India's Digital Personal Data Protection Act 2023 vs. the GDPR: A Comparison

December 2023

Organisations doing business in India should note differences between GDPR and DPDPA requirements, including potential programmes that may need uplift to ensure compliance.

The Indian parliament enacted India's first comprehensive data protection law on 11 August 2023, namely the Digital Personal Data Protection Act 2023 (the DPDPA). The DPDPA will replace India's existing patchwork of data protection rules[1] and is expected to trigger significant changes in how companies subject to Indian data protection laws process personal data. However, the law is not yet operational; no effective date has been established and there is no official timeline for the overall implementation. Stakeholders expect the law to come into force in a phased manner in the next six to 12 months, after: (i) an independent agency responsible for enforcing the DPDPA, the Data Protection Board of India (the Data Protection Board), is established; and (ii) the Indian government has framed the subordinate rules (which are expected to provide interpretative guidance on procedural steps and enforcement methodology). The DPDPA is "umbrella" legislation, as it sets out only a high-level framework for India's new data protection regime, with supplementary rules expected in due course. Though the new law is not yet operational, companies subject to the new law are advised to begin assessing potential practical implications at an early stage.

The DPDPA is triggered when digital personal data is processed within India. The law also has an extraterritorial effect in that it applies to digital personal data processing outside of India if such processing relates to the offering of goods or services to individuals within India (known as "data principals", equivalent to "data subjects" under the EU and UK General Data Protection Regulations (the GDPR)). The DPDPA follows broadly similar principles to those set out in the GDPR and specifies rules for data fiduciaries (equivalent to "controllers" under the GDPR) and data processors, and rights for data principals. Penalties for non-compliance under the DPDPA range from INR 500 million (€5.7 million) to INR 2.5 billion (€28 million). The Data Protection Board is also empowered to impose urgent remedial or mitigation measures in the event of a personal data breach.

Practical Impact on Existing Privacy Compliance Programmes

The DPDPA signals a major change in the way personal data is processed in India. Organisations operating in or targeting individuals in India should consider pre-emptive steps to bring their privacy compliance in line with the DPDPA, including as regards data collection and consent mapping practices. Key differences between the DPDPA and the GDPR include:

Scope: The DPDPA regulates the processing of digital personal data, i.e., personal data collected in digital form, or collected in non-digital form and subsequently digitised. Whilst the DPDPA's personal data definition is similar to that provided under the GDPR, it excludes from its scope personal data made publicly available by the data principal or by any other person under a legal obligation to make that data publicly available.

Legal basis for processing of personal data: The DPDPA provides that data fiduciaries may lawfully process personal data only with the consent of the data principals or for certain specified "legitimate uses". Such legitimate uses include: processing of personal data voluntarily shared by the data principal for a specified purpose (provided that the data principal does not object); processing to comply with the law or court orders; processing for employment purposes; or processing to respond to medical emergencies, epidemics, or disasters. The DPDPA's consent standard is similar to that of the GDPR, requiring consent to be "free, specific, informed, unconditional and unambiguous with a clear affirmative action" and, unlike the GDPR, it does not permit processing under the lawful bases of contractual necessity or legitimate interests.

Data principal rights: Whilst data principals will have certain rights similar to those under the GDPR for data subjects (i.e., rights of access, correction, or erasure), they will also benefit from a number of new rights which are unique to the DPDPA, i.e., the right to a readily available and effective means of grievance redressal (e.g., via a grievance redressal officer), and the right to nominate an individual who will be able to exercise the rights of the data principal in the event of death or incapacity of the data principal.

Cross-border data transfers: The DPDPA permits cross-border data transfers to jurisdictions outside of India other than those jurisdictions specifically identified by the Indian government on its list of countries to which data transfers are restricted (to be published); otherwise, the DPDPA does not require the implementation of a transfer mechanism.

Data breach notification: Data fiduciaries are required to notify personal data breaches to the newly created Data Protection Board and to each affected data principal, regardless of the magnitude of the breach or the risk of harm. Further, the DPDPA itself does not prescribe specific deadlines for reporting; the form and manner of notification are left to the subordinate rules.

