General obligations of Data Fiduciary
Bare Law
Section 9(1)
A Data Fiduciary shall, irrespective of any agreement to the contrary, or noncompliance of a Data Principal with her duties specified in this Act, be responsible for complying with the provisions of this Act in respect of any processing undertaken by it or on its behalf by a Data Processor or another Data Fiduciary.
Section 9(2)
A Data Fiduciary shall make reasonable efforts to ensure that personal data processed by or on behalf of the Data Fiduciary is accurate and complete, if the personal data:
(a) is likely to be used by the Data Fiduciary to make a decision that affects the Data Principal to whom the personal data relates; or
(b) is likely to be disclosed by the Data Fiduciary to another Data Fiduciary.
Illustration
'A' has instructed her mobile service provider 'B' to mail physical copies of monthly bills to her postal address. Upon a change in her postal address, 'A' duly informs 'B' of her new postal address and completes necessary KYC formalities. 'B' should ensure that the postal address of 'A' is updated accurately in its records.
Section 9(3)
(3) A Data Fiduciary shall implement appropriate technical and organizational measures to ensure effective adherence with the provisions of this Act.
Section 9(4)
(4) Every Data Fiduciary and Data Processor shall protect personal data in its possession or under its control by taking reasonable security safeguards to prevent personal data breach.
Section 9(5)
(5) In the event of a personal data breach, the Data Fiduciary or Data Processor as the case may be, shall notify the Board and each affected Data Principal, in such form and manner as may be prescribed.
Section 9(6)
(6) A Data Fiduciary must cease to retain personal data, or remove the means by which the personal data can be associated with particular Data Principals, as soon as it is reasonable to assume that:
(a) the purpose for which such personal data was collected is no longer being served by its retention; and
(b) retention is no longer necessary for legal or business purposes.
Illustration
'A' creates an account on 'X', a Social Media Platform. As part of the process of creating the account, 'A' shares her personal data with 'X'. After three months, 'A' deletes the account. Once 'A' deletes the account, 'X' must stop retaining the personal data of 'A' or remove the means by which the personal data of 'A' can be associated with 'A'.
Illustration
'A' opens a savings account with a bank. As part of KYC formalities, 'A' shares her personal data with the bank. After six months, 'A' closes the savings account with the bank. As per KYC rules, the bank is required to retain personal data for a period beyond six months. In this case, the bank may retain 'A's' personal data for the period prescribed in KYC Rules because such retention is necessary for a legal purpose.
Section 9(7)
(7) Every Data Fiduciary shall publish, in such manner as may be prescribed, the business contact information of a Data Protection Officer, if applicable, or a person who is able to answer on behalf of the Data Fiduciary, the Data Principal's questions about the processing of her personal data.
Section 9(8)
(8) Every Data Fiduciary shall have in place a procedure and effective mechanism to redress the grievances of Data Principals.
Section 9(9)
(9) The Data Fiduciary may, where consent of the Data Principal has been obtained, share, transfer or transmit the personal data to any Data Fiduciary, or engage, appoint, use or involve a Data Processor to process personal data on its behalf, only under a valid contract. Such Data Processor may, if permitted under its contract with the Data Fiduciary, further engage, appoint, use, or involve another Data Processor in processing personal data only under a valid contract.
Section Definitions
For the purpose of this section "affected Data Principal" means any Data Principal to whom any personal data affected by a personal data breach relates.