DPDP Examples Explained

n the given example, X is an individual who wants to open a bank account with Y, a bank. To comply with the legal requirements of Know-Your-Customer (KYC) procedures for opening a bank account, X chooses to undergo a live, video-based customer identification process offered by Y. This process involves X providing her personal data to Y for verification purposes. 

To ensure transparency and inform X about the processing of her personal data, Y is required to follow certain steps:

 

  1. Notice to X: Before initiating the video-based customer identification process, Y must provide X with a notice. This notice serves as a communication to X, informing her about the details of the personal data that will be collected, processed, and used by Y, as well as the specific purpose for which the data will be processed. This notice is essential to ensure that X is aware of how her personal data will be handled and for what purpose.
  2. Description of Personal Data: The notice from Y should include a clear description of the types of personal data that will be collected during the video-based process. This may include details such as X’s name, address, date of birth, identification documents (like Aadhar, passport, etc.), and any other information necessary for completing the KYC process.
  3. Purpose of Processing: Along with describing the personal data, the notice should also specify the purpose for which Y will be processing X’s personal data. In this case, the primary purpose is to verify X’s identity and fulfill the KYC requirements as mandated by law. Y should clearly state that the collected data will only be used for this specific purpose and will not be used for any other unrelated activities.

In the given example, let’s break down the scenario step by step:

  1. X, an Individual: X is a person who uses an online shopping app or website operated by Y, an e-commerce service provider.
  2. Consent Before the Commencement of the Act: Before the Digital Personal Data Protection Act came into effect, X had already given her consent to Y for the processing of her personal data on the online shopping app. This consent was likely obtained in accordance with the terms and conditions provided by Y’s platform at that time.
  3. Commencement of the Act: The Digital Personal Data Protection Act, 2023 came into effect on a specific date.
  4. Obligation of Y After Commencement: Upon the Act’s commencement, Y, the e-commerce service provider, is required to take certain actions:
    • Provide Information to X: Y needs to provide information to X about the personal data that they have collected or are processing. This information should include details about the specific personal data that Y has about X, as well as the purpose for which this data is being processed.
    • Communication Methods: Y must inform X about this through appropriate means, such as email, in-app notifications, or any other effective method that ensures X receives this information.
    • Timing: Y should do this “as soon as practicable,” which means they should provide this information promptly after the commencement of the Act.

In this example, there are two key actions involved: X downloading a telemedicine app called Y and providing consent for data processing.

  1. Downloading Telemedicine App Y: X, an individual, downloads a telemedicine app named Y. This app likely provides medical consultation services remotely through digital means, such as video calls or chat.
  2. Consent for Data Processing:
    • Telemedicine Services: The app Y requests consent from X to process her personal data for the purpose of making available telemedicine services. This means that the app will require access to X’s personal information to provide medical consultation and related services.
    • Accessing Mobile Phone Contact List: The app Y also requests X’s consent to access her mobile phone’s contact list. This access to her contact list is not necessary for providing telemedicine services, as it doesn’t directly contribute to the medical consultation process.

 

Issue with Consent: X provides her consent for both the processing of her personal data for telemedicine services and accessing her mobile phone’s contact list. However, it’s mentioned that the contact list access is not necessary for providing the telemedicine services.

Resolution: Given that the access to the phone contact list is not required for telemedicine services, X’s consent should have been limited to only the processing of her personal data for the purpose of making available telemedicine services. This means that the consent she provides should only cover the necessary data processing actions directly related to providing medical consultation. Access to her phone’s contact list should not have been included in the consent scope.

In this example, X is an individual who purchases an insurance policy from Y, an insurance company, using their mobile app or website. As part of the process, X provides her consent for Y to process her personal data. Specifically, she consents to Y using her personal data for the purpose of issuing the insurance policy. However, X also includes a clause in her consent where she waives her right to file a complaint with the Data Protection Board of India.

The Data Protection Board of India is a regulatory body responsible for overseeing and enforcing the provisions of the Digital Personal Data Protection Act, 2023. This Act aims to protect individuals’ personal data and establishes various rights and obligations for data fiduciaries (entities that collect and process personal data) and data principals (individuals whose data is being collected).

