
Keynote Presentation

The Digital Personal Data Protection Act, 2023
Adv. (Dr.) Prashant Mali
Cyber & Data Protection Lawyer
www.prashantmali.com

Applicability of the DPDP 2023 (Digital Personal Data Protection Act 2023)

Not Applicable
- Personal data processed by an individual for domestic purpose
- Personal data that is made or caused to be made publicly available by:
  - Data Principal
  - Authorised Person

Applicable
- Applies to the processing of digital personal data outside the territory of India
- To the processing of digital personal data within the territory of India where personal data is collected:
  - In digital form
  - In non-digital form which is later digitised

Source: Cyber Law Consulting (Advocates & Attorneys)

What is Personal Data?

The Digital Personal Data Protection Act, 2023 defines “Personal Data” as any data about an individual who is identifiable by or in relation to such data.

The provisions of the DPDP Act are applicable to all types of personal data and do not distinguish between sensitive personal data and critical personal data. Consequently, the requirements of the DPDP Act will be applicable to all forms of personal data, regardless of their nature or classification. This approach departs from the current Indian data protection law contained in the SPDI Rules, which distinguishes between "personal information" and "sensitive personal data or information" and prescribes progressive compliance requirements for the processing of sensitive personal data or information.

COMPARISON: General Data Protection Regulation (GDPR) vs. Digital Personal Data Protection Act (DPDP)

Applicability
  GDPR: All kinds of Personal Data are covered by the GDPR.
  DPDP: Only Digital Personal Data is covered by the DPDP.

Age for Consent
  GDPR: 13-16 years, depending on the member state laws.
  DPDP: According to DPDP the minimum age for consent is 18 years.

Sensitive Data
  GDPR: Sensitive Personal Data is covered by the GDPR. It is defined by Art. 9.
  DPDP: Sensitive Personal Data is not defined in the DPDP.

Data Processing Principles
  GDPR: Art. 5 of GDPR lays down 7 data processing principles.
  DPDP: DPDP mentions no such principles.

Data Localisation
  GDPR: GDPR mandates strict Data Localisation.
  DPDP: The concept of Data Localisation is no longer included in the DPDP.

Penalties
  GDPR: 2-4% of worldwide annual turnover or 10-20 million EUR (whichever is higher). Penalties credited to affected data subjects.
  DPDP: Penalties under the DPDP are capped at 250 crores. Penalties credited to Government of India.


OBLIGATIONS OF DATA FIDUCIARY AND SIGNIFICANT DATA FIDUCIARY (DIGITAL PERSONAL DATA PROTECTION ACT 2023)

Data Fiduciary Obligations
- Ensure accuracy of data
- Data breach: prevention & notification
- Develop an effective grievance redressal mechanism
- Data retention for only as long as required
- Publish contact details of person responsible for handling Data Principal requests

Significant Data Fiduciary Obligations
- Appointment of Data Protection Officer
- Conduct Data Protection Impact Assessment
- Appointment of independent data auditor
- Periodic independent data audit

Significant Data Fiduciaries

The Central Government may notify any Data Fiduciary or a class of Data Fiduciaries as Significant Data Fiduciaries.

Factors considered are:
- The volume and sensitivity of personal data processed
- Risks to the rights of Data Principal
- Potential impact on the sovereignty and integrity of India
- Risk to electoral democracy
- Security of the State
- Public order

Grounds for Processing Personal Data

Sec. 4 (1) (a): When the Data Principal provides consent.

Sec. 4 (1) (b): For any legitimate use mentioned in Sec. 7 of the Act.

Sec. 4 (2): For a “lawful purpose”, in other words, for any purpose that is not expressly forbidden by law.

Conditions for Notice under DPDPA 2023

Sec. 5 (1): The notice must inform the Data Principal about:
(1) The personal data and proposed purpose for processing.
(2) The manner in which she might exercise her rights.
(3) The manner in which a complaint can be made to the Board.

Sec. 5 (2): Where consent was obtained before the commencement of the Act:
(a) The Data Fiduciary must, as soon as reasonably practicable, provide a notice to the Data Principal.
(b) The Data Fiduciary may continue to process personal data unless the consent is withdrawn.

Sec. 5 (3): The Data Principal must be given the option to access the contents of the notice in English or any language mentioned in the 8th Schedule of the Constitution.

Penalties under DPDPA 2023

01. Failure to take reasonable security safeguards to prevent personal data breach [Sec. 8 (5)]: May extend to 250 Crores
02. Failure to notify the Board or the Data Principal about personal data breach [Sec. 8 (6)]: May extend to 200 Crores
03. Failure to observe additional obligations regarding children’s data [Sec. 9]: May extend to 200 Crores
04. Failure to observe additional obligations of Significant Data Fiduciary [Sec. 10]: May extend to 150 Crores
05. Breach in observing duties under Sec. 15: May extend to INR 10,000
06. Breach of any term of voluntary undertaking accepted by the Board under Sec. 32: Up to the extent applicable for the breach in respect of which the proceedings under Sec. 28 were instituted
07. Breach of any other provision or rule of the Act: May extend to 50 Crores

Note: Definition of Personal Data Breach: Any unauthorized processing of personal data or accidental disclosure, acquisition, sharing, use, alteration, destruction or loss of access to personal data, that compromises the confidentiality, integrity or availability of personal data.

Thank You
Email: prashant.mali@cyberlawconsulting.com
privacy@cyberlawconsulting.com
Contact No.: +91 9821763157

https://in.linkedin.com/in/prashantmali
@AdvPrashantMali

advprashantmali
@AdvPrashantMali
