8. (1) A Data Fiduciary shall, irrespective of any agreement to the contrary or failure of
a Data Principal to carry out the duties provided under this Act, be responsible for complying
with the provisions of this Act and the rules made thereunder in respect of any processing
undertaken by it or on its behalf by a Data Processor.
(2) A Data Fiduciary may engage, appoint, use or otherwise involve a Data Processor
to process personal data on its behalf for any activity related to offering of goods or
services to Data Principals only under a valid contract.
(3) Where personal data processed by a Data Fiduciary is likely to be—
(a) used to make a decision that affects the Data Principal; or
(b) disclosed to another Data Fiduciary,
the Data Fiduciary processing such personal data shall ensure its completeness,
accuracy and consistency.
(4) A Data Fiduciary shall implement appropriate technical and organisational measures
to ensure effective observance of the provisions of this Act and the rules made thereunder.
(5) A Data Fiduciary shall protect personal data in its possession or under its control,
including in respect of any processing undertaken by it or on its behalf by a Data Processor,
by taking reasonable security safeguards to prevent personal data breach.
(6) In the event of a personal data breach, the Data Fiduciary shall give the Board and
each affected Data Principal, intimation of such breach in such form and manner as may be
prescribed.
(7) A Data Fiduciary shall, unless retention is necessary for compliance with any law
for the time being in force,—
(a) erase personal data, upon the Data Principal withdrawing her consent or as soon as it is reasonable to assume that the specified purpose is no longer being
served, whichever is earlier; and
(b) cause its Data Processor to erase any personal data that was made available
by the Data Fiduciary for processing to such Data Processor.
Illustrations.
(I) X, an individual, registers herself on an online marketplace operated by Y, an
e-commerce service provider. X gives her consent to Y for the processing of her personal
data for selling her used car. The online marketplace helps conclude the sale. Y shall no
longer retain her personal data.
(II) X, an individual, decides to close her savings account with Y, a bank. Y is required
by law applicable to banks to maintain the record of the identity of its clients for a period of
ten years beyond closing of accounts. Since retention is necessary for compliance with law,
Y shall retain X’s personal data for the said period.
(8) The purpose referred to in clause (a) of sub-section (7) shall be deemed to no
longer be served, if the Data Principal does not––
(a) approach the Data Fiduciary for the performance of the specified purpose;
and
(b) exercise any of her rights in relation to such processing,
for such time period as may be prescribed, and different time periods may be prescribed for
different classes of Data Fiduciaries and for different purposes.
(9) A Data Fiduciary shall publish, in such manner as may be prescribed, the business
contact information of a Data Protection Officer, if applicable, or a person who is able to
answer on behalf of the Data Fiduciary, the questions, if any, raised by the Data Principal
about the processing of her personal data.
(10) A Data Fiduciary shall establish an effective mechanism to redress the grievances
of Data Principals.
(11) For the purposes of this section, it is hereby clarified that a Data Principal shall be
considered as not having approached the Data Fiduciary for the performance of the specified
purpose, in any period during which she has not initiated contact with the Data Fiduciary
for such performance, in person or by way of communication in electronic or physical form.