29 Audit of policies and conduct of processing, etc

Bare Act

Section 29(1)

The significant data fiduciary shall have its policies and the conduct of its processing of personal data audited annually by an independent data auditor under this Act.

Section 29(2)

The data auditor shall evaluate the compliance of the data fiduciary with the provisions of this Act, including—

(a) clarity and effectiveness of notices under section 7;

(b) effectiveness of measures adopted under section 22;

(c) transparency in relation to processing activities under section 23;

(d) security safeguards adopted pursuant to section 24;

(e) instances of personal data breach and response of the data fiduciary, including the promptness of notice to the Authority under section 25;

(f) timely implementation of processes and effective adherence to obligations under sub-section (3) of section 29; and

(g) any other matter as may be specified by regulations.

Section 29(3)

The Authority shall specify, by regulations, the form and procedure for conducting audits under this section.

Section 29(4)

The Authority shall register in such manner, the persons with expertise in the area of information technology, computer systems, data science, data protection or privacy, possessing such qualifications, experience and eligibility having regard to factors such as independence, integrity and ability,as it may be specified by regulations, as data auditors under this Act.

Section 29(5)

A data auditor may assign a rating in the form of a data trust score to the data fiduciary pursuant to a data audit conducted under this section.

Section 29(6)

The Authority shall, by regulations, specify the criteria for assigning a rating in the form of a data trust score having regard to the factors mentioned in sub-section (2).

Section 29(7)

Notwithstanding anything contained in sub-section (1), where the Authority is of the view that the data fiduciary is processing personal data in such manner that is likely to cause harm to a data principal, the Authority may direct the data fiduciary to conduct an audit and shall appoint a data auditor for that purpose.



  1. Section 29 is not applicable to "small entity" (Ref:Section 39(1))

    The contents of the website is provided "as is", without warranty of any kind, express or Implied, including but not limited to the warranties of merchantability, Fitness for a particular purpose and noninfringement. In no event shall the Authors or copyright holders or sponsorers be liable for any claim, damages or other Liability, whether in an action of contract, tort or otherwise, arising from, Out of or in connection with the website or the use or other dealings in the website.