Code: Section 40
(1) The Central Government may, by notification, and subject to the condition of
previous publication, make rules not inconsistent with the provisions of this Act, to carry
out the purposes of this Act.
(2) In particular and without prejudice to the generality of the foregoing power, such
rules may provide for all or any of the following matters, namely:—
(a) the manner in which the notice given by the Data Fiduciary to a Data Principal
shall inform her, under sub-section (1) of section 5;
(b) the manner in which the notice given by the Data Fiduciary to a Data Principal
shall inform her, under sub-section (2) of section 5;
(c) the manner of accountability and the obligations of Consent Manager under
sub-section (8) of section 6;
(d) the manner of registration of Consent Manager and the conditions relating
thereto, under sub-section (9) of section 6;
(e) the subsidy, benefit, service, certificate, licence or permit for the provision or
issuance of which, personal data may be processed under clause (b) of section 7;
(f) the form and manner of intimation of personal data breach to the Board under
sub-section (6) of section 8;
(g) the time period for the specified purpose to be deemed as no longer being
served, under sub-section (8) of section 8;
(h) the manner of publishing the business contact information of a Data
Protection Officer under sub-section (9) of section 8;
(i) the manner of obtaining verifiable consent under sub-section (1) of
section 9;
(j) the classes of Data Fiduciaries, the purposes of processing of personal data
of a child and the conditions relating thereto, under sub-section (4) of section 9;
(k) the other matters comprising the process of Data Protection Impact
Assessment under sub-clause (i) of clause (c) of sub-section (2) of section 10;
(l) the other measures that the Significant Data Fiduciary shall undertake under
sub-clause (iii) of clause (c) of sub-section (2) of section 10;
(m) the manner in which a Data Principal shall make a request to the Data
Fiduciary to obtain information and any other information related to the personal data
of such Data Principal and its processing, under sub-section (1) of section 11;
(n) the manner in which a Data Principal shall make a request to the Data
Fiduciary for erasure of her personal data under sub-section (3) of section 12;
(o) the period within which the Data Fiduciary shall respond to any grievances
under sub-section (2) of section 13;
(p) the manner of nomination of any other individual by the Data Principal
under sub-section (1) of section 14;
(q) the standards for processing the personal data for exemption under clause (b)
of sub-section (2) of section 17;
(r) the manner of appointment of the Chairperson and other Members of the
Board under sub-section (2) of section 19;
(s) the salary, allowances and other terms and conditions of services of the
Chairperson and other Members of the Board under sub-section (1) of section 20;
(t) the manner of authentication of orders, directions and instruments under
sub-section (1) of section 23;
(u) the terms and conditions of appointment and service of officers and
employees of the Board under section 24;
(v) the techno-legal measures to be adopted by the Board under sub-section (1)
of section 28;
(w) the other matters under clause (d) of sub-section (7) of section 28;
(x) the form, manner and fee for filing an appeal under sub-section (2) of
section 29;
(y) the procedure for dealing an appeal under sub-section (8) of section 29;
(z) any other matter which is to be or may be prescribed or in respect of which
provision is to be, or may be, made by rules.
Explanation of Section 40 DPDP
Section 40 of the Digital Personal Data Protection Act (DPDP) grants the Central Government the power to create rules to further enforce the provisions of this Act. These rules are essential for ensuring that the law is applied smoothly and consistently.
Key Points:
- Rule-Making Authority: The Central Government has the authority to develop rules that guide how the provisions of the DPDP Act are implemented, ensuring the law’s objectives are met.
- Detailed Regulations: The rules cover various aspects, such as the process for data breach notifications, the registration of Consent Managers, and the conditions for handling sensitive personal data. These ensure the law operates effectively in various contexts.
- Ensuring Compliance: Through these rules, the government ensures both Data Fiduciaries and Data Principals understand their responsibilities and rights, fostering a transparent data protection framework.
Illustration
Example 1: Consent Manager Registration
Under Section 40(2)(d), the Central Government can make rules regarding the registration of Consent Managers. These rules will specify the requirements and conditions for managing consent from Data Principals, ensuring their compliance with the Act.
Example 2: Data Breach Notification
Section 40(2)(f) allows the government to define the form and manner of reporting data breaches to the Board. For example, a Data Fiduciary must report any breach to the Board in a prescribed format within a specified time frame, ensuring the incident is handled effectively.
Common Questions & Answers on Section 40 DPDP
1. What is the power of the Central Government under Section 40?
- Answer: The Central Government can issue rules to operationalize the DPDP Act. These rules will cover various processes, ensuring the effective enforcement of the Act.
2. Can the rules made under Section 40 contradict the DPDP Act?
- Answer: No, the rules must align with the provisions of the DPDP Act and cannot override its core principles.
3. What areas do these rules cover?
- Answer: The rules address multiple areas, including consent management, data breach notifications, grievance handling, and more, to ensure smooth execution of the Act.
4. Are these rules optional?
- Answer: No, the rules are mandatory for stakeholders, including Data Fiduciaries and Data Protection Officers, who must comply with them.
Conclusion
Section 40 of the DPDP Act empowers the Central Government to create rules to implement the provisions of the Act effectively. These rules will address a range of matters, such as data breach notifications, data processing requirements, and the appointment of officials to the Data Protection Board. This framework ensures compliance and provides clear guidelines for all stakeholders involved.
For more insights into the DPDP Act and its provisions, visit ApniLaw, your trusted source for legal knowledge.
