Chapter II of the Digital Personal Data Protection Act, 2023 (DPDPA) outlines the obligations of the Data Fiduciary. The Act first establishes the grounds on which personal data may be processed. According to these provisions, a data fiduciary may process personal data of a data principal only in accordance with the provisions of the Act and for a lawful purpose, meaning any purpose that is not expressly forbidden by law.

The Act further prescribes specific compliance obligations that must be followed by data fiduciaries when processing personal data. Two central requirements under this framework are consent and notice.

Consent

Consent forms the foundation of lawful personal data processing under the Act. The DPDPA specifies several conditions that must be fulfilled for consent to be valid.

First, the consent must be free, specific, informed, unconditional, and unambiguous, and it must involve a clear affirmative action by the data principal. Such consent signifies that the data principal agrees to the processing of their personal data only for the specified purpose.

However, if the consent contradicts any provision of the Act or any other law currently in force in India, the consent will be invalid to the extent of such infringement.

The Act also requires that the request for consent must be communicated in clear and plain language. The data principal must have the option to access the request in English or in any of the languages specified in the Eighth Schedule of the Constitution of India. These languages include Assamese, Bengali, Gujarati, Hindi, Kannada, Kashmiri, Konkani, Malayalam, Manipuri, Marathi, Nepali, Oriya, Punjabi, Sanskrit, Sindhi, Tamil, Telugu, Urdu, Bodo, Santhali, Maithili, and Dogri.

The consent request must also include contact details of a Data Protection Officer or another authorised person designated by the data fiduciary to respond to queries or communications from data principals regarding the exercise of their rights under the Act.

A Data Protection Officer (DPO) is an individual who represents Significant Data Fiduciaries (SDFs). The DPO must be based in India and is responsible to the Board of Directors or a similar governing body. The officer acts as the point of contact for data principals who have grievances.

The Act further requires data fiduciaries to ensure that data principals can easily withdraw their consent whenever they wish. Once consent is withdrawn, the data fiduciary must stop processing the personal data within a reasonable time.

An exception applies where the law permits continued processing of such data even after consent has been withdrawn; in such cases, the data fiduciary may continue the processing.

When consent is withdrawn, the data principal bears any resulting consequences, and the withdrawal does not affect the legality of any data processing that occurred before it.

Notice

Another crucial compliance requirement under the Act is the notice provided to the data principal.

The notice must either accompany or precede the request for consent. Its purpose is to inform the data principal about the essential aspects of the intended processing.

The notice must inform the data principal of:

  • Which personal data is being accessed and the purpose for processing it
  • The manner in which the data principal can exercise their rights
  • The process through which a complaint can be made to the Data Protection Board of India

Further requirements relating to notice are specified in the DPDP Rules.

According to these rules, the notice must be presented in an understandable form and independent of other information provided by the data fiduciary. It must provide clear and simple information enabling the data principal to give specific and informed consent for the processing of personal data.

The notice must include:

  • A clear, item-by-item description of the personal data being collected
  • The exact purpose for collecting such data, along with a clear explanation of the goods, services, or uses that the data will enable

Additionally, the notice must provide the specific link to the data fiduciary’s website or application and explain other available methods through which the data principal can:

  • Withdraw consent as easily as it was given
  • Exercise their rights under the Act
  • File a complaint with the Data Protection Board of India

Through these provisions, the Digital Personal Data Protection Act, 2023 establishes structured compliance requirements governing how personal data may be processed and how data principals must be informed and empowered during the process.