22 Privacy by design policy

Bare Act

Section 22(1)

Every data fiduciary shall prepare a privacy by design policy, containing

(a) the managerial, organisational, business practices and technical systems designed to anticipate, identify and avoid harm to the data principal;

(b) the obligations of data fiduciaries;

(c) the technology used in the processing of personal data is in accordance with commercially accepted or certified standards;

(d) the legitimate interests of businesses including any innovation is achieved without compromising privacy interests;

(e) the protection of privacy throughout processing from the point of collection to deletion of personal data;

(f) the processing of personal data in a transparent manner; and

(g) the interest of the data principal is accounted for at every stage of processing of personal data.

Section 22(2)

Subject to the regulations made by the Authority, the data fiduciary may submit its privacy by design policy prepared under sub-section (1) to the Authority for certification within such period and in such manner as may be specified by regulations.

Section 22(3)

The Authority, or an officer authorised by it, shall certify the privacy by design policy on being satisfied that it complies with the requirements of sub-section (1).

Section 22(4)

The privacy by design policy certified under sub-section (3) shall be published on the website of the data fiduciary and the Authority.



  1. Section 22 is not applicable to "small entity" (Ref:Section 39(1))

    The contents of the website is provided "as is", without warranty of any kind, express or Implied, including but not limited to the warranties of merchantability, Fitness for a particular purpose and noninfringement. In no event shall the Authors or copyright holders or sponsorers be liable for any claim, damages or other Liability, whether in an action of contract, tort or otherwise, arising from, Out of or in connection with the website or the use or other dealings in the website.