Differences observed under the IT Rules and DPDPA
On a comparison of the privacy or consent notice requirements under the DPDPA with those under the IT Rules, it is observed that a privacy policy published pursuant to the IT Rules may not contain information on DPBI, grievance redressal, or exercise of rights of Data Principals. A Data Principal has a separate right under the DPDPA to obtain, from a Data Fiduciary, information on the recipients of the former’s personal data, including the categories of personal data disclosed to recipients.
It the absence of a mention of the Data Principals’ rights under the DPDPA in a Privacy Notice, specifying the way Data Principals may reach out to the grievance redressal mechanism of a Data Fiduciary, the notice may not fulfill the intent and/or purpose of the Privacy Notice. Thus, familiarizing the Data Principals with information on their rights via a Privacy Notice could be one of the key considerations while drafting/modifying a Privacy Notice.
Additionally, DPDPA (Section 5) does not explicitly mandate the Data Fiduciaries to provide information in the Privacy Notice on data retention, data processing locations, personal data processing to comply with legal requirements, the manner in which changes to the existing privacy notice may take place, and the use of consent managers. It is a good industry practice to include these items as additional information to ensure greater transparency about an organization’s data processing practices. Perhaps, the upcoming Rules under the DPDPA may enunciate details.
In addition to the above, DPDPA obligates the Data Fiduciary to provide an option to the Data Principals to access the Privacy Notice in English or any other regional language specified in the Eighth Schedule of the Constitution.
An organization in compliance to the DPDPA is expected to consider all the above-mentioned aspects while constructing a new or modifying the existing privacy policy to align it with the requirements under the DPDPA, 2023.
Source: Barandbench
