3 DPDP Compliance

The document outlines the compliance requirements under the Digital Personal Data Protection Act (DPDPA) of 2023, detailing definitions, processing grounds, consent management, and the rights of Data Principals. It specifies the responsibilities of Data Fiduciaries, including the need for consent, data breach notifications, and the obligation to erase personal data upon withdrawal of consent. The document emphasizes the importance of protecting personal data and ensuring transparency in its processing.


DLS LAW OFFICES Strictly Privileged & Confidential

COMPLIANCE LIST: THE DIGITAL PERSONAL DATA PROTECTION ACT, 2023

Section 2 of DPDPA: Definitions

(h) “data” means a representation of information, facts, concepts, opinions or instructions in a manner suitable for communication, interpretation or processing by human beings or by automated means;

(t) “personal data” means any data about an individual who is identifiable by or in relation
to such data;

(n) “digital personal data” means personal data in digital form;

(x) “processing” in relation to personal data, means a wholly or partly automated operation
or set of operations performed on digital personal data, and includes operations such as
collection, recording, organisation, structuring, storage, adaptation, retrieval, use, alignment
or combination, indexing, sharing, disclosure by transmission, dissemination or otherwise
making available, restriction, erasure or destruction;

(b) “automated” means any digital process capable of operating automatically in response
to instructions given or otherwise for the purpose of processing data;

(u) “personal data breach” means any unauthorised processing of personal data or
accidental disclosure, acquisition, sharing, use, alteration, destruction or loss of access to
personal data, that compromises the confidentiality, integrity or availability of personal data;

(i) “Data Fiduciary” means any person who alone or in conjunction with other persons
determines the purpose and means of processing of personal data;

(j) “Data Principal” means the individual to whom the personal data relates and where
such individual is— (i) a child, includes the parents or lawful guardian of such a child; (ii) a
person with disability, includes her lawful guardian, acting on her behalf;

(k) “Data Processor” means any person who processes personal data on behalf of a Data
Fiduciary (ref Section 8 for appointment of Data Processor);

(g) “Consent Manager” means a person registered with the Board, who acts as a single
point of contact to enable a Data Principal to give, manage, review and withdraw her
consent through an accessible, transparent and interoperable platform;

(za) “specified purpose” means the purpose mentioned in the notice given by the Data
Fiduciary to the Data Principal in accordance with the provisions of this Act and the rules
made thereunder; and

(d) “certain legitimate uses” means the uses referred to in section 7.



Compliance Checklist:

Section | Header | Compliance required
Section 4 | Grounds for processing personal data
A person may process the personal data of a Data Principal only in accordance with the provisions of this Act and for a lawful purpose (“lawful purpose” means any purpose which is not expressly forbidden by law), being a purpose
- for which the Data Principal has given her consent; or
- that falls within certain legitimate uses.
Section 5 | Notice
Every request made to a Data Principal under section 6 for consent shall be accompanied or preceded by a notice given by the Data Fiduciary to the Data Principal, informing her of:
(i) the personal data and the purpose for which the same is proposed to be processed;
(ii) the manner in which she may exercise her rights under sub-section (4) of section 6 and section 13; and
(iii) the manner in which the Data Principal may make a complaint to the Board, in such manner and as may be prescribed.
(Where the Data Principal gave consent before the commencement of this Act, the Data Fiduciary shall give such notice as soon as it is reasonably practicable, and may continue to process the personal data until and unless the Data Principal withdraws her consent.)
Section 6 | Consent
The consent given by the Data Principal shall
- be free, specific, informed, unconditional and unambiguous with a clear affirmative action,
- signify an agreement to the processing of her personal data for the specified purpose, and
- be limited to such personal data as is necessary for such specified purpose.
Consent which constitutes an infringement of the provisions of this Act or the rules made thereunder or any other law for the time being in force shall be invalid to the extent of such infringement.

The request for consent shall provide the contact details of any person authorised by the Data Fiduciary to respond to any communication from the Data Principal for the purpose of exercise of her rights under the provisions of this Act.
Section 6 | Withdrawal of Consent
The Data Principal shall have the right to withdraw her consent at any time, with the ease of doing so being comparable to the ease with which such consent was given.
- The consequences of the withdrawal shall be borne by the Data Principal, and
- such withdrawal shall not affect the legality of processing of the personal data based on consent before its withdrawal.