The example highlights two components of X’s consent:

 

  1. Processing of Personal Data for Insurance Policy: X’s consent for Y to process her personal data for the purpose of issuing the insurance policy is valid. When individuals engage with companies like insurance providers, they often need to provide personal data for various purposes, such as policy issuance, claims processing, and customer support. This is a legitimate use of personal data and is aligned with the purpose for which X is interacting with Y.
  2. Waiver of Right to File Complaint: X’s inclusion of a clause that waives her right to file a complaint with the Data Protection Board of India is invalid. The right to file complaints and seek redressal is an essential feature of data protection regulations. Individuals have the right to raise concerns about the misuse of their personal data and seek resolution through regulatory mechanisms. By waiving this right, X is attempting to give up a safeguard that ensures her data protection rights are upheld. Such a waiver is contrary to the principles of data protection laws, as these laws are designed to ensure individuals have a way to address any violations of their data rights.

In this example, X represents an individual who is using an online shopping app or website operated by Y, an e-commerce service provider. When X uses the app or website, she agrees (consents) to Y processing her personal data for the purpose of fulfilling her supply order. This personal data could include information like her name, contact details, payment information, and order details.

X places an order for a product through the app or website and also makes the required payment. This means that X has provided her consent for Y to process her personal data for the specific purpose of delivering the product she ordered. Y needs to process this personal data to ensure the successful delivery of the ordered product.

Now, let’s consider two scenarios:

1. X Does Not Withdraw Consent:

  • If X does not withdraw her consent, Y can continue to process her personal data to fulfill the supply order as agreed upon.
  • Y will deliver the ordered product to X’s provided address and complete the transaction as usual.

 

2. X Withdraws Consent:

  • If X decides to withdraw her consent for Y to process her personal data, Y may have to stop processing her data for future purposes like sending promotional offers or updates through the app or website.
  • However, in this specific scenario, Y still has a legitimate reason to process X’s personal data to fulfill the supply order that X has already placed and paid for. Therefore, Y can continue processing her data for this specific purpose.
  • Y may disable or limit X’s ability to use the app or website for placing new orders or accessing certain features that require data processing consent. However, since X’s order is already in progress, Y can’t stop processing the necessary personal data related to that specific order.

The provided example involves the interaction between different entities and the processing of personal data under the Digital Personal Data Protection Act, 2023. Here’s a breakdown of the example:

 

  • X: X is a telecom service provider that provides telephone services to its customers. In this context, X is considered a Data Fiduciary as it collects and processes personal data of its customers for various purposes, including sending telephone bills.
  • Y: Y is a Data Processor that has a contract with X to handle certain processing activities on behalf of X. In this case, Y is responsible for emailing telephone bills to the customers of X. Y acts as a processor of personal data on behalf of X.
  • Z: Z is a customer of X, and her personal data is being processed for the purpose of sending telephone bills. Z had previously given her consent to X for the processing of her personal data for the specific purpose of emailing bills.
  • Mobile App: X has a mobile app that allows its customers to manage their telecom services and billing preferences. Z downloads the app and opts to receive her bills exclusively through the app.

 

The scenario mentioned in the example can be explained as follows:

 

  1. Initially, Z had given her consent to X for the processing of her personal data (such as email address) for the purpose of emailing telephone bills.
  2. Later, Z decides to change her preferences and opts to receive her bills only through the mobile app. This means she no longer wants to receive bills via email.
  3. In response to Z’s change in preference, X must ensure that the processing of Z’s personal data for emailing bills ceases immediately. This also applies to Y, the Data Processor that was handling the emailing of bills on behalf of X. Both X and Y are required to stop processing Z’s personal data for emailing bills, as per her updated preferences.

In the example provided, X is an individual who makes a purchase at Y, a pharmacy. X voluntarily provides her personal data to Y and requests Y to acknowledge the receipt of the payment she made for the purchase by sending a message to her mobile phone. In this scenario, Y, the pharmacy, may process the personal data of X for the specific purpose of sending the receipt to her mobile phone.