Significant data fiduciaries: The Indian government will have the power to classify certain data fiduciaries as significant data fiduciaries based on factors such as the sensitivity and volume of data processed, the impact of processing on the rights of data principals, and the impact on the sovereignty, security, and integrity of India. These significant data fiduciaries will have additional obligations, including the appointment of an independent auditor and undertaking data protection impact assessments.

The table below compares the requirements of the GDPR and the DPDPA in further detail, highlighting potential gaps in GDPR-based compliance programmes and outlining possible steps to uplift such programmes for DPDPA compliance purposes. As additional rules to supplement the DPDPA provisions are issued, organisations may need to adjust their compliance approaches accordingly.

The table is colour-coded as below, for ease of reference; each "Key gaps" entry begins with one of the following categories:

Minimal difference: The requirement under the DPDPA is materially consistent with the requirement under the GDPR; no further action is required to comply with the DPDPA.

No-action gaps: The DPDPA is generally consistent with the GDPR, but with noticeable differences, or the GDPR standard is higher or more comprehensive; additional compliance actions will not be required to comply with the DPDPA.

Manageable gaps: The DPDPA is generally consistent with the GDPR, but with noticeable differences; minor additional compliance actions will need to be taken to comply with the DPDPA.

Material gaps: The DPDPA is materially different from the GDPR, or there are elements under one law that are not found under the other; significant additional compliance actions will need to be taken to comply with the DPDPA.

Table columns: # | Issue | Does the GDPR cover this issue? (Scope) | Does the DPDPA cover this issue? (Scope) | Key gaps[2] | Potential step(s) for DPDPA compliance

Scope of Application

1. Personal Data

GDPR: Any information relating to an identified or identifiable natural person.

DPDPA: Any data about an individual who is identifiable by, or in relation to, such data. The DPDPA applies only to "digital personal data", which means personal data collected in digital form and personal data collected or stored in a non-digital form that is subsequently digitised. Personal data that is made publicly available by the data principal or pursuant to a legal requirement is out of scope of the DPDPA.

Key gaps: No-action gaps. The DPDPA applies only to "digital personal data", whereas the GDPR applies to personal data even if that data is non-digital. In addition, personal data that is made publicly available is exempt from DPDPA obligations.

Potential step(s) for DPDPA compliance: N/A.

2. Sensitive/Special Category Data

GDPR: Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, or data concerning a natural person's sex life or sexual orientation.

DPDPA: The DPDPA does not differentiate between personal data and sensitive personal data/special categories of data.

Key gaps: No-action gaps. No additional compliance obligations will need to be undertaken to comply with the DPDPA. GDPR-compliant controllers are likely to meet the requirements under the DPDPA, as a higher degree of protection is offered to "special categories of personal data" under the GDPR.

Potential step(s) for DPDPA compliance: N/A.


3. Data Subjects

GDPR: The identified or identifiable natural person to whom personal data relates.

DPDPA: Data Principal: the individual to whom the personal data relates and, if such individual (i) is a child, the concept includes the parent/lawful guardian of such child; and (ii) is a person with a disability, the concept includes the lawful guardian acting on behalf of such an individual.

Key gaps: Minimal difference.

Potential step(s) for DPDPA compliance: N/A.

4. Data Controller

GDPR: The natural or legal person, public authority, agency, or other body that, alone or jointly with others, determines the purposes and means of processing personal data.

DPDPA: Data Fiduciary (i.e., data controller): any person/entity who, alone or in conjunction with other persons, determines the purpose and means of processing an individual's personal data.

Key gaps: Minimal difference.

Potential step(s) for DPDPA compliance: N/A.

5. Significant Data Fiduciary (SDF)

GDPR: There is no equivalent concept under the GDPR.

DPDPA: A data fiduciary or class of data fiduciaries designated by the Indian government based on: (a) volume and sensitivity of personal data processed; (b) risk to the rights of the data principal; (c) potential impact on the sovereignty and integrity of India; (d) risk to electoral democracy; (e) security of the State; and (f) public order.

Key gaps: Material gaps. The DPDPA identifies a class of data fiduciaries as SDFs based on the aforesaid parameters, and applies additional obligations to those SDFs. There is no equivalent concept under the GDPR.