If a Data Principal withdraws her consent to the processing of personal data, the Data Fiduciary shall, within a reasonable time, cease and cause its Data Processors to cease processing the personal data of such Data Principal, unless such processing without her consent is required or authorised under the provisions of this Act or the rules made thereunder or any other law for the time being in force in India.
Section 6 | Consent Manager
- The Data Principal may give, manage, review or withdraw her consent to the Data Fiduciary through a Consent Manager.
- The Consent Manager shall be accountable to the Data Principal and shall act on her behalf in such manner and subject to such obligations as may be prescribed.
Every Consent Manager shall be registered with the Board in such manner and subject to such technical, operational, financial and other conditions as may be prescribed.
Section 6 | Burden of Proof
Where a consent given by the Data Principal is the basis of processing of personal data and a question arises in this regard in a proceeding, the Data Fiduciary shall be obliged to prove
- that a notice was given by her to the Data Principal, and
- that consent was given by such Data Principal to the Data Fiduciary in accordance with the provisions of this Act and the rules made thereunder.
Section 7 | Certain Legitimate Uses
A Data Fiduciary may process personal data of a Data Principal for any of the following uses, namely:
a. for the specified purpose for which the Data Principal has voluntarily provided her personal data to the Data Fiduciary, and in respect of which she has not indicated to the Data Fiduciary that she does not consent to the use of her personal data;
b. for the State and any of its instrumentalities to provide or issue to the Data Principal such subsidy, benefit, service, certificate, licence or permit as may be prescribed, where
   - she has previously consented to the processing of her personal data by the State or any of its instrumentalities; or
   - such personal data is available in digital form in, or in non-digital form and digitised subsequently from, any database, register, book or other document which is maintained by the State or any of its instrumentalities and is notified by the Central Government,
   subject to standards followed for processing being in accordance with the policy issued by the Central Government or any law for the time being in force for governance of personal data;
c. for the performance by the State or any of its instrumentalities of any function under any law for the time being in force in India or in the interest of sovereignty and integrity of India or security of the State;
d. for fulfilling any obligation under any law for the time being in force in India on any person to disclose any information to the State or any of its instrumentalities, subject to such processing being in accordance with the provisions regarding disclosure of such information in any other law for the time being in force;
e. for compliance with any judgment or decree or order issued under any law for the time being in force in India, or any judgment or order relating to claims of a contractual or civil nature under any law for the time being in force outside India;
f. for responding to a medical emergency involving a threat to the life or immediate threat to the health of the Data Principal or any other individual;
g. for taking measures to provide medical treatment or health services to any individual during an epidemic, outbreak of disease, or any other threat to public health;
h. for taking measures to ensure safety of, or provide assistance or services to, any individual during any disaster, or any breakdown of public order (“disaster” as defined in the Disaster Management Act, 2005 (53 of 2005));
i. for the purposes of employment or those related to safeguarding the employer from loss or liability, such as prevention of corporate espionage, maintenance of confidentiality of trade secrets, intellectual property, classified information or provision of any service or benefit sought by a Data Principal who is an employee.
Section 8 | Data Fiduciary’s compliance responsibility irrespective of contrary agreement
- A Data Fiduciary shall (irrespective of any agreement to the contrary or failure of a Data Principal to carry out the duties provided under this Act) be responsible for complying with the provisions of this Act and the rules in respect of any processing undertaken by it or on its behalf by a Data Processor.
- A Data Fiduciary shall implement appropriate technical and organisational measures to ensure effective observance of the provisions of this Act and the rules made thereunder.

Section 8 | Processing requirements on the part of the Data Fiduciary
- Where personal data processed by a Data Fiduciary is likely to be (a) used to make a decision that affects the Data Principal, or (b) disclosed to another Data Fiduciary, the Data Fiduciary processing such personal data shall ensure its completeness, accuracy and consistency.

Section 8 | Safety Measures
- A Data Fiduciary shall protect personal data in its possession or under its control, including in respect of any processing undertaken by it or on its behalf by a Data Processor, by taking reasonable security safeguards to prevent personal data breach.

Section 8 | Personal Data Breach
- In the event of a personal data breach, the Data Fiduciary shall give the Board and each affected Data Principal intimation of such breach in such form and manner as may be prescribed.

Section 8 | Data Fiduciary’s obligation to erase personal data
A Data Fiduciary shall, unless retention is necessary for compliance with any law for the time being in force:
- erase personal data upon the Data Principal withdrawing her consent, or as soon as it is reasonable to assume that the specified purpose is no longer being served, whichever is earlier; and
- cause its Data Processor to erase any personal data that was made available by the Data Fiduciary for processing to such Data Processor.

