Code: Section 11 DPDP
(1) The Data Principal shall have the right to obtain from the Data Fiduciary to
whom she has previously given consent, including consent as referred to in clause (a) of
section 7 (hereinafter referred to as the said Data Fiduciary), for processing of personal
data, upon making to it a request in such manner as may be prescribed,—
(a) a summary of personal data which is being processed by such Data Fiduciary
and the processing activities undertaken by that Data Fiduciary with respect to such
personal data;
(b) the identities of all other Data Fiduciaries and Data Processors with whom
the personal data has been shared by such Data Fiduciary, along with a description of
the personal data so shared; and
(c) any other information related to the personal data of such Data Principal and
its processing, as may be prescribed.
(2) Nothing contained in clause (b) or clause (c) of sub-section (1) shall apply in
respect of the sharing of any personal data by the said Data Fiduciary with any other Data
Fiduciary authorised by law to obtain such personal data, where such sharing is pursuant
to a request made in writing by such other Data Fiduciary for the purpose of prevention or
detection or investigation of offences or cyber incidents, or for prosecution or punishment
of offences.
Explanation of Section 11 DPDP
Section 11 of the Digital Personal Data Protection Act (DPDP) provides Data Principals with the right to access information about how their personal data is processed. This right helps individuals understand how their data is used and shared, promoting transparency.
Key Provisions:
- Right to Access Data (Sub-section 1):
Data Principals can request a summary of their personal data from the Data Fiduciary. This includes details on how their data is processed, which third parties have access to it, and any other relevant information. - Legal Exemptions (Sub-section 2):
If the data is shared for legal reasons, such as law enforcement requests, the Data Fiduciary does not have to disclose this sharing. This ensures privacy while balancing legal and security needs.
Illustration
Example 1: Data Access Request for Transparency
John, a customer of a mobile service provider, requests a summary of his personal data that is being processed. The provider responds, sharing details on how his data is used, what third parties have access to it, and for what purposes.
Example 2: Exemption for Legal Purposes
A Data Fiduciary, such as an online payment system, shares Sara’s personal data with law enforcement to investigate a fraud case. The system is not required to disclose this sharing to Sara, as the data was shared for legal purposes under Section 11(2).
Common Questions and Answers on Section 11 DPDP
1. What rights does a Data Principal have under Section 11?
- Answer: A Data Principal can request information about the personal data being processed, including details on data sharing and processing activities.
2. When can a Data Fiduciary refuse to disclose data sharing details?
- Answer: If data is shared with another Data Fiduciary for legal purposes, such as crime investigation, the Data Fiduciary is not required to disclose the sharing under Section 11(2).
3. How can a Data Principal request access to their data?
- Answer: The Data Principal must submit a request to the Data Fiduciary in the prescribed manner, as outlined by the DPDP Act.
4. Are there any exceptions to the right of access?
- Answer: Yes, the right to access does not apply if the data is shared for law enforcement or legal purposes, as stated in Section 11(2).
5. What steps should a Data Fiduciary take when a Data Principal requests access?
- Answer: The Data Fiduciary must provide the requested information, unless a legal exemption applies.
Conclusion
Section 11 of the Digital Personal Data Protection Act (DPDP) empowers Data Principals with the right to access their personal data, fostering transparency in data processing. It allows individuals to understand how their data is used and shared, while also balancing legal and security requirements.
