Rule 7
Intimation of personal data breach
- On becoming aware of any personal data breach, the Data Fiduciary shall, to the best of its knowledge, intimate to each affected Data Principal, in a concise, clear and plain manner and without delay, through her user account or any mode of communication registered by her with the Data Fiduciary,—
a. a description of the breach, including its nature, extent and the timing and location of its occurrence;
b. the consequences relevant to her, that are likely to arise from the breach;
c. the measures implemented and being implemented by the Data Fiduciary, if any, to mitigate risk;
d. the safety measures that she may take to protect her interests; and
e. business contact information of a person who is able to respond on behalf of the Data Fiduciary, to queries, if any, of the Data Principal.
- On becoming aware of any personal data breach, the Data Fiduciary shall intimate to the Board,—
a. without delay, a description of the breach, including its nature, extent, timing and location of occurrence and the likely impact;
b. within seventy-two hours of becoming aware of the same, or within such longer period as the Board may allow on a request made in writing in this behalf,—
i) updated and detailed information in respect of such description;
ii) the broad facts related to the events, circumstances and reasons leading to the breach;
iii) measures implemented or proposed, if any, to mitigate risk;
iv) any findings regarding the person who caused the breach;
v) remedial measures taken to prevent recurrence of such breach; and
vi) a report regarding the intimations given to affected Data Principals.
- In this rule, “user account” means the online account registered by the Data Principal with the Data Fiduciary, and includes any profiles, pages, handles, email address, mobile number and other similar presences by means of which such Data Principal is able to access the services of such Data Fiduciary.