
Section 2 DPDPA

Definitions.

2. In this Act, unless the context otherwise requires,—

(a) “Appellate Tribunal” means the Telecom Disputes Settlement and Appellate Tribunal established under section 14 of the Telecom Regulatory Authority of India Act, 1997;
(b) “automated” means any digital process capable of operating automatically in response to instructions given or otherwise for the purpose of processing data;
(c) “Board” means the Data Protection Board of India established by the Central Government under section 18;
(d) “certain legitimate uses” means the uses referred to in section 7;
(e) “Chairperson” means the Chairperson of the Board;
(f) “child” means an individual who has not completed the age of eighteen years;
(g) “Consent Manager” means a person registered with the Board, who acts as a single point of contact to enable a Data Principal to give, manage, review and withdraw her consent through an accessible, transparent and interoperable platform;
(h) “data” means a representation of information, facts, concepts, opinions or instructions in a manner suitable for communication, interpretation or processing by human beings or by automated means;
(i) “Data Fiduciary” means any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data;
(j) “Data Principal” means the individual to whom the personal data relates and where such individual is—
(i) a child, includes the parents or lawful guardian of such a child;
(ii) a person with disability, includes her lawful guardian, acting on her behalf;
(k) “Data Processor” means any person who processes personal data on behalf of a Data Fiduciary;
(l) “Data Protection Officer” means an individual appointed by the Significant Data Fiduciary under clause (a) of sub-section (2) of section 10;
(m) “digital office” means an office that adopts an online mechanism wherein the proceedings, from receipt of intimation or complaint or reference or directions or appeal, as the case may be, to the disposal thereof, are conducted in online or digital mode;
(n) “digital personal data” means personal data in digital form;
(o) “gain” means—
(i) a gain in property or supply of services, whether temporary or permanent; or
(ii) an opportunity to earn remuneration or greater remuneration or to gain a financial advantage otherwise than by way of legitimate remuneration;
(p) “loss” means—
(i) a loss in property or interruption in supply of services, whether temporary or permanent; or
(ii) a loss of opportunity to earn remuneration or greater remuneration or to gain a financial advantage otherwise than by way of legitimate remuneration;
(q) “Member” means a Member of the Board and includes the Chairperson;
(r) “notification” means a notification published in the Official Gazette and the expressions “notify” and “notified” shall be construed accordingly;
(s) “person” includes—
(i) an individual;
(ii) a Hindu undivided family;
(iii) a company;
(iv) a firm;
(v) an association of persons or a body of individuals, whether incorporated or not;
(vi) the State; and
(vii) every artificial juristic person, not falling within any of the preceding sub-clauses;
(t) “personal data” means any data about an individual who is identifiable by or in relation to such data;
(u) “personal data breach” means any unauthorised processing of personal data or accidental disclosure, acquisition, sharing, use, alteration, destruction or loss of access to personal data, that compromises the confidentiality, integrity or availability of personal data;
(v) “prescribed” means prescribed by rules made under this Act;
(w) “proceeding” means any action taken by the Board under the provisions of this Act;
(x) “processing” in relation to personal data, means a wholly or partly automated operation or set of operations performed on digital personal data, and includes operations such as collection, recording, organisation, structuring, storage, adaptation, retrieval, use, alignment or combination, indexing, sharing, disclosure by transmission, dissemination or otherwise making available, restriction, erasure or destruction;
(y) “she” in relation to an individual includes the reference to such individual irrespective of gender;
(z) “Significant Data Fiduciary” means any Data Fiduciary or class of Data Fiduciaries as may be notified by the Central Government under section 10;
(za) “specified purpose” means the purpose mentioned in the notice given by the Data Fiduciary to the Data Principal in accordance with the provisions of this Act and the rules made thereunder; and
(zb) “State” means the State as defined under article 12 of the Constitution.


Legal Interpretation of Section 2 of the Digital Personal Data Protection Act, 2023 (DPDPA)

Based on the exact definitions provided in Section 2 of the Digital Personal Data Protection Act, 2023, here is a detailed interpretation of each term, including practical examples and comparisons with Indian laws and GDPR where applicable.

Interpretation of Section 2 Definitions

1. Appellate Tribunal
Definition:
The Telecom Disputes Settlement and Appellate Tribunal established under section 14 of the Telecom Regulatory Authority of India Act, 1997.
Illustrations:
1. A Data Fiduciary appeals against a penalty imposed by the Data Protection Board to the Appellate Tribunal.
2. A Data Principal seeks redressal at the Tribunal for a rejected grievance by the Board.
Comparison:
No equivalent tribunal under GDPR; supervisory authorities are the highest appellate bodies.

