Comprehensive analysis of fundamental terms including Data Principal, Data Fiduciary, Data Processor, Personal Data, Consent Manager, and Significant Data Fiduciary.
The Digital Personal Data Protection Act, 2023 ("DPDP Act") represents a significant stride in India's data protection framework. This legislation, officially notified in the gazette on August 11, 2023, establishes the rules for processing digital personal data within the country.
The aim of this article is to analyse the fundamental terms used within the legislation. A clear understanding of these terms is crucial for individuals as well as organisations to navigate their rights and responsibilities in the digital age.
Section 2(j) of the DPDP Act defines a Data Principal as an individual to whom the personal data relates. It includes the parents or lawful guardians of a child or a lawful guardian of a person with disabilities. Essentially, a natural person is the subject of the personal data which is being processed. Such Data Principals have primary rights and control over their personal information.
A customer providing personal details on an e-commerce website for a purchase or an employee whose personal information is processed by their employer are Data Principals under the DPDP Act.
Section 2(i) of the DPDP Act, 2023 defines a Data Fiduciary as a person who either alone or in conjunction with others determines the purpose and means of processing the personal data of the Data Principal. In other words, the Data Fiduciary decides how and why the personal data will be processed.
An online retailer collecting customer data to deliver the customer's order, or a university collecting information about its students for academic purposes, are Data Fiduciaries within this legislation.
Section 2(k) of the DPDP Act defines the Data Processor as a person who processes personal data of the Data Principal on behalf of a Data Fiduciary. Such a processor acts solely on the instructions of the Data Fiduciary.
A cloud storage provider storing data for a company on the company's instructions, or a marketing agency sending promotional emails on behalf of a retailer while following the retailer's guidelines, are Data Processors within the ambit of this legislation.
Section 2(h) of the DPDP Act, 2023 defines data as a representation of information, facts, opinions, concepts, or instructions which are required for the purposes of communication, interpretation, or processing by humans or automated means. The scope of data within the legislation is broad enough to encompass various digital information including factual data, opinions, concepts and instructions for computer systems.
Records of financial transactions, biometrics and contact details also fall within the ambit of data.
Section 2(n) of the DPDP Act defines digital personal data as the personal data which is maintained in a digital form. In other words, personal data recorded in a hard copy or in a physical form is excluded.
The term "digital personal data" includes personal data which might initially be collected physically but was later digitised.
Customer details held in a CRM system or the electronic health records of patients in a hospital are examples of digital personal data.
A Data Protection Officer is defined under Section 2(l) of the DPDP Act as an individual appointed by a Significant Data Fiduciary (SDF). He serves as a point of contact within the organization and is responsible for managing the organization's overall privacy compliance operations. The Data Protection Officer is required to be based in India and report to the highest level of management. Every entity classified as a Significant Data Fiduciary must mandatorily appoint such an officer.
Personal data is defined under Section 2(t) of the DPDP Act as any data about an individual who is identifiable by or in relation to such data. The scope of the definition is wide and it includes direct and indirect identifiers. However, the DPDP Act does not explicitly categorise the data into "sensitive" and "non-sensitive" personal data.
Name and email address (direct identifiers), as well as vehicle registration number and employee ID (indirect identifiers when linked to an individual), fall within the definition of personal data. The definition also includes within its ambit sensitive personal data such as biometric information.
A Consent Manager is defined under Section 2(g) of the DPDP Act as a person registered with the Data Protection Board. The Consent Manager acts as a single point of contact for Data Principals to manage their consents. In other words, a Consent Manager provides a platform on which Data Principals can manage, review, and withdraw consent. The aim of establishing the position of Consent Manager was to ensure that the process is transparent and that the ultimate authority vests with the Data Principals.
A Significant Data Fiduciary is defined under Section 2(z) of the DPDP Act as a Data Fiduciary notified as such by the Central Government. Data Fiduciaries are classified as Significant Data Fiduciaries on the basis of the volume and sensitivity of the data being processed, the risk that such processing poses to Data Principals and their rights, the impact on national interests, and similar factors.
For instance, banking institutions and hospitals may be categorised as Significant Data Fiduciaries. These entities have additional obligations including mandatory appointment of a Data Protection Officer, appointment of an independent data auditor, periodic audits and implementation of Data Protection Impact Assessments (DPIAs).
As per Section 2(za) of the DPDP Act, a specified purpose is the purpose provided for in the notice issued to the Data Principal by the Data Fiduciary. The Data Fiduciaries are under a mandatory obligation to communicate the specific purposes of processing data to the Data Principals before obtaining their consent.
Collecting an address for shipping and then using it for marketing without separate consent is a violation.
Understanding the key definitions outlined in the DPDP Act is fundamental for both individuals seeking to exercise their rights and organizations striving for compliance. The legislation establishes a framework that emphasizes individual empowerment, transparency, and accountability in the processing of digital personal data.
While these definitions provide a solid foundation, it is important to note that the implementation and interpretation of the DPDP Act are ongoing processes. Staying up to date with these developments will be crucial for navigating the evolving landscape of data protection in India.