India's Digital Personal Data Protection Act 2023 vs. the GDPR: A Comparison
December 2023

Organisations doing business in India should note differences between GDPR and DPDPA requirements, including potential programmes that may need uplift to ensure compliance.
The Indian parliament enacted India's first comprehensive data protection law on 11 August 2023, namely the Digital Personal Data Protection Act 2023 (the DPDPA). The DPDPA will replace India's existing patchwork of data protection rules [1] and is expected to trigger significant changes in how companies subject to Indian data protection laws process personal data. However, the law is not yet operational; no effective date has been established and there is no official timeline for the overall implementation. Stakeholders expect the law to come into force in a phased manner in the next six to 12 months, after: (i) an independent agency responsible for enforcing the DPDPA, the Data Protection Board of India (the Data Protection Board), is established; and (ii) the Indian government has framed the subordinate rules (which are expected to provide interpretative guidance on procedural steps and enforcement methodology). The DPDPA is "umbrella" legislation, as it sets out only a high-level framework for India's new data protection regime, with supplementary rules expected in due course. Though the new law is not yet operational, companies subject to the new law are advised to begin assessing potential practical implications at an early stage.

The DPDPA is triggered when digital personal data is processed within India. The law also has an extraterritorial effect in that it applies to digital personal data processing outside of India if such processing relates to the offering of goods or services to individuals (known as "data principals", which are equivalent to "data subjects" under the EU and UK General Data Protection Regulations (the GDPR)) within India. The DPDPA follows broadly similar principles to those set out in the GDPR and specifies rules for data fiduciaries (equivalent to "controllers" under the GDPR) and data processors, and rights for data principals. Penalties for non-compliance under the DPDPA range from INR 500 million (€5.7 million) to INR 2.5 billion (€28 million). The Data Protection Board is also empowered to impose urgent remedial or mitigation measures in the event of a personal data breach.
Practical Impact on Existing Privacy Compliance Programmes
The DPDPA signals a major change in the way personal data is processed in India. Organisations operating in or targeting individuals in India should consider preemptive steps to bring their privacy compliance in line with the DPDPA, including as regards data collection and consent mapping practices. Key differences between the DPDPA and the GDPR include:

- Scope: The DPDPA regulates the processing of digital personal data, i.e., personal data collected in digital form, or collected in non-digital form and subsequently digitised. Whilst the DPDPA's personal data definition is similar to that provided under the GDPR, it excludes from its scope personal data made publicly available by the data principal or by any other person under a legal obligation to make that data publicly available.
- Legal basis for processing of personal data: The DPDPA provides that data fiduciaries may lawfully process personal data only with the consent of the data principals or for certain specified "legitimate uses". Such legitimate uses include: processing of personal data voluntarily shared by the data principal for a specified purpose (provided that the data principal does not object); processing to comply with the law or court orders; processing for employment purposes; or processing to respond to medical emergencies, epidemics, or disasters. The DPDPA's consent standard is similar to that of the GDPR, requiring consent to be "free, specific, informed, unconditional and unambiguous with a clear affirmative action" and, unlike the GDPR, it does not permit processing under the lawful bases of contractual necessity or legitimate interests.
- Data principal rights: Whilst data principals will have certain rights similar to those under the GDPR for data subjects (i.e., rights of access, correction, or erasure), they will also benefit from a number of new rights which are unique to the DPDPA, i.e., the right to a readily available and effective means of grievance redressal (e.g., via a grievance redressal officer), and the right to nominate an individual who will be able to exercise the rights of the data principal in the event of death or incapacity of the data principal.
- Cross-border data transfers: The DPDPA permits cross-border data transfers to jurisdictions outside of India other than those jurisdictions specifically identified by the Indian government on its list of countries to which data transfers are restricted (to be published); otherwise, the DPDPA does not require the implementation of a transfer mechanism.
- Data breach notification: Data fiduciaries are required to notify personal data breaches to the newly created Data Protection Board and to impacted data principals, regardless of the magnitude of the breach or risk of harm. Further, the DPDPA itself does not prescribe specific deadlines for reporting; the form and timing of notification are left to the subordinate rules.
- Significant data fiduciaries: The Indian government will have the power to classify certain data fiduciaries as significant data fiduciaries based on factors such as the sensitivity and volume of data processed, the impact of processing on the rights of data principals, and the impact on the sovereignty, security, and integrity of India. These significant data fiduciaries will have additional obligations, including the appointment of an independent auditor and undertaking data protection impact assessments.
The table below compares the requirements of the GDPR and the DPDPA in further detail, highlighting potential gaps in GDPR-based compliance programmes and outlining possible steps to uplift such programmes for DPDPA compliance purposes. As additional rules to supplement the DPDPA provisions are issued, organisations may need to adjust their compliance approaches accordingly.