2. Automated
Definition:
Any digital process capable of operating automatically in response to instructions given or otherwise for processing data.
Illustrations:
1. A chatbot responding to user queries is an automated process.
2. An email filter sorting spam messages without manual intervention is automated.
Comparison:
GDPR includes profiling and automated decision-making under its scope, emphasizing transparency.

3. Board
Definition:
The Data Protection Board of India established by the Central Government under Section 18.
Illustrations:
1. The Board investigates a major data breach affecting millions of users.
2. The Board adjudicates disputes related to privacy violations by a social media platform.
Comparison:
Equivalent to GDPR’s Supervisory Authorities but less autonomous.

4. Certain Legitimate Uses
Definition:
The uses referred to in Section 7 of the Act.
Illustrations:
1. Using data for network security purposes constitutes a legitimate use.
2. Processing customer data to prevent fraud is a legitimate use under this section.
Comparison:
Similar to GDPR’s lawful processing grounds, including legitimate interests.

5. Chairperson
Definition:
The Chairperson of the Data Protection Board.
Illustrations:
1. The Chairperson presides over hearings on a high-profile data breach case.
2. The Chairperson issues directives to improve compliance measures for fiduciaries.

6. Child
Definition:
An individual who has not completed the age of eighteen years.
Illustrations:
1. A 16-year-old using a social media platform is considered a child under DPDPA.
2. A school app collecting student data must comply with additional safeguards for children.
Comparison:
GDPR defines children under 16, with member states allowed to lower it to 13.

7. Consent Manager
Definition:
A person registered with the Board who acts as a single point of contact to enable a Data Principal to give, manage, review, and withdraw consent.
Illustrations:
1. A Consent Manager enables users to withdraw their location-sharing permissions from multiple apps.
2. Users can review and modify their marketing preferences through a Consent Manager platform.
Comparison:
Unique to DPDPA; GDPR emphasizes consent management but does not define a specific manager role.

8. Data
Definition:
A representation of information, facts, concepts, opinions, or instructions suitable for communication, interpretation, or processing.
Illustrations:
1. A spreadsheet containing employee records is data.
2. A JSON file storing user preferences is also data.
Comparison:
Broadly aligned with GDPR’s scope of data but explicitly articulated in DPDPA.

9. Data Fiduciary
Definition:
A person who determines the purpose and means of processing personal data.
Illustrations:
1. An online retailer deciding how to store customer information is a Data Fiduciary.
2. A bank handling loan applicants’ data for credit assessment is a Data Fiduciary.
Comparison:
Equivalent to GDPR’s “Data Controller.”

10. Data Principal
Definition:
The individual to whom personal data relates. For children or persons with disabilities, it includes their lawful guardians.
Illustrations:
1. A customer providing their contact information for a service is a Data Principal.
2. A parent acting on behalf of a child to register for an educational service is a Data Principal.
Comparison:
Equivalent to GDPR’s “Data Subject.”

11. Data Processor
Definition:
A person who processes personal data on behalf of a Data Fiduciary.
Illustrations:
1. A cloud provider storing customer data for an e-commerce site is a Data Processor.
2. A third-party payroll service processing employee salaries is a Data Processor.
Comparison:
Equivalent to GDPR’s “Data Processor.”

12. Data Protection Officer
Definition:
An individual appointed by a Significant Data Fiduciary under Section 10(2)(a).
Illustrations:
1. A bank appoints a Data Protection Officer to oversee compliance.
2. A healthcare app designates a Data Protection Officer to address grievances related to sensitive health data.
Comparison:
Similar to GDPR’s Data Protection Officer but mandated only for Significant Data Fiduciaries.

13. Digital Office
Definition:
An office that uses online mechanisms for proceedings, from receipt of complaints to disposal.
Illustrations:
1. A grievance filed digitally with the Data Protection Board is processed in a Digital Office.
2. Appeals and hearings conducted via video conferencing represent a Digital Office.

14. Digital Personal Data
Definition:
Personal data in digital form.
Illustrations:
1. A customer’s name and contact details stored in a cloud database represent Digital Personal Data.
2. A scanned copy of a government ID uploaded to an e-commerce platform is Digital Personal Data.
Comparison:
Specifically refers to data in digital form, a narrower concept than GDPR’s “Personal Data,” which includes manual records.

15. Gain
Definition:
Includes:
1. A gain in property or supply of services (temporary or permanent).
2. An opportunity to earn or gain a financial advantage other than legitimate remuneration.
Illustrations:
1. Unauthorized access to a payment system leading to fraudulent transfers constitutes Gain.
2. Using personal data to secure unlawful contracts represents Gain.
Comparison:
A unique term under DPDPA; GDPR focuses on “lawful processing” rather than quantifying gain.