Potential step(s) for DPDPA compliance: If classified as an SDF by the Indian government, additional compliance obligations will apply, such as appointing a resident data protection officer (DPO) who reports to the board of directors, appointing an independent data auditor to carry out periodic audits, carrying out periodic DPIAs, and deploying risk mitigation measures.


6. Data Processor

GDPR: A natural or legal person, public authority, agency, or other body that processes personal data on behalf of the controller.

DPDPA: A person who processes personal data on behalf of the data fiduciary.

Key gaps: Minimal difference.

Potential step(s) for DPDPA compliance: N/A.

7. Consent Manager

GDPR: There is no equivalent concept under the GDPR.

DPDPA: Consent managers are entities registered with the Data Protection Board under the DPDPA that act on behalf of data principals to review, provide, manage, and withdraw consent.

Key gaps: Material gaps. There is no equivalent concept under the GDPR.

Potential step(s) for DPDPA compliance: Organisations may be required to either: (i) register as consent managers (subject to additional guidance provided by the rules framed pursuant to the DPDPA), or (ii) give data principals the option (through their user interface) to nominate a registered consent manager on their platform, app, website, etc.

8. Processing

GDPR: Any operation or set of operations that is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction.

DPDPA: A wholly or partly automated operation or set of operations performed on digital personal data, including operations such as collection, recording, organisation, structuring, storage, adaptation, retrieval, use, alignment, combination, indexing, sharing, disclosure by transmission, dissemination, or otherwise making available, restriction, erasure, or destruction.

Key gaps: Minimal difference.

Potential step(s) for DPDPA compliance: N/A.


9. Processing Children's Data

GDPR: The GDPR contains provisions to enhance the protection of children's personal data:
- if transparency information is intended to be read by a child, it should be in clear and plain language that is easily comprehensible for the child; and
- if an information society service is offered to a child, consent should be obtained from a parent/guardian, subject to certain age criteria.
The age of majority is not defined under the GDPR, and it varies across EU Member States. However, certain provisions are applicable to children under the age of 16.

DPDPA: When processing the personal data of a child (a person under the age of 18) or of a person with a disability, verifiable consent of the parent or the lawful guardian of such child/person with a disability must be obtained. With respect to children's personal data:
- do not undertake processing of personal data that is likely to cause any detrimental effect to the well-being of a child; and
- do not track or engage in behavioural monitoring of children or use targeted advertising directed at children.

Key gaps: Material gaps. The DPDPA prescribes additional obligations with respect to processing children's data. It is also pertinent that the relevant age of the child varies under the GDPR and national EU Member State and UK law implementations (i.e., 16 years or less) and the DPDPA (18 years).

Potential step(s) for DPDPA compliance: To ensure compliance with the DPDPA's obligations for processing children's data, no data processing that is detrimental to children, or that in any manner would aid targeted advertising directed at children, should be undertaken. To this end, and to prevent inadvertent processing of children's data, methods for obtaining verifiable parental consent before processing children's data (such as age-gating or multi-factor authentication) are recommended.


Transparency

10. Privacy Policy Disclosures

GDPR: Data subjects must be informed of the following at the time of collection of personal data:
- name and contact details of the data controller and local representative (if applicable);
- contact details of the Data Protection Officer;
- purposes of processing;
- lawful basis for processing and legitimate interests for processing (if applicable);
- categories of personal data obtained;
- recipients of personal data;
- details of transfers of personal data to any third countries or international organisations;
- retention periods for personal data;
- data subject rights;
- right to withdraw consent (if applicable);
- right to lodge a complaint with a supervisory authority;
- source of personal data (if personal data is not obtained from the individual it relates to);
- details of whether individuals are under a statutory or contractual obligation to provide the personal data (if applicable, and if the personal data is collected from the individual it relates to); and
- the details of the existence of automated decision-making, including profiling (if applicable).

DPDPA: A notice must be provided to data principals, either at the time of or before seeking their consent to obtain their personal data. The notice must include:
- the personal data and the purpose for which it is being processed;
- the manner in which they may exercise their rights under the DPDPA with respect to the personal data; and
- the manner in which they may make a complaint to the Data Protection Board established under the DPDPA.

