Data Fiduciaries' Presence in the PDP Bill 2019: How Does It Impact the Processing of Personal Data?
Under the Indian Personal Data Protection (PDP) Bill 2019, controllers are referred to as ‘data fiduciaries.’ A data fiduciary is any individual, including the State, an organization, any juristic entity, or any person who, alone or together with others, decides the purpose and means of processing personal data. In addition to following the principles of data processing, data fiduciaries are required to implement security safeguards, report to the DPA data breaches that cause significant harm to data principals, and have effective complaint redressal mechanisms in place.
Can any other authority perform the roles and responsibilities of a data fiduciary in its absence?
Under the PDP Bill, a data processor (whose responsibility is to process personal data on behalf of a data fiduciary) is required to enter into a valid contract with the data fiduciary in order to process the personal data of an individual on the data fiduciary's behalf. The Bill does not set out the mode and form of that contract comprehensively. It mentions only the requirement of a contract, which leaves the reader to interpret the clause narrowly.
On an analysis of the roles and responsibilities of a data fiduciary, the main responsibility the PDP Bill places on it is to process the personal data of an individual while adopting all the necessary measures. The processing is limited in that the data fiduciary may process the personal data of the individual only for the purpose for which the data has been transferred. Further, the personal data cannot be retained beyond the period necessary to process it.
Now, the question that arises is, whose personal data should be processed by the data fiduciary?
The PDP Bill gives this individual a specific term: ‘data principal’. A data principal is the individual whose personal data should be protected and processed by the data fiduciary. It should be noted that the processing of the data principal's personal data is subject to valid and free consent being provided to the data fiduciary.
The Bill confers certain rights on the data principal. These relate to the purpose for which the personal data is being used, the withdrawal of consent to use the personal data, and the right to restrict the continued disclosure of personal data.
In conclusion, the processing of personal data depends heavily on consent and on the other rights the Bill bestows on the data principal. The data fiduciary can be considered a collective entity on which the regularity and legality of personal data processing depends. The data fiduciary and the data principal are therefore interlinked in their roles and responsibilities under the PDP Bill 2019.
Sasha Atolia
Privacy and data protection expert with Privacy Consultancy Services (PCS)
Research & Development associate with Privacy Academy (Privacad)