Digital Personal Data Protection Act 2023
Digital Personal Data Protection Act 2023
Digital Personal Data Protection Act 2023
DL—(N)04/0007/2003—23
सी.जी.-डी.एल.-अ.-12082023-248045
xxxGIDHxxx
CG-DL-E-12082023-248045
xxxGIDExxx
vlk/kkj.k
EXTRAORDINARY
Hkkx II — [k.M 1
PART II — Section
1 izkf/kdkj ls izdkf'kr
PUBLISHED BY AUTHORITY
lañ 25] ubZ fnYyh] 'kqØ okj] vxLr 11] 2023@ Jko.k 20] 1945 ¼'kd½
No. 25] NEW DELHI, FRIDAY, AUGUST 11, 2023/SRAVANA 20, 1945 (SAKA)
bl Hkkx esa fHkUu i`"B la[;k nh tkrh gS ftlls fd ;g vyx ladyu ds :i esa j[kk tk ldsA
Separate paging is given to this Part in order that it may be filed as a separate compilation.
The following Act of Parliament received the assent of the President on the
11th August, 2023 and is hereby published for general information:—
Right to
14. (1) A Data Principal shall have the right to nominate, in such manner as may be
nominate. prescribed, any other individual, who shall, in the event of death or incapacity of the Data
Principal, exercise the rights of the Data Principal in accordance with the provisions of
this Act and the rules made thereunder.
(2) For the purposes of this section, the expression “incapacity” means inability to
exercise the rights of the Data Principal under the provisions of this Act or the rules made
thereunder due to unsoundness of mind or infirmity of body.
Duties of Data 15. A Data Principal shall perform the following duties, namely:—
Principal.
(a) comply with the provisions of all applicable laws for the time being in
force while exercising rights under the provisions of this Act;
(b) to ensure not to impersonate another person while providing her personal
data for a specified purpose;
(c) to ensure not to suppress any material information while providing her
personal data for any document, unique identifier, proof of identity or proof of
address issued by the State or any of its instrumentalities;
(d) to ensure not to register a false or frivolous grievance or complaint with a
Data Fiduciary or the Board; and
(e) to furnish only such information as is verifiably authentic, while
exercising the right to correction or erasure under the provisions of this Act or the
rules made thereunder.
SEC. 1] THE GAZETTE OF INDIA 11
EXTRAORDINARY
CHAPTER IV
SPECIAL PROVISIONS
16. (1) The Central Government may, by notification, restrict the transfer of
Processing of
personal data by a Data Fiduciary for processing to such country or territory outside India personal data
as may be so notified. outside India.
(2) Nothing contained in this section shall restrict the applicability of any law for
the time being in force in India that provides for a higher degree of protection for or
restriction on transfer of personal data by a Data Fiduciary outside India in relation to any
personal data or Data Fiduciary or class thereof.
17. (1) The provisions of Chapter II, except sub-sections (1) and (5) of section 8, Exemptions.
and those of Chapter III and section 16 shall not apply where—
(a) the processing of personal data is necessary for enforcing any legal right
or
claim;
(b) the processing of personal data by any court or tribunal or any other body
in India which is entrusted by law with the performance of any judicial or quasi-judicial
or regulatory or supervisory function, where such processing is necessary for the
performance of such function;
(c) personal data is processed in the interest of prevention, detection,
investigation or prosecution of any offence or contravention of any law for the time
being in force in India;
(d) personal data of Data Principals not within the territory of India is
processed pursuant to any contract entered into with any person outside the territory
of India by any person based in India;
(e) the processing is necessary for a scheme of compromise or arrangement or
merger or amalgamation of two or more companies or a reconstruction by way of
demerger or otherwise of a company, or transfer of undertaking of one or more
company to another company, or involving division of one or more companies,
approved by a court or tribunal or other authority competent to do so by any law for
the time being in force; and
(f) the processing is for the purpose of ascertaining the financial information
and assets and liabilities of any person who has defaulted in payment due on
account of a loan or advance taken from a financial institution, subject to such
processing being in accordance with the provisions regarding disclosure of
information or data in any other law for the time being in force.
Explanation.—For the purposes of this clause, the expressions “default” and
“financial institution” shall have the meanings respectively assigned to them in
31 of 2016. sub-sections (12) and (14) of section 3 of the Insolvency and Bankruptcy Code,
2016.