Key gaps: No-action gaps. The GDPR provides a more detailed set of requirements regarding notice. Generally, the DPDPA makes it easier for GDPR-compliant controllers to process personal data with notice for consent.

Potential step(s) for DPDPA compliance: N/A.

11. Language Requirements

GDPR: Information provided to data subjects must be in clear and plain language (including the native language of the data subject, when required).

DPDPA: Data principals must be provided with an option to access the contents of a consent request in English or in any of the 22 languages specified in the Eighth Schedule of the Constitution of India.

Key gaps: Manageable gaps. Both the GDPR and the DPDPA require information provided to data subjects to be in a language they understand. Whilst the language requirements under the GDPR and the DPDPA are broadly similar, given the potential for a large number of languages (i.e., the 22 languages specified in the Indian Constitution), the practical implications of providing many language options could be significant.


Legal Basis of Processing

12. Consent

GDPR:
Consent: Any freely given, specific, informed, and unambiguous indication of the data subject's wishes by which he or she, by a statement or by clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
Explicit consent: Undefined, but must be affirmed in a clear statement and needs to specifically refer to the element of the processing that requires explicit consent.

DPDPA: Consent given by the data principal must be:
- duress-free;
- specific;
- informed;
- unconditional;
- unambiguous;
- with a clear affirmative action signifying an agreement to the processing of personal data for the specified purpose; and
- presented in clear and plain language with the option to accept such requests as per Language Requirements (see #11).

Key gaps: Minimal difference.

Potential step(s) for DPDPA compliance: N/A.

13. Contract

GDPR: Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.

DPDPA: Processing personal data for the performance of a contract is not recognised as a "legal basis for processing" under the DPDPA, which instead refers to legitimate uses. These uses include compliance with laws, ensuring the safety of a person, performance of statutory duties/functions, and employment purposes. Certain obligations of the data fiduciary under the DPDPA will not apply if the data subjects are not within the territory of India and their personal data is processed pursuant to a contract entered into with any person outside the territory of India by any person in India.

Key gaps: Material gaps. Processing personal data for the performance of a contract is not a legal basis under the DPDPA. Unless an exemption is granted by the subordinate rules that are yet to be framed, this exclusion differs significantly from the GDPR.

Potential step(s) for DPDPA compliance: Determine when personal data is processed according to a contract and ensure that steps are taken to comply with a DPDPA statutorily recognised legal basis for processing (i.e., legitimate use or consent).

14. Legal Obligation

GDPR: Processing is necessary for compliance with a legal obligation to which the controller is subject.

DPDPA: Under the DPDPA, a data fiduciary or an SDF is permitted to process personal data without data principals' explicit consent if the data is required to comply with any judgment, decree, or order issued under Indian law, or any contractual or civil claim-related judgment or order under any law in force outside India.

Key gaps: Minimal difference.

Potential step(s) for DPDPA compliance: N/A.

15. Public Health Emergency/Vital Interests

GDPR: Processing is necessary to protect the vital interests of the data subject or of another natural person.

DPDPA: Under the DPDPA, a data fiduciary or an SDF is permitted to process personal data without data principals' explicit consent if the data is required for responding to a medical emergency involving a threat to life or an immediate threat to the health of the data principal or any other individual.

Key gaps: Minimal difference.

Potential step(s) for DPDPA compliance: N/A.


16. Medical Treatment or Health Services in an Epidemic

GDPR: Processing is necessary in order to protect the vital interests of the data subject or of another natural person; or processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

DPDPA: Under the DPDPA, a data fiduciary or an SDF is permitted to process personal data without data principals' explicit consent if the data is required to provide medical treatment or health services to an individual during an epidemic, outbreak of disease, or threat to public health.

Key gaps: No-action gaps. The DPDPA specifically provides that consent is not required to process personal data to provide medical treatment/health services to individuals during an epidemic. There is no exact equivalent under the GDPR, but the closest legal basis would be processing for an individual's vital interests or for public interest purposes.

