Data Principal are the individual to whom the private or personal data relates and where such individual is:
- Child, including the lawful guardian or parents of such child
- Also, a person with a disability, including their lawful guardian, acting on their
Digital Data Protection Act, 2023 (“Act”) provides several rights to the data principals, these rights include the right to know what personal/private data is processed, the right to erasure, right to correction but these right is only the available to them when the personal data is provided with free consent.
Consent is the primary legal ground of the Data Protection Act for the collection or processing of the Data. This mechanism is divided into 2 parts; the first is General Consent which is defined under Section 6 of the Act and the second mechanism is given under Section 7 of the Act which is General Legitimate Uses earlier known as deemed consent.
Before processing of the data of an individual consent must be taken from them and the consent must be free from coercion, fraud, misrepresentation, undue influence, and mistake. Also, the consent that is collected must be informed, specific, and in a revocable manner.
Once the consent has been revoked by the Data Principal, the processing of their data may continue if such processing without their consent is required or authorized under the provision of the Act or any other laws in India.
- Right to Access
- Right to Nominate
- Right to Grievance Redressal
- Right to Correction
- Right to Access
Data principals have the right to seek a summary of their data provided by Data Fiduciary. Also, the processing activities in which their data is being utilized. They have also the right to seek the identities of those data fiduciaries with whom their data is shared. Any other information which is related to the personal data of such principal as may be prescribed by the Central Government.
Right to Nominate
In case of death or uncertainty or being incapable the data principal may appoint their nominee to exercise their rights.
Right to Grievance Redressal
The data principal can raise their grievances relating to the performance of obligations by Data Fiduciaries, with timelines and manner of redressal yet to be specified. Further, grievances must be raised before the Data Fiduciary before approaching the Board.
Right to correction
A Data Principal may request the correction, completeness, updating, or deletion of personal data obtained by the Data Fiduciary through permission or lawful use. The method of such adjustment has yet to be determined. Personal data, on the other hand, must be preserved if ‘essential’ for the specified purpose or compliance with any legislation.
Notably, this gives the Data Fiduciary broad freedom to determine whether data retention is ‘essential’ in the absence of any other standards or criteria. The data principal may also request the data fiduciary for erasure of their personal data which is no longer serving the purpose for which it is taken.
Duties of Data Principal
Great power comes with great responsibility so where there is a right is also a duty. The act imposes many duties upon the Data Principal and also the fine for violating such imposed duties. Section 15 of the Data Protection Act talks about the duties of the Data Principal such duties are mentioned below:
- Duty to comply with legal requirements
- Duty to provide correct and authentic information
- Duty not to register a false grievance
- No impersonation while providing personal
- Duty not to suppress any material information while submitting personal data for unique identifiers, documents, addresses, or identity
Noncompliance with duty may lead to a Data Principal fine of up to INR 10,000.
In conclusion, the Data Protection Act recognizes and safeguards the rights of data principals, particularly children and individuals with disabilities. It emphasizes the significance of informed, free, and revocable consent as the primary legal ground for data collection and processing. Data principals have a range of rights, including the right to access, nominate representatives, seek grievance redressal, and request corrections to their personal data.
However, these rights are coupled with duties, and non-compliance may result in fines. This framework aims to strike a balance between protecting personal data and ensuring responsible behavior by data principals and fiduciaries in India.
Disclaimer: The above article is based on the personal interpretation of the related orders and laws. The readers are expected to take expert opinions before relying upon the article. For more information, please contact us