Rule 5
Registration, Accountability and Obligations of a Consent Manager
[u/s 6(8), 6(9)]
| No | Description |
|---|---|
| (1) | Registration of a Consent Manager with the Board shall be subject to fulfilment of the following conditions, namely: |
| | (a) The Consent Manager shall be a company other than a foreign company. |
| | (b) The directors, key managerial personnel and senior management of the Consent Manager shall be individuals with a general reputation and record of fairness and integrity. |
| | (c) In the discharge of its obligations as a Consent Manager, it shall at all times: (i) act in a fiduciary capacity in relation to the Data Principal; (ii) avoid conflict of interest with Data Fiduciaries, including in respect of its promoters and key managerial personnel; and (iii) ensure that measures are in place to avoid conflicts of interest between its directors, key managerial personnel and senior management and Data Fiduciaries on account of any directorships held, financial interest, employment or beneficial ownership in Data Fiduciaries or any material pecuniary relationship with them. |
| | (d) Publish on her website or app or both, as the case may be, information regarding: (i) the promoters, directors and key managerial personnel of the company; (ii) every person who holds shares in excess of two per cent of the shareholding of the company; (iii) every body corporate in whose shareholding any promoter, director or key managerial personnel of the Consent Manager holds shares in excess of two per cent; and (iv) such other information as the Board may direct the Consent Manager to disclose in the interests of transparency. |
| | (e) Net worth of not less than two crore rupees. |
| | (f) Independent certification that (i) the interoperable platform that enables the Data Principal to give, manage, review and withdraw her consent is consistent with such data protection standards and assurance framework as the Board may specify; and (ii) the Consent Manager has implemented appropriate technical and organisational measures to ensure effective observance of the obligations under sub-rule (3); and |
| | (g) Such other conditions as the Board may specify. |
| (2) | Information under clause (d) of sub-rule (1) shall, in relation to a: |
| | (a) app, be published in an easily accessible manner on the home screen of the app or on an app screen directly accessible from the home screen; and |
| | (b) website, be published in an easily accessible manner on the home page of the website or on a web page directly accessible from the home page. |
| (3) | Every Consent Manager shall have the following obligations, namely: |
| | (a) to establish an accessible, transparent and interoperable platform that enables a Data Principal to give, manage, review and withdraw her consent, to herself obtain her personal data from a Data Fiduciary, or to ensure that such personal details are shared with another Data Fiduciary of her choice, without the Consent Manager being in a position to access that personal data; |
| | (b) to maintain a digital record of, and offer to a Data Principal digital access to, (i) every request for consent approved or rejected by her and (ii) every Data Fiduciary who has shared her personal data in response to a request for consent approved by her; |
| | (c) to retain the digital record referred to in clause (b) for a period of seven years, unless the Data Principal and the Consent Manager agree to retain it for a longer period or compliance with any law for the time being in force requires retention; |
| | (d) to make the digital record referred to in clause (b) available to the Data Principal, on her request, in a machine-readable electronic form, in accordance with the terms of service of the Consent Manager; |
| | (e) to develop and maintain a website or app as the primary means through which a Data Principal may access the services provided by the Consent Manager; |
| | (f) to not sub-contract or assign the performance of any of its obligations as a Consent Manager; |
| | (g) to take reasonable security safeguards to prevent personal data breach; and |
| | (h) to have in place effective audit mechanisms to review, monitor and evaluate technical and organisational controls, systems, procedures and safeguards, and to report the outcome of such audit to the Board periodically and on such other occasions as the Board may direct. |
| (4) | Where the Board is of the view that a Consent Manager is not adhering to the conditions under sub-rule (1) or has not fulfilled the obligations under sub-rule (3), the Board may, after giving an opportunity of being heard, inform the Consent Manager of such non-adherence and direct that the Consent Manager take measures to ensure adherence. |
| (5) | The Board may, if it is satisfied that it is necessary so to do in the interests of Data Principals, after giving the Consent Manager an opportunity of being heard, by order, for reasons to be recorded in writing: |
| | (a) suspend or cancel the registration of such Consent Manager; and |
| | (b) give such directions as it may deem fit to that Consent Manager, to protect the interests of the Data Principals. |
| (6) | The Board may, for the purposes of this rule, require the Consent Manager to furnish such information as the Board may call for. |
| (7) | In this rule: |
| | (a) the expression "body corporate" shall include a company, a body corporate as defined under clause (11) of Section 2 of the Companies Act, 2013 (18 of 2013), a firm, a financial institution or a scheduled bank or a public sector enterprise established or constituted by or under any Central Act or State Act, and any other incorporated association of persons or body of individuals; |
| | (b) the expressions "company", "director", "foreign company" and "key managerial personnel" shall have the same meanings as are respectively assigned to them in the Companies Act, 2013 (18 of 2013); |
| | (c) the expression "net worth" shall mean the aggregate value of total assets as reduced by the value of liabilities of the Consent Manager as appearing in her books of accounts; and |
| | (d) the expressions "promoter" and "senior management" shall have the same meanings as are assigned to them in the Companies Act, 2013 (18 of 2013). |
P.S.: Extracts from the DPDPA on Consent Managers, Section 6:

(7) The Data Principal may give, manage, review or withdraw her consent to the Data Fiduciary through a Consent Manager.

(8) The Consent Manager shall be accountable to the Data Principal and shall act on her behalf in such manner and subject to such obligations as may be prescribed.

(9) Every Consent Manager shall be registered with the Board in such manner and subject to such technical, operational, financial and other conditions as may be prescribed.

(10) Where a consent given by the Data Principal is the basis of processing of personal data and a question arises in this regard in a proceeding, the Data Fiduciary shall be obliged to prove that a notice was given by her to the Data Principal and consent was given by such Data Principal to the Data Fiduciary in accordance with the provisions of this Act and the rules made thereunder.