Information Requirements, Data Subject Rights, Accountability and Governance
What information needs to be included in a privacy notice to data subjects?

Last review date: 20 December 2024

☒  the identity and the contact details of the controller and, where applicable, of the controller's representative

☒  the purposes of the processing for which the personal data is intended

☒  the categories of personal data concerned

☒  the recipients or categories of recipients of the personal data, if any

☒  the security provided to the data

☒  other

Per the Privacy Rules, a body corporate is required to publish a privacy policy on its website that addresses its handling of personal information. Such a policy must contain clear and easily accessible statements of the controller's privacy practices and policies.

Per the DPDP Act, there is no express requirement for a data fiduciary to publish a privacy policy on its website. Instead, the DPDP Act requires a data fiduciary to give a data principal an itemized privacy notice in clear and plain language at the time of, or prior to, obtaining consent. The notice furnished to a data principal must convey the following information:

  1. the personal data intended for processing and the purpose for such processing
  2. the manner in which data principals can exercise their rights under the DPDP Act
  3. the manner of filing a complaint with the Data Protection Board of India, and
  4. the contact details of the data protection officer or any other person responsible for addressing a data principal’s questions

Notably, such notice is to be made accessible in English or any language specified in the Eighth Schedule to the Constitution of India.

Do data subjects have specific privacy rights that must be operationalized?

Last review date: 20 December 2024

Yes

Data subjects have the following data privacy rights, although the specifics of the scope and conditions for each of these vary depending on the circumstances and local law:

☒  right to access the data subject's own personal data

☒  right to rectify/correct the data subject's own personal data where inaccurate or incomplete

☒  right to erasure of personal data

☒  right to withdraw consent

☒  other

The DPDP Act also provides data principals with the following additional rights:

  1. The right to seek information on all data fiduciaries with whom personal data has been shared, along with the categories of personal data so shared, in one place
  2. The right to seek redressal of grievances, first from the data fiduciary and subsequently, if necessary, from the Data Protection Board of India (DPBI)
  3. The right to nominate another individual who will exercise the data principal's rights in the event of the data principal's death or incapacity

Are there accountability and governance requirements?

Last review date: 20 December 2024

Yes

There are accountability and governance requirements to:

☒  perform and document data protection impact assessments (DPIAs) for high-risk processing

☒  implement appropriate measures to comply with data privacy and cybersecurity

☒  demonstrate compliance with data privacy and cybersecurity

☒  identify a specific individual as the data privacy contact for data subject or data protection authority inquiries

☒  other

Under the DPDP Act, significant data fiduciaries must appoint an independent data auditor to conduct periodic data protection impact assessments. This process includes describing the rights of data principals and the purpose of processing their personal data, and assessing and managing risks to these rights. The Government of India may provide further details on conducting these assessments in future legislation.