Ready to use legal template

Drafted by experienced lawyers

Compliant with Indian law

Ready to use legal template

Drafted by lawyers

Compliant with Indian law

HomeIntellectual propertyPersonal data protection

Learn more about Personal Data Protection in India

On a daily basis, companies are required to collect data about their customers, which will then be processed and sorted. This information may be personal in nature as long as it relates to their identity. Thus, several legislations in India come to govern both the collection of this information and its processing by public and private organizations that process this type of data. It is important to establish legal standards to protect this data. Use this Data Protection Agreement to protect your company from disclosing personal data to a third party during the period of the Employment Contract or business relationship.

Table of contents


What is Personal Data Protection?

Every day, we transmit our data to different organizations such as the administration, our employer, commercial companies, etc. This data, called personal data, is any information relating to an identified or identifiable natural person.

This data can allow an individual to be identified directly (example: name, first name) or indirectly (example: by an identifier (customer number), a (telephone) number, a biometric data, etc.)
Once collected, this information is processed by software and/or employees. The processing of personal data is an operation, or set of operations, on personal data, whatever the process used (collection, recording, organization, conservation, adaptation, modification, extraction, consultation, use, communication by transmission, dissemination or any other form of provision, reconciliation).
As this information concerns the identity of individuals, it is essential to establish legal standards to protect this data. However, personal information refers only to data concerning a natural person. Legal entities are not affected by this protection.

The holder of a file containing personal data, computer or paper, must, in principle, provide you with the following information:

➤ The purpose of the file, i.e. for what purpose the file will be used
➤ On what legal basis is it founded, is it through a consent agreement, the execution of a contract or the respect of a legal obligation, that it is legally produced
➤ Who has access to the data
➤ How long the data will be kept, it must be reasonable, depending on the purpose of the file

Public and private bodies such as the government, companies, sole proprietorships or associations engaged in commercial or professional activities incorporated in India, as well as foreign companies processing personal data of individuals in India are covered by the legislation.

What is the PDP Bill 2019?

Introduced by the Ministry of Electronics and Information Technology, the Personal Data Protection Bill 2019 (PDP Bill 2019) will be in force in India in some time. This bill which covers personal data protection mechanisms aims at improving the Indian data protection legislation and proposes the establishment of a Data Protection Authority of India for this purpose.
As such, this bill aims to ensure the protection of the privacy of individuals with respect to their personal and non-personal data, to clarify the flow and use of personal data, to create a relationship of trust between persons and entities processing personal data, and to protect the fundamental rights of persons whose personal data is processed.

What are the Indian regulations regarding Data Protection?

Pending the enactment of the Personal Data Protection Act (PDP 2019), there are two main pieces of legislation that apply in this regard. These are the Information Technology Act 2000 (“the IT Act”) and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 (“the DIPS Rules”). Indeed, most businesses, regardless of their industry, are more affected by the Computer Law and the DIPS Rules.

For example, the Computer Law provides that legal entities that handle so-called sensitive personal data or information are liable for damages for any loss caused by their failure to implement and maintain reasonable security practices and procedures.

In order to improve data protection legislation, the PDP Bill proposes a broader application of data protection, applying to both manual and electronic records, as well as to non-personal data. However, not all personal data that is freely available or accessible in the public domain or provided under the Right to Information Act 2005 or any other applicable law is to be considered “sensitive personal data or information” (“SPDI”). In addition, DIPS may be disclosed to mandated government authorities for the purpose of obtaining information for identity verification or prevention, detection, investigation without obtaining the consent of the “information provider”.

What are the consents requirements of the PDP Bill 2019?

The PDP Bill requires that a data trustee only process personal data if it has a valid reason to do so. The most important aspect is to obtain the consent of the data controller. Section 11 of the Bill requires the data trustee to ensure that it obtains the “express” consent of the data principal before or at the time of collecting personal information.

