Digital Personal Data Protection (DPDP) Act, 2023

Core Objectives

  • Regulation: Governs the processing of digital personal data within India.
  • Rights vs. Utility: Balances an individual's right to protect personal data with the necessity of processing data for lawful purposes.
  • Scope: Applies to personal data collected digitally or digitized subsequently. It also applies to data processing outside India if it involves offering goods/services to individuals in India.

Key Stakeholders

  • Data Principal: The individual to whom the personal data relates (for a child, includes the parents or lawful guardian; for a person with a disability, includes the lawful guardian).
  • Data Fiduciary: The entity (private or government), alone or with others, that determines the purpose and means of data processing.
  • Significant Data Fiduciary (SDF): Notified by the Central Government based on factors such as the volume and sensitivity of data processed, risk to the rights of Data Principals, potential impact on sovereignty and integrity of India, risk to electoral democracy, security of the State, and public order. SDFs must appoint a Data Protection Officer (DPO) based in India, appoint an independent data auditor, and conduct periodic Data Protection Impact Assessments and audits.

Consent and Data Rights

  • Notice: Fiduciaries must provide a clear notice before or at the time of seeking consent, describing the personal data to be collected, the purpose of processing, how the Data Principal can exercise their rights, and how to complain to the Data Protection Board.
  • Consent: Must be free, specific, informed, unconditional, and unambiguous, given by a clear affirmative action, and limited to the personal data necessary for the specified purpose.
  • Withdrawal: Principals have the right to withdraw consent at any time, with the ease of withdrawal comparable to the ease with which consent was given.
  • Right to Correction/Erasure: Individuals can request the correction, completion, or updating of inaccurate or incomplete data, and the erasure of data that is no longer necessary for the specified purpose.

Obligations of Data Fiduciaries

  • Security Safeguards: Must implement reasonable security safeguards to prevent personal data breaches, including for processing carried out by any Data Processor engaged on their behalf.
  • Breach Notification: Mandatory reporting of any personal data breach to the Data Protection Board (DPB) and to each affected Data Principal.
  • Data Retention: Data must be erased (and any Data Processor directed to erase it) once the specified purpose is no longer being served, unless retention is necessary for compliance with any law in force.

The Data Protection Board of India (DPB)

  • Establishment: A nominated body by the Central Government.
  • Functions:
    • Inquiry into data breaches.
    • Imposing financial penalties.
    • Directing fiduciaries to take remedial actions.
  • Appellate Process: Appeals against DPB decisions are handled by the Telecom Disputes Settlement and Appellate Tribunal (TDSAT).

Penalties for Non-Compliance

  Nature of Violation                                      Maximum Penalty
  Failure to take reasonable security safeguards           Up to ₹250 Crore
  Failure to notify the Board/Principal of a breach        Up to ₹200 Crore
  Non-fulfilment of obligations related to children        Up to ₹200 Crore
  Breach of any other provision                            Up to ₹50 Crore

Exemptions

  • State Interest: Processing by government agencies for national security, public order, and sovereignty.
  • Legal and Judicial: Processing for the prevention of offenses, legal rights, or judicial functions.
  • Research: Processing for research, archival, or statistical purposes, provided it is not used to make individual-specific decisions.

Processing Data of Children

  • Age Limit: A child is an individual under 18 years of age.
  • Consent: Requires verifiable consent of the parent or lawful guardian before processing a child's personal data.
  • Restrictions: Prohibits processing that is likely to cause a detrimental effect on the well-being of a child, as well as tracking or behavioural monitoring of children and targeted advertising directed at children.