PART 2: GENERAL REQUIREMENTS
Part 2A: Requirements for legitimate and lawful Processing
9. General requirements
(1) Personal Data shall be:
(a) Processed in accordance with Article 10;
(b) Processed lawfully, fairly and in a transparent manner in relation to a Data Subject;
(c) Processed for specified, explicit and legitimate purposes determined at the time of collection of Personal Data;
(d) Processed in a way that is not incompatible with the purposes described in Article 9(1)(c);
(e) relevant and limited to what is necessary in relation to the purposes described in Article 9(1)(c);
(f) Processed in accordance with the application of Data Subject rights under this Law;
(g) accurate and, where necessary, kept up to date, including via erasure or rectification, without undue delay;
(h) kept in a form that permits identification of a Data Subject for no longer than is necessary for the purposes described in Article 9(1)(c); and
(i) kept secure, including being protected against unauthorised or unlawful Processing (including transfers), and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
(2) A Controller or Processor shall be responsible for, and must be able to demonstrate to the Commissioner its compliance with, Article 9(1).
10. Lawfulness of Processing
(1) Any one (1) or more of the following shall constitute a lawful basis for Processing Personal Data:
(a) a Data Subject has given consent, which complies with Article 12, to the Processing of that Personal Data for specific purposes;
(b) Processing is necessary for the performance of a contract to which a Data Subject is a party, or in order to take steps at the request of a Data Subject prior to entering into such contract;
(c) Processing is necessary for compliance with Applicable Law that a Controller is subject to;
(d) Processing is necessary in order to protect the vital interests of a Data Subject or of another natural person;
(e) Processing is necessary for:
(i) performance of a task carried out by a DIFC Body in the interests of the DIFC;
(ii) exercise of a DIFC Body’s powers and functions; or
(iii) the exercise of powers or functions vested by a DIFC Body in a Third Party to whom Personal Data is disclosed by the DIFC Body; or
(f) Processing is necessary for the purpose of legitimate interests pursued by a Controller or a Third Party to whom the Personal Data has been made available, subject to Article 13, except where such interests are overridden by the interests or rights of a Data Subject.
Part 2B: Processing of Special Categories of Personal Data
11. Processing of Special Categories of Personal Data
In addition to general obligations set out in Article 9 and lawful Processing in accordance with a basis set out in Article 10, and regardless of the Controller's other Processing obligations, Special Categories of Personal Data shall not be Processed unless one (1) or more of the following applies:
(a) a Data Subject has given explicit consent that complies with Article 12, to the Processing of those Special Categories of Personal Data for one (1) or more specified purposes;
(b) Processing is necessary for the purpose of carrying out the obligations and exercising the specific rights of a Controller or a Data Subject in the context of the Data Subject's employment, including but not limited to recruitment, visa or work permit processing, the performance of an employment contract, termination of employment, the conduct of proceedings relating to employment and the administration of a pension, retirement or employee money purchase benefit scheme;
(c) Processing is necessary to protect the vital interests of a Data Subject or of another natural person, where the Data Subject is physically or legally incapable of giving consent;
(d) Processing is carried out by a foundation, association or any other non-profit-seeking body in the course of its legitimate activities, subject to appropriate assurances and provided that the Processing relates:
(i) solely to the members or former members of such an entity; or
(ii) to other persons who have regular contact with such a body in connection with its purpose, and the Personal Data is not disclosed to a Third Party without the consent of a Data Subject;
(e) Processing relates to Personal Data that has been made public by a Data Subject;
(f) Processing is necessary for the establishment, exercise or defence of legal claims (including, without limitation, arbitration and other structured and commonly recognised alternative dispute resolution procedures, such as mediation) or is performed by the Court acting in its judicial capacity;
(g) Processing is necessary for compliance with a specific requirement of Applicable Law to which a Controller is subject, and in such circumstances the Controller must provide a Data Subject with clear notice of such Processing as soon as reasonably practicable unless the obligation in question prohibits such notice being given;
(h) Processing is necessary to comply with Applicable Law that applies to a Controller in relation to anti-money laundering or counter-terrorist financing obligations or the prevention, detection or prosecution of any crime;
(i) Processing is required for the purposes of preventive or occupational medicine, the assessment of the working capacity of an employee, medical diagnosis, the provision of health or social care or the treatment or the management of health or social care systems and services, provided that the Personal Data is processed by or under the responsibility of a health professional subject to an obligation of professional secrecy under Applicable Law or by another person also subject to an obligation of secrecy under Applicable Law;
(j) Processing is required for protecting members of the public against dishonesty, malpractice, incompetence or other improper conduct of persons providing banking, insurance, investment, management consultancy, information technology services, accounting or other services or commercial activities (either in person or indirectly by means of outsourcing), including any resulting financial loss;
(k) Processing is proportional and necessary to protect a Data Subject from potential bias or inaccurate decision making, where such risk would be increased regardless of whether Special Category Personal Data is Processed; or
(l) Processing is necessary for Substantial Public Interest reasons that are proportionate to the aim(s) pursued, respect the principles of data protection and provide for suitable and specific measures to safeguard the rights of the Data Subject.