The purpose shall be deemed to no longer be served if, for such time period as may be prescribed, the Data Principal does not
- approach the Data Fiduciary for the performance of the specified purpose; and
- exercise any of her rights in relation to such processing.
Different time periods may be prescribed for different classes of Data Fiduciaries and for different purposes.

Section 8 | Data Fiduciary’s duty to publish contact information of relevant person
A Data Fiduciary shall publish, in such manner as may be prescribed, the business contact information of a Data Protection Officer (DPO), if applicable (see Section 10), or of a person who is able to answer on behalf of the Data Fiduciary the questions, if any, raised by the Data Principal about the processing of her personal data.

A Data Fiduciary shall establish an effective mechanism to redress the grievances of Data Principals.

Section 9 | Processing of personal data of children (or persons with disability)
The Data Fiduciary shall, before processing any personal data of a child or a person with disability who has a lawful guardian, obtain verifiable consent of the parent of such child or the lawful guardian, in such manner as may be prescribed.
- A Data Fiduciary shall not undertake such processing of personal data as is likely to cause any detrimental effect on the well-being of a child.
- A Data Fiduciary shall not undertake tracking or behavioural monitoring of children or targeted advertising directed at children.

Section 11 | Data Principal’s right to access information about personal data
The Data Principal shall have the right to obtain from the Data Fiduciary to whom she has previously given consent for processing of personal data, upon making to it a request:
- a summary of the personal data which is being processed by such Data Fiduciary and the processing activities undertaken by that Data Fiduciary with respect to such personal data;
- the identities of all other Data Fiduciaries and Data Processors with whom the personal data has been shared by such Data Fiduciary, along with a description of the personal data so shared; and
- any other information related to the personal data of such Data Principal and its processing, as may be prescribed.

(The second and third items above shall not apply in respect of the sharing of any personal data by the said Data Fiduciary with any other Data Fiduciary authorised by law to obtain such personal data, where such sharing is pursuant to a request made in writing by such other Data Fiduciary for the purpose of prevention or detection or investigation of offences or cyber incidents, or for prosecution or punishment of offences.)

Section 12 | Data Principal’s right to correction and erasure of personal data
A Data Principal shall have the right to correction, completion, updating and erasure of her personal data for the processing of which she has previously given consent.

A Data Fiduciary shall, upon receiving a request for correction, completion or updating from a Data Principal:
(i) correct the inaccurate or misleading personal data;
(ii) complete the incomplete personal data; and
(iii) update the personal data.

A Data Principal shall make a request in such manner as may be prescribed to the Data Fiduciary for erasure of her personal data, and upon receipt of such a request the Data Fiduciary shall erase her personal data unless retention of the same is necessary for the specified purpose or for compliance with any law for the time being in force.
Section 13 | Data Principal’s right of grievance redressal
A Data Principal shall have the right to have readily available means of grievance redressal provided by a Data Fiduciary or Consent Manager in respect of any act or omission of such Data Fiduciary or Consent Manager regarding
- its obligations in relation to the personal data of such Data Principal, or
- the exercise of her rights under the provisions of this Act and the rules made thereunder.
Additionally,
- the Data Fiduciary or Consent Manager shall respond to any grievances within such period as may be prescribed for all or any class of Data Fiduciaries; and
- the Data Principal shall exhaust the opportunity of redressing her grievance under this section before approaching the Board.


Section 14 | Data Principal’s right to nominate
A Data Principal shall have the right to nominate any other individual who shall, in the event of death or incapacity of the Data Principal, exercise the rights of the Data Principal in accordance with the provisions of this Act and the rules made thereunder.
For the purposes of this section, the expression “incapacity” means inability to exercise the rights of the Data Principal under the provisions of this Act or the rules made thereunder due to unsoundness of mind or infirmity of body.
Section 15 | Data Principal’s duties
A Data Principal shall perform the following duties, namely:
- comply with the provisions of all applicable laws while exercising rights under this Act;
- ensure not to impersonate another person while providing her personal data for a specified purpose;
- ensure not to suppress any material information while providing her personal data for any document, unique identifier, proof of identity or proof of address issued by the State or any of its instrumentalities;
- ensure not to register a false or frivolous grievance or complaint with a Data Fiduciary or the Board; and
- furnish only such information as is verifiably authentic, while exercising the right to correction or erasure under the provisions of this Act or the rules made thereunder.

