Section 8 DPDPA

General obligations of Data Fiduciary.


8.(1) A Data Fiduciary shall, irrespective of any agreement to the contrary or failure of a Data Principal to carry out the duties provided under this Act, be responsible for complying with the provisions of this Act and the rules made thereunder in respect of any processing undertaken by it or on its behalf by a Data Processor.
(2) A Data Fiduciary may engage, appoint, use or otherwise involve a Data Processor to process personal data on its behalf for any activity related to offering of goods or services to Data Principals only under a valid contract.
(3) Where personal data processed by a Data Fiduciary is likely to be—
(a) used to make a decision that affects the Data Principal; or
(b) disclosed to another Data Fiduciary,
the Data Fiduciary processing such personal data shall ensure its completeness, accuracy and consistency.
(4) A Data Fiduciary shall implement appropriate technical and organisational measures to ensure effective observance of the provisions of this Act and the rules made thereunder.
(5) A Data Fiduciary shall protect personal data in its possession or under its control, including in respect of any processing undertaken by it or on its behalf by a Data Processor, by taking reasonable security safeguards to prevent personal data breach.
(6) In the event of a personal data breach, the Data Fiduciary shall give the Board and each affected Data Principal, intimation of such breach in such form and manner as may be prescribed.
(7) A Data Fiduciary shall, unless retention is necessary for compliance with any law for the time being in force,—
(a) erase personal data, upon the Data Principal withdrawing her consent or as soon as it is reasonable to assume that the specified purpose is no longer being served, whichever is earlier; and
(b) cause its Data Processor to erase any personal data that was made available by the Data Fiduciary for processing to such Data Processor.

Illustrations.

(I) X, an individual, registers herself on an online marketplace operated by Y, an e-commerce service provider. X gives her consent to Y for the processing of her personal data for selling her used car. The online marketplace helps conclude the sale. Y shall no longer retain her personal data.
(II) X, an individual, decides to close her savings account with Y, a bank. Y is required by law applicable to banks to maintain the record of the identity of its clients for a period of ten years beyond closing of accounts. Since retention is necessary for compliance with law, Y shall retain X’s personal data for the said period.
(8) The purpose referred to in clause (a) of sub-section (7) shall be deemed to no longer be served, if the Data Principal does not––
(a) approach the Data Fiduciary for the performance of the specified purpose; and
(b) exercise any of her rights in relation to such processing,
for such time period as may be prescribed, and different time periods may be prescribed for different classes of Data Fiduciaries and for different purposes.
(9) A Data Fiduciary shall publish, in such manner as may be prescribed, the business contact information of a Data Protection Officer, if applicable, or a person who is able to answer on behalf of the Data Fiduciary, the questions, if any, raised by the Data Principal about the processing of her personal data.
(10) A Data Fiduciary shall establish an effective mechanism to redress the grievances of Data Principals.
(11) For the purposes of this section, it is hereby clarified that a Data Principal shall be considered as not having approached the Data Fiduciary for the performance of the specified purpose, in any period during which she has not initiated contact with the Data Fiduciary for such performance, in person or by way of communication in electronic or physical form.

Applicable DPDP Rule 2025

Rule 6: Reasonable Security Safeguards
Rule 7: Intimation of Personal Data Breach
Rule 8: Time Period for Specified Purpose to be Deemed as No Longer Being Served
Rule 9: Contact Information of Person to Answer Questions About Processing

Legal Interpretation of Section 8 of the Digital Personal Data Protection Act, 2023 (DPDPA)

1. Purpose and Scope of Section 8

Purpose: Section 8 establishes clear accountability standards for Data Fiduciaries, ensuring lawful and fair data processing practices while protecting the rights of Data Principals.

Scope: This section applies to all Data Fiduciaries and outlines obligations such as purpose limitation, data minimization, accuracy, security, retention, and transparency.

2. Alignment with Constitutional Principles and Case Laws

Right to Privacy: As recognized in Justice K.S. Puttaswamy v. Union of India (2017), privacy is a fundamental right, and data processing must adhere to principles of necessity, proportionality, and transparency.

Proportionality: The Aadhaar Case (Puttaswamy-II) emphasizes the need for proportionality in data processing, ensuring minimal intrusion.

Transparency: Cases like Anuradha Bhasin v. Union of India (2020) highlight the importance of fairness and transparency in decision-making, applicable here for data practices.

3. Practical Examples and Illustrations

  • Purpose Limitation: An e-commerce platform uses customer data solely for delivering goods, not for unsolicited marketing.
  • Data Minimization: A job portal collects only necessary data, like qualifications, avoiding sensitive personal details.
  • Accuracy: Banks periodically update KYC details to ensure financial records are accurate.
  • Security: Health-tech companies encrypt patient data to prevent unauthorized access.
  • Retention Restrictions: Organizations delete employee data 90 days post-resignation, avoiding unnecessary retention risks.
  • Transparency: A food delivery app clearly explains data usage policies in its terms and conditions.
  • Children’s Data: Gaming apps seek parental consent before collecting data from minors.

4. Implications for Data Fiduciaries and Data Principals

For Data Fiduciaries:

  • Accountability: Implement measures to comply with Section 8 obligations.
  • Transparency: Ensure clear communication with Data Principals.
  • Compliance Costs: Adopt security measures, audit practices, and provide employee training.

For Data Principals:

  • Enhanced Rights: Greater control over personal data with transparency and access rights.
  • Data Protection Assurance: Reduced risk of misuse through fiduciaries’ adherence to safeguards.
  • Redress Mechanisms: Ability to lodge complaints for non-compliance.

5. Summary of Safeguards to Prevent Misuse

  • Purpose Limitation: Process data only for specific and lawful purposes.
  • Data Minimization: Limit data collection to what is strictly necessary.
  • Accuracy: Maintain accurate records and provide mechanisms for corrections.
  • Security Measures: Implement encryption, firewalls, and regular audits.
  • Retention Policies: Delete data when its purpose is fulfilled.
  • Transparency: Communicate processing policies clearly to Data Principals.
  • Special Protections for Children: Additional safeguards for processing minors’ data.
  • Documentation: Maintain records of processing activities for accountability.

Conclusion

Section 8 of the DPDPA provides a robust framework for responsible data processing. By aligning with constitutional principles and implementing safeguards, it ensures a balance between data utility and privacy protection. This fosters trust between Data Fiduciaries and Principals, ensuring lawful and fair data practices.

© 2024 Advocate (Dr.) Prashant Mali

Site maintained by Advocate (Dr.) Prashant Mali for Public in General interest
