
SCHEDULE I

Conditions of registration of Consent Manager


PART A Conditions of registration of Consent Manager
1. The applicant is a company incorporated in India.
2. The applicant has sufficient capacity, including technical, operational and financial capacity, to fulfil its obligations as a Consent Manager.
3. The financial condition and the general character of management of the applicant are sound.
4. The net worth of the applicant is not less than two crore rupees.
5. The volume of business likely to be available to and the capital structure and earning prospects of the applicant are adequate.
6. The directors, key managerial personnel and senior management of the applicant company are individuals with a general reputation and record of fairness and integrity.
7. The memorandum of association and articles of association of the applicant company contain provisions requiring that the obligations under items 9 and 10 of Part B are adhered to, that policies and procedures are in place to ensure such adherence, and that such provisions may be amended only with the previous approval of the Board.
8. The operations proposed to be undertaken by the applicant are in the interests of Data Principals.
9. It is independently certified that—
(a) the interoperable platform of the applicant to enable the Data Principal to give, manage, review and withdraw her consent is consistent with such data protection standards and assurance framework as may be published by the Board on its website from time to time; and
(b) appropriate technical and organisational measures are in place to ensure adherence to such standards and framework and effective observance of the obligations under item 11 of Part B.
PART B Obligations of Consent Manager
1. The Consent Manager shall enable a Data Principal using its platform to give consent to the processing of her personal data by a Data Fiduciary onboarded onto such platform either directly to such Data Fiduciary or through another Data Fiduciary onboarded onto such platform, who maintains such personal data with the consent of that Data Principal.
Illustration.
Individuals are enabled to give, manage, review and withdraw their consent to the processing of their personal data through P, a platform maintained by a Consent Manager. X, an individual, is a registered user on P. B1 and B2 are banks onboarded onto P.
Case 1: B1 sends a request on P to X for consent to process personal data contained in her bank account statement. X maintains the bank account statement as a digital record in her digital locker. X uses P to directly give her consent to B1, and proceeds to give B1 access to her bank account statement.
Case 2: B1 sends a request on P to X for consent to process personal data contained in her bank account statement. X maintains her bank account with B2. X uses P to route her consent through B2 to B1, while also digitally instructing B2 to send her bank account statement to B1. B2 proceeds to send the bank account statement to B1.
2. The Consent Manager shall ensure that the manner of making available the personal data or its sharing is such that the contents thereof are not readable by it.
3. The Consent Manager shall maintain on its platform a record of the following, namely:—
(a) Consents given, denied or withdrawn by her;
(b) Notices preceding or accompanying requests for consent; and
(c) Sharing of her personal data with a transferee Data Fiduciary.
4. The Consent Manager—
(a) shall give the Data Principal using such platform access to such record;
(b) shall, on the request of the Data Principal and in accordance with its terms of service, make available to her the information contained in such record, in machine-readable form; and
(c) shall maintain such record for at least seven years, or for such longer period as the Data Principal and Consent Manager may agree upon or as may be required by law.
5. The Consent Manager shall develop and maintain a website or app, or both, as the primary means through which a Data Principal may access the services provided by the Consent Manager.
6. The Consent Manager shall not sub-contract or assign the performance of any of its obligations under the Act and these rules.
7. The Consent Manager shall take reasonable security safeguards to prevent personal data breach.
8. The Consent Manager shall act in a fiduciary capacity in relation to the Data Principal.
9. The Consent Manager shall avoid conflict of interest with Data Fiduciaries, including in respect of their promoters and key managerial personnel.
10. The Consent Manager shall have in place measures to ensure that no conflict of interest arises on account of its directors, key managerial personnel and senior management holding a directorship, financial interest, employment or beneficial ownership in Data Fiduciaries, or having a material pecuniary relationship with them.
11. The Consent Manager shall publish in an easily accessible manner, on its website or app, or both, as the case may be, information regarding—
(a) the promoters, directors, key managerial personnel and senior management of the company registered as Consent Manager;
(b) every person who holds shares in excess of two per cent of the shareholding of the company registered as Consent Manager;
(c) every body corporate in whose shareholding any promoter, director, key managerial personnel or senior management of the Consent Manager holds shares in excess of two per cent. as on the first day of the preceding calendar month; and
(d) such other information as the Board may direct the Consent Manager to disclose in the interests of transparency.
12. The Consent Manager shall have in place effective audit mechanisms to review, monitor, evaluate and report the outcome of such audit to the Board, periodically and on such other occasions as the Board may direct, in respect of—
(a) technical and organisational controls, systems, procedures and safeguards;
(b) continued fulfilment of the conditions of registration; and
(c) adherence to its obligations under the Act and these rules.
13. The control of the company registered as the Consent Manager shall not be transferred by way of sale, merger or otherwise, except with the previous approval of the Board and subject to fulfilment of such conditions as the Board may specify in this behalf.
Note: In this Schedule,—
(a) the expression “body corporate” shall include a company, a body corporate as defined under clause (11) of section 2 of the Companies Act, 2013 (18 of 2013), a firm, a financial institution, a scheduled bank or a public sector enterprise established or constituted by or under any Central Act, Provincial Act or State Act, and any other incorporated association of persons or body of individuals;
(b) the expressions “company”, “control”, “director” and “key managerial personnel” shall have the same meanings as are respectively assigned to them in the Companies Act, 2013 (18 of 2013);
(c) the expression “net worth” shall mean the aggregate value of total assets as reduced by the value of liabilities of the Consent Manager as appearing in its books of accounts; and
(d) the expressions “promoter” and “senior management” shall have the same meanings as are respectively assigned to them in the Companies Act, 2013 (18 of 2013).

Site maintained by Advocate (Dr.) Prashant Mali for Public in General interest
