Code: Section 5 DPDP Act
(1) Every request made to a Data Principal under section 6 for consent shall be
accompanied or preceded by a notice given by the Data Fiduciary to the Data Principal,
informing her,—
(i) the personal data and the purpose for which the same is proposed to be
processed;
(ii) the manner in which she may exercise her rights under sub-section (4) of
section 6 and section 13; and
(iii) the manner in which the Data Principal may make a complaint to the Board,
in such manner and as may be prescribed.
Illustration.
X, an individual, opens a bank account using the mobile app or website of Y, a bank.
To complete the Know-Your-Customer requirements under law for opening of bank account,
X opts for processing of her personal data by Y in a live, video-based customer identification
process. Y shall accompany or precede the request for the personal data with notice to X,
describing the personal data and the purpose of its processing.
(2) Where a Data Principal has given her consent for the processing of her personal
data before the date of commencement of this Act,—
(a) the Data Fiduciary shall, as soon as it is reasonably practicable, give to the
Data Principal a notice informing her,––
(i) the personal data and the purpose for which the same has been
processed;
(ii) the manner in which she may exercise her rights under sub-section (4)
of section 6 and section 13; and
(iii) the manner in which the Data Principal may make a complaint to the
Board, in such manner and as may be prescribed.
(b) the Data Fiduciary may continue to process the personal data until and
unless the Data Principal withdraws her consent.
Illustration.
X, an individual, gave her consent to the processing of her personal data for an online
shopping app or website operated by Y, an e-commerce service provider, before the
commencement of this Act. Upon commencement of the Act, Y shall, as soon as practicable,
give through email, in-app notification or other effective method information to X, describing
the personal data and the purpose of its processing.
(3) The Data Fiduciary shall give the Data Principal the option to access the contents
of the notice referred to in sub-sections (1) and (2) in English or any language specified in
the Eighth Schedule to the Constitution.
Explanation of Section 5 DPDP Act
Section 5 of the DPDP Act mandates that Data Fiduciaries must provide a clear and comprehensive notice to Data Principals before requesting consent for processing personal data. This ensures transparency and allows individuals to make informed decisions.
Key Provisions:
- A notice must be given before or at the time of requesting consent under Section 6.
- The notice must explain:
- What data is being collected.
- The purpose of processing.
- How the Data Principal can exercise rights under Section 6(4) and Section 13.
- How to file a complaint with the Data Protection Board.
- For consent obtained before the Act’s commencement, notice must still be provided within a reasonable time.
- Data Fiduciaries can continue processing until consent is withdrawn.
- The notice must be available in English or any of the languages listed in the Eighth Schedule of the Constitution.
Illustration
Example 1: Banking Scenario
X applies for a bank account using a mobile app. Y Bank asks for X’s personal data to complete a video-based KYC process. Before collecting this data, Y must provide a notice outlining what data will be processed, why it is needed, and how X can exercise her rights or raise a complaint.
Example 2: Existing Consent from E-Commerce App
X gave her data to Y, an e-commerce platform, before the DPDP Act came into force. After the Act’s commencement, Y must provide X with a notice (via email, in-app notification, etc.) detailing what data it has, why it’s being used, and how X can manage her rights or submit a complaint.
Common Questions and Answers on Section 5 DPDP
1. Is it mandatory to provide a notice before taking consent?
Yes, as per Section 5(1), every request for consent under Section 6 must be preceded or accompanied by a notice.
2. What if consent was given before the DPDP Act came into force?
The Data Fiduciary must send a notice to the Data Principal as soon as reasonably practicable after the Act comes into effect, as per Section 5(2).
3. What languages must the notice be available in?
The Data Principal must be given the option to access the notice in English or any language listed under the Eighth Schedule of the Constitution, as per Section 5(3).
4. Can data processing continue if no new consent is obtained post-commencement?
Yes, processing may continue under Section 5(2)(b) until the Data Principal explicitly withdraws her consent.
Conclusion
Section 5 of the Digital Personal Data Protection Act, 2023, plays a vital role in ensuring informed consent and transparency. It establishes that Data Fiduciaries must notify Data Principals of the purpose and nature of data processing, their rights, and how to seek redress. This section reinforces accountability and empowers individuals to take control of their personal data.
Stay updated on the latest developments in data privacy law with ApniLaw.
