Notice Guide

How to Comply with Section 5 of the Digital Personal Data Protection Act, 2023?

Critical notice requirements that Data Fiduciaries must fulfill when requesting consent

Updated Dec 2024

Section 5 of the Digital Personal Data Protection Act (DPDP Act) establishes the critical notice requirements that Data Fiduciaries must fulfill when requesting consent from Data Principals under Section 6 of the DPDP Act. This provision serves as a foundation for transparent data processing practices. It ensures Data Principals have adequate information before giving consent to the processing of their personal data.

Key Notice Requirements for New Consent Requests

Section 5(1) of the DPDP Act clearly provides that whenever a Data Fiduciary requests consent from the Data Principal, it is bound to provide a clear notice containing certain essential information before or at the time of requesting consent. The notice must include:

1. Specifying the Data Collected

The Data Fiduciary has to specify the personal data that is being collected from the Data Principal.

2. Disclosure of the Purpose of Collection

The Data Fiduciary is obligated to disclose the specific purpose for which the personal data is being collected and processed.

3. Information regarding the Data Principal's rights

The Data Fiduciary has to clearly provide information regarding the rights of the Data Principal. These include the right to withdraw consent under Section 6(4), the right of grievance redressal under Section 13, and the manner in which the Data Principal can make a complaint to the Data Protection Board.

Draft DPDP Rules Requirements

The Draft Digital Personal Data Protection Rules, 2025 (Rules) specify how Data Fiduciaries are required to provide notice to Data Principals for processing their data after obtaining consent. They are also required to explain what these notices entail.

As per Rule 3, the notice sent by the Data Fiduciary must be understandable on its own by the Data Principal and must be in clear language. Do you know what this means for you as a consumer? You no longer have to rely on the existing practice of checking out the hyperlinks or the FAQs to know more. It is an obligation on the Data Fiduciary to answer all of your questions.

The notice must consist of a "fair account" of the following details:

  • Itemised list of personal data
  • Specified purpose of processing and itemised description of goods and services to be provided
  • Communication link for accessing the website or app or both

However, this list is not exhaustive.

Practical Example

Let us understand this with the help of a practical example. When you approach a bank to open a new account in your name and the bank requires you to complete the KYC requirements, the bank must give you a notice describing the personal data being collected and how it will be utilised before it can ask you to provide that personal data.

What Happens in Case of Pre-Existing Consent?

Have you ever wondered what would happen in all those cases where you gave your consent before the DPDP Act actually came into force? The Parliament has specifically dealt with this issue under Section 5(2), which provides:

1. Retrospective Application of the Notice Obligation

"As soon as reasonably practicable," the Data Fiduciaries are required to provide a notice to the Data Principals containing all the essential information as described above.

2. Continued Processing

Data Fiduciaries may continue processing previously collected personal data until the Data Principal explicitly withdraws consent.

Language Accessibility

Worried about whether the notice is in a language you can easily comprehend? Under Section 5(3), the Government has clearly stipulated requirements to ensure that the notice is accessible in the languages provided for in the Eighth Schedule of the Constitution, along with English.

This requirement ensures that language barriers do not prevent individuals from understanding how their personal data will be processed.

Compliance with the DPDP Act

The notice requirements under Section 5 have several significant implications for organizations:

1. Notice Design

Organizations need to design clear, comprehensive notices that fulfill all requirements. They further need to ensure that the notice is easily comprehensible by the Data Principals.

2. Multi-channel Delivery

Notices must be effectively delivered across all platforms and touchpoints where data is collected.

3. Management of Data and Notice Requirements

Organizations must identify all Data Principals whose data was collected before the Act and provide retrospective notices.

4. Multilingual Support

Technical systems must support notices in multiple Indian languages to comply with accessibility requirements.

5. Documentation

Organizations should maintain records of all notices provided to demonstrate compliance.

Before sending a notice, it is important to understand the consent requirements under the Act. To know more, read How to Comply with Section 6 of the DPDP Act, 2023.

Conclusion

Section 5 of the DPDPA establishes notice requirements. They form the foundation of informed consent and keep your businesses free from hefty penalties. Organizations must adapt their consent collection practices to meet these requirements, potentially requiring significant changes to existing user interfaces, communication channels, and data management systems.

Get Started with Data>Nuance

Stay compliant, stay safe. Reach out to Data>Nuance to comply with Section 5 and the other provisions of the DPDPA. Ensure your practices meet legal standards while safeguarding your business from regulatory penalties. Let's make compliance effortless—before regulators make it expensive!
