Use the Lexology Navigator tool to compare the anwers in this article with those from other jurisdictions.
Collection and storage of data
Collection and management
In what circumstances can personal data be collected, stored and processed?
The Privacy Rules specify that a body corporate may collect sensitive personal data:
- for a lawful purpose connected with a function or activity of the body corporate or any person on its behalf; and
- if the collection of sensitive personal data or information is considered necessary for that purpose.
Are there any limitations or restrictions on the period for which an organisation may (or must) retain records?
Yes, the Privacy Rules specify that sensitive personal data cannot be retained for longer than is required for the purpose for which it was lawfully collected or as otherwise required under another law. Under the data retention provisions set out in various laws, companies are generally required to retain data for eight financial years.
Do individuals have a right to access personal information about them that is held by an organisation?
Under the Privacy Rules, data subjects have a right to review the information provided by them. The data controller, at the request of the data subjects, must correct any deficiencies or inaccuracies in the information provided. Further, data controllers must address data subjects' grievances in a timely manner and in any event within one month of receiving the grievance.
Do individuals have a right to request deletion of their data?
The Privacy Rules do not specifically provide data subjects with the right to request deletion of their data. However, data subjects have the right to withdraw their consent to process data. Once consent is withdrawn, data controllers and processors cannot process the data subject's sensitive personal data. If a data subject withdraws his or her consent, the data processor can stop the provision of services.
Is consent required before processing personal data?
Under the Privacy Rules, the data subject’s consent is required before processing any sensitive personal data. Consent must be obtained in writing by letter, fax, email or any mode of electronic communication. Consent must be express and thus implied consent is not recognised.
If consent is not provided, are there other circumstances in which data processing is permitted?
Prior express consent must be obtained from the data subject, with no exceptions. However, notably, the Privacy Rules apply only if the parties have not agreed to their own reasonable security practices and procedures.
What information must be provided to individuals when personal data is collected?
The Privacy Rules require data controllers to provide data subjects with the following information:
- the fact that the information is being collected;
- the purpose for which the information is being collected;
- the intended recipients of the information; and
- the name and address of the agency that is collecting the information and will retain it.
Data transfer and third parties
Cross-border data transfer
What rules govern the transfer of data outside your jurisdiction?
The Privacy Rules permit the transfer of sensitive personal data or any information to a person outside India, provided that the person ensures the same level of data protection as that under the Privacy Rules. Further, transfers are permitted only if they are necessary for the performance of a lawful contract with the provider or where the provider has consented to the transfer.
Are there restrictions on the geographic transfer of data?
The Privacy Rules permit the transfer of sensitive personal data or any information to a person outside India, provided that the person maintains the same level of data protection as provided for under the Privacy Rules. Further, transfers are permitted only if they are necessary for the performance of a lawful contract with the provider or where the provider has consented to the transfer.
In accordance with a recent, little-known company law provision relating to maintenance of accounts, if a company’s books, papers and books of accounts are maintained in electronic form outside India, a backup must be stored on servers physically located in India. This rule has not been strictly enforced by the regulators, as it runs contrary to the increasingly common practice of multinationals, which use global accounting systems to maintain the accounts of entities worldwide, including Indian entities.
Do any specific requirements apply to data owners where personal data is transferred to a third party for processing?
The Privacy Rules regulate the disclosure or transfer of sensitive personal data to a third party. The disclosure of sensitive personal data or information is permitted if:
- it has been agreed in a contract with the provider;
- it is necessary to comply with a legal obligation; or
- the provider has given its prior consent.
Disclosures can be made only to a third party that observes the same level of data protection as provided by the Privacy Rules. Further, transfers are permitted only if they are necessary for the performance of a lawful contract with the provider or where the provider has consented to the transfer.
A clarification issued by the Ministry of Communications and Information Technology appears to suggest that some of the Privacy Rules apply only between a data subject and a data processor, and not between two entities. However, in accordance with the Privacy Rules, any third party that receives information must ensure the same level of protection as stated under the Privacy Rules. The two provisions are thus not entirely harmonious.
The Privacy Rules require data processors to disclose the name and address of every agency which will have access to personal information when collecting information from a data subject. This includes onward transfers. Since the transfer of sensitive personal data from a data subject to a data processor is subject to restrictions, these restrictions will also apply to a further transfer from one data processor to another.
Click here to view the full article.