Part 2C: Conditions of consent and reliance on legitimate interests
12. Consent
(1) Consent must be freely given by a clear affirmative act that shows an unambiguous indication of consent if it is to be relied on as a basis for Processing under Article 10(1)(a) or under Article 11(1)(a). If the performance of an act by a Controller, a Data Subject or any other party, (including the performance of contractual obligations), is conditional on the provision of consent to Process Personal Data, then such consent will not be considered to be freely given with respect to any Processing that is not reasonably necessary for the performance of such act or where the consent relates to excessive categories of Personal Data.
(2) Where Processing is based on consent, a Controller must be able to demonstrate that consent has been freely given.
(3) If the Processing is intended to cover multiple purposes, consent must be obtained for each purpose in a manner that is clearly distinguishable, in an intelligible and easily accessible form, using clear and plain language.
(4) If a Controller seeks to obtain consent for one (1) or more other matters not expressly concerned with the Processing of Personal Data, the request for consent for the Processing of Personal Data must be clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language.
(5) A Data Subject may withdraw consent at any time in accordance with the right afforded to Data Subjects under Article 32. A Data Subject must be informed of this right and how to exercise it as set out in Article 40 at the time consent is obtained. Withdrawing consent should not require undue effort on the part of the Data Subject and should be at least as easy as the process of giving consent. Withdrawal of consent does not affect the lawfulness of Processing carried out before the date of withdrawal. Where consent is withdrawn a Controller must comply with Article 32(3).
(6) Other than for the purpose of a Single Discrete Incident, where a Controller relies on a Data Subject’s consent for Processing, the Controller should implement appropriate and proportionate measures to assess the ongoing validity of the consent. This includes considering whether the Data Subject, acting reasonably, would expect Processing to continue based on the consent given, taking into account the circumstances and the terms of such consent.
(7) Where such ongoing assessment conducted in accordance with Article 12(6) concludes that a Data Subject would no longer reasonably expect the Processing to be continuing, he must be contacted without delay and asked to re-affirm consent.
(8) In the circumstances referred to in Article 12(7), consent shall be deemed to be withdrawn if there is no positive act of re-affirmation of consent within a reasonable period after a Data Subject has been contacted.
(9) A Controller must be able to demonstrate to the Commissioner that appropriate methods and procedures are in place to manage the recording of consent and the withdrawal of consent, and that periodic evaluations of the same are conducted.
(10) Where Processing is not a Single Discrete Incident and continues on the basis of consent, a Data Subject should be given the opportunity to re-affirm or withdraw consent on a periodic basis.
(11) A "Single Discrete Incident" means a Processing operation or a collection of Processing operations that relate to a:
(a) single, non-recurring transaction; or
(b) non-recurring and clearly defined purpose that a Data Subject is seeking to achieve, in each case, with a definable end point.
(12) For the avoidance of doubt, consent given for Processing to perform a Single Discrete Incident remains subject to all foregoing provisions of this Article except for Article 12(6) and Article 12(10).
13. Legitimate interests
(1) A public authority subject to DIFC law may not rely on the basis of legitimate interests under Article 10(1)(f) to Process Personal Data.
(2) A Controller that is part of a Group may have a legitimate interest in transferring Personal Data within its Group for internal administrative purposes.
