Data Protection Act 2023 – A primer

Explore the key aspects of the Data Protection Act, 2023 (DPA) in India. Understand its extraterritorial applicability, rights of individuals, obligations on organizations, and types of organizations affected. Learn about due diligence, compliance, and the impact on various sectors.

The Data Protection Act, 2023 (DPA) is the main law governing the processing of personal data in India. DPDP Act does not have a sunrise provision and is likely to be implemented in a phased manner, through separate notifications in the Official Gazette

Extraterritorial applicability

Like its global counterpart GDPR, the Indian version of data protection has limited extraterritorial applicability and will extend to processing of digital personal data outside India, if such processing is in connection with an activity related to offering of goods or services to data principals within India.

The DPA applies to all organizations that process personal data of individuals located in India, regardless of the organization’s location. It also applies to organizations that process personal data of individuals located outside India, if the processing activities relate to:

• The offering of goods or services to individuals located in India; or
• The monitoring of the behavior of individuals located in India.

• Rights to individuals under Data Protection Act, 2023
• Other Key provisions of the Data Protection Act, 2023:
• Type of organizations which are required to comply with the Data Protection Act.
• Whether employer covered under Data Protection Act, 2023

Rights to individuals under Data Protection Act, 2023

The DPA gives individuals certain rights with respect to their personal data, including the right to:

• Access their personal data;
• Rectify their personal data;
• Erase their personal data;
• Object to the processing of their personal data;
• Port their personal data;
• Restrict the processing of their personal data;
• File a complaint with the Data Protection Authority (DPA).

Obligations on the organizations using Personal Data Data Protection Act, 2023

The DPA also imposes certain obligations on organizations that process personal data, including the obligation to:

• Obtain consent from individuals before processing their personal data;
• Use personal data only for the purposes for which it was collected;
• Keep personal data secure;
• Notify the DPA of data breaches; and
• Appoint a data protection officer (DPO).

The DPA is a comprehensive law that provides strong protections for the privacy of individuals. It is important for organizations that process personal data to comply with the DPA to avoid legal liability.

Other Key provisions of the Data Protection Act, 2023:

• The DPA defines personal data as any information that relates to an identified or identifiable natural person.
• The DPA gives individuals certain rights with respect to their personal data, including the right to access, rectify, erase, object to, port, and restrict the processing of their personal data.
• The DPA imposes certain obligations on organizations that process personal data, including the obligation to obtain consent from individuals before processing their personal data, use personal data only for the purposes for which it was collected, keep personal data secure, notify the DPA of data breaches, and appoint a data protection officer (DPO).
• The DPA establishes the Data Protection Authority (DPA), which is responsible for enforcing the DPA.

Type of organizations which are required to comply with the Data Protection Act.

The DPA is a significant development in data protection law in India. It is important for organizations that process personal data to understand the DPA and comply with its requirement.

The Data Protection Act, 2023 (DPA) applies to all organizations that process personal data of individuals located in India, regardless of the organization’s location. It also applies to organizations that process personal data of individuals located outside India, if the processing activities relate to:

• The offering of goods or services to individuals located in India; or
• The monitoring of the behavior of individuals located in India.

Some of the types of organizations that are likely to be affected by the DPA include:

• Central, State and Municipal / local Government agencies
• Banks and financial institutions
• Telecom companies
• E-commerce companies (like Naukri.com, shaadi.com, amazon, paytm magicbricks.com etc.)
• Technology companies
• Share Broking Companies
• Mutual Funds and Asset Management Companies
• Registrar and Transfer Agents (like Karvy, Alankit etc.)
• Healthcare organizations
• Depositories viz NSDL & CDSL
• Educational institutions
• Retail companies
• Media companies
• Non-profit organizations
• Marketing Companies who uses the data for marketing purposes (Companies who approach consumers like us through calls/ sms / email/ digital means like whatsapp or Telegram are likely to be covered under this act.

Any organization that collects, stores, or uses personal data of individuals located in India must comply with the DPA. The DPA imposes a number of obligations on organizations, including the obligation to:

• Obtain consent from individuals before processing their personal data;
• Use personal data only for the purposes for which it was collected;
• Keep personal data secure;
• Notify the DPA of data breaches; and
• Appoint a data protection officer (DPO).

Organizations that fail to comply with the DPA may be subject to fines, penalties, and other enforcement actions.

Here are some specific examples of organizations that are likely to be affected by the DPA:

• A bank that collects personal data of its customers, such as their names, addresses, PAN, and account numbers.
• A telecom company that collects personal data of its subscribers, such as their phone numbers, call records and possibly KYC documents.
• An e-commerce company that collects personal data of its customers, such as their names, addresses, order history and payment details.
• A technology company that collects personal data of its users, such as their browsing history and location data.
• A healthcare organization that collects personal data of its patients, such as their names, contact number, address, medical records and test results.
• An educational institution that collects personal data of its students, such as their names, addresses, date of birth and academic records.
• A retail company that collects personal data of its customers, such as their names, addresses, contact details, and purchase history.
• A media company that collects personal data of its users, such as their names, addresses, KYC details and viewing habits.
• A non-profit organization that collects personal data of its donors, such as their names, addresses, contact details and donation history.

These are just a few examples of the many types of organizations that are likely to be affected by the DPA. If your organization collects, stores, or uses personal data of individuals located in India, you should take steps to understand the DPA and comply with its requirements.

Whether employer covered under Data Protection Act, 2023

An important question if the employers collecting the data for processing of salary and maintaining employment records be covered under the Act, since they need details like name, father name, address, contact details (including email and residential address, KYC details like PAN / Aadhar and bank details to process the salary and other relevant purposes relating to employment?

Different uses have been provided as a safeguard under Section 7 mentioned as “certain legitimate uses” for which personal data can be used includes all lawful grounds for processing such data.

This inter-alia includes

1) data provided voluntarily for the specified purposes and

2) data provided for the purposes of employment or those relating to safeguarding the employer from loss or liability, such as prevention of corporate espionage, maintenance of confidentiality of trade secrets, intellectual property, classified information or provision of any service or benefit sought by a Data Principal who is an employee.

According to the above, apparently the employer may be able to process personal data for the specified purpose for which volitional consent has been provided. The employer may also process personal data without consent for purposes of employment or those related to safeguarding the employer from loss or liability, such as prevention of corporate espionage, maintenance of confidentiality of trade secrets, intellectual property, classified information or provision of any service to employees.

In other words, at the employment, the details provided by an employee and data collected and processed in relation to employment will qualify as a legitimate use for aforesaid purposes.

It is advisable that employers must provide complete information regarding the reason for collection of personal data and how it will be used and handled to all employees falling within the Act as Data Principal.

We are yet to see the applicability of rules which will clarify more details on the captioned subject