Section 16 | Processing of personal data outside India
The Central Government may restrict the transfer of personal data by a Data Fiduciary for processing to such country or territory outside India as may be so notified.

Nothing contained in this section shall restrict the applicability of any law for the time being in force in India that provides for a higher degree of protection for, or restriction on, transfer of personal data by a Data Fiduciary outside India in relation to any personal data or Data Fiduciary or class thereof.

Section 17 | Exemptions
The provisions of Chapter II, except sub-sections (1) and (5) of section 8, and those of Chapter III and section 16 shall not apply where
- the processing of personal data is necessary for enforcing any legal right or claim;
- the processing of personal data is by any court or tribunal or any other body in India which is entrusted by law with the performance of any judicial or quasi-judicial or regulatory or supervisory function, where such processing is necessary for the performance of such function;
- personal data is processed in the interest of prevention, detection, investigation or prosecution of any offence or contravention of any law for the time being in force in India;
- personal data of Data Principals not within the territory of India is processed pursuant to any contract entered into with any person outside the territory of India by any person based in India;
- the processing is necessary for a scheme of compromise or arrangement or merger or amalgamation of two or more companies or a reconstruction by way of demerger or otherwise of a company, or transfer of undertaking of one or more company to another company, or involving division of one or more companies, approved by a court or tribunal or other authority competent to do so by any law for the time being in force; and
- the processing is for the purpose of ascertaining the financial information and assets and liabilities of any person who has defaulted in payment due on account of a loan or advance taken from a financial institution, subject to such processing being in accordance with the provisions regarding disclosure of information or data in any other law for the time being in force.
  For the purposes of this clause, the expressions “default” and “financial institution” shall have the meanings respectively assigned to them in sub-sections (12) and (14) of section 3 of the Insolvency and Bankruptcy Code, 2016.

The provisions of this Act shall not apply in respect of the processing of personal data
- by such instrumentality of the State as the Central Government may notify,
  (i) in the interests of sovereignty and integrity of India, security of the State,
  (ii) friendly relations with foreign States,
  (iii) maintenance of public order or preventing incitement to any cognizable offence relating to any of these, and
  (iv) the processing by the Central Government of any personal data that such instrumentality may furnish to it; and
- necessary for research, archiving or statistical purposes if the personal data is not to be used to take any decision specific to a Data Principal and such processing is carried on in accordance with such standards as may be prescribed.

The Central Government may, having regard to the volume and nature of personal data processed, notify certain Data Fiduciaries or class of Data Fiduciaries, including startups, as Data Fiduciaries to whom the provisions of section 5, sub-sections (3) and (7) of section 8 and sections 10 and 11 shall not apply.

In respect of processing by the State or any instrumentality of the State, the provisions of sub-section (7) of section 8 and sub-section (3) of section 12 shall not apply and, where such processing is for a purpose that does not include making of a decision that affects the Data Principal, sub-section (2) of section 12 shall not apply.

The Central Government may, before expiry of five years from the date of commencement of this Act, by notification, declare that any provision of this Act shall not apply to such Data Fiduciary or classes of Data Fiduciaries for such period as may be specified in the notification.
Section 10 | Significant Data Fiduciary (SDF)
The Central Government may notify any Data Fiduciary or class of Data Fiduciaries as Significant Data Fiduciary, and such Significant Data Fiduciary shall comply with the requirements of Section 10.

Factors for determination of SDF include:
- the volume and sensitivity of personal data processed;
- risk to the rights of Data Principals;
- potential impact on the sovereignty and integrity of India;
- risk to electoral democracy;
- security of the State; and
- public order.

Section 10 | SDF must appoint DPO
The Significant Data Fiduciary shall:
(a) appoint a Data Protection Officer (DPO) who shall
   (i) represent the Significant Data Fiduciary under the provisions of this Act;
   (ii) be based in India;
   (iii) be an individual responsible to the Board of Directors or similar governing body of the Significant Data Fiduciary; and
   (iv) be the point of contact for the grievance redressal mechanism under the provisions of this Act;
(b) appoint an independent data auditor to carry out data audit, who shall evaluate the compliance of the Significant Data Fiduciary in accordance with the provisions of this Act; and
(c) undertake the following other measures, namely:
   - periodic Data Protection Impact Assessment, which shall be a process comprising a description of the rights of Data Principals and the purpose of processing of their personal data, assessment and management of the risk to the rights of the Data Principals, and such other matters regarding such process as may be prescribed;
   - periodic audit; and
   - such other measures, consistent with the provisions of this Act, as may be prescribed.