The Government of India Gazetted the DPDPA on August 11 2023. The Minister of IT Sri Rajeev Chandrashekar has announced that the DPB will be constituted and some rules will be notified within the next 3 weeks.
Under the DPDPA at least 26 rules are required to be notified. Not all of these may be notified immediately but they may come in stages.
The set of rules that can be expected are as follows
Sl No | Section 40 | Description |
1 | (r) | the manner of appointment of the Chairperson and other Members of the Board under sub-section (2) of section 19; |
2 | (s) | the salary, allowances and other terms and conditions of services of the Chairperson and other Members of the Board under sub-section (1) of section 20; |
3 | (t) | the manner of authentication of orders, directions and instruments under sub-section (1) of section 23; |
4 | (u) | the terms and conditions of appointment and service of officers and employees of the Board under section 24 |
5 | (v) | the techno-legal measures to be adopted by the Board under sub-section (1) of section 28; |
6 | (w) | the other matters under clause (d) of sub-section (7) of section 28; |
7 | (a) | the manner in which the notice given by the Data Fiduciary to a Data Principal shall inform her, under sub-section (1) of section 5; (purpose) |
8 | (b) | the manner in which the notice given by the Data Fiduciary to a Data Principal shall inform her, under sub-section (2) of section 5; ( Rights) |
9 | (h) | the manner of publishing the business contact information of a Data Protection Officer under sub-section (9) of section 8; |
10 | (g) | the time period for the specified purpose to be deemed as no longer being served, under sub-section (8) of section 8; |
11 | (k) | the other matters comprising the process of Data Protection Impact Assessment under sub-clause (i) of clause (c) of sub-section (2) of section 10; |
12 | (l) | the other measures that the Significant Data Fiduciary shall undertake under sub-clause (iii) of clause (c) of sub-section (2) of section 10; |
13 | (m) | the manner in which a Data Principal shall make a request to the Data Fiduciary to obtain information and any other information related to the personal data of such Data Principal and its processing, under sub-section (1) of section 11; |
14 | (n) | the manner in which a Data Principal shall make a request to the Data Fiduciary for erasure of her personal data under sub-section (3) of section 12; |
15 | (p) | the manner of nomination of any other individual by the Data Principal under sub-section (1) of section 14; |
16 | (o) | the period within which the Data Fiduciary shall respond to any grievances under sub-section (2) of section 13 |
17 | (x) | the form, manner and fee for filing an appeal under sub-section (2) of section 29 |
18 | (y) | the procedure for dealing an appeal under sub-section (8) of section 29; |
19 | (c) | the manner of accountability and the obligations of Consent Manager under sub-section (8) of section 6; |
20 | (d) | the manner of registration of Consent Manager and the conditions relating thereto, under sub-section (9) of section 6; |
21 | (e) | the subsidy, benefit, service, certificate, licence or permit for the provision or issuance of which, personal data may be processed under clause (b) of section 7; |
22 | (f) | the form and manner of intimation of personal data breach to the Board under sub-section (6) of section 8 |
23 | (i) | the manner of obtaining verifiable consent under sub-section (1) of section 9; |
24 | (j) | the classes of Data Fiduciaries, the purposes of processing of personal data of a child and the conditions relating thereto, under sub-section (4) of section 9; |
25 | (q) | the standards for processing the personal data for exemption under clause (b) of sub-section (2) of section 17; |
26 | (z) | any other matter which is to be or may be prescribed or in respect of which provision is to be, or may be, made by rules…including who is a Significant Data Fiduciary |
Naavi