Code: Section 17 DPDP Act
(1) The provisions of Chapter II, except sub-sections (1) and (5) of section 8, and
those of Chapter III and section 16 shall not apply where—
(a) the processing of personal data is necessary for enforcing any legal right or
claim;
(b) the processing of personal data by any court or tribunal or any other body
in India which is entrusted by law with the performance of any judicial or quasi-judicial
or regulatory or supervisory function, where such processing is necessary for the
performance of such function;
(c) personal data is processed in the interest of prevention, detection,
investigation or prosecution of any offence or contravention of any law for the time
being in force in India;
(d) personal data of Data Principals not within the territory of India is processed
pursuant to any contract entered into with any person outside the territory of India
by any person based in India;
(e) the processing is necessary for a scheme of compromise or arrangement or
merger or amalgamation of two or more companies or a reconstruction by way of
demerger or otherwise of a company, or transfer of undertaking of one or more company
to another company, or involving division of one or more companies, approved by a
court or tribunal or other authority competent to do so by any law for the time being
in force; and
(f) the processing is for the purpose of ascertaining the financial information
and assets and liabilities of any person who has defaulted in payment due on account
of a loan or advance taken from a financial institution, subject to such processing
being in accordance with the provisions regarding disclosure of information or data
in any other law for the time being in force.
Explanation.—For the purposes of this clause, the expressions “default” and
“financial institution” shall have the meanings respectively assigned to them in
sub-sections (12) and (14) of section 3 of the Insolvency and Bankruptcy Code, 2016.
Illustration.
X, an individual, takes a loan from Y, a bank. X defaults in paying her monthly loan
repayment instalment on the date on which it falls due. Y may process the personal data of
X for ascertaining her financial information and assets and liabilities.
(2) The provisions of this Act shall not apply in respect of the processing of personal
data—
(a) by such instrumentality of the State as the Central Government may notify,
in the interests of sovereignty and integrity of India, security of the State, friendly
relations with foreign States, maintenance of public order or preventing incitement to
any cognizable offence relating to any of these, and the processing by the Central
Government of any personal data that such instrumentality may furnish to it; and
(b) necessary for research, archiving or statistical purposes if the personal data
is not to be used to take any decision specific to a Data Principal and such processing
is carried on in accordance with such standards as may be prescribed.
(3) The Central Government may, having regard to the volume and nature of personal
data processed, notify certain Data Fiduciaries or class of Data Fiduciaries, including startups,
as Data Fiduciaries to whom the provisions of section 5, sub-sections (3) and (7) of
section 8 and sections 10 and 11 shall not apply.
Explanation.—For the purposes of this sub-section, the term “startup” means a
private limited company or a partnership firm or a limited liability partnership incorporated
in India, which is eligible to be and is recognised as such in accordance with the criteria and
process notified by the department to which matters relating to startups are allocated in the
Central Government.
(4) In respect of processing by the State or any instrumentality of the State, the
provisions of sub-section (7) of section 8 and sub-section (3) of section 12 and, where such
processing is for a purpose that does not include making of a decision that affects the Data
Principal, sub-section (2) of section 12 shall not apply.
(5) The Central Government may, before expiry of five years from the date of
commencement of this Act, by notification, declare that any provision of this Act shall not
apply to such Data Fiduciary or classes of Data Fiduciaries for such period as may be
specified in the notification.
Exemptions to the DPDP Act
1. Legal and Judicial Exemptions
Certain exemptions apply when personal data processing is necessary for:
- Enforcing legal rights or claims.
- Judicial or quasi-judicial functions—such as by courts or tribunals, where processing is needed to perform their duties.
- Law enforcement—for investigating, preventing, or prosecuting crimes.
- Corporate restructuring—such as mergers or acquisitions, when approved by a court, tribunal or other competent authority.
2. Cross-Border Contracts
If personal data of individuals outside India is processed under a contract entered into by a person based in India with a person outside India, that processing is exempt from certain DPDP provisions.
3. Financial Default Data
Personal data may be processed to determine the financial status of someone who has defaulted on a loan, as long as it follows related laws, like those in the Insolvency and Bankruptcy Code, 2016.
Additional Exemptions:
- State Interests: Certain data processing by state agencies may be exempt if it’s related to national security, public order, or preventing offenses.
- Research and Statistics: Personal data can be processed for research or statistical purposes, as long as it’s not used to make decisions affecting individuals directly.
Examples
Example 1: Legal Rights Enforcement
If a lawyer or police officer needs to process personal data to pursue a legal case or enforce a legal claim, this processing is exempt from some provisions of the DPDP Act.
Example 2: Financial Default
If a person defaults on a bank loan, the bank can process their personal data to assess their financial situation, in line with relevant financial regulations.
Key Points to Remember:
- Can personal data be processed without consent?
  - Yes, in cases like legal claims, judicial duties, law enforcement, or corporate restructuring.
- Does Section 17 apply to all types of personal data processing?
  - No, it only applies to specific situations outlined in the section, such as legal, financial, or security-related cases.
- What role does the government play?
  - The Central Government can exempt certain Data Fiduciaries, including startups, from some provisions based on data volume and nature.
Conclusion
Section 17 ensures that the DPDP Act allows for exceptions when processing personal data is necessary for legal, security, or financial purposes. It strikes a balance between protecting personal data and allowing essential processes like law enforcement, judicial proceedings, and corporate activities to function smoothly.