According to the bill, for consent to be considered valid, it must be:

1. Free and informed i.e. not induced by fraud, misrepresentation, coercion, undue influence or mistake.

2. Informed: the data controller must be provided with the information listed in Article 7 of the bill, i.e. information on the purposes for which the data will be used, the types of data collected, information on how to withdraw consent, with whom the data will be shared, etc. This information must be provided in a clear and concise manner, reasonably understandable, and in multiple languages if necessary.

3. Specific and clear: the consent given must relate specifically to the purpose of the processing envisaged by the trustee. The consent clause should not be overly broad or ambiguous or encompass unrelated purposes.

4. Withdrawal must be possible: This means ensuring that withdrawal of consent is possible and under the same conditions as obtaining consent.

Finally, the bill introduced the concept of a “consent manager“, which is a data trustee responsible for facilitating the data controller’s management of the consents collected, via an interoperable platform. Withdrawal of consent can also take place via the consent manager.

What are the consequences of a Data Protection breach in India?

Any violation of the Data Protection Act and the “DIPS” rules may result in civil liability as well as criminal liability. It is also possible to be subject to administrative fines.

Section 72A of the IT Act provides for a fine of up to Rs. 200,000 for disclosing personal information in violation of a legal contract or without consent. The 2019 Bill also provides for revenue-related penalties for businesses that can range from 2% to 4% depending on the type of violation.

With respect to criminal liability, Section 72A of the IT Act provides for imprisonment of up to three years for disclosing personal information in breach of a legal contract or without consent.
Finally, Section 43A of the Computer Law provides that legal persons possessing, processing or handling sensitive personal data or information in a computer resource owned, controlled or operated by them would be liable to pay damages as compensation to the affected individuals in the event of negligence in implementing and maintaining reasonable security practices and procedures to protect sensitive personal data or information.

The PDP Bill also proposes that data controllers who have suffered harm as a result of a breach of the requirements of the PDP Bill may seek compensation from the data trustee or data processor.

How to ensure Personal Data Protection in your company?

Any organization’s compliance depends on its control of its computer applications and systems, in which they collect and process data.

Corporate espionage is a reality that no data manager can ignore. The consequences can be serious, such as leading the company to bankruptcy or legal proceedings. Secure storage of digital data is therefore a critical element for business survival.

To avoid this, there are several things to do. First of all, you need to be able to clearly identify your company’s data protection risks, in order to correctly target the actions to be taken to avoid these risks. For example, if the company records data from a website or software, the risk is of hacking, so the computer files must be protected against unauthorized access.

It is then necessary to set up an ultra-secure storage system. You should not hesitate to put the financial means for this. Otherwise, the company could be stolen, have its data destroyed or modified. Finally, it is advisable to regularly change the access codes and to regularly update the adapted software.

What is the scope ration loci of the Bill?

Cross-border flows of sensitive personal data or information may be permitted to any other legal entity or person located in India or any other country if the same levels of data protection as in India are met. However, this is only possible if such transfer is necessary for the performance of a legal contract or if such transfer has been consented to by the information provider.
There are no reservations regarding transborder data flows of information that is not sensitive personal data or information.

The PDP Bill proposes a new regime for the transborder transfer of personal data. There would be separate requirements for sensitive personal data and critical personal data. Sensitive personal data can only be transferred outside India with the express consent of the individual and in accordance with standard contractual clauses or intra-group programs approved by the Authority. Critical personal data may only be transferred to a person or entity providing emergency health services if such transfer is necessary for prompt action. Central government would define what constitutes critical personal data.

Share information

Why Themis Partner ?

Make documents forhundreds of purposes

Hundreds of documents

Instant access to our entire library of documents for India.

24/7 legal support

Free legal advice from our network of qualified lawyers.

Easily customized

Editable Word documents, unlimited revisions and copies.

Legal and Reliable

Documents written by lawyers that you can use with confidence.

DOWNLOAD NOW