Here’s a breakdown of the example:

 

  1. X’s Purchase: X makes a purchase at the pharmacy Y. This transaction involves X buying products or services from the pharmacy.
  2. Voluntary Sharing of Personal Data: X voluntarily provides her personal data to Y. This personal data could include information such as her name, contact number (including mobile phone), and details of the purchase she made.
  3. Acknowledgment of Payment: X requests Y to acknowledge the receipt of the payment she made for the purchase. This acknowledgment is expected to be sent to her mobile phone in the form of a message.
  4. Purpose of Processing: Y processes X’s personal data for the specific purpose of sending her the receipt and acknowledgment of payment. This processing is done to fulfill X’s request and to provide her with the necessary information about her transaction.

 

In this scenario, the pharmacy Y is considered a Data Fiduciary, and X is the Data Principal. The processing of X’s personal data by Y for the purpose of sending the receipt falls within the scope of the Digital Personal Data Protection Act. Y is obligated to ensure that it processes X’s personal data in a lawful, fair, and transparent manner, adhering to the principles of data protection and privacy outlined in the Act.

In this scenario, X is an individual seeking assistance from Y, a real estate broker, to find a suitable rented accommodation. X electronically messages Y and provides her personal data for the purpose of identifying such an accommodation. Y, as a real estate broker, may process this personal data to fulfill X’s request and provide her with details about available rental properties.

The Digital Personal Data Protection Act, 2023, emphasizes the protection of personal data and establishes certain rules and obligations for entities handling such data. In this context:

 

  • X is the “Data Principal” since her personal data is being processed.
  • Y is the “Data Fiduciary” as it is responsible for processing X’s personal data for the purpose of finding suitable rented accommodations.

 

Here’s how the process unfolds:

 

  1. Consent: X provides her personal data to Y with the intention of finding a rented accommodation. This sharing of data is based on X’s consent, which is a fundamental requirement under the Act. The Data Fiduciary (Y) must obtain verifiable consent from the Data Principal (X) before processing her personal data.
  2. Purpose Limitation: Y may process X’s personal data to identify suitable rental accommodations and communicate these details to X. This processing is aligned with the purpose for which X provided her data.
  3. Storage and Processing: Y should ensure the security of X’s personal data during storage and processing. It should take reasonable security safeguards to prevent any personal data breaches.
  4. Data Retention: Since X informs Y that she no longer needs assistance, Y should cease processing X’s personal data. This is in line with the Data Fiduciary’s obligation to stop processing personal data when the purpose for which it was collected no longer exists.
  5. Erasure: Additionally, Y should consider erasing or anonymizing X’s personal data, provided there are no legal requirements to retain the data.

In this example, let’s break down the scenario involving a pregnant woman referred to as “X” and her interaction with an app or website for government maternity benefits:

  1. Enrolling for Maternity Benefits Program: X, a pregnant woman, registers on an app or website provided by the government. She does so with the intention of availing benefits offered under the government’s maternity benefits program. This program is designed to provide support and assistance to pregnant women during their pregnancy and postpartum period.
  2. Consenting to Provide Personal Data: During the registration process, X agrees to share her personal data. Personal data could include information such as her name, age, address, medical history, and other relevant details. She consents to the processing of her personal data by the government for the specific purpose of availing maternity benefits.
  3. Processing for Eligibility Determination: The government, upon receiving X’s personal data, processes it to assess her eligibility for the maternity benefits program. This processing involves analyzing her personal information to determine if she meets the criteria set by the government to receive these benefits. Eligibility criteria could include factors like income level, pregnancy stage, medical condition, and more.
  4. Potential Processing for Other Benefits: The scenario also mentions that the government may use the personal data collected from X to assess her eligibility for other prescribed benefits. This indicates that the government may use the same set of personal data for different government assistance programs, beyond just maternity benefits. For example, if there are other programs related to childcare, healthcare, or social welfare, X’s data may be used to determine her eligibility for those programs as well.

