Statutory Compliance

We regularly advise clients on Indian privacy and data protection issues relating to data management processes, transfer of sensitive and personal data to overseas cloud service providers, contractual provisions with data recipients, consent requirements under Indian data privacy laws, employees’ data protection and data privacy, data security, handling and transfer of sensitive employee data outside India, drafting Indian-law-compliant data privacy policies for companies, etc.

The Indian law governing the collection, processing and transfer of personal information and sensitive personal information is the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (the “Data Protection Rules”) under the Information Technology Act, 2000 (the “IT Act”). The Data Protection Rules prescribe certain restrictions and processes to be complied with by data controllers and data processors. The Data Protection Rules are applicable to any information transferred within India or outside India.

The Data Protection Rules apply to “body corporates” (i.e., controllers) in India, but most provisions do not apply to companies that merely process data pursuant to a contract with another entity.

Some of the requirements / restrictions prescribed under the Indian data privacy law include:

  • A company that collects, receives, stores, processes or handles personal or sensitive personal information must provide a privacy policy on the company’s website, which should be accessible to the information providers.
  • Companies must obtain express consent from the information provider regarding the purpose and use of the information.
  • The company should ensure that the information provider is made aware of the purpose for which the information is collected, the intended recipients of the information, the agency collecting the information, the agency retaining the information, etc.
  • The company must not disclose sensitive personal information to a third party without the information provider’s consent.
  • An entity can transfer sensitive personal data or information to another entity or person, whether in India or in any other country, provided that (i) the recipient entity ensures adherence to the same level of data protection, and (ii) the transfer is necessary to comply with a lawful contract, or (iii) the transfer is made with the prior consent of the data provider.
  • The Data Protection Rules provide that entities holding sensitive personal data should not retain the information longer than required for the purpose for which it was collected.
  • Companies must have “reasonable security practices and procedures.” Companies are deemed in compliance if they have a documented security program with managerial, technical, organizational and physical controls. ISO 27001 is provided as a reference standard.