(3) Processing of Personal Data shall be considered a legitimate interest of a Controller if it is necessary and proportionate to prevent fraud or ensure network and information security.
Part 2D: General requirements
14. Accountability and notification
(1) A Controller or Processor is required to establish a program to demonstrate compliance with this Law, the level and detail of which will depend on the scale and resources of the Controller or the Processor, the categories of Personal Data being Processed and the risks to the Data Subjects.
(2) A Controller or Processor is required to implement appropriate technical and organisational measures to demonstrate that Processing is performed in accordance with this Law, including:
(a) taking into account:
(i) the nature, scope, context and purpose of the Processing;
(ii) the risks presented by the Processing to a relevant Data Subject; and
(iii) prevailing information security good industry practice.
(b) ensuring a level of security:
(i) appropriate to the risks associated with Processing, taking account of any wilful, negligent, accidental, unauthorised or unlawful destruction, loss, alteration, disclosure of or access to Personal Data; and
(ii) against all other unlawful forms of Processing;
(c) ensuring that, by default, only Personal Data necessary for each specific purpose is Processed. This obligation applies to the amount and type of Personal Data collected, the extent of the Processing, the period of storage and accessibility; and
(d) reviewing and updating such measures where necessary to reflect legal, operational and technical developments.
(3) A Controller or Processor shall integrate necessary measures into the Processing in order to meet the requirements of this Law, protect a Data Subject’s rights and follow the principle of "data protection by design and by default", which shall at least require assurances that:
(i) Processing is designed to reinforce data protection principles such as data minimisation at the time of determining the means for Processing and at the time of Processing itself; and
(ii) by default, only Personal Data that is necessary for each specific purpose is Processed, and that Personal Data is not made accessible to an indefinite number of persons without the Data Subject's intervention.
(4) Where a Controller is offering online services through a platform, the default privacy preferences of the platform shall be set such that no more than the minimum Personal Data necessary to deliver or receive the relevant services is obtained or collected, and a Data Subject should be:
(a) prompted to actively select his privacy preferences on first use; and
(b) able to easily change such preferences.
(5) A Controller or Processor that collects or Processes Personal Data shall implement and maintain a data protection policy in writing that is:
(a) proportionate to the extent and type of Processing of Personal Data undertaken; and
(b) consistent with this Law.
(6) Notwithstanding Article 14(5), any person that can demonstrate adherence to approved codes of conduct under Article 48 or approved certification schemes under Article 50 has complied with the obligations in this Article 14.
(7) A Controller or Processor shall register with the Commissioner by filing a notification of Processing operations, which shall be kept up to date through amended notifications.
(8) Notifications referred to in Article 14(7) shall be:
(a) kept on a publicly available register maintained by the Commissioner; and
(b) accompanied by such fee as may be prescribed in Regulations made by the DIFCA Board of Directors.
15. Records of Processing activities
(1) A Controller shall maintain a written record, which may be in electronic form, of Processing activities under its responsibility, which shall contain at least the following information:
(a) name and contact details of the Controller, its appointed DPO, where applicable, and Joint Controller, if any;
(b) the purpose(s) of the Processing;
(c) a description of the categories of Data Subjects;
(d) a description of the categories of Personal Data;
(e) categories of recipients to whom the Personal Data has been or will be disclosed, including recipients in Third Countries and International Organisations;
(f) where applicable, the identification of the Third Country or International Organisation that the Personal Data has or will be transferred to and, in the case of transfers under Article 27, the documentation of suitable safeguards;
(g) where possible, the time limits for erasure of the different categories of Personal Data; and
(h) where possible, a general description of the technical and organisational security measures referred to in Article 14(2).
(2) A Processor shall maintain a written record of all categories of Processing activities carried out on behalf of a Controller containing the information specified in Article 15(1).
(3) The DIFCA Board of Directors may make Regulations on the procedures relating to recording of Processing activities under this Article 15.
16. Designation of the DPO
(1) A Controller or Processor may elect to appoint a DPO that meets the requirements of Article 17.
(2) Notwithstanding Article 16(1), a DPO shall be appointed by:
(a) DIFC Bodies, other than the Courts acting in their judicial capacity; and
(b) a Controller or Processor performing High Risk Processing Activities on a systematic or regular basis.