In this example, X is an individual who registers on an online marketplace operated by Y, which is an e-commerce service provider. X provides her consent to Y for the processing of her personal data, specifically for the purpose of selling her used car on the platform. The online marketplace facilitates the sale of X’s used car.

Here’s a breakdown of the situation:

 

  1. X’s Registration: X creates an account on the online marketplace, providing her personal details and agreeing to the platform’s terms and conditions.
  2. Consent for Processing: X gives her consent to Y, the e-commerce service provider, for the processing of her personal data. This means X allows Y to collect, store, and use her personal information for the specific purpose of selling her used car on the platform.
  3. Purpose of Processing: The purpose of processing X’s personal data is to facilitate the sale of her used car on the online marketplace. This involves sharing relevant information about the car with potential buyers.
  4. Data Processing by Y: Y, the e-commerce service provider, processes X’s personal data in line with her consent. This includes displaying information about the used car, its specifications, and any other relevant details to attract potential buyers.
  5. Sale of the Used Car: Using the information provided by X, the online marketplace helps connect her with potential buyers who are interested in purchasing her used car. The platform facilitates communication and interactions between X and the buyers.
  6. Conclusion of the Sale: With the assistance of the online marketplace, X successfully concludes the sale of her used car to a willing buyer. The sale transaction is completed through the platform.
  7. Retention of Personal Data: According to the scenario, once the sale is completed, Y, the e-commerce service provider, will no longer retain X’s personal data. This means that Y will delete or remove X’s personal information from its systems since the purpose for which the data was collected (selling the used car) has been achieved.

In this example, X is an individual who decides to close her savings account with Y, a bank. The scenario revolves around the retention of X’s personal data by the bank, Y, after she closes her account. The explanation provided is that the bank is required by a legal obligation applicable to banks to maintain the records of its clients’ identities for a specific duration, which in this case is ten years beyond the closing of the accounts.

Here’s a breakdown of the key points:

  1. X’s Decision: X, the individual, makes the decision to close her savings account with the bank, Y.
  2. Legal Requirement for Data Retention: The law applicable to banks mandates that they must retain records containing the identities of their clients for a specific period. In this case, the law requires Y to retain these records for ten years beyond the closing of accounts. This legal requirement is likely in place for various reasons, such as regulatory compliance, financial audits, legal investigations, and more.
  3. Retaining X’s Personal Data: Due to the legal obligation, Y, the bank, needs to retain X’s personal data (including her identity information) for the stipulated period. This data may include details such as X’s name, address, contact information, identification documents, and account-related information.
  4. Reason for Data Retention: The primary reason for retaining X’s personal data is to ensure compliance with the law that governs banks. By maintaining these records, the bank can fulfill its legal obligations, demonstrate transparency in its operations, and provide necessary documentation if required by regulatory authorities, auditors, or legal entities.
  5. Duration of Data Retention: Y, the bank, is required to retain X’s personal data for a period of ten years beyond the point when X closes her savings account. This extended retention period is specifically set by the law to ensure that the bank has access to client records for a reasonable duration even after the account has been closed.

In the given example, there is a situation involving two parties, X and Y. X is an individual who has taken a loan from Y, which is a bank. X, however, fails to make the monthly repayment instalment for the loan on the scheduled due date. As a result, Y, the bank, has the right to process X’s personal data for the purpose of assessing her financial information, including her assets and liabilities.

Processing personal data in this context refers to any activity related to X’s personal information that the bank undertakes. This can include collecting, storing, analyzing, and using X’s financial data to determine her financial health and ability to meet loan repayment obligations. The bank’s processing of X’s personal data is aimed at evaluating her creditworthiness and assessing the risk associated with her loan repayment.

Under the Digital Personal Data Protection Act, 2023, the bank (Y) would be considered a Data Fiduciary, and X’s personal data would be the data subject to protection. The bank is allowed to process X’s personal data for this specific purpose as part of its legitimate interests in managing its financial transactions and assessing the risk associated with loan repayments. However, the bank is also obligated to ensure the security and protection of X’s personal data throughout this process to prevent any data breaches or misuse.