Chapter 5- Rights of data principal

Section 19- Right to data portability

19. (1) Where the processing has been carried out through automated means, the data principal shall have the right to—

(a) receive the following personal data in a structured, commonly used and machine-readable format—

(i) the personal data provided to the data fiduciary;
(ii) the data which has been generated in the course of provision of services or use of goods by the data fiduciary; or
(iii) the data which forms part of any profile on the data principal, or which the data fiduciary has otherwise obtained; and

(b) compliance with the request in sub-section (1) would reveal a trade secret of any data fiduciary or would not be technically feasible.

(2) The provisions of sub-section (1) shall not apply where—

(a) processing is necessary for functions of the State or in compliance of law or order of a court under section 12;
(b) compliance with the request in sub-section (1) would reveal a trade secret of any data fiduciary or would not be technically feasible.

Section 20B- Right to be asked for consent prior to data collection

(We suggest inserting this new provision in the Bill)

20B. Where consent is the basis for processing personal data under this Act pursuant to section 11, consent must be obtained from the data principal—

(a) in close proximity to the time of the collection of personal data, and
(b) in a form and manner required pursuant to section 7 of this Act.

Section 20C- Right relating to automated decision-making

(We suggest inserting this new provision in the Bill)

20C. If an automated tool is used by the entity in whole or part to make decisions regarding an individual, the entity:

(a) must provide meaningful information to the data principal about the basis on which the decision was made, as well as the significance and envisaged consequences of such processing for the individual;
(b) has a duty to disclose reasons for decisions;
(c) must demonstrate through a prior assessment that the tool is predictive for a legitimate purpose and non-discriminatory against protected characteristics;
(d) must be subject to data audits by the Authority.

Section 21- General conditions for the exercise of rights in this Chapter

21. (1) The data principal, for exercising any right under this Chapter, except the right under section 20, shall make a request to the data fiduciary either directly in person, through any electronic or telephonic means, or through a consent manager with the necessary information as regard to his identity, and the data fiduciary shall acknowledge the receipt of such request within such period as may be specified by regulations.

Provided that the data fiduciary shall ensure at all times that the ease of making such a request is comparable to the ease with which consent may be given or withdrawn for collection of personal data.

(2) For complying with the request made under sub-section (1), the data fiduciary may charge such nominal fees as may be specified by regulations;

Provided that no fee shall be required for any request in respect of rights referred to in clause (a) or (b) of sub-section (1) of section 17 or section 18.

(3) The data fiduciary shall comply with the request under this Chapter and communicate the same to the data principal, within such period as may be specified by regulations which shall not exceed ten business days.

(4) Where any request made under this Chapter is refused by the data fiduciary, it shall provide the data principal the reasons in writing for such refusal in accordance with section 7(2) to ensure it is easily comprehensible for the data principal and shall inform the data principal regarding the right to refer the rejection for internal grievance redressal in section 32 of this Act.

(5) If the grievance in sub-section (4) is not resolved within thirty days of its referral, the data fiduciary shall inform the data principals regarding the right to file a complaint with the Authority against the refusal along with complete details relating to filing of the complaint through various means specified under sub-section (1), within such period and in such manner as may be specified by regulations.

(6) The data fiduciary is not obliged to shall comply with any all requests under this Chapter, where such compliance shall harm the rights of any other data principal under this Act.

(a) after balancing the interests of the data principal making the request and the interests of other data principals, it is found that complying with the request will prejudice the interests of such other data principals; and
(b) the data fiduciary cannot protect the interests of such other data principals by anonymising, deidentifying or removing their personal data.