36. The Central Government may, for the purposes of this Act, require the Board and any Data Fiduciary or intermediary to furnish such information as it may call for.
Applicable DPDP Rule 2025
Rule 22: Calling for Information from Data Fiduciary or Intermediary
Please keep in mind that this form is only for feedback and suggestions for improvement. Unfortunately, questions will not be answered.
Section 36 of the Digital Personal Data Protection Act, 2023 (India) empowers the Data Protection Board to request and obtain information necessary for performing its duties. This provision ensures that the Board can access relevant data, documents, or explanations from Data Fiduciaries, Data Processors, or other concerned parties to evaluate compliance, investigate potential violations, and enforce the Act effectively.
Section 36 grants the Data Protection Board the statutory right to demand information related to the processing of personal data. This can include technical documents, security protocols, policies, audit reports, or any other data necessary to assess compliance with the Act’s provisions.
The Board’s requests are not limited to Data Fiduciaries alone. Any entity involved in personal data handling—Data Processors, third parties, or others holding relevant details— may be required to furnish the requested information. This broad scope ensures no critical data remains inaccessible during an investigation or compliance check.
The collected information aids the Board in:
Once the Board issues a notice or request, the recipient is legally obliged to respond. Refusal, undue delay, or providing misleading information can lead to enforcement actions, including penalties. This legal enforceability ensures the Board’s investigative powers are not undermined by non-cooperation.
While Section 36 provides broad powers, the Board must exercise these powers lawfully and reasonably. The Act’s procedural safeguards, including opportunities for representation, help prevent arbitrary or excessive demands.
Scenario:
The Board receives complaints that a social media platform is not properly protecting
user data or honoring erasure requests.
Application:
The Board issues a formal request for information about the platform’s data retention
policies, encryption standards, and records of how user deletion requests are handled.
This information determines whether the platform complies with the Act’s mandates.
Scenario:
A bank reports a suspected data breach involving customer account details.
Application:
The Board requests security audit reports, incident response plans, system access logs,
and vendor contracts to assess if the bank failed to implement reasonable security safeguards.
Scenario:
The Board wants to understand how EdTech companies handle children’s personal data.
Application:
It requests information from multiple EdTech providers about their age verification,
parental consent methods, and targeted advertising policies. The Board can then identify
common shortcomings and issue sector-wide guidance.
Empowering the Board’s Oversight Role:
Section 36 reinforces the Board’s capability as an effective regulator. It can uncover
hidden lapses and maintain accountability without relying solely on complaints or voluntary disclosures.
Deterrent Against Non-Compliance:
Knowing that the Board can scrutinize internal practices at any time encourages
organizations to maintain stronger compliance measures proactively.
Facilitating Transparency and Trust:
Access to information ensures regulators can act transparently and effectively,
boosting trust among consumers, businesses, and international stakeholders.
Section 36 of the DPDP Act, 2023 is a fundamental enforcement tool empowering the Data Protection Board to access crucial information needed for oversight. By compelling cooperation from Data Fiduciaries, Data Processors, and others, this provision enhances the Board’s ability to detect non-compliance, foster accountability, and support a trustworthy digital ecosystem.
© 2024 Advocate (Dr.) Prashant Mali