Digital Personal Data Protection (DPDP) Act, 2023

Overview and Scope

  • Purpose: To provide for the processing of digital personal data in