The table is colour-coded as below, for ease of reference (in this text version, each row carries the category name in its "Key gaps" entry):

- Minimal difference: The requirement under the DPDPA is materially consistent with the requirement under the GDPR; no further action is required to comply with the DPDPA.
- No-action gaps: The DPDPA is generally consistent with the GDPR, but with noticeable differences, or the GDPR standard is higher or more comprehensive; additional compliance actions will not be required to comply with the DPDPA.
- Manageable gaps: The DPDPA is generally consistent with the GDPR, but with noticeable differences; minor additional compliance actions will need to be taken to comply with the DPDPA.
- Material gaps: The DPDPA is materially different from the GDPR, or there are elements under one law that are not found under the other; significant additional compliance actions will need to be taken to comply with the DPDPA.
Table columns: # | Issue | Does the GDPR cover this issue? Scope | Does the DPDPA cover this issue? Scope | Key gaps [2] | Potential step(s) for DPDPA compliance

In the rows below, each issue is followed by its "GDPR:" scope, its "DPDPA:" scope, its "Key gaps:" entry (with the colour-code category in brackets), and its "Potential step(s) for DPDPA compliance:" entry.
Scope of Application

1. Personal Data
GDPR: Any information relating to an identified or identifiable natural person.
DPDPA: Any data about an individual who is identifiable by, or in relation to, such data. The DPDPA applies only to "digital personal data", which means personal data collected in digital form and personal data collected or stored in a non-digital form that is subsequently digitised. Personal data that is made publicly available by the data principal or pursuant to a legal requirement is out of scope of the DPDPA.
Key gaps (No-action gaps): The DPDPA applies only to "digital personal data", whereas the GDPR applies to personal data even if that data is non-digital. In addition, personal data that is made publicly available is exempt from DPDPA obligations.
Potential step(s) for DPDPA compliance: N/A.
2. Sensitive/Special Category Data
GDPR: Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, or data concerning a natural person's sex life or sexual orientation.
DPDPA: The DPDPA does not differentiate between personal data and sensitive personal data/special categories of data.
Key gaps (No-action gaps): No additional compliance obligations will need to be undertaken to comply with the DPDPA. GDPR-compliant controllers are likely to meet the requirements under the DPDPA, as a higher degree of protection is offered to "special categories of personal data" under the GDPR.
Potential step(s) for DPDPA compliance: N/A.
3. Data Subjects
GDPR: The identified or identifiable natural person to whom personal data relates.
DPDPA: Data Principal: The individual to whom the personal data relates, and, if such individual: (i) is a child, the concept includes the parent/lawful guardian of such child; and (ii) is a person with a disability, the concept includes the lawful guardian acting on behalf of such an individual.
Key gaps: Minimal difference.
Potential step(s) for DPDPA compliance: N/A.
4. Data Controller
GDPR: The natural or legal person, public authority, agency, or other body that, alone or jointly with others, determines the purposes and means of processing personal data.
DPDPA: Data Fiduciary (i.e., data controller): Any person/entity who, alone or in conjunction with other persons, determines the purpose and means of processing an individual's personal data.
Key gaps: Minimal difference.
Potential step(s) for DPDPA compliance: N/A.
5. Significant Data Fiduciary (SDF)
GDPR: There is no equivalent concept under the GDPR.
DPDPA: A data fiduciary or class of data fiduciaries designated by the Indian government based on: (a) volume and sensitivity of personal data processed; (b) risk to the rights of the data principal; (c) potential impact on the sovereignty and integrity of India; (d) risk to electoral democracy; (e) security of the State; and (f) public order.
Key gaps (Material gaps): The DPDPA identifies a class of data fiduciaries as SDFs based on the aforesaid parameters, and applies additional obligations to those SDFs. There is no equivalent concept under the GDPR.
Potential step(s) for DPDPA compliance: If classified as an SDF by the Indian government, additional compliance obligations will apply, such as appointing a data protection officer (DPO) based in India who reports to the board of directors, appointing an independent data auditor, carrying out periodic audits and periodic DPIAs, and deploying risk mitigation measures.
6. Data Processor
GDPR: A natural or legal person, public authority, agency, or other body that processes personal data on behalf of the controller.
DPDPA: A person who processes personal data on behalf of the data fiduciary.
Key gaps: Minimal difference.
Potential step(s) for DPDPA compliance: N/A.
7. Consent Manager
GDPR: There is no equivalent concept under the GDPR.
DPDPA: Consent managers are entities registered with the Data Protection Board under the DPDPA and act on behalf of data principals to review, provide, manage, and withdraw consent.
Key gaps (Material gaps): There is no equivalent concept under the GDPR.
Potential step(s) for DPDPA compliance: Organisations may be required to either: (i) register as consent managers (subject to additional guidance provided by the rules framed pursuant to the DPDPA), or (ii) give data principals the option (through their user interface) to nominate a registered consent manager on their platform, app, website, etc.
8. Processing
GDPR: Any operation or set of operations that is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction.
DPDPA: A wholly or partly automated operation or set of operations performed on digital personal data, including operations such as collection, recording, organisation, structuring, storage, adaptation, retrieval, use, alignment, combination, indexing, sharing, disclosure by transmission, dissemination, or otherwise making available, restriction, erasure, or destruction.
Key gaps: Minimal difference.
Potential step(s) for DPDPA compliance: N/A.
9. Processing Children's Data
GDPR: The GDPR contains provisions to enhance the protection of children's personal data:
- if transparency information is intended to be read by a child, it should be in clear and plain language that is easily comprehensible for the child; and
- if an information society service is offered to a child, consent should be obtained from a parent/guardian, subject to certain age criteria.
The age of majority is not defined under the GDPR, and it varies across EU Member States. However, certain provisions are applicable to children under the age of 16.
DPDPA: When processing a child's personal data (a child being a person under the age of 18) or the personal data of a person with a disability, verifiable consent of the parent or the lawful guardian of such child/person with a disability must be obtained. With respect to children's personal data:
- do not undertake processing of personal data that is likely to cause any detrimental effect to the well-being of a child; and
- do not track or engage in behavioural monitoring of children or use targeted advertising directed at children.
Key gaps (Material gaps): The DPDPA prescribes additional obligations with respect to processing children's data. It is also pertinent that the relevant age of the child varies under the GDPR and national EU Member State law and UK law implementations (i.e., 16 years or less) and the DPDPA (18 years).
Potential step(s) for DPDPA compliance: To ensure compliance with the DPDPA's obligations for processing children's data, no data processing that is detrimental to children, or processing of data that in any manner would aid targeted advertising directed at children, should be undertaken. To this end, to prevent inadvertent processing of children's data, methods that involve verifiable parental consent to process children's data (such as age-gating or multi-factor authentication) are recommended.
Transparency

