Last review date: 20 December 2024

Yes

The following are potential legal bases for processing personal data:

☒  the data subject has provided consent to the processing for the identified purposes

☒  other

The DPDP Act permits the processing of personal data belonging to data principals for certain legitimate uses. For such uses, a data fiduciary may not be required to provide notice or obtain consent from a data principal. The prescribed legitimate uses under the DPDP Act include:

1. Where data principals voluntarily provide their personal data to the data fiduciary and if the data principal has not indicated to the data fiduciary that they do not consent to the use of such personal data
2. For the performance of any function or fulfilling any obligation under any law by government authorities
3. For compliance with any judgment, order or decree issued under any law
4. For responding to a medical emergency involving a threat to the life or immediate threat to the health of the data principal or any other individual
5. For taking measures to provide medical treatment or health service to any individual during an epidemic, outbreak of disease, or any other threat to public health
6. For taking measures to ensure the safety of, or provide assistance or services to any individual during any disaster, or any breakdown of public order; and
7. For purposes related to employment.

Last review date: 20 December 2024

Yes

The following are potential legal bases for processing special categories of personal data:

☒  the data subject has given consent to the processing, where consent is measured to a higher standard than for non-sensitive personal data (for example, additional requirement for consent to be "explicit")

☒  other

• The information is processed for a lawful purpose connected with a function or activity of the body corporate or any person on its behalf, and
• The processing of sensitive personal data or information is considered necessary for that purpose.

The above-mentioned legal bases for processing sensitive personal data are provided under the Privacy Rules. The DPDP Act does not differentiate between sensitive and non-sensitive personal data. Therefore, no additional legal bases are required for the processing of sensitive personal data. 

Last review date: 20 December 2024

Yes

Last review date: 20 December 2024

Generally

Under the DPDP Act, minors or children are individuals under the age of 18.

Last review date: 20 December 2024

☒  consent must be given or authorized by the parent/ guardian of the minor

☒  other

The DPDP Act imposes the following additional obligations in relation to the processing of personal data of children:

1. Before processing a child's personal data, the data fiduciary must obtain verifiable parental consent (which includes the consent of a lawful guardian, wherever applicable) in a manner that will be prescribed
2. Data fiduciaries must not undertake such processing of personal data that is likely to have a detrimental effect on the well-being of a child, and
3. Data fiduciaries must not undertake tracking or behavioral monitoring of children or target advertising directed at children.

However, the Central Government may prescribe certain purposes for which (a) to (c) above will not apply.