Illustration.
X, an individual, takes a loan from Y, a bank. X defaults in paying her monthly
loan repayment instalment on the date on which it falls due. Y may process the personal
data of X for ascertaining her financial information and assets and liabilities.
(2) The provisions of this Act shall not apply in respect of the processing of
personal data—
(a) by such instrumentality of the State as the Central Government may
notify, in the interests of sovereignty and integrity of India, security of the State,
friendly relations with foreign States, maintenance of public order or preventing
incitement to any cognizable offence relating to any of these, and the processing by
the Central Government of any personal data that such instrumentality may furnish
to it; and
12 THE GAZETTE OF INDIA [PART II—
EXTRAORDINARY
(b) necessary for research, archiving or statistical purposes if the personal
data is not to be used to take any decision specific to a Data Principal and such
processing is carried on in accordance with such standards as may be prescribed.
(3) The Central Government may, having regard to the volume and nature of
personal data processed, notify certain Data Fiduciaries or class of Data Fiduciaries, including
startups, as Data Fiduciaries to whom the provisions of section 5, sub-sections (3) and (7)
of section 8 and sections 10 and 11 shall not apply.
Explanation.—For the purposes of this sub-section, the term “startup” means a
private limited company or a partnership firm or a limited liability partnership
incorporated in India, which is eligible to be and is recognised as such in accordance with
the criteria and process notified by the department to which matters relating to startups
are allocated in the Central Government.
(4) In respect of processing by the State or any instrumentality of the State, the
provisions of sub-section (7) of section 8 and sub-section (3) of section 12 and, where
such processing is for a purpose that does not include making of a decision that affects
the Data Principal, sub-section (2) of section 12 shall not apply.
(5) The Central Government may, before expiry of five years from the date of
commencement of this Act, by notification, declare that any provision of this Act shall
not apply to such Data Fiduciary or classes of Data Fiduciaries for such period as may be
specified in the notification.
CHAPTER V
DATA PROTECTION BOARD OF
INDIA
Establishment
of Board. 18. (1) With effect from such date as the Central Government may, by notification,
appoint, there shall be established, for the purposes of this Act, a Board to be called the
Data Protection Board of India.
(2) The Board shall be a body corporate by the name aforesaid, having perpetual
succession and a common seal, with power, subject to the provisions of this Act, to
acquire, hold and dispose of property, both movable and immovable, and to contract and
shall, by the said name, sue or be sued.
(3) The headquarters of the Board shall be at such place as the Central Government
may notify.
Composition
and 19. (1) The Board shall consist of a Chairperson and such number of other
qualifications Members as the Central Government may notify.
for
appointment (2) The Chairperson and other Members shall be appointed by the Central
of
Chairperson Government in such manner as may be prescribed.
and Members.
(3) The Chairperson and other Members shall be a person of ability, integrity and
standing who possesses special knowledge or practical experience in the fields of data
governance, administration or implementation of laws related to social or consumer
protection, dispute resolution, information and communication technology, digital
economy, law, regulation or techno-regulation, or in any other field which in the opinion of
the Central Government may be useful to the Board, and at least one among them shall be
an expert in the field of law.
Salary,
allowances 20. (1) The salary, allowances and other terms and conditions of service of the
payable to and Chairperson and other Members shall be such as may be prescribed, and shall not be
term of
office.
varied to their disadvantage after their appointment.
(2) The Chairperson and other Members shall hold office for a term of two years
and shall be eligible for re-appointment.
SEC. 1] THE GAZETTE OF INDIA 13
EXTRAORDINARY
21. (1) A person shall be disqualified for being appointed and continued as the Disqualifications
Chairperson or a Member, if she— for
appointment
(a) has been adjudged as an insolvent; and
continuation
(b) has been convicted of an offence, which in the opinion of the Central as
Government, involves moral turpitude; Chairperson
and Members
(c) has become physically or mentally incapable of acting as a Member; of Board.
CHAPTER IX
MISCELLANEOUS
35. No suit, prosecution or other legal proceedings shall lie against the Central Protection of
Government, the Board, its Chairperson and any Member, officer or employee thereof for action taken
in good faith.
anything which is done or intended to be done in good faith under the provisions of this
Act or the rules made thereunder.
