# The Personal Data Protection Bill, 2019

# Chapter I

PRELIMINARY

  1. Short title and commencement.
  2. Application of Act to processing of personal data.
  3. Definitions.

# Chapter II

OBLIGATIONS OF DATA FIDUCIARY

  1. Prohibition of processing of personal data.
  2. Limitation on purpose of processing of personal data.
  3. Limitation on collection of personal data.
  4. Requirement of notice for collection or processing of personal data.
  5. Quality of personal data processed.
  6. Restriction on retention of personal data.
  7. Accountability of data fiduciary.
  8. Consent necessary for processing of personal data.

# Chapter III

GROUNDS FOR PROCESSING OF PERSONAL DATA WITHOUT CONSENT

  1. Grounds for processing of personal data without consent in certain cases.
  2. Processing of personal data necessary for purposes related to employment, etc. 14. Processing of personal data for other reasonable purposes.
  3. Categorisation of personal data as sensitive personal data.

# Chapter IV

PERSONAL DATA AND SENSITIVE PERSONAL DATA OF CHILDREN

  1. Processing of personal data and sensitive personal data of children.

# Chapter V

RIGHTS OF DATA PRINCIPAL

  1. Right to confirmation and access.
  2. Right to correction and erasure.
  3. Right to data portability.
  4. Right to be forgotten.
  5. General conditions for the exercise of rights in this Chapter.

# Chapter VI

TRANSPARENCY AND ACCOUNTABILITY MEASURES

  1. Privacy by design policy.
  2. Transparency in processing of personal data.
  3. Security safeguards.
  4. Reporting of personal data breach.
  5. Classification of data fiduciaries as significant data fiduciaries.
  6. Data protection impact assessment.
  7. Maintenance of records.
  8. Audit of policies and conduct of processing, etc.
  9. Data protection officer.
  10. Processing by entities other than data fiduciaries.
  11. Grievance redressal by data fiduciary.

# Chapter VII

RESTRICTION ON TRANSFER OF PERSONAL DATA OUTSIDE INDIA

  1. Prohibition of processing of sensitive personal data and critical personal data outside India.
  2. Conditions for transfer of sensitive personal data and critical personal data.

# Chapter VIII

EXEMPTIONS

  1. Power of Central Government to exempt any agency of Government from application of the Act.
  2. Exemption of certain provisions for certain processing of personal data.
  3. Power of Central Government to exempt certain data processors.
  4. Exemption for research, archiving or statistical purposes.
  5. Exemption for manual processing by small entities.
  6. Sandbox for encouraging innovation, etc.

# Chapter IX

DATA PROTECTION AUTHORITY OF INDIA

  1. Establishment of Authority.
  2. Composition and qualifications for appointment of Members.
  3. Terms and conditions of appointment.
  4. Removal of Chairperson or other Members.
  5. Powers of Chairperson.
  6. Meetings of Authority.
  7. Vacancies, etc., not to invalidate proceedings of Authority.
  8. Officers and other employees of Authority.
  9. Powers and functions of Authority.
  10. Codes of practice.
  11. Power of Authority to issue directions.
  12. Power of Authority to call for information.
  13. Power of Authority to conduct inquiry.
  14. Action to be taken by Authority pursuant to an inquiry.
  15. Search and seizure.
  16. Co-ordination between Authority and other regulators or authorities.

# Chapter X

PENALTIES AND COMPENSATION

  1. Penalties for contravening certain provisions of the Act.
  2. Penalty for failure to comply with data principal requests under Chapter V.
  3. Penalty for failure to furnish report, returns, information, etc.
  4. Penalty for failure to comply with direction or order issued by Authority.
  5. Penalty for contravention where no separate penalty has been provided.
  6. Appointment of Adjudicating Officer.
  7. Procedure for adjudication by Adjudicating Officer.
  8. Compensation.
  9. Compensation or penalties not to interfere with other punishment.
  10. Recovery of amounts.

# Chapter XI

APPELLATE TRIBUNAL

  1. Establishment of Appellate Tribunal.
  2. Qualifications, appointment, term, conditions of service of Members.
  3. Vacancies.
  4. Staff of Appellate Tribunal.
  5. Distribution of business amongst Benches.
  6. Appeals to Appellate Tribunal.
  7. Procedure and powers of Appellate Tribunal.
  8. Orders passed by Appellate Tribunal to be executable as a decree.
  9. Appeal to Supreme Court.
  10. Right to legal representation.
  11. Civil court not to have jurisdiction.

# Chapter XII

FINANCE, ACCOUNTS AND AUDIT

  1. Grants by Central Government.
  2. Data Protection Authority of India Funds.
  3. Accounts and Audit.
  4. Furnishing of returns, etc., to Central Government.

# Chapter XIII

OFFENCES

  1. Re-identification and processing of de-identified personal data.
  2. Offences to be cognizable and non-bailable.
  3. Offences by companies. 85. Offences by State.

# Chapter XIV

MISCELLANEOUS

  1. Power of Central Government to issue directions.
  2. Members, etc., to be public servants.
  3. Protection of action taken in good faith.
  4. Exemption from tax on income.
  5. Delegation.
  6. Act to promote framing of policies for digital economy, etc.
  7. Bar on processing certain forms of biometric data.
  8. Power to make rules.
  9. Power to make regulations.
  10. Rules and regulations to be laid before Parliament.
  11. Overriding effect of this Act.
  12. Power to remove difficulties.
  13. Amendment of Act 21 of 2000.

# THE SCHEDULE.

Last Updated: 13 Dec 2019