# Privacy by design policy

# Bare Act

# Section 22(1)

Every data fiduciary shall prepare a privacy by design policy, containing

(a) the managerial, organisational, business practices and technical systems designed to anticipate, identify and avoid harm to the data principal;

(b) the obligations of data fiduciaries;

(c) the technology used in the processing of personal data is in accordance with commercially accepted or certified standards;

(d) the legitimate interests of businesses including any innovation is achieved without compromising privacy interests;

(e) the protection of privacy throughout processing from the point of collection to deletion of personal data;

(f) the processing of personal data in a transparent manner; and

(g) the interest of the data principal is accounted for at every stage of processing of personal data.

# Section 22(2)

Subject to the regulations made by the Authority, the data fiduciary may submit its privacy by design policy prepared under sub-section (1) to the Authority for certification within such period and in such manner as may be specified by regulations.

# Section 22(3)

The Authority, or an officer authorised by it, shall certify the privacy by design policy on being satisfied that it complies with the requirements of sub-section (1).

# Section 22(4)

The privacy by design policy certified under sub-section (3) shall be published on the website of the data fiduciary and the Authority.

# Explanation

# Exemption

  1. Section 22 is not applicable to a "small entity" (Ref: Section 39(1)).

Last Updated: 12 Dec 2019