Section 5 DPDPA

Notice.


5.(1) Every request made to a Data Principal under section 6 for consent shall be accompanied or preceded by a notice given by the Data Fiduciary to the Data Principal, informing her,—
(i) the personal data and the purpose for which the same is proposed to be processed;
(ii) the manner in which she may exercise her rights under sub-section (4) of section 6 and section 13; and
(iii) the manner in which the Data Principal may make a complaint to the Board, in such manner and as may be prescribed.

Illustration.
X, an individual, opens a bank account using the mobile app or website of Y, a bank. To complete the Know-Your-Customer requirements under law for opening of bank account, X opts for processing of her personal data by Y in a live, video-based customer identification process. Y shall accompany or precede the request for the personal data with notice to X, describing the personal data and the purpose of its processing.

(2) Where a Data Principal has given her consent for the processing of her personal data before the date of commencement of this Act,—
(a) the Data Fiduciary shall, as soon as it is reasonably practicable, give to the Data Principal a notice informing her,––
(i) the personal data and the purpose for which the same has been processed;
(ii) the manner in which she may exercise her rights under sub-section (4) of section 6 and section 13; and
(iii) the manner in which the Data Principal may make a complaint to the Board, in such manner and as may be prescribed.
(b) the Data Fiduciary may continue to process the personal data until and unless the Data Principal withdraws her consent.

Illustration.
X, an individual, gave her consent to the processing of her personal data for an online shopping app or website operated by Y, an e-commerce service provider, before the commencement of this Act. Upon commencement of the Act, Y shall, as soon as practicable, give through email, in-app notification or other effective method information to X, describing the personal data and the purpose of its processing.

(3) The Data Fiduciary shall give the Data Principal the option to access the contents of the notice referred to in sub-sections (1) and (2) in English or any language specified in the Eighth Schedule to the Constitution.

Applicable DPDP Rule 2025

Rule 3: Notice given by Data Fiduciary to Data Principal

Section 6 DPDPA →
DPDPA
Table of contents


Report error

Legal Interpretation of the

Section 5 of the Digital Personal Data Protection Act, 2023 (DPDPA)

1. Purpose and Scope of Section 5

Purpose: To ensure transparency and empower Data Principals to make informed decisions about their personal data through clear notices.

Scope: Applicable to all instances where personal data is collected directly or indirectly. Notices must include details about the purpose, data type, rights, and grievance mechanisms.

2. Alignment with Constitutional Principles and Case Laws

Right to Privacy: Aligns with the fundamental right to privacy as recognized in Justice K.S. Puttaswamy v. Union of India (2017), ensuring informed consent.

Transparency and Fairness: Reflects the principles of transparency upheld in Anuradha Bhasin v. Union of India (2020).

Proportionality: Ensures notices are proportional to the data being collected, following guidelines from the Aadhaar Case (*Puttaswamy-II*).

3. Practical Examples and Illustrations

  • E-Commerce: A platform informs users, “We collect your name and address to deliver your order.”
  • Healthcare: A hospital provides a notice: “Your medical history will be used for treatment purposes only.”
  • Social Media: An app states, “We collect location data to personalize your feed. You can disable this feature in settings.”
  • Finance: A bank notifies users: “KYC details are required for identity verification under the Prevention of Money Laundering Act.”

4. Implications for Data Fiduciaries and Data Principals

For Data Fiduciaries:

  • Transparency Obligation: Create detailed, user-friendly notices.
  • Legal Compliance: Avoid penalties by adhering to Section 5 requirements.
  • Operational Challenge: Maintain updated notices for varied data processing activities.

For Data Principals:

  • Informed Decisions: Understand how their data will be used.
  • Accountability: Hold Data Fiduciaries accountable for misuse.
  • Trust Building: Transparent notices enhance trust in data practices.

5. Summary of Safeguards to Prevent Misuse

  • Clear Language: Notices must be simple and comprehensible.
  • Comprehensive Content: Include purpose, rights, and grievance mechanisms.
  • Accessibility: Ensure notices are easily accessible across platforms.
  • Regular Updates: Reflect any changes in data processing practices.
  • Regulatory Oversight: Maintain records of notices for compliance audits.
  • Grievance Mechanisms: Provide clear contact details for complaints.

Conclusion

Section 5 of the DPDPA establishes a strong foundation for transparency and accountability in data collection. By empowering Data Principals with clear information, it upholds the principles of privacy and fairness while fostering trust and compliance in data processing activities.

© 2024 Advocate (Dr.) Prashant Mali