WÜRTH ELEKTRONIK INDIA PVT LTD WEBSITE CONTENT LEGAL FRAMEWORK

Personal Data Protection Act (Bill)

8. Notice

(1) The data fiduciary shall provide the data principal with the following information, no later than at the time of collection of the personal data or, if the data is not collected from the data principal, as soon as is reasonably practicable

  • (a) the purposes for which the personal data is to be processed;
  • (b) the categories of personal data being collected;
  • (c) the identity and contact details of the data fiduciary and the contact details of the data protection officer, if applicable;
  • (d) the right of the data principal to withdraw such consent, and the procedure for such withdrawal, if the personal data is intended to be processed on the basis of consent;
  • (e) the basis for such processing, and the consequences of the failure to provide such personal data, if the processing of the personal data is based on the grounds in section 12 to section 17, and section 18 to section 22;
  • (f) the source of such collection, if the personal data is not collected from the data principal;
  • (g) the individuals or entities including other data fiduciaries or data processors, with whom such personal data may be shared, if applicable;
  • (h) information regarding any cross-border transfer of the personal data that the data fiduciary intends to carry out, if applicable;
  • (i) the period for which the personal data will be retained in terms of section 10 or where such period is not known, the criteria for determining such period;
  • (j) the existence of and procedure for the exercise of data principal rights mentioned in Chapter VI and any related contact details for the same;
  • (k) the procedure for grievance redressal under section 39;
  • (l) the existence of a right to file complaints to the Authority;
  • (m) where applicable, any rating in the form of a data trust score that may be assigned to the data fiduciary under section 35; and
  • (n) any other information as may be specified by the Authority.

(2) The data fiduciary shall provide the information as required under this section to the data principal in a clear and concise manner that is easily comprehensible to a reasonable person and in multiple languages where necessary and practicable.

(3) Sub-section (1) shall not apply where the provision of notice under this section would substantially prejudice the purpose of processing of personal data under sections 15 or 21 of this Act.

Section 24

Right to confirmation and access

(1) The data principal shall have the right to obtain from the data fiduciary

  • (a) confirmation whether the data fiduciary is processing or has processed personal data of the data principal;
  • (b) a brief summary of the personal data of the data principal being processed or that has been processed by the data fiduciary;
  • (c) a brief summary of processing activities undertaken by the data fiduciary with respect to the personal data of the data principal, including any information provided in the notice under section 8 in relation to such processing activities.

(2) The data fiduciary shall provide the information as required under this section to the data principal in a clear and concise manner that is easily comprehensible to a reasonable person.

Section 25

Right to correction, etc.

(1) Where necessary, having regard to the purposes for which personal data is being processed, the data principal shall have the right to obtain from the data fiduciary processing personal data of the data principal

  • (a) the correction of inaccurate or misleading personal data;
  • (b) the completion of incomplete personal data; and
  • (c) the updating of personal data that is out of date.

(2) Where the data fiduciary receives a request under sub-section (1), and the data fiduciary does not agree with the need for such correction, completion or updating having regard to the purposes of processing, the data fiduciary shall provide the data principal with adequate justification in writing for rejecting the application.

(3) Where the data principal is not satisfied with the justification provided by the data fiduciary under sub-section (2), the data principal may require that the data fiduciary take reasonable steps to indicate, alongside the relevant personal data, that the same is disputed by the data principal.

(4) Where the data fiduciary corrects, completes, or updates personal data in accordance with sub-section (1), the data fiduciary shall also take reasonable steps to notify all relevant entities or individuals to whom such personal data may have been disclosed regarding the relevant correction, completion or updating, particularly where such action would have an impact on the rights and interests of the data principal or on decisions made regarding them.

Section 29

29. Privacy by Design

Every data fiduciary shall implement policies and measures to ensure that

  • (a) managerial, organisational, business practices and technical systems are designed in a manner to anticipate, identify and avoid harm to the data principal;
  • (b) the obligations mentioned in Chapter II are embedded in organisational and business practices;
  • (c) technology used in the processing of personal data is in accordance with commercially accepted or certified standards;
  • (d) legitimate interests of businesses including any innovation is achieved without compromising privacy interests;
  • (e) privacy is protected throughout processing from the point of collection to deletion of personal data;
  • (f) processing of personal data is carried out in a transparent manner; and
  • (g) the interest of the data principal is accounted for at every stage of processing of personal data.

Section 30

30. Transparency

(1) The data fiduciary shall take reasonable steps to maintain transparency regarding its general practices related to processing personal data and shall make the following information available in an easily accessible form as may be specified—

  • (a) the categories of personal data generally collected and the manner of such collection;
  • (b) the purposes for which personal data is generally processed;
  • (c) any categories of personal data processed in exceptional situations or any exceptional purposes of processing that create a risk of significant harm;
  • (d) the existence of and procedure for the exercise of data principal rights mentioned in Chapter VI, and any related contact details for the same;
  • (e) the existence of a right to file complaints to the Authority;
  • (f) where applicable, any rating in the form of a data trust score that may be accorded to the data fiduciary under section 35;
  • (g) where applicable, information regarding cross-border transfers of personal data that the data fiduciary generally carries out; and
  • (h) any other information as may be specified by the Authority.

(2) The data fiduciary shall notify the data principal of important operations in the processing of personal data related to the data principal through periodic notifications in such manner as may be specified.

Information Technology Act

Section 72

Penalty for Breach of confidentiality and privacy.–Save as otherwise provided in this Act or any other law for the time being in force, if any person who, in pursuance of any of the powers conferred under this Act, rules or regulations made thereunder, has secured access to any electronic record, book, register, correspondence, information, document or other material without the consent of the person concerned discloses such electronic record, book, register, correspondence, information, document or other material to any other person shall be punished with imprisonment for a term which may extend to two years, or with fine which may extend to one lakh rupees, or with both.

Section 72A

Punishment for disclosure of information in breach of lawful contract.–Save as otherwise provided in this Act or any other law for the time being in force, any person including an intermediary who, while providing services under the terms of lawful contract, has secured access to any material containing personal information about another person, with the intent to cause or knowing that he is likely to cause wrongful loss or wrongful gain discloses, without the consent of the person concerned, or in breach of a lawful contract, such material to any other person, shall be punished with imprisonment for a term which may extend to three years, or with fine which may extend to five lakh rupees, or with both.