Understanding India’s Digital Personal Data Protection Act, 2023


Scope

  • This Act applies to the processing of digital personal data within India, whether collected in digital or non-digital form and subsequently digitized.
  • It also extends to processing outside India if related to offering goods or services to individuals within India.

Key Actors

  • Data Principal: The individual to whom the personal data relates
  • Data Fiduciary: Any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data
  • Significant Data Fiduciary: The Central Government may notify any Data Fiduciary or class of Data Fiduciaries as a Significant Data Fiduciary, on the basis of an assessment of various key factors

Obligations of Data Fiduciary

  • Data can only be processed if the Data Principal has given consent
  • Must provide a notice to Data Principals, detailing the personal data processing, rights, and complaint procedures.
  • Must ensure that consent can be withdrawn with ease comparable to that of giving it.
  • Must ensure compliance with the Act, engage Data Processors under valid contracts, implement security measures, and notify breaches.

Significant Data Fiduciary

The Central Government may notify any Data Fiduciary as a Significant Data Fiduciary on the basis of an assessment of the following key factors:

  • The volume and sensitivity of personal data processed
  • Risk to the rights of the Data Principal
  • Potential impact on the sovereignty and integrity of India
  • Risk to electoral democracy
  • Security of the State
  • Public order.

Significant Data Fiduciaries must appoint a Data Protection Officer, undergo data audits, and undertake impact assessments and other prescribed measures.

Rights and Duties of Data Principal

  • Right to access a summary of their personal data, identities of involved parties, and related information.
  • Request correction, completion, updating, or erasure of their personal data as necessary.
  • Right to seek redressal for grievances related to the handling of their personal data
  • Nominate individuals to exercise their rights in case of death or incapacity.
  • Comply with applicable laws, provide authentic information, and not register false grievances.

Special Provisions

  • The Central Government may restrict the transfer of personal data outside India through notification.
  • Certain exemptions apply, including for legal enforcement, certain government functions, and specific purposes outlined in the Act.
  • An appeal process is established for individuals aggrieved by orders or directions made by the Board under the Act.

Conclusion

The Digital Personal Data Protection Act, 2023, establishes comprehensive guidelines for the processing and protection of personal data, ensuring transparency, consent, and rights for individuals while balancing legitimate uses and obligations for data handlers.