(3) A Controller or Processor to which Article 16(2)(b) does not apply may be required to designate a DPO by the Commissioner.
(4) If a Controller or Processor is not required to appoint a DPO, it shall clearly allocate responsibility for oversight and compliance with respect to data protection duties and obligations under this Law, or any other applicable data protection law, within its organisation and be able to provide details of the persons with such responsibility to the Commissioner upon request.
(5) The role of a DPO may be performed by a member of a Controller’s or Processor’s staff, an individual employed within a Controller’s or Processor’s Group in accordance with Article 16(6) or by a third party under a service contract.
(6) A Group may appoint a single DPO provided that he is easily accessible from each entity in the Group.
(7) A DPO must reside in the UAE unless he is an individual employed within the organisation's Group and performs a similar function for the Group on an international basis.
(8) A Controller or Processor shall publish the contact details of its DPO in a manner that is readily accessible to third parties, such that a third party could determine how to contact the DPO without disproportionate effort. On request, a Controller or Processor shall confirm the identity of its DPO to the Commissioner in writing.
17. The DPO: competencies and status
(1) A DPO must have knowledge of this Law and its requirements and shall ensure a Controller or Processor monitors compliance with this Law.
(2) A DPO must:
(a) have the ability to fulfil the tasks in Article 18;
(b) be able to perform his duties and tasks in an independent manner, and be able to act on his own authority;
(c) have direct access and report to senior management of the Controller or Processor;
(d) have sufficient resources to perform his duties in an effective, objective and independent manner; and
(e) have timely and unrestricted access to information within the Controller or Processor organisation to carry out his duties and responsibilities under this Law.
(3) Without prejudice to the mandatory notification requirements under this Law, a DPO shall be transparent and cooperative with the Commissioner and shall notify the Commissioner of all relevant information within the Controller or Processor organisation, other than information that is subject to legal privilege or a conflicting obligation of non-disclosure under Applicable Law.
(4) Subject to Article 18(1)(c), a DPO may hold other roles or titles within a Controller or Processor or within each such Group, and may fulfil additional tasks and duties other than those described in this Law.
18. Role and tasks of the DPO
(1) A Controller or Processor shall ensure that:
(a) its DPO is properly involved in a timely manner, on all issues relating to the protection of Personal Data and is given sufficient resources necessary to carry out the role;
(b) its DPO is free to act independently; and
(c) any additional tasks and duties fulfilled by its DPO, other than those required under this Law, do not result in a conflict of interest or otherwise prevent the proper performance of the role of the DPO.
(2) A Data Subject may contact the DPO of a Controller or Processor with regard to all issues related to Processing of his Personal Data and to the exercise of his rights under this Law.
(3) A DPO shall perform at least the following tasks:
(a) monitor a Controller or Processor’s compliance with:
(i) this Law;
(ii) any other data protection or privacy-related laws or regulations to which the organisation is subject within the DIFC; and
(iii) any policies relating to the protection of Personal Data, including the assignment of responsibilities, awareness-raising and training of staff involved in Processing operations, and the related audits;
(b) inform and advise a Controller or Processor and its employees who carry out Processing of its obligations pursuant to this Law and to other data protection provisions, including where the organisation is subject to overseas provisions with extra-territorial effect;
(c) provide advice where requested in relation to data protection impact assessments undertaken pursuant to Article 20;
(d) cooperate with the Commissioner in accordance with Article 17(3);
(e) act as the contact point for the Commissioner on issues relating to Processing; and
(f) receive and act upon any relevant findings, recommendations, guidance, directives, resolutions, sanctions, notices or other conclusions issued or made by the Commissioner.
19. DPO Controller assessment
(1) Where a Controller is required to appoint a DPO under Articles 16(2) or 16(3), the DPO shall undertake an assessment of the Controller's Processing activities, at least once per year ("the Annual Assessment"), which shall be submitted to the Commissioner.
(2) A Controller shall report on its Processing activities in the Annual Assessment and indicate whether it intends to perform High Risk Processing Activities in the following annual period.
(3) The Commissioner shall prescribe and make publicly available the format, required content and deadline for submission of Annual Assessments.
