends to carry out, if applicable;
(i) the period for which the personal data will be retained in terms of section 9 or where such period is not known, the criteria for determining such period;
(j) the existence of and procedure for the exercise of data principal rights mentioned in Chapter V and any related contact details for the same;
(k) the procedure for grievance redressal under section 32;
(l) the existence of a right to file complaints to the Authority;
(m) where applicable, any rating in the form of a data trust score that may be assigned to the data fiduciary under sub-section (5) of Sec 29; and
(n) any other information as may be specified by the Authority.
(2) Shall be clear, concise and easily comprehensible to a reasonable person and in multiple languages where necessary and practicable.
(3) Shall not apply where such notice substantially prejudices the purpose of processing of personal data under section 12.
18. Gap-13 Notice - Sec 7
• Gap:
– Standardisation
• Impact
– Avoid confusion for data fiduciaries/principals
• Remedy
– Rewording required.
• Details
• (j) the existence of and procedure for the exercise of data principal rights mentioned in Chapter V in terms of Section 17 to Section 21 and any related contact details for the same
19. Gap-14 Notice - Sec 7
• Gap:
– Elements of Notice missing
• Impact
– Avoid confusion for data fiduciaries
• Remedy
– Add the same in the Act
• Explanation
– The right of the data fiduciary to anonymise the data and use it for predictive analysis, big data etc. should be inserted
– Also, the obligations of the Act do not apply to anonymised data
– No consent will be required for anonymising the data
– The obligation of the data fiduciary to apply the security safeguards in terms of Section 24 (the methods of de-identification of data, so as to enhance transparency and trust, wherever applicable)
20. Gap-15 Notice - Sec 7
• (2) The data fiduciary shall provide the information as required under this section to the data principal in a clear and concise manner that is easily comprehensible to a reasonable person and in multiple languages where necessary and practicable
• Gap:
– Ambiguous statement
• Impact
– Avoid confusion for data fiduciaries
• Remedy
– Clarity required
• Explanation
– Who decides what is necessary or practicable? “multiple languages where necessary and practicable”
21. Gap-16 Sec 9 - Data storage limitation
(4) Where it is not necessary for personal data to be retained by the data fiduciary under sub-sections (1) and (2), then such personal data must be deleted in a manner as may be specified
• Gap:
– Implementation hurdle
• Impact
– Penalties at a future date for non-compliance
• Remedy
– Clarity required in the Act
• Explanation
– Physical deletion or logical deletion?
– Physical deletion is ruled out in most cases, and the cost of implementation is high
– Logical deletion will give rise to referential integrity checks
– What about deletion from all the backups taken, say, over the last n years and archived? How will that be achieved?
– Any cut-off date for deletion related to the passing of the bill needs to be explored and cannot be retrospective
– Everybody will be non-compliant from day 1
– Right of the data fiduciary to store the data even if the service is not provided, for example when a loan is rejected or an account opening is rejected; as per regulatory requirement the data needs to be preserved for audit purposes and the regulator comes and checks that as well. This is not under any law
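The physical-versus-logical deletion question and the backup question raised on this slide can be made concrete. The following is an added example written for this page, not code from the bill or from the author of the deck: it assumes a fiduciary keeping customers and loans in SQLite with a foreign key between them, uses constructed sample records, and stands in a backup with SQLite's built-in copy API. It shows that a physical delete is refused while a dependent loan record exists, that a logical delete keeps the row and so depends on every read path filtering it out, and that a backup taken before deletion still holds the data.

```python
import sqlite3
from datetime import datetime, timezone

# Constructed sample data (not from the page): two customers, one of whom has a
# rejected-loan record that a regulator may require the fiduciary to retain.
SAMPLE_CUSTOMERS = [(1, "Asha"), (2, "Ravi")]
SAMPLE_LOANS = [(101, 1, "rejected")]  # loan 101 belongs to customer 1


def build_db() -> sqlite3.Connection:
    """Create an in-memory database with a foreign key from loans to customers."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")  # SQLite enforces FKs only when switched on
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, deleted_at TEXT)"
    )
    conn.execute(
        "CREATE TABLE loans (id INTEGER PRIMARY KEY, "
        "customer_id INTEGER NOT NULL REFERENCES customers(id), status TEXT)"
    )
    conn.executemany("INSERT INTO customers (id, name) VALUES (?, ?)", SAMPLE_CUSTOMERS)
    conn.executemany("INSERT INTO loans VALUES (?, ?, ?)", SAMPLE_LOANS)
    conn.commit()
    return conn


def physical_delete(conn: sqlite3.Connection, customer_id: int) -> bool:
    """Remove the row outright. Returns False when referential integrity blocks it."""
    try:
        conn.execute("DELETE FROM customers WHERE id = ?", (customer_id,))
        conn.commit()
        return True
    except sqlite3.IntegrityError:  # "FOREIGN KEY constraint failed"
        conn.rollback()
        return False


def logical_delete(conn: sqlite3.Connection, customer_id: int) -> None:
    """Soft delete: keep the row (and the loan's reference) but stamp it as deleted."""
    stamp = datetime.now(timezone.utc).isoformat()
    conn.execute("UPDATE customers SET deleted_at = ? WHERE id = ?", (stamp, customer_id))
    conn.commit()


def active_customer_ids(conn: sqlite3.Connection) -> list:
    """Every read path must exclude soft-deleted rows; a query that forgets the
    filter re-exposes data that was 'deleted'."""
    rows = conn.execute("SELECT id FROM customers WHERE deleted_at IS NULL ORDER BY id")
    return [r[0] for r in rows]


def snapshot(conn: sqlite3.Connection) -> sqlite3.Connection:
    """Copy the whole database; stands in for a backup taken before deletion."""
    backup = sqlite3.connect(":memory:")
    conn.backup(backup)
    return backup


def customer_exists(conn: sqlite3.Connection, customer_id: int) -> bool:
    row = conn.execute("SELECT 1 FROM customers WHERE id = ?", (customer_id,)).fetchone()
    return row is not None


def demo() -> dict:
    conn = build_db()
    backup = snapshot(conn)  # backup taken before any deletion request
    result = {
        # customer 1 has a loan row pointing at it: the FK refuses the delete
        "physical_delete_with_loan": physical_delete(conn, 1),
        # customer 2 has no dependents: the row really goes away
        "physical_delete_without_loan": physical_delete(conn, 2),
    }
    logical_delete(conn, 1)
    result["active_after_logical_delete"] = active_customer_ids(conn)
    # the copy made earlier is untouched by either kind of deletion
    result["still_in_backup"] = customer_exists(backup, 1) and customer_exists(backup, 2)
    return result


if __name__ == "__main__":
    print(demo())
```

Running `demo()` gives `physical_delete_with_loan` False, `physical_delete_without_loan` True, an empty active list after the logical delete, and `still_in_backup` True; the last result is the point about archived backups made above: a deletion mandate that does not say what happens to copies leaves the fiduciary holding the data.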
22. Gap-17 Sec 11 - Consent
11. Processing of personal data on the basis of consent.—
(1) The personal data shall not be processed, except on the consent given by the data principal at the commencement of its processing
• Gap:
– Can any person authorised by the Data Principal give the consent?
• Impact
– Room for violation and litigation
• Remedy
– Clarity required in the Act
• Explanation
– The Indian Contract Act has the concept of Power of Attorney
– The BFSI segment works on Power of Attorney
– No clarity whether the consent can be given by a POA holder.
– In the financial services industry there are two approaches:
• 1. Banks open accounts based on the signature of the POA holder
• 2. Depository accounts cannot be opened by a POA holder
– Absolute clarity required on the same
23. Gap-18 Sec 11 - Consent
• Gap:
– Processing includes ‘use’ of data, which can lead to implementation hurdles
• Impact
– Room for violation and litigation
• Remedy
– Clarity required in the Act
• Explanation
– Four types of processing:
1. Account opening (Non-Financial Transaction)
2. Transaction (Financial Transaction – one-time, system generated/fiduciary induced)
3. Transaction (Financial Transaction – recurring, system generated/fiduciary induced)
4. Transaction (Financial Transaction – customer induced)
– In cases 2 and 3, will consent be required every time for processing, e.g. Recurring Deposits in banks, SIP in Mutual Funds?
– In case 4, if the customer signs a cheque and gives it to the bank, can it be construed as implied consent?
– Similarly, employees' monthly salary and statutory payment processing
24. S13 Employment Related
(1) Notwithstanding anything contained in section 11, and subject to sub-section (2), any personal data, not being any sensitive personal data, may be processed if such processing is necessary for -
(a) recruitment or termination of employment of a data principal by the data fiduciary;
(b) provision of any service to, or benefit sought by, the data principal who is an employee of the data fiduciary;
(c) verifying the attendance of the data principal who is an employee of the data fiduciary; or
(d) any other activity relating to the assessment of the performance of the data principal who is an employee of the data fiduciary.
(2) Any personal data, not being sensitive personal data, may be processed under sub-section (1), where the consent of the data principal is
– not appropriate having regard to the employment relationship between the data fiduciary and the data principal; or
– would involve a disproportionate effort on the part of the data fiduciary due to the nature of the processing activities under this section.
25. Gap-19 Sec 13 - Employment related
• Gap:
– Clarity required
• Impact
– Room for violation and litigation
• Remedy
– Clarity required in the Act
• Explanation
– What is "disproportionate effort"?
– Will monthly payroll processing require consent?
– Why is the attendance record specifically mentioned?
– Is one-time consent required from employees?
– In the notice to employees we can make it clear that referral checks and the like do not need consent as per this section. This section is also part of the notice
– Does termination of an employee amount to withdrawal of consent by default?
– What about notice at the time of entering into the contract? Is notice necessary for outsourcing activities like payroll processing to a third party?
– Will a separate notice as per Sec 7 be required for employment?
26. S14. Reasonable Purposes
(2) For the purpose of sub-section (1), the expression "reasonable purposes" may include—
(a) prevention and detection of any unlawful activity including fraud;
(b) whistle blowing;
(c) mergers and acquisitions;
(d) network and information security;
(e) credit scoring;
(f) recovery of debt;
(g) processing of publicly available personal data; and
(h) the operation of search engines
Under such circumstances, notice under section 8 would not apply and consent may not be required. Also, consent may not be possible.
27. Gap-20 Sec 14 - Reasonable Purpose
• Gap:
– The Nominee's personal details shared should also be outside the purview of consent and treated as a Reasonable Purpose. Addition required
• Impact
– Room for violation and litigation
• Remedy
– Add the following clause:
– “the consent of the Nominee is not required where the sharing of the Nominee details by the Data principal where the nominee is mandated by statute’
• Explanation
– Consent of the Nominee can lead to a huge social problem in the country, leading to family disputes.
– Nobody informs the Nominee that he/she has been nominated
– Nomination is very popular in Banking/Mutual Fund/Insurance
– In employment, PF/Gratuity/NPS etc. require nominations
– Even housing societies are now insisting on nominations
28. Gap-21 Sec 14 - Reasonable Purpose
• Gap:
– “(e) credit scoring” is very open
• Impact
– Every Fintech/NBFC/Financial Institution, in the garb of credit scoring, will start collecting data
• Remedy
– Add the following clause:
– “Credit scoring as mandated by The Credit Information Companies (Regulation) Act 2005 and related Rules and Regulations in this regard”
• Explanation
– Consent of the Nominee can lead to a huge social problem in the country, leading to family disputes.
– Nobody informs the Nominee that he/she has been nominated
– Nomination is very popular in Banking/Mutual Fund/Insurance/NBFC
– Even housing societies are now insisting on nominations
29. Gap-22 Sec 14 - Reasonable Purpose
• Gap:
– “(h) the operation of search engines” is not correct
• Impact
– This will be a big technical loophole
• Remedy
– Delete this
• Explanation
– Periodic, action-based consent will be required
– An off-track example is Ola/Uber asking for consent every time
– This is the first step of profiling by the search engines
30. Gap-23 Sec 16 (2) - Parental Consent
(2) The data fiduciary shall, before processing of any personal data of a child, verify his age and obtain the consent of his parent or guardian, in such manner as may be specified by regulations.
• Gap:
– What happens when the child attains majority?
• Impact
– Room for violation and litigation
• Remedy
– Clarity required as to what happens to the consent once the child attains majority
– What is the mechanism?
– Are the notice and consent freshly required from the Major?
• Explanation
– Something similar to the Aadhaar Act can be implemented, where the minor has the right, within 6 months of attaining majority, to request deletion of the Aadhaar
31. Gap-24 Sec 20 - Right to be forgotten
• Gap:
– The section heading talks about the Right to be forgotten but the clause talks about “the right to restrict or prevent”
• Impact
– Totally out of sync
• Remedy
– Need to relook at the same
• Explanation
– GDPR Article 17 has more clarity. However, the word erasure is used synonymously there. In our bill erasure is also mentioned in a separate context.
– Too much confusion in our bill regarding erasure. Please bring in some clarity
32. Gap-25 Sec 26 - Right to data portability
• Gap:
– There is no standard interoperable structure in the country to enable the implementation of data portability
• Impact
– Will remain good on paper only
• Remedy
– Add sub-section 3 as follows:
– “(3) The Authority has the right to define the interoperable standards to facilitate data portability“
• Explanation
– UIDAI has done a lot of work on standardisation as far as demographic standards are concerned. Refer:
– http://uidai.gov.in/UID_PDF/Committees/UID_DDSVP_Committee_Report_v1.0.pdf
– Even for consent, MeitY has come out with the Electronic Consent framework
33. Gap-26 Sec 28 - Records of Processing
• Gap:
– Why only fiduciaries? It should include processors as well
• Impact
– Confusion
• Remedy
– Add processors as well
• Explanation
– GDPR Art 30 has two sections, one for the Controller and the other for the Processor
34. Gap-27 Sec 29 - Data Audits vs Certification
• Gap:
– THE INFORMATION TECHNOLOGY (REASONABLE SECURITY PRACTICES AND PROCEDURES AND SENSITIVE PERSONAL DATA OR INFORMATION) RULES, 2011, which are getting repealed due to this Act, have provisions for both audit and certification (refer Rule 8, next slide)
• Remedy
– Implement certification or audit after necessary modification
• Explanation
– There is a new standard, ISO 27701, for Privacy Information Management Systems, which is an extension of ISO 27001
35. Rule 8 - SPDI contd.
Rule-8
(1) if they have implemented such security practices and standards and have a comprehensive documented information security programme and information security policies that contain managerial, technical, operational and physical security control measures that are commensurate with the information assets being protected with the nature of business.
In the event of an information security breach, it shall be required to demonstrate, as and when called upon to do so by the agency mandated under the law, that they have implemented security control measures as per their documented information security programme and information security policies.
(2) The International Standard IS/ISO/IEC 27001 on “Information Technology – Security Techniques – Information Security Management System – Requirements” is one such standard referred to in sub-rule (1).
36. Rules - cont.
(3) Any industry association or an entity formed by such an association, whose members are self-regulating by following other than IS/ISO/IEC codes of best practices for data protection as per sub-rule (1), shall get its codes of best practices duly approved and notified by the Central Government for effective implementation.
(4) The body corporate or a person on its behalf who have implemented either IS/ISO/IEC 27001 standard or the codes of best practices for data protection as approved and notified under sub-rule (3) shall be deemed to have complied with reasonable security practices and procedures provided that such standard or the codes of best practices have been certified or audited on a regular basis by entities through independent auditor, duly approved by the Central Government. The audit of reasonable security practices and procedures shall be carried out by an auditor at least once a year or as and when significant upgradation of its process and computer resource
37. Gap-28 Sec 30 - DPO
“30. (1) Every significant data fiduciary shall appoint a data protection officer possessing such qualification and experience as may be specified by regulations for carrying out the….”
• Gap:
• On roll or contract basis?
• Can there be a single DPO in the case of group companies?
• Reporting structure of the DPO: typically to the Risk or Compliance Department
• What about processors? Do they not need a DPO? It should be there also
• Remedy
– Include these aspects as sub-clauses
• Explanation
– Refer to Article 37 of GDPR, which has a lot of clarity
38. Gap-29 Sec 35 - Exemption
• Gap:
• Fear/perception of misuse of the provisions of this Act
• Remedy
– A provision similar to Sec 33 Sub-section (1) of the Aadhaar Act, wherein a Judge of the High Court can order the disclosure of information, and similarly Sub-section (2) of Sec 33, which can be ordered by the Secretary to the Government of India, to be suitably substituted
39. Gap-30 Sec 57 - Type of Penalties
• The fiduciary is categorized as
– Significant
– Small Entity
– Guardian
– Normal (which does not fall in the three categories)
• The personal data is categorized as
– Personal data
– Sensitive Personal data
– Critical data
• This means that there are 12 types of data breaches (4 × 3)
– The penalty should also be logically split into 12 categories and not one size fits all
40. Gap-31 Sec 91 - Anonymised personal data
• Gap:
– This anonymised data will be of junk value and cannot be used unless the entire universe uses a common algorithm for anonymisation.
– Also, the anonymisation algorithm will have to be shared.
– Including Non-Personal Data is opening a Pandora’s Box
• Impact
– Totally out of sync
• Remedy
– Need to relook at the same
• Explanation
– More clarity required
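The point that anonymised datasets from different fiduciaries are only usable together when everyone anonymises the same way can be shown with a small script. This is an added example written for this page, not the bill's or the author's method: it assumes keyed pseudonymisation with HMAC-SHA256 as the anonymisation technique (the deck names no particular algorithm), and uses constructed records with a fictitious 10-digit customer number shared between a bank and an insurer.

```python
import hmac
import hashlib

# Constructed sample records (not from the page): two fiduciaries hold
# overlapping data principals, identified by a fictitious 10-digit number.
BANK_RECORDS = [("9876500001", "savings"), ("9876500002", "savings"), ("9876500003", "loan")]
INSURER_RECORDS = [("9876500002", "term"), ("9876500003", "motor"), ("9876500004", "health")]


def pseudonymise(identifier: str, secret: bytes) -> str:
    """Keyed one-way token: HMAC-SHA256 over the identifier under the holder's secret.
    Without the secret, the token cannot be recomputed from a candidate identifier."""
    return hmac.new(secret, identifier.encode(), hashlib.sha256).hexdigest()


def anonymise_dataset(records, secret: bytes) -> list:
    """Replace the identifier column by its token; the other attributes are unchanged."""
    return [(pseudonymise(ident, secret), attr) for ident, attr in records]


def join_on_token(left, right) -> int:
    """Count tokens present in both anonymised datasets, i.e. records a recipient
    could link across the two sources."""
    right_tokens = {tok for tok, _ in right}
    return sum(1 for tok, _ in left if tok in right_tokens)


def demo() -> dict:
    bank_secret = b"bank-secret-key-constructed"         # constructed, per fiduciary
    insurer_secret = b"insurer-secret-key-constructed"   # constructed, per fiduciary
    shared_secret = b"sector-wide-secret-constructed"    # constructed, common to both

    # Same algorithm, independent secrets: the two datasets cannot be linked.
    independent = join_on_token(
        anonymise_dataset(BANK_RECORDS, bank_secret),
        anonymise_dataset(INSURER_RECORDS, insurer_secret),
    )
    # Common algorithm AND common secret: the overlapping principals line up again.
    common = join_on_token(
        anonymise_dataset(BANK_RECORDS, shared_secret),
        anonymise_dataset(INSURER_RECORDS, shared_secret),
    )
    token = pseudonymise("9876500002", shared_secret)
    return {
        "matches_independent": independent,  # 0
        "matches_common": common,            # 2 (…0002 and …0003)
        "token_len": len(token),             # 64 hex characters
    }


if __name__ == "__main__":
    print(demo())
```

With independent secrets the join finds 0 common records, with a sector-wide secret it finds the 2 overlapping principals. That is the trade-off the slide gestures at: data that is useful across the "entire universe" requires not just a common algorithm but common key material, and whoever holds that material can link records that each fiduciary believed were anonymised.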
https://www.youtube.com/watch?v=eMKiebYrvhU