36. The Central Government may, for the purposes of this Act, require the Board Power to call
and any Data Fiduciary or intermediary to furnish such information as it may call for. for
information.
37. (1) The Central Government or any of its officers specially authorised by it in Power of
this behalf may, upon receipt of a reference in writing from the Board that— Central
Government
(a) intimates the imposition of monetary penalty by the Board on a Data to issue
Fiduciary in two or more instances; and directions.
(b) advises, in the interests of the general public, the blocking for access by
the public to any information generated, transmitted, received, stored or hosted, in
any computer resource that enables such Data Fiduciary to carry on any activity
relating to offering of goods or services to Data Principals within the territory of
India,
after giving an opportunity of being heard to that Data Fiduciary, on being satisfied that it
is necessary or expedient so to do, in the interests of the general public, for reasons to be
recorded in writing, by order, direct any agency of the Central Government or any intermediary
to block for access by the public or cause to be blocked for access by the public any such
information.
(2) Every intermediary who receives a direction issued under sub-section (1) shall
be bound to comply with the same.
(3) For the purposes of this section, the expressions “computer resource”,
21 of 2000. “information” and “intermediary” shall have the meanings respectively assigned to them
in the Information Technology Act, 2000.
18 THE GAZETTE OF INDIA [PART II—
EXTRAORDINARY
Consistency
with other 38. (1) The provisions of this Act shall be in addition to and not in derogation of
laws. any other law for the time being in force.
(2) In the event of any conflict between a provision of this Act and a provision of
any other law for the time being in force, the provision of this Act shall prevail to the
extent of such conflict.
Bar of
jurisdiction. 39. No civil court shall have the jurisdiction to entertain any suit or proceeding in
respect of any matter for which the Board is empowered under the provisions of this Act
and no injunction shall be granted by any court or other authority in respect of any action
taken or to be taken in pursuance of any power under the provisions of this Act.
Power to
make rules. 40. (1) The Central Government may, by notification, and subject to the condition
of previous publication, make rules not inconsistent with the provisions of this Act, to
carry out the purposes of this Act.
(2) In particular and without prejudice to the generality of the foregoing power,
such rules may provide for all or any of the following matters, namely:—
(a) the manner in which the notice given by the Data Fiduciary to a Data
Principal shall inform her, under sub-section (1) of section 5;
(b) the manner in which the notice given by the Data Fiduciary to a Data
Principal shall inform her, under sub-section (2) of section 5;
(c) the manner of accountability and the obligations of Consent Manager
under sub-section (8) of section 6;
(d) the manner of registration of Consent Manager and the conditions relating
thereto, under sub-section (9) of section 6;
(e) the subsidy, benefit, service, certificate, licence or permit for the provision
or issuance of which, personal data may be processed under clause (b) of section 7;
(f) the form and manner of intimation of personal data breach to the Board
under sub-section (6) of section 8;
(g) the time period for the specified purpose to be deemed as no longer being
served, under sub-section (8) of section 8;
(h) the manner of publishing the business contact information of a Data
Protection Officer under sub-section (9) of section 8;
(i) the manner of obtaining verifiable consent under sub-section (1) of
section 9;
(j) the classes of Data Fiduciaries, the purposes of processing of personal data
of a child and the conditions relating thereto, under sub-section (4) of section 9;
(k) the other matters comprising the process of Data Protection Impact
Assessment under sub-clause (i) of clause (c) of sub-section (2) of section 10;
(l) the other measures that the Significant Data Fiduciary shall undertake
under sub-clause (iii) of clause (c) of sub-section (2) of section 10;
(m) the manner in which a Data Principal shall make a request to the Data
Fiduciary to obtain information and any other information related to the personal
data of such Data Principal and its processing, under sub-section (1) of section 11;
(n) the manner in which a Data Principal shall make a request to the Data
Fiduciary for erasure of her personal data under sub-section (3) of section 12;
(o) the period within which the Data Fiduciary shall respond to any
grievances under sub-section (2) of section 13;
SEC. 1] THE GAZETTE OF INDIA 19
EXTRAORDINARY
(p) the manner of nomination of any other individual by the Data Principal
under sub-section (1) of section 14;
(q) the standards for processing the personal data for exemption under clause
(b) of sub-section (2) of section 17;
(r) the manner of appointment of the Chairperson and other Members of the
Board under sub-section (2) of section 19;
(s) the salary, allowances and other terms and conditions of services of the
Chairperson and other Members of the Board under sub-section (1) of section 20;
(t) the manner of authentication of orders, directions and instruments under
sub-section (1) of section 23;
(u) the terms and conditions of appointment and service of officers and
employees of the Board under section 24;
(v) the techno-legal measures to be adopted by the Board under sub-section
(1) of section 28;
(w) the other matters under clause (d) of sub-section (7) of section 28;
(x) the form, manner and fee for filing an appeal under sub-section (2) of
section 29;
(y) the procedure for dealing an appeal under sub-section (8) of section 29;
(z) any other matter which is to be or may be prescribed or in respect of
which provision is to be, or may be, made by rules.