10. Privacy Policy Disclosures
GDPR: Data subjects must be informed of the following at the time of collection of personal data:
- name and contact details of the data controller and local representative (if applicable);
- contact details of the Data Protection Officer;
- purposes of processing;
- lawful basis for processing and legitimate interests for processing (if applicable);
- categories of personal data obtained;
- recipients of personal data;
- details of transfers of personal data to any third countries or international organisations;
- retention periods for personal data;
- data subject rights;
- right to withdraw consent (if applicable);
- right to lodge a complaint with a supervisory authority;
- source of personal data (if personal data is not obtained from the individual it relates to);
- details of whether individuals are under a statutory or contractual obligation to provide the personal data (if applicable, and if the personal data is collected from the individual it relates to); and
- the details of the existence of automated decision-making, including profiling (if applicable).
DPDPA: Where personal data is obtained on the basis of consent, a notice must be provided to data principals at the time of or before seeking such consent. The notice must include:
- the personal data and the purpose for which it is being processed;
- the manner in which they may exercise their rights under the DPDPA with respect to the personal data; and
- the manner in which they may make a complaint to the Data Protection Board established under the DPDPA.
Key gaps (No-action gaps): The GDPR provides a more detailed set of requirements regarding notice. Generally, the DPDPA makes it easier for GDPR-compliant controllers to process personal data with notice for consent.
Potential step(s) for DPDPA compliance: N/A.
11. Language Requirements
GDPR: Information provided to data subjects must be in clear and plain language (including the native language of the data subject, when required).
DPDPA: Data principals must be provided with an option to access the contents of a consent request in English or in any of the 22 languages specified in the Eighth Schedule of the Constitution of India.
Key gaps (Manageable gaps): Both the GDPR and the DPDPA require information provided to data subjects to be in a language they understand.
Potential step(s) for DPDPA compliance: Whilst the language requirements under the GDPR and the DPDPA are broadly similar, given the potential for a large number of languages (i.e., the 22 languages specified in the Indian Constitution), the practical implications of providing many language options could be significant.
Legal Basis of Processing

12. Consent
GDPR: Consent: Any freely given, specific, informed, and unambiguous indication of the data subject's wishes by which he or she, by a statement or by clear affirmative action, signifies agreement to the processing of personal data relating to him or her. Explicit consent: Undefined, but must be affirmed in a clear statement and needs to specifically refer to the element of the processing that requires explicit consent.
DPDPA: Consent given by the data principal must be:
- free;
- specific;
- informed;
- unconditional;
- unambiguous;
- given with a clear affirmative action signifying an agreement to the processing of personal data for the specified purpose; and
- presented in clear and plain language with the option to access such requests as per the Language Requirements (see #11).
Key gaps: Minimal difference.
Potential step(s) for DPDPA compliance: N/A.
13. Contract
GDPR: Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
DPDPA: Processing personal data for the performance of a contract is not recognised as a "legal basis for processing" under the DPDPA, which instead refers to legitimate uses. These uses include compliance with laws, ensuring the safety of a person, performance of statutory duties/functions, and employment purposes. Certain obligations of the data fiduciary under the DPDPA will not apply if the data principals are not within the territory of India and their personal data is processed pursuant to a contract entered into with any person outside the territory of India, by any person in India.
Key gaps (Material gaps): Processing personal data for the performance of a contract is not a legal basis under the DPDPA. Unless an exemption is granted by the subordinate rules that are yet to be framed, this exclusion differs significantly from the GDPR.
Potential step(s) for DPDPA compliance: Determine when personal data is processed according to a contract and ensure that steps are taken to comply with a DPDPA statutorily recognised legal basis for processing (i.e., legitimate use or consent).
14. Legal Obligation
GDPR: Processing is necessary for compliance with a legal obligation to which the controller is subject.
