
King Stubb and Kasiva (December 2023)

1. Drafted numerous recovery notices

Client: Leads. Had to draft over 500 legal loan recovery notices, largely clerical work.

2. Assisted the firm in the preparation of a Legal Advisory under the Legal
Metrology Act pertaining to the E-Waste (Management) Rules, 2022.

Client: Pegion (electric rice cookers). Their roles and responsibilities pertaining to this Act.

The E-Waste (Management) Rules apply to every manufacturer, producer, refurbisher, dismantler
and recycler involved in manufacture, sale, transfer and purchase.
Sec 4 - Entities need to register on the portal of the Central Pollution Control Board.
Sec 5 - Responsibilities of the manufacturer. All manufacturers shall have to: (1) register
on the portal; (2) collect e-waste generated during the manufacture of any electrical and
electronic equipment and ensure its recycling or disposal; (3) file annual and quarterly returns
in the laid down form on the portal on or before the end of the month succeeding the quarter or
year, as the case may be, to which the return relates.
Sec 11 - Every manufacturer can store e-waste for not more than 180 days.
Sec 13 - Modalities of the extended producer responsibility regime.
Producers are responsible for recycling their electronic waste (e-waste). They can use helpers
like recyclers or collection centres, but the ultimate responsibility remains theirs. The
government decides how much recycling each producer needs to do based on product life and
targets. Producers can buy recycling certificates online from certified recyclers to meet their
goals. The government checks both sides' information to prevent cheating. If there is a
mismatch, the lower amount counts.
Sec 14 - Extended producer responsibility Certificate Generation.
Recycling Certificates:

1. Earning Certificates: Recyclers get "certificates" based on the weight of e-waste they properly
recycle. It's like getting points for completing your chore.
2. Calculating Points: There's a formula to consider how much processing a product needs (like
extra points for difficult-to-recycle items).
3. Certificate Details: Each certificate has a unique code and comes in different "sizes" (like 100
kg or 1000 kg certificates).
4. Deferring the Chore (Refurbishing):
1. Refurbishing Option: If you can fix an e-waste item to extend its life (like refurbishing a
phone), you can get a special certificate.
2. Postponing the Chore: This certificate lets you delay your recycling responsibility for that
item for the extra lifespan it gets.
3. Bonus for Refurbishing: To encourage fixing things, you only have to "re-do" 75% of the
chore (recycling) later when the refurbished item finally dies.

3. Researched the vicarious liability of an organisation in case of accidents under the
Motor Vehicles Act.
Section 161. Special provisions as to compensation in case of hit-and-run motor accident.
(2) Subject to the provisions of this Act and the scheme made under sub-section (3), there
shall be paid as compensation
(a) in respect of the death of any person resulting from a hit-and-run motor accident, a fixed
sum of two lakh rupees or such higher amount as may be prescribed by the Central
Government;
Section 164. Payment of compensation in case of death or grievous hurt, etc.
(1) Notwithstanding anything contained in this Act or in any other law for the time being in
force or instrument having the force of law, the owner of the motor vehicle or the
authorised insurer shall be liable to pay, in the case of death or grievous hurt due to any
accident arising out of the use of a motor vehicle, a compensation of a sum of five lakh
rupees in case of death or of two and a half lakh rupees in case of grievous hurt to the legal
heirs or the victim, as the case may be.
Section 166. Application for compensation. 166(3) - No application for compensation shall be
entertained unless made within six months of the occurrence of the accident.

1. Vijaysing Shirke v. Government of Maharashtra, 1991

Citation - SCC OnLine Bom 507
Court - Supreme Court of India
Facts of the case - Vijay Singh was driving the scooter; the jeep, which belonged to the State
Government, dashed against the scooter, because of which the victim sustained serious
injuries and ultimately succumbed to those injuries in the hospital.
Calculation of compensation - Deceased 35 years of age; monthly earnings about Rs. 1,000 to
Rs. 1,200. Considering that the deceased could have survived till 65 years of age, the
dependency of the claimants was taken at ⅔rd of income, i.e. Rs. 700 per month. Compensation
calculated at Rs. 2,52,000, with 20 per cent deducted for lump sum payment and uncertainties
of life. Damages also awarded for loss of consortium/love and affection at Rs. 5,000/-.
Interest granted at 12% p.a. from the date of application till the date of deposit/realisation.

2. Sitaram Motilal Kalal v. Santanuprasad Jaishankar Bhatt

Citation - AIR 1966 SC 1697
Court - Supreme Court of India
Facts of the case - In the said case, the owner of the vehicle entrusted it to A for plying it
as a taxi. B used to clean the taxi. A trained B to assist him in driving the taxi. B took the
taxi to obtain a driving licence for himself. While taking the test, B caused bodily
injury to the respondent. At that time, A was not present in the vehicle. The question
arose whether the owner was liable or not.
Held - The majority held that the owner was not liable, as it was not proved that the act was
impliedly authorised by the owner and it could not come within the extended doctrine of ‘in
the course of employment’. It was observed as follows: “In other words, for the master's
liability to arise, the act must be a wrongful act authorised by the master or a wrongful and
unauthorised mode of doing some act authorised by the master.”

3. Oriental Insurance Co. Ltd. v. Meena Variyal


Citation - 2007 ACJ 1284 (SC)
Court - Supreme Court of India
Facts of the Case - Suresh Chandra Variyal was employed as a Regional Manager in M/s
Apace Savings and Mutual Benefits (India) Ltd., the owner of a motor vehicle, respondent
No.3 herein. Variyal was provided with a car by the employer. The vehicle was insured with
the appellant company in terms of the Motor Vehicles Act, 1988. There was no special
contract. On 14.6.1999, the vehicle met with an accident. Suresh Chandra Variyal died.

Held - When a car belonging to an owner is insured with the insurance company and it is
being driven by a driver employed by the insured, when it meets with an accident, the
primary liability under law for payment of compensation is that of the driver. Once the driver
is liable, the owner of the vehicle becomes vicariously liable for payment of compensation. It
is this vicarious liability of the owner that is indemnified by the insurance company. A third
party for whose benefit the insurance is taken is therefore entitled to show when he moves
under Section 166 of the Motor Vehicles Act, that the driver was negligent in driving the
vehicle resulting in the accident, that the owner was vicariously liable and that the insurance
company was bound to indemnify the owner and consequently, satisfy the award made.

4. Researched the delay in filing for arbitration from the date of the cause of action.

The Supreme Court while adjudicating an application filed under Section 11(6) of the
Arbitration and Conciliation Act, 1996 for appointment of arbitrator, has held that the
limitation period of three years for filing such application would commence from the date
when the cause of action arose.

IN RE: COGNIZANCE FOR EXTENSION OF LIMITATION

1. Due to the outbreak of the COVID-19 pandemic in March 2020, this Court took suo motu
cognizance of the difficulties that might be faced by the litigants in filing petitions/
applications/ suits/ appeals/ all other proceedings within the period of limitation prescribed
under the general law of limitation or under any special laws (both Central and/or State). On
23.03.2020, this Court directed extension of the period of limitation in all proceedings before
the Courts/Tribunals including this Court w.e.f. 15.03.2020 till further orders.
2. Considering the reduction in prevalence of the COVID-19 virus and normalcy being restored,
the following order was passed in the suo motu proceedings on 08.03.2021: “1. In computing the
period of limitation for any suit, appeal, application or proceeding, the period from
15.03.2020 till 14.03.2021 shall stand excluded. Consequently, the balance period of limitation
remaining as on 15.03.2020, if any, shall become available with effect from 15.03.2021.”

5. Attended hearings before the Hon'ble High Court of Delhi in a matter pertaining
to the selection process and selection criterion in the EFI (Equestrian Federation
of India).

Before the High Court of Delhi on 11.04.2023, the proceedings primarily focused on matters
related to the Rajasthan Equestrian Association, the Equestrian Federation of India (EFI) and
the Union of India. The cases revolve around compliance with the Sports Code by the EFI to gain
recognition as a National Sports Federation. The court noted that despite repeated extensions
and assurances, the EFI failed to align its constitution with the Sports Code, leading to
concerns about civilian participation in governing the EFI. There were discussions about the
need for an Administrator to oversee the affairs of the EFI due to non-compliance with the
Sports Code. The court also addressed issues related to conducting elections within the EFI and
determining the Electoral College. Various legal counsels presented arguments regarding the
exemptions granted by the Union Government and the need for amendments to bring the EFI's
constitution in line with the Sports Code. The court issued directions for conducting elections
for the Executive Committee and Selection Committee of the EFI under the supervision of an
Election Officer.
● The National Sports Development Code of India (Sports Code): This code mandates how
National Sports Federations (NSFs) like the EFI should be governed and function. It
emphasizes democratic elections and adherence to specific guidelines.
● The EFI hasn't amended its constitution to align with the Sports Code. It also grants
voting rights to individual members and clubs, which is against the code's requirements.
● Despite non-compliance, the Ministry of Youth Affairs & Sports granted the EFI exemptions
from certain provisions of the Sports Code. This is a point of contention.
● The petitioner argues that the Ministry's exemptions are unfair and violate the spirit of
the Sports Code. They claim the EFI hasn't made a genuine effort to comply and the
exemptions aren't in the best interest of the sport or athletes.
● EFI's Arguments: The EFI argues that equestrian sports are unique due to the high cost of
horses and limited state associations. They claim the exemptions are necessary until they
can fully comply with the code. They also emphasize the importance of holding elections
soon to have a duly elected body manage the sport.
● Ministry's Arguments: The Ministry defends its power to grant exemptions under special
circumstances. They argue that holding elections with the current electoral college is the
best course of action for now.

Bajaj Housing Finance Limited (June 2023)

● Drafted various legal notices under Sections 13(2) and 13(4) of the SARFAESI Act for
loan recoveries.

Section 13 of the SARFAESI Act: The Securitization and Reconstruction of Financial Assets and
Enforcement of Security Interest (SARFAESI) Act, enacted in 2002, is a crucial legislation that
empowers financial institutions to enforce their security interests without the intervention of
the court. One of the pivotal aspects of the SARFAESI Act is the issuance of notices under
Sections 13(2) and 13(4), which play a significant role in the recovery process. This note
delves into the details of SARFAESI notices, exploring their purpose, content and legal
implications.

Section 13(2) Notice: The Section 13(2) notice is the initial step taken by a secured creditor
when a borrower defaults on repayment. This notice serves as a warning to the borrower,
notifying them of the default and providing an opportunity to rectify the situation. The notice
outlines the outstanding amount, the nature of the default, and a 60-day period for the
borrower to regularize the payment. Failure to comply within this stipulated timeframe
empowers the creditor to take further actions under the Sarfaesi Act.

Key Elements of Section 13(2) Notice:

1. Identification of the borrower and the secured assets.
2. Details of the default, specifying the amount overdue and the nature of the default.
3. A demand for payment within 60 days from the date of the notice.
4. Consequences of non-compliance, including the intention to enforce security.

Section 13(4) Notice: If the borrower fails to comply with the Section 13(2) notice, the
secured creditor proceeds to issue a Section 13(4) notice. This notice signifies the creditor's
intent to take possession of the secured assets and sell them to recover the outstanding dues.
Issued after the expiration of the 60-day period mentioned in the Section 13(2) notice, the
Section 13(4) notice is a critical step in the enforcement process.

Key Elements of Section 13(4) Notice:

1. Explicit mention of the borrower's failure to comply with the Section 13(2) notice.
2. Declaration of the creditor's intent to take possession of the secured assets.
3. A notice period allowing the borrower to make representations against the intended action.
4. The manner in which the possession will be taken and the assets will be sold.

Legal Implications:

13(2) Notice - Purpose: To notify a borrower who has defaulted on a secured loan and
demand full repayment within 60 days.

Key Points:

● Issued by the secured creditor (usually a bank or financial institution).
● Served after the borrower's account is classified as a Non-Performing Asset (NPA).
● Provides a 60-day window for the borrower to repay the outstanding dues.
● Failure to comply may lead to the initiation of Section 13(4) proceedings.

Section 13(4) Notice:

Purpose: To inform a borrower that the secured creditor intends to take possession of the
secured assets to recover outstanding dues.

Key Points:

● Issued after the borrower fails to repay within the 60-day period of Section 13(2)
notice.
● Authorizes the secured creditor to take possession of the secured assets.
● Methods of possession can include: Physical takeover of the assets. Appointment of a
Receiver to manage the assets.
● The secured creditor can then sell or lease the assets to recover the dues.

Implications for Borrowers:

● Receiving these notices signals a serious stage of debt recovery.
● It's crucial to seek legal advice promptly to understand your rights and options.
● You may have grounds to challenge the notices in certain circumstances.
● The Debts Recovery Tribunal (DRT) is the authority to approach for such challenges.

Key Considerations:

● Secured creditors must exercise their powers under these sections reasonably and
fairly.
● Borrowers have the right to notice and an opportunity to be heard before any action is
taken.
● The DRT provides a mechanism for redressal if borrowers feel their rights have been
violated.

● Prepared a Process Note of the Corporate Insolvency Resolution Process under the
Insolvency and Bankruptcy Act.

● Prepared case note on the landmark case of Anuj Jain vs Axis Bank Limited and Ors.
This is a judgment summary about the case between the Insolvency Resolution Professional
(IRP) and the lenders of Jaiprakash Associates Limited (JAL) on whether they can be
classified as financial creditors of Jaypee Infratech Limited (JIL). The NCLT and NCLAT
disagreed on the classification, and this case reached the Supreme Court.

Facts

● JIL provided collateral (mortgaged properties) to secure loans given by lenders to
JAL, its holding company.
● The IRP argued that the lenders were not financial creditors of JIL because there was
no disbursal of funds to JIL.
● The lenders argued that the mortgage they held on JIL's property made them financial
creditors.

Supreme Court Holding

The Supreme Court sided with the IRP. In order to be a financial creditor, there must be a
disbursal of funds against the time value of money. Here, the lenders did not disburse funds
directly to JIL, so they are not financial creditors.

Implications

This decision may have a significant impact on insolvency proceedings in India. Secured
creditors who do not directly disburse funds to the corporate debtor may not be considered
financial creditors. This could affect their rights to participate in the insolvency resolution
process.

Unanswered Questions

The judgment raises a question about creditors invoking a guarantee provided by a corporate
debtor. The court did not directly address this, but based on the reasoning of the judgment, it
seems unlikely that such creditors would be considered financial creditors either.

This interpretation could lead to challenges against past actions taken by secured creditors
who were previously considered financial creditors. It will be interesting to see how courts
handle these situations.

SCRIBOARD

43A. Compensation for failure to protect data. – Where a body corporate, possessing,
dealing or handling any sensitive personal data or information in a computer resource which
it owns, controls or operates, is negligent in implementing and maintaining reasonable
security practices and procedures and thereby causes wrongful loss or wrongful gain to any
person, such body corporate shall be liable to pay damages by way of compensation to the
person so affected.

A & A Law Firm

Researched the misuse of Sections 506 and 509 of the Indian Penal Code.
In the case of State of Punjab v. Major Singh (1967), Hon’ble Justice R.S. Bachawat
succinctly defined ‘woman’s modesty’ as the essence of her sex. He succinctly observed that
“the modesty of an adult female is writ large on her body. Young or old, intelligent or
imbecile, awake or sleeping, the woman possesses a modesty capable of being outraged”.
The Oxford English Dictionary further defines the word ‘modesty’ as “womanly propriety of
behaviour.” It is, therefore, clear that the legislature deliberately used the word “modesty” in
Sections 509 and 354 of the Indian Penal Code, 1860 to extend protection to an automatic
attribute that is peculiar to women. Whether an act outrages or insults the modesty of a
woman is seen according to the standards of morality prevailing at that time in society. Such
kinds of sections are largely based on the concept of public morality; thereby, the acts and
words falling within the ambit of the sections will differ throughout time, country, and
society.

In the landmark case of Ram Kripal v. State of Madhya Pradesh (2007), the court
held that in cases relating to outraging or insulting the modesty of a woman, the intention of
the accused is the crux of the matter, and even the reaction of the victim is relevant; however,
the absence of reaction is not always a decisive factor. Thereby, in cases of outraging or
insulting the modesty of a woman, the reaction of the woman to such outraging or insulting
conduct is always a relevant fact, but the fact of her omission to react may or may not be a
relevant fact. The court observed that in a case where the accused with malign intentions
touches the flesh of a sleeping woman or where the victim is a person who is unable to
communicate verbally, under the spell of anesthesia, or an infant, the accused will be liable
under Section 354 or 509 as the case may be irrespective of the absence of any reaction by
the victim.

In the recent case of Varun Bhatia v. State and Anr. (2023), the Delhi High Court unfolded
various connotations related to Section 509. In the given case, the contention levied against
the accused was that he addressed the complainant as ‘gandi aurat’ in front of all the staff,
which amounted to insulting her modesty. The court held that the words ‘gandi aurat’ when
objectively assessed, seem to be impolite and offensive but are insufficient to provoke shock
in a woman to invoke Section 509. The court in the given case also took into account the
reaction of the complainant in light of the background to which the complainant belonged and
held that the given words would not amount to insulting the modesty of the woman. The
court, given the lack of intention on the part of the accused to insult the modesty of the
complainant, acquitted the accused.

The court also held that merely insulting the woman, misbehaving with her, being rude to her,
or not behaving chivalrously as she expects you to behave will not amount to insulting the
modesty of a woman. The court clarified that intent is the linchpin of this offence, wherein a
deliberate remark or an action to demean the woman’s modesty will amount to the offence
under Section 509. The court observed that it is this ‘intent’ that separates ordinary speech
and expression from those actions that fall within the ambit of Section 509.

The court in the given case also held that the mere reason that a provision of law is gender
specific does not mandate that a presumption be raised in favour of the given gender as well.
Such a presumption can only be raised if it is specifically articulated in the given legislation.
The court, based on the given legal proposition, held that the court should keep an impartial
and neutral approach while deciding cases related to Section 509 and should follow
well-established legal principles to adjudicate such matters. The court succinctly held that
while dealing with any case, the court should be tipped in favor of justice and not towards
any one party.

Conclusion

Section 509 of the Indian Penal Code aims to curb the menace of eve teasing and protect
women from such conduct that affronts their modesty without the use of assault or criminal
force but only through words or actions. The word “modesty” has been used deliberately by
the legislators. A woman’s modesty is inherently linked to her gender, and thereby, all such
conducts that are demeaning to the femininity of the woman are covered under the provision.
The section is wide enough to include all such demeaning acts; however, it is the intention of
the accused that becomes the crux of the matter. The accused to be made liable under the
given provision should have a specific intention to use his words or actions to insult the
woman’s modesty. In the absence of the given intention, the words or actions of the accused
will be indifferentiable from normal speech and expression. To understand whether a word or
action is capable of insulting a woman’s modesty, the test of reasonableness is to be applied.
Apart from that, the social and cultural background of the victim and the prevailing standards
of morality in society are considered.
Hon’ble Justice J.S. Verma on 26th December 2012, while discussing the need for amendment
in sections relating to offences against women, said, “The humiliating aspect of the crime
against a woman is that her status in the hierarchical structure of society also obstructs the
way of securing justice for her. Thus, her social status compounds her gender injustice”.
Thereby, in all the offences against the woman, the judicial machinery and the investigation
agencies should help the aggrieved woman seek justice and implement the provisions for
their protection in the true spirit of the law.

Does the mere use of abusive language with a woman culminate in an offence under Section
509? In a recent case of State v. Ankit Shukla (2022), the court held that if the complainant
merely alleges that the accused has hurled verbal abuses at her or that the accused has
targeted vulgar abusive comments at her, it will not be sufficient to attract Section 509. The
court held that the prosecution or the complainant is required to bring on record the exact
nature or wording of the abuse alleged to have been hurled at her. If such language is seen as
insulting to the femininity of the woman, then Section 509 will be attracted.

Can a woman be convicted under Section 509? Section 509 starts with the word ‘whoever’
and thereby, it is clear that even a woman can be accused and convicted under Section 509.
The section is gender-specific in the context of the victim. Thereby, only a woman can be a
victim under Section 509 because the term ‘modesty’ is inherently linked to the female
gender. However, modesty can be insulted or outraged by a woman as well as by a man.

What is the difference between Section 509 and Section 354? Sections 354 and 509 of the
Indian Penal Code are both aimed at protecting the modesty of a woman. However, Section
354 is graver than Section 509, as modesty under Section 354 is violated through actions like
assault or criminal force. Thereby, Section 354 includes physical force or apprehension of
physical force, whereas Section 509 only includes utterances, words, and objects and no
physical force. Section 354 provides for a punishment of imprisonment of at least one year,
which can be extended up to five years, and a fine, whereas Section 509 provides for a
punishment of simple imprisonment for a period of three years, a fine, or both. The difference
in the extent of punishment prescribed in both provisions also manifests the difference in the
graveness of both offences.
Is Section 509 incorporated in the Bhartiya Nyaya Sanhita Bill, 2023? Section 509 has been
suggested to be replaced by Section 78 in the Bhartiya Nyaya Sanhita Bill of 2023. The
Home Minister of India, Hon’ble Mr. Amit Shah, explained in his speech while introducing
the given bill that the bill aims to place the provisions relating to offences against women and
children before the offences against the state, unlike the Indian Penal Code. Thereby, the
given section is renumbered to Section 78 in Chapter V. The verbatim definition of the
offence and the extent of punishment remain unamended in the new bill. The given bill was
introduced in Lok Sabha on August 11, 2023, and has been referred to the standing
committee.

Impleadment of 3rd party in Arbitration Proceedings

Key Points

● The Court ruled that Arbitral Tribunals (ATs) cannot implead non-signatories to an
arbitration agreement.
● This means that ATs cannot force parties who did not sign the arbitration agreement to
be involved in the arbitration process.
● The Court's decision aligns with previous rulings by the Madras High Court.
● The power to implead parties lies with courts, not ATs.
● Arbitration agreements are based on consent, and parties must agree to be bound by
arbitration.

Background

● A dispute arose about whether an AT could add non-signatory parties to an arbitration
proceeding.
● The respondents argued that the AT has the authority to implead third parties to
effectively resolve disputes.
● However, the Court disagreed, finding no provision in the Arbitration and
Conciliation Act, 1996 (the Act) that grants ATs this power.

International Perspective

● The Court compared the Indian law to international arbitration rules, which typically
have specific provisions for joining additional parties.
● These rules require consent from all parties involved or evidence that the
non-signatory is bound by the agreement.

Group Companies and Alter Ego Doctrines

● The Court acknowledged these doctrines, used in some cases to bind non-signatories
to arbitration agreements.
● However, the Court emphasized that ATs cannot invoke these doctrines.

Conclusion

● This decision clarifies the limited powers of ATs in India regarding impleading
parties.
● It reinforces the principle that arbitration is a consensual process.
● The judgment by the Supreme Court on the applicability of the group companies
doctrine in Cox & Kings Vs SAP India is still pending.

SCRIBOARD

Assisted the firm in preparing several opinions and advisories on legal compliance under the
Information Technology Act, the General Data Protection Regulation and the California
Consumer Privacy Act.

Any company which receives, stores or transmits data on behalf of another person has
an obligation to exercise "due diligence", which inter alia includes:

● a) Identifying which of the information is "sensitive personal information";
● b) Following reasonable security practices to protect it (under Section 43-A of the IT
Act, 2000);
● c) Understanding the data retention requirements and implementing systems to comply
with them;
● d) Understanding that the GOI has the powers to block, intercept or ask for data
decryption keys, information on data traffic, etc. (under Sections 69 and 69-A of the IT
Act, 2000);
● e) Being prepared to conduct an e-audit of all the documents maintained in e-form;
● f) Adhering to the encryption policies as may be announced, etc.;
● g) Ensuring that, without the permission of the owner of the information, access to
that information is not provided to others [refer Section 72-A];
● h) Ensuring that any security obligations agreed to in a contractual agreement are
not breached.

● Failure to comply with the above may result in damages payable for which there
is no specified upper limit, besides possible imprisonment from 3 years to 7
years.

Prepared several case summaries on decisions relating to the Information Technology Act,
2000, Information Technology Rules, 2021 and the Indian Digital Personal Data Protection
Bill.

​ The organization is processing the data to pursue a legitimate interest.


​ A legitimate interest is a benefit the controller or another party could
gain by processing the data. Examples include conducting background
checks on employees or tracking IP addresses on a corporate network
for cybersecurity purposes. To claim a legitimate interest basis, the
organization must prove that the processing is necessary and does not
infringe on subjects’ rights.
The organization collects data for a specific purpose and only uses it for that
purpose.
According to the GDPR principle of purpose limitation, controllers must have an
identified and documented purpose for collecting data. The controller must
communicate this purpose to users at the point of collection, and it can only use the
data for this named purpose.
The organization only collects the minimum amount of data necessary.
Controllers can only collect the minimum amount of data necessary to fulfill their
stated purpose.
The organization keeps data accurate and up to date.
Controllers must take reasonable steps to ensure the personal data they hold is
accurate and current.
The organization deletes data when it is no longer needed.
The GDPR requires strict data retention and deletion policies. Companies can only
keep data until the specified purpose for collecting that data has been fulfilled, and
they must delete the data once they no longer need it.
The organization takes extra precautions when processing children’s data or special
category data.
Controllers and processors must apply additional protections to certain types of
personal data.
Special category data includes highly sensitive data like a person’s race and
biometrics. Organizations can only process special category data in very limited
circumstances, such as to prevent serious public health threats. Companies can also
process special category data with the subject’s explicit consent.
Criminal conviction data can only be controlled by public authorities. Processors can
only process this information at a public authority’s direction.
Controllers must obtain a parent’s consent before processing children’s data. They
must take reasonable steps to verify the ages of subjects and the identities of
parents. If collecting data from children, controllers must present privacy notices in
child-friendly language.
Each EEA state sets its own definition of “child” under the GDPR. These range from
“anyone under the age of 13” to “anyone under the age of 16.”
The organization documents all data processing activities.
Organizations with more than 250 employees must keep records of data processing.
Organizations with fewer than 250 employees must keep records if they process
highly sensitive data, process data regularly or process data in a way that poses a
significant risk to data subjects.
Controllers must document things like the data they collect, what they do with that
data, data flow maps and data safeguards. Processors must document the
controllers for which they work, the types of processing they do for each controller
and the security controls they use.
The controller is ultimately responsible for ensuring compliance.
Under the GDPR, ultimate responsibility for compliance rests with the data’s
controller. This means the controller must ensure—and be able to prove—that its
third-party processors meet all relevant GDPR requirements.

Data subjects’ rights


The GDPR grants data subjects certain rights over their data. Controllers and
processors must honor these rights.
The organization offers data subjects easy ways to exercise their rights.
Organizations must give data subjects a simple means of asserting their rights over
their data. These rights include:

- The right to access: Subjects must be able to request and receive copies of
their data, as well as relevant information about how the company uses the
data.
- The right to rectification: Subjects must be able to correct or update their data.
- The right to erasure: Subjects must be able to request deletion of their data.
- The right to restrict processing: Subjects must be able to restrict how their
data is used if they suspect the data is inaccurate, no longer necessary or
being misused.
- The right to object: Subjects must be able to object to processing. Subjects
who have previously granted their consent must be able to easily withdraw it
at any time.
- The right to data portability: Subjects have the right to transfer their data, and
controllers and processors must facilitate these transfers.
In general, organizations must respond to all data subject access requests within 30
days. Companies must typically comply with a subject’s request unless the company
can prove it has a legitimate, overriding reason not to.
If an organization rejects a request, it must explain why. The organization must also
tell the subject how to appeal the decision to the company’s data protection officer or
the relevant supervisory authority.
The organization offers data subjects a way to contest automated decisions.
Under the GDPR, data subjects have a right not to be bound by automated
decision-making processes that could have a significant impact on them. This
includes profiling, which the GDPR defines as using automation to evaluate some
aspect of a person, such as predicting their work performance.
If an organization does use automated decisions, it must give data subjects a way to
contest those decisions. Subjects can also request that a human employee review
any automated decisions that impact them.
The organization is transparent about how it uses personal data.
Controllers and processors must proactively and clearly inform data subjects about
data processing activities, including the data they collect, what they do with it and
how subjects can exercise their rights over data.
This information must typically be communicated through a privacy notice presented
to the subject during data collection. If the company does not collect personal data
directly from subjects, privacy notices must be sent to the subjects within a month.
Companies may also include these details in privacy policies that are publicly
accessible on their websites.

Data privacy and protection measures


The GDPR requires controllers and processors to take steps to prevent the misuse
of personal data and protect data subjects from harm.
The organization has implemented appropriate cybersecurity controls.
Controllers and processors must deploy security measures to protect the
confidentiality and integrity of personal data. The GDPR does not require any
particular controls, but it does state that companies must adopt both technical and
organizational measures.
Technical measures include technology solutions, such as identity and access
management (IAM) platforms, automated backups and data security tools. While the
GDPR does not explicitly mandate encrypting data, it does recommend that
organizations use pseudonymization and anonymization wherever possible.
Organizational measures include employee training, ongoing risk assessments and
other security policies and processes. Companies must also follow the principle of
data protection by design and by default when creating or implementing new
systems and products.
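The passage above notes that the GDPR recommends pseudonymization and anonymization as technical measures. The following is an added illustration (not code from the original document or from any firm or client named in it) of the difference between the two in practice. It assumes constructed sample records with made-up e-mail addresses and a secret key that the controller keeps apart from the pseudonymized dataset, for example in a key vault under access control. Pseudonymized records can still be joined per subject and re-identified by the key holder (which is what lets the controller honour access and erasure requests), whereas the anonymized output keeps only aggregate counts and suppresses small groups, so it no longer relates to an identifiable person.

```python
"""Pseudonymization vs. anonymization of personal data (added example)."""
import hashlib
import hmac
import secrets
from collections import Counter

# Constructed sample records for illustration; the addresses are not real people.
SAMPLE_RECORDS = [
    {"email": "Alice@example.com", "country": "DE", "purchases": 3},
    {"email": "bob@example.com", "country": "DE", "purchases": 1},
    {"email": "carol@example.com", "country": "FR", "purchases": 5},
    {"email": "alice@example.com", "country": "DE", "purchases": 2},  # same subject, different case
]


def pseudonymize(identifier: str, key: bytes) -> str:
    """Map a direct identifier to a keyed token using HMAC-SHA256.

    The mapping is deterministic, so one subject always yields the same token and
    analytics can still join records, but it cannot be reversed or brute-forced
    without the secret key. Normalising case and whitespace keeps one token per
    subject even when the source systems stored the address differently.
    """
    canonical = identifier.strip().lower().encode("utf-8")
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def pseudonymize_records(records, key: bytes):
    """Replace the direct identifier with its token; other attributes are kept."""
    return [
        {
            "subject_token": pseudonymize(r["email"], key),
            "country": r["country"],
            "purchases": r["purchases"],
        }
        for r in records
    ]


def build_reidentification_table(records, key: bytes):
    """Token -> identifier table, to be stored separately from the dataset.

    Only the controller holding the key can rebuild it; it is what allows the
    controller to locate a subject's records for access or erasure requests.
    """
    return {pseudonymize(r["email"], key): r["email"].strip().lower() for r in records}


def anonymize_records(records, k: int = 2):
    """Aggregate per country and suppress groups with fewer than k subjects.

    No identifier (or token) survives, and a small group that could single out
    one person is dropped rather than published.
    """
    subjects_per_country = {}
    purchases_per_country = Counter()
    for r in records:
        subject = r["email"].strip().lower()
        subjects_per_country.setdefault(r["country"], set()).add(subject)
        purchases_per_country[r["country"]] += r["purchases"]
    return {
        country: {"subjects": len(subjects), "purchases": purchases_per_country[country]}
        for country, subjects in subjects_per_country.items()
        if len(subjects) >= k
    }


if __name__ == "__main__":
    # In production the key is generated once and kept in a vault; here it is
    # generated per run purely for the demonstration.
    key = secrets.token_bytes(32)
    for row in pseudonymize_records(SAMPLE_RECORDS, key):
        print(row)
    print(anonymize_records(SAMPLE_RECORDS))
```

Note the design choice: a plain, unkeyed hash of an e-mail address would not count as pseudonymization in any useful sense, because anyone with a list of candidate addresses could recompute the hashes; the secret key is what separates the dataset from the means of re-identification.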
The organization conducts data protection impact assessments (DPIAs) as required.
If a company plans to process data in a way that poses a high risk to the rights of
subjects, it must first conduct a data protection impact assessment (DPIA). Types of
processing that could trigger a DPIA include automated profiling and the large-scale
processing of special categories of personal data, among others.
A DPIA must describe the data being used, the intended processing and the purpose
of the processing. It must identify the risks of processing and ways to mitigate those
risks. If significant unmitigated risk exists, the organization must consult a
supervisory authority before moving forward.
The organization has appointed a data protection officer (DPO) if required.
An organization must appoint a data protection officer (DPO) if it monitors subjects
on a large scale or processes special category data as a core activity. All public
authorities must appoint DPOs as well.
The DPO is responsible for ensuring the organization remains GDPR compliant. Key
duties include coordinating with data protection authorities, advising the organization
on GDPR requirements and overseeing DPIAs.
The DPO must be an independent officer who reports directly to the highest level of
management. The organization cannot retaliate against the DPO for performing their
duties.
The organization notifies supervisory authorities and data subjects when data
breaches occur.