41. Every rule made and every notification issued under section 16 and section 42 Laying of
of this Act shall be laid, as soon as may be after it is made, before each House of rules and
Parliament, while it is in session, for a total period of thirty days which may be comprised certain
notifications.
in one session or in two or more successive sessions, and if before the expiry of the
session immediately following the session or the successive sessions aforesaid, both
Houses agree in making any modification in the rule or notification or both Houses agree
that the rule or notification should not be made or issued, the rule or notification shall
thereafter have effect only in such modified form or be of no effect, as the case may be;
so, however, that any such modification or annulment shall be without prejudice to the
validity of anything previously done under that rule or notification.
42. (1) The Central Government may, by notification, amend the Schedule, subject Power to
to the restriction that no such notification shall have the effect of increasing any penalty amend
specified therein to more than twice of what was specified in it when this Act was Schedule.
originally enacted.
(2) Any amendment notified under sub-section (1) shall have effect as if enacted in
this Act and shall come into force on the date of the notification.
43. (1) If any difficulty arises in giving effect to the provisions of this Act, the Power to
Central Government may, by order published in the Official Gazette, make such remove
provisions not inconsistent with the provisions of this Act as may appear to it to be difficulties.
necessary or expedient for removing the difficulty.
(2) No order as referred to in sub-section (1) shall be made after the expiry of three
years from the date of commencement of this Act.
(3) Every order made under this section shall be laid, as soon as may be after it is
made, before each House of Parliament.
44. (1) In section 14 of the Telecom Regulatory Authority of India Act, 1997, in Amendments
24 of 1997.
clause (c), for sub-clauses (i) and (ii), the following sub-clauses shall be substituted, to certain
namely:— Acts.
20 THE GAZETTE OF INDIA [PART II—
EXTRAORDINARY
“(i) the Appellate Tribunal under the Information Technology Act, 2000; 21 of 2000.
(ii) the Appellate Tribunal under the Airports Economic Regulatory
Authority of India Act, 2008; and 27 of 2008.
(iii) the Appellate Tribunal under the Digital Personal Data Protection
Act, 2023.”.
(2) The Information Technology Act, 2000 shall be amended in the following
21 of 2000.
manner, namely:—
(a) section 43A shall be omitted;
(b) in section 81, in the proviso, after the words and figures “the Patents
Act, 1970”, the words and figures “or the Digital Personal Data Protection Act,
39 of 1970.
2023” shall be inserted; and
(c) in section 87, in sub-section (2), clause (ob) shall be omitted.
(3) In section 8 of the Right to Information Act, 2005, in sub-section (1), for clause
22 of 2005.
(j), the following clause shall be substituted, namely:—
“(j) information which relates to personal information;”.
SEC. 1] THE GAZETTE OF INDIA 21
EXTRAORDINARY
THE SCHEDULE
[See section 33 (1)]
————
UPLOADED BY THE MANAGER, GOVERNMENT OF INDIA PRESS, MINTO ROAD, NEW DELHI–110002
AND PUBLISHED BY THE CONTROLLER OF PUBLICATIONS, DELHI–110054.
Kshitiz Digitally signed
by Kshitiz Mohan
Mohan
Date: 2023.08.12
MGIPMRND—288GI—11-08-2023. 02:14:35 +05'30'