20. Data protection impact assessment
(1) Prior to undertaking High Risk Processing Activities a Controller shall carry out an assessment of the impact of the proposed Processing operations on the protection of Personal Data, considering the risks to the rights of the Data Subjects concerned. A Controller may also elect to carry out such assessment in relation to the Processing of Personal Data that is not a High Risk Processing Activity.
(2) A single assessment may address a set of similar Processing operations that present similar risks. If another member of a Controller's Group has conducted a data protection impact assessment, complying with the requirements of Article 20(6), in relation to substantially the same Processing that remains current and accurate, the Controller may rely on such data protection impact assessment for the purpose of this Article 20.
(3) A DPO, where appointed, shall be responsible for overseeing data protection impact assessments.
(4) The Commissioner may at his discretion publish a non-exhaustive list of types or categories of Processing operations that are considered to be High Risk Processing Activities. Such a list is not intended to be exhaustive and does not absolve a Controller from responsibility for complying with this Law in all respects with regard to High Risk Processing Activities.
(5) The Commissioner may also publish a list of the types or categories of Processing operations for which no data protection impact assessment is required.
(6) A data protection impact assessment shall contain at least:
(a) a systematic description of the foreseen Processing operations and the purpose(s) of the Processing, including, where applicable, the legitimate interest pursued by a Controller;
(b) an assessment of the necessity and proportionality of the Processing operations in relation to the purpose(s);
(c) identification and consideration of the lawful basis for the Processing, including:
(i) where legitimate interests are the basis for Processing, an analysis and explanation of why a Controller believes the interests or rights of a Data Subject do not override its interests; and
(ii) where consent is the basis for Processing, validation that such consent is validly obtained, consideration of the impact of the withdrawal of consent to such Processing and of how a Controller will ensure compliance with the exercise of a Data Subject's right to withdraw consent;
(d) an assessment of the risks to the rights of Data Subjects; and
(e) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data and to demonstrate compliance with this Law, taking into account the rights and legitimate interests of Data Subjects and other concerned persons.
(7) In assessing the impact of the Processing operations, compliance with approved codes of conduct referred to in Article 48 by a Controller or Processor shall be taken into account.
(8) Taking into account protection of commercial or public interests or the security of Processing operations, a Controller shall seek the input of Data Subjects or their representatives on the intended Processing, where appropriate.
(9) A new data protection impact assessment is not required unless Applicable Law requires that it is necessary to carry out such an assessment prior to undertaking Processing activities, where:
(a) Processing pursuant to Articles 10(1)(c) or 10(1)(e) has a lawful basis in Applicable Law to which a Controller is subject;
(b) Applicable Law regulates the specific Processing operation or set of operations in question; and
(c) a data protection impact assessment has already been carried out as part of a general impact assessment in the context of the adoption of that lawful basis.
(10) A Controller shall carry out a review to assess if Processing is performed in accordance with a data protection impact assessment:
(a) on a regular basis, proportionate to the extent and type of Processing the Controller conducts; or
(b) when there is a change in the risk related to the Processing operations.
(11) A Processor appointed, or in the process of being appointed, by a Controller to carry out a Processing activity shall assist the Controller by providing all information reasonably requested by the Controller in connection with the relevant data protection impact assessment.
21. Prior consultation
(1) A Controller shall consult the Commissioner where a data protection impact assessment under Article 20 indicates that, despite taking the measures referred to in Article 20(6)(e), the risks to the rights of Data Subjects remain particularly high and the Controller has already carried out or wishes to commence or continue carrying out a Processing activity.
(2) Where the Commissioner determines that a Processing activity referred to in Article 21(1) would or does breach this Law, the Commissioner shall provide written confirmation to the Controller and, where applicable, to the Processor, and may also use any of the powers referred to in Article 46.
(3) A Controller may consult with the Commissioner before commencing a Processing activity. A Controller is not prohibited from commencing a Processing activity before or during a consultation period where there is insufficient time to complete such consultation in advance and there is a pressing business need to commence Processing, provided it is not likely to override the vital interests of Data Subjects whose Personal Data is being Processed. Such Processing shall comply with the Law at all times and the Controller shall remain liable for breaches of the Law prior to or during the consultation period.