Potential step(s) for DPDPA compliance: N/A.

17. Public Interest

GDPR: Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

DPDPA: Under the DPDPA, a data fiduciary or an SDF is permitted to process personal data without data principals' explicit consent if the data is required to ensure the safety of persons, or to provide assistance or services to any person during any disaster or any breakdown of public order.

Key gaps: Minimal difference.

Potential step(s) for DPDPA compliance: N/A.


18. Voluntary Disclosure

GDPR: The GDPR does not have a specific legal basis for voluntary disclosure.

DPDPA: Under the DPDPA, a data fiduciary or an SDF is permitted to process personal data without data principals' explicit consent if the data principal provides their personal data voluntarily to the data fiduciary for a specified purpose and does not object to the processing of such personal data.

Key gaps: No-action gaps. The GDPR does not have the equivalent legal basis for processing. However, as this is an additional legal basis, and GDPR-compliant controllers are therefore better able to process personal data without consent, no additional compliance steps are needed.

Potential step(s) for DPDPA compliance: N/A.

19. Legitimate Interests

GDPR: Processing is necessary for the purposes of legitimate interests pursued by the controller or by a third party, except when such interests are overridden by the interests or fundamental rights and freedoms of the data subject that require protection of personal data, in particular if the data subject is a child.

DPDPA: The DPDPA does not have a legitimate interest legal basis (the only available legal bases are "consent" or the "legitimate uses" set out in #14 to #18 and #20).

Key gaps: Material gaps. The DPDPA does not recognise the equivalent exemption for legitimate interests for processing without consent.

Potential step(s) for DPDPA compliance: Determine when personal data processing is conducted under "legitimate interest" and ensure that steps are taken to process that personal data according to an available legal basis for processing personal data under the DPDPA.


20. Employment

GDPR: The GDPR does not have a specific legal basis for processing personal data in an employment context (except for special categories of personal data). Instead, potential legal bases that could be relevant for processing non-special category data in an employment context include processing for the performance of a contract, necessity to comply with a legal obligation, or legitimate interests.

DPDPA: Under the DPDPA, a data fiduciary or an SDF is permitted to process personal data without data principals' explicit consent if the data is needed for employment purposes, or for safeguarding the employer from loss or liability (such as corporate espionage), maintaining the confidentiality of trade secrets, intellectual property or classified information, or providing any service or benefit sought by a data principal who is an employee.

Key gaps: No-action gaps. The GDPR does not have the equivalent "employment" legal basis for processing.

Potential step(s) for DPDPA compliance: N/A.


Data Processing Agreements

21. Data Processing Agreements

GDPR: Processors must process personal data in accordance with a contract that requires that the processor:
- processes personal data in accordance with agreed purpose(s);
- returns or destroys personal data upon termination;
- obtains the controller's prior authorisation before contracting with sub-processors;
- implements necessary measures to ensure the security of personal data;
- submits to audits and inspections;
- provides assistance to the controller to fulfil obligations under the GDPR; and
- notifies the data controller without undue delay upon becoming aware of a personal data breach.

DPDPA: The DPDPA requires that if a data fiduciary is to employ a data processor for undertaking any processing activity on its behalf, then such engagement should be through a valid contractual relationship with the data processor. Data fiduciaries are required to ensure that the engaged data processors:
- comply with the DPDPA and rules thereunder;
- cease processing of, and erase, personal data once consent is withdrawn; and
- take reasonable security safeguards to prevent data breach.

Key gaps: Minimal difference.

Potential step(s) for DPDPA compliance: N/A.


International Data Transfers

22. Adequacy Decision

GDPR: Transfers of personal data from the European Economic Area (the EEA) to whitelisted countries[3] subject to an adequacy decision by the European Commission do not have to comply with additional safeguard requirements under the GDPR.

DPDPA: Currently, the DPDPA provides only for the government's ability to publish a list of countries to which data transfers are restricted.

Key gaps: Manageable gaps. Subject to additional guidance in the form of rules from the Indian central government, the DPDPA does not provide for an adequacy decision.

Potential step(s) for DPDPA compliance: If and when such list of countries are publish
