Rule 5

5. Processing for provision or issue of subsidy, benefit, service, certificate, licence or permit by State and its instrumentalities.—

(1) Processing the personal data of a Data Principal under this rule shall be done following the standards specified in Second Schedule.

(2) In this rule and the Second Schedule, the reference to any subsidy, benefit, service, certificate, licence or permit that is provided or issued—

(a) under law shall be construed as a reference to provision or issuance of such subsidy, benefit, service, certificate, licence or permit in exercise of any power of or the performance of any function by the State or any of its instrumentalities under any law for the time being in force;

(b) under policy shall be construed as a reference to provision or issuance of such subsidy, benefit, service, certificate, licence or permit under any policy or instruction issued by the Central Government or a State Government in exercise of its executive power; and

(c) using public funds shall be construed as a reference to provision or issuance of such subsidy, benefit, service, certificate, licence or permit by incurring expenditure on the same from, or with accrual of receipts to, —

(i) in case of the Central Government or a State Government, the Consolidated Fund of India or the Consolidated Fund of the State or the public account of India or the public account of the State; or

(ii) in case of any local or other authority within the territory of India or under the control of the Government of India or of any State, the fund or funds of such authority.


 

SECOND SCHEDULE

[See rules 5(1) and 16]

Standards for processing of personal data by State and its instrumentalities under clause (b) of section 7 and for processing of personal data necessary for the purposes specified in clause (b) of sub-section (2) of section 17

Implementation of appropriate technical and organisational measures to ensure effective observance of the following, in accordance with applicable law, for the processing of personal data, namely:—

(a) Processing is carried out in a lawful manner;

(b) Processing is done for the uses specified in clause (b) of section 7 of the Act or for the purposes specified in clause (b) of sub-section (2) of section 17 of the Act, as the case may be; (Ed: (b) necessary for research, archiving or statistical purposes if the personal data is not to be used to take any decision specific to a Data Principal and such processing is carried on in accordance with such standards as may be prescribed.)

(c) Processing is limited to such personal data as is necessary for such uses or achieving such purposes, as the case may be;

(d) Processing is done while making reasonable efforts to ensure the completeness, accuracy and consistency of personal data; 

(e) Personal data is retained till required for such uses or achieving such purposes, as the case may be, or for compliance with any law for the time being in force;

(f) Reasonable security safeguards to prevent personal data breach to protect personal data in the possession or under control of the Data Fiduciary, including in respect of any processing undertaken by it or on its behalf by a Data Processor;

(g) Where processing is to be done under clause (b) of section 7 of the Act, (Ed: for any subsidy, benefit, service, certificate, licence or permit) the same is undertaken while giving the Data Principal an intimation in respect of the same and—

(i) giving the business contact information of a person who is able to answer on behalf of the Data Fiduciary the questions of the Data Principal about the processing of her personal data;

(ii) specifying the particular communication link for accessing the website or app, or both, of such Data Fiduciary, and a description of other means, if any, using which such Data Principal may exercise her rights under the Act; and

(iii) is carried on in a manner consistent with such other standards as may be applicable to the processing of such personal data under policy issued by the Central Government or any law for the time being in force; and

(h) Accountability of the person who alone or in conjunction with other persons determines the purpose and means of processing of personal data, for effective observance of these standards.