(4) If the Commissioner makes a direction with respect to a Processing activity as a result of a consultation then a Controller shall implement such directions without delay including, if so directed, discontinuing the Processing activity.
(5) A Controller's decision regarding a consultation will be taken into account by the Commissioner when considering any applicable sanctions under this Law. Where Processing is determined to be in violation of the Law, a failure to consult with the Commissioner may result in the application of more severe penalties.
(6) A Controller may complete a data protection impact assessment or carry out prior consultation with other Controllers or Joint Controllers (as applicable), including where multiple Controllers wish to use a new technology or platform, or where there is an innovation in a particular industry that changes the way Personal Data is Processed.
(7) The Commissioner shall endeavour to provide its written confirmation within four (4) weeks of the beginning of the consultation period, but may notify a relevant Controller that the time period is being extended by up to a further four (4) weeks where the Processing in question is particularly complex.
(8) Where the Commissioner determines that the Processing is unlawful, a relevant Controller or Processor shall cease all such Processing immediately, unless otherwise directed by the Commissioner.
(9) When consulting with the Commissioner pursuant to Article 21(1), a Controller shall provide the Commissioner with:
(a) where applicable, its respective responsibilities and those of any Joint Controllers and Processors involved in the Processing, in particular for Processing within a Group;
(b) the purposes and means of the intended Processing;
(c) the measures and safeguards provided to protect the rights of Data Subjects pursuant to this Law;
(d) where applicable, the contact details of its DPO;
(e) the relevant data protection impact assessment; and
(f) any other information requested by the Commissioner.
(10) A Processor appointed, or in the process of being appointed, by a Controller to carry out a Processing activity shall assist the Controller in any prior consultation process with the Commissioner.
22. Cessation of Processing
(1) Where the basis for Processing changes, ceases to exist or a Controller is required to cease Processing due to the exercise of a Data Subject’s rights, the Controller shall ensure that all Personal Data, including Personal Data held by Processors is:
(a) securely and permanently deleted;
(b) anonymised so that the data is no longer Personal Data and no Data Subject can be identified from the data including where the data is lost, damaged or accidentally released;
(c) pseudonymised; or
(d) securely encrypted.
(2) Where a Controller is unable to ensure that Personal Data is securely and permanently deleted, anonymised, pseudonymised or securely encrypted, the Personal Data must be archived in a manner that ensures the data is put beyond further use.
(3) "Put beyond further use" in Article 22(2) means that:
(a) a Controller and a relevant Processor is unable to use the Personal Data to inform any decision with respect of the Data Subject or in a manner that affects the Data Subject in any way, other than where such Personal Data needs to be cross-checked by automated means solely in order to prevent further Processing of Personal Data related to the Data Subject;
(b) no party has access to the Personal Data other than the Controller and any relevant Processor;
(c) Personal Data is protected by appropriate technical and organisational security measures that are equivalent to those afforded to live Personal Data; and
(d) a Controller and any relevant Processor have in place a strategy for the permanent deletion, anonymisation, pseudonymisation or secure encryption of the Personal Data, comply with such policy, and can demonstrate compliance with it.
(4) Notwithstanding Article 22(1), a Controller and any relevant Processor is not required to securely and permanently delete, anonymise, pseudonymise or encrypt Personal Data or put it beyond further use, where such Personal Data:
(a) is necessary for the establishment or defence of legal claims or must be retained for compliance with Applicable Law; or
(b) is being used in scientific research activity conducted in the public interest or in the interests of the DIFC in accordance with all Applicable Laws, in a manner that does not present risks to the rights of Data Subjects; or
(c) is part of a dataset used to lawfully train or refine an artificial intelligence system in a manner that does not present risks to a Data Subject’s rights.
(5) A Controller or Processor seeking to rely on Articles 22(4)(b) or 22(4)(c) shall conduct a data protection impact assessment in accordance with Article 20 before doing so. Any Processing of Personal Data in accordance with Article 22(4) must be limited to the extent necessary for such purposes.
(6) A Controller or Processor shall have a policy and process for managing Personal Data that is subject to Article 22(4) when the grounds for retention no longer apply, and shall securely and permanently delete, anonymise, pseudonymise, encrypt Personal Data or to put it beyond further use when such grounds no longer apply.