Code: Section 10 DPDP
(1) The Central Government may notify any Data Fiduciary or class of Data
Fiduciaries as Significant Data Fiduciary, on the basis of an assessment of such relevant
factors as it may determine, including—
(a) the volume and sensitivity of personal data processed;
(b) risk to the rights of Data Principal;
(c) potential impact on the sovereignty and integrity of India;
(d) risk to electoral democracy;
(e) security of the State; and
(f) public order.
(2) The Significant Data Fiduciary shall—
(a) appoint a Data Protection Officer who shall—
(i) represent the Significant Data Fiduciary under the provisions of this
Act;
(ii) be based in India;
(iii) be an individual responsible to the Board of Directors or similar
governing body of the Significant Data Fiduciary; and
(iv) be the point of contact for the grievance redressal mechanism under
the provisions of this Act;
(b) appoint an independent data auditor to carry out data audit, who shall
evaluate the compliance of the Significant Data Fiduciary in accordance with the
provisions of this Act; and
(c) undertake the following other measures, namely:—
(i) periodic Data Protection Impact Assessment, which shall be a process
comprising a description of the rights of Data Principals and the purpose of
processing of their personal data, assessment and management of the risk to
the rights of the Data Principals, and such other matters regarding such process
as may be prescribed;
(ii) periodic audit; and
(iii) such other measures, consistent with the provisions of this Act, as
may be prescribed.
Explanation of Section 10 DPDP
Section 10 of the Digital Personal Data Protection Act (DPDP) imposes additional requirements on Significant Data Fiduciaries. These are entities designated by the Central Government due to their large-scale data processing activities, potential impact on national security, or other significant factors. The section aims to ensure that these entities follow stricter data protection practices.
Key Provisions:
- Notification of Significant Data Fiduciaries (Sub-section 1):
The Central Government can designate a Data Fiduciary as Significant based on various factors, including the amount and sensitivity of data processed. This designation is made to safeguard the rights of Data Principals and national interests.
- Additional Responsibilities (Sub-section 2):
Significant Data Fiduciaries must meet specific requirements, such as appointing a Data Protection Officer (DPO), ensuring compliance through independent audits, and conducting Data Protection Impact Assessments (DPIAs).
- Data Protection Officer (DPO):
The DPO represents the Data Fiduciary in data protection matters and ensures compliance with the DPDP Act. The DPO must be based in India and report to the governing body of the entity.
- Independent Data Auditor:
This auditor evaluates the compliance of the Data Fiduciary with the DPDP Act, ensuring transparency and accountability.
- Data Protection Impact Assessment (DPIA):
A DPIA identifies and evaluates the risks involved in processing personal data, helping to ensure that the rights of Data Principals are protected.
- Periodic Audits:
Regular audits are required to assess ongoing compliance with the DPDP Act.
Illustration
Example 1: Appointment of Data Protection Officer (DPO)
A Significant Data Fiduciary, such as a popular e-commerce platform, processes a large volume of personal data. To comply with Section 10, the platform appoints a Data Protection Officer (DPO) based in India. The DPO ensures the company follows data protection laws and addresses privacy-related concerns raised by users.
Example 2: Conducting a Data Protection Impact Assessment (DPIA)
An online medical services provider handles sensitive health data. As a Significant Data Fiduciary, the provider must conduct a Data Protection Impact Assessment (DPIA). This process evaluates the risks of data processing and ensures the company complies with DPDP standards, protecting the privacy of its users.
Common Questions and Answers on Section 10 DPDP
1. How does the government identify Significant Data Fiduciaries?
- Answer: The Central Government considers factors like data volume, sensitivity, and potential national impact. This ensures that high-risk data processing activities are closely regulated.
2. What does a Data Protection Officer (DPO) do?
- Answer: The DPO ensures that a Significant Data Fiduciary complies with the DPDP Act. They act as the main point of contact for all data protection matters and are responsible for managing data privacy concerns.
3. What is a Data Protection Impact Assessment (DPIA)?
- Answer: A DPIA is a process to identify and assess the risks of processing personal data. It helps ensure that the processing does not harm the rights of Data Principals and complies with the DPDP Act.
4. Who must appoint an independent data auditor?
- Answer: Only Significant Data Fiduciaries must appoint an independent data auditor. This ensures that the entity follows the necessary compliance measures and maintains transparency in its data processing practices.
5. What happens if a Data Fiduciary fails to meet these obligations?
- Answer: Non-compliance with these obligations can result in penalties, regulatory actions, or other legal consequences as specified under the DPDP Act.
Conclusion
Section 10 of the Digital Personal Data Protection Act (DPDP) lays down specific obligations for Significant Data Fiduciaries. These entities must appoint a Data Protection Officer, undergo periodic Data Protection Impact Assessments, and ensure independent audits. The purpose of these measures is to protect the rights of individuals and ensure data privacy, especially when large amounts of sensitive personal data are processed.