DPDPA: Under the DPDPA, a data fiduciary or an SDF is permitted to process personal data without data principals' explicit consent if the data is required to comply with any judgment, decree, or order issued under Indian law, or any contractual or civil claim-related judgment or order under any law in force outside India.
Key gaps: Minimal difference.
Potential step(s) for DPDPA compliance: N/A.
15. Public Health Emergency/Vital Interests
GDPR: Processing is necessary to protect the vital interests of the data subject or of another natural person.
DPDPA: Under the DPDPA, a data fiduciary or an SDF is permitted to process personal data without data principals' explicit consent if the data is required for responding to a medical emergency involving a threat to life or an immediate threat to the health of the data principal or any other individual.
Key gaps: Minimal difference.
Potential step(s) for DPDPA compliance: N/A.
16. Medical Treatment or Health Services in an Epidemic
GDPR: Processing is necessary in order to protect the vital interests of the data subject or of another natural person; or processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
DPDPA: Under the DPDPA, a data fiduciary or an SDF is permitted to process personal data without data principals' explicit consent if the data is required to provide medical treatment or health services to an individual during an epidemic, outbreak of disease, or threat to public health.
Key gaps (No-action gaps): The DPDPA specifically provides that consent is not required to process personal data to provide medical treatment/health services to individuals during an epidemic. There is no exact equivalent under the GDPR, but the closest legal basis would be processing for an individual's vital interests or for public interest purposes.
Potential step(s) for DPDPA compliance: N/A.
17. Public Interest
GDPR: Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
DPDPA: Under the DPDPA, a data fiduciary or an SDF is permitted to process personal data without data principals' explicit consent if the data is required to ensure the safety of persons, or to provide assistance or services to any person during any disaster or any breakdown of public order.
Key gaps: Minimal difference.
Potential step(s) for DPDPA compliance: N/A.
18. Voluntary Disclosure
GDPR: The GDPR does not have a specific legal basis for voluntary disclosure.
DPDPA: Under the DPDPA, a data fiduciary or an SDF is permitted to process personal data without data principals' explicit consent if the data principal provides their personal data voluntarily to the data fiduciary for a specified purpose and does not object to the processing of such personal data.
Key gaps (No-action gaps): The GDPR does not have the equivalent legal basis for processing. However, as this is an additional legal basis, and GDPR-compliant controllers are therefore better able to process personal data without consent, no additional compliance steps are needed.
Potential step(s) for DPDPA compliance: N/A.
19. Legitimate Interests
GDPR: Processing is necessary for the purposes of legitimate interests pursued by the controller or by a third party, except when such interests are overridden by the interests or fundamental rights and freedoms of the data subject that require protection of personal data, in particular if the data subject is a child.
DPDPA: The DPDPA does not have a legitimate interest legal basis (the only available legal bases are "consent" or the "legitimate uses" set out in #14 to #18 and #20).
Key gaps (Material gaps): The DPDPA does not recognise the equivalent exemption for legitimate interests for processing without consent.
Potential step(s) for DPDPA compliance: Determine when personal data processing is conducted under "legitimate interests" and ensure that steps are taken to process that personal data according to an available legal basis for processing personal data under the DPDPA.
20. Employment
GDPR: The GDPR does not have a specific legal basis for processing personal data in an employment context (except for special categories of personal data). Instead, potential legal bases that could be relevant for processing non-special category data in an employment context include processing for the performance of a contract, necessity to comply with a legal obligation, or legitimate interests.
DPDPA: Under the DPDPA, a data fiduciary or an SDF is permitted to process personal data without data principals' explicit consent if the data is needed for the purposes of employment, or for purposes related to safeguarding the employer from loss or liability (such as prevention of corporate espionage, or maintaining the confidentiality of trade secrets, intellectual property, or classified information), or for the provision of any service or benefit sought by a data principal who is an employee.
Key gaps (No-action gaps): The GDPR does not have the equivalent "employment" legal basis for processing.
Potential step(s) for DPDPA compliance: N/A.
Data Processing Agreements