16. Loss
Definition:
Includes:
1. Loss in property or interruption in service (temporary or permanent).
2. Loss of opportunity to earn or gain financial advantage other than legitimate remuneration.
Illustrations:
1. A data breach leading to downtime on a critical business system is Loss.
2. Misuse of a customer’s financial data causing monetary theft qualifies as Loss.
Comparison:
Explicitly addresses material and intangible losses, aligning with GDPR’s principles of compensation for harm.

17. Member
Definition:
A member of the Data Protection Board, including the Chairperson.
Illustrations:
1. A Member reviews and resolves grievances filed by Data Principals.
2. A Member participates in discussions about new compliance guidelines for Data Fiduciaries.

18. Notification
Definition:
A notification published in the Official Gazette, including its derivative terms “notify” and “notified.”
Illustrations:
1. A new rule regarding data localization is notified in the Gazette.
2. The government issues a notification declaring a company as a Significant Data Fiduciary.
Comparison:
Follows the standard definition under Indian statutory interpretation.

19. Person
Definition:
Includes:
1. Individuals.
2. Hindu undivided families.
3. Companies, firms, or associations.
4. The State and every other artificial juristic person.
Illustrations:
1. A private company processing personal data qualifies as a Person.
2. A trust collecting donor details for charitable purposes is also a Person.
Comparison:
Similar to the Indian Contract Act, 1872, and broader than GDPR, which focuses on natural and legal persons.

20. Personal Data
Definition:
Any data about an individual who is identifiable by or in relation to such data.
Illustrations:
1. An email address linked to an individual is Personal Data.
2. A photo uploaded by a user on a social media platform is Personal Data.
Comparison:
Aligned with GDPR but excludes pseudonymized or anonymized data unless re-identifiable.

21. Personal Data Breach
Definition:
Unauthorized processing, disclosure, acquisition, or accidental loss or alteration of personal data that compromises its confidentiality, integrity, or availability.
Illustrations:
1. A hacker stealing credit card details from a payment gateway is a Personal Data Breach.
2. Accidental deletion of a customer database by an employee constitutes a Personal Data Breach.
Comparison:
GDPR mandates reporting breaches within 72 hours; DPDPA leaves timelines to Board discretion.

22. Prescribed
Definition:
Rules prescribed under the Act.
Illustrations:
1. The government prescribes rules on grievance redressal mechanisms for Data Principals.
2. Significant Data Fiduciaries follow prescribed guidelines for appointing Data Protection Officers.

23. Proceeding
Definition:
Any action taken by the Data Protection Board under the Act.
Illustrations:
1. A hearing conducted by the Board regarding non-compliance with data protection laws is a Proceeding.
2. The issuance of penalties for repeated violations is part of a Proceeding.

24. Processing
Definition:
A wholly or partly automated operation performed on personal data, including collection, storage, structuring, retrieval, sharing, or erasure.
Illustrations:
1. An organization storing customer data in a CRM system is Processing it.
2. Sharing data with third-party vendors for targeted marketing is also Processing.
Comparison:
Broadly aligned with GDPR but focuses on digital operations.

25. She
Definition:
Refers to any individual, irrespective of gender.
Illustrations:
1. The term “she” in legal notices applies to all individuals, irrespective of their gender identity.
2. “She” used in privacy notices includes male, female, and non-binary persons.
Comparison:
A progressive inclusion unique to DPDPA, ensuring gender-neutral interpretation.

26. Significant Data Fiduciary
Definition:
A Data Fiduciary or class of Data Fiduciaries notified by the Central Government under Section 10.
Illustrations:
1. A social media giant handling millions of users is designated as a Significant Data Fiduciary.
2. A fintech company processing sensitive payment data is categorized under this definition.
Comparison:
Similar to GDPR’s focus on entities with large-scale or high-risk processing but formally classified in DPDPA.

27. Specified Purpose
Definition:
The purpose mentioned in the notice given by the Data Fiduciary to the Data Principal.
Illustrations:
1. A notice specifying that email addresses will only be used for newsletter subscriptions is a Specified Purpose.
2. Collecting phone numbers for delivery notifications is part of a Specified Purpose.

28. State
Definition:
As defined under Article 12 of the Constitution of India.
Illustrations:
1. A state government collecting personal data for welfare schemes qualifies as the State.
2. A public sector entity processing data for official purposes represents the State.

Conclusion
Section 2 of the DPDPA provides detailed and exhaustive definitions that form the foundation of the Act. These definitions ensure clarity, consistency, and comprehensiveness in application. By combining Indian jurisprudence and global standards like GDPR, DPDPA aligns with the demands of a robust data protection framework.

© 2024 Advocate (Dr.) Prashant Mali