21. Data Processing Agreements
GDPR: Processors must process personal data in accordance with a contract that requires that the processor:
- processes personal data in accordance with agreed purpose(s);
- returns or destroys personal data upon termination;
- obtains consent prior to contracting with sub-processors;
- implements necessary measures to ensure the security of personal data;
- submits to audits and inspections;
- provides assistance to the controller to fulfil obligations under the GDPR; and
- notifies the data controller as soon as reasonably possible upon discovering a security breach.
DPDPA: The DPDPA requires that if a data fiduciary is to employ a data processor for undertaking any processing activity on its behalf, then such engagement should be through a valid contractual relationship with the data processor. Data fiduciaries are required to ensure that the engaged data processors:
- comply with the DPDPA and rules thereunder;
- cease processing of, and erase, personal data once consent is withdrawn; and
- take reasonable security safeguards to prevent data breach.
Key gaps: Minimal difference.
Potential step(s) for DPDPA compliance: N/A.
International Data Transfers

22. Adequacy Decision
GDPR: Transfers of personal data from the European Economic Area (the EEA) to whitelisted countries [3] subject to an adequacy decision by the European Commission do not have to comply with additional safeguard requirements under the GDPR.
DPDPA: Currently, the DPDPA provides only for the government's ability to publish a list of countries to which data transfers are restricted.
Key gaps (Manageable gaps): Subject to additional guidance in the form of rules from the Indian central government, the DPDPA does not provide for an adequacy decision.
Potential step(s) for DPDPA compliance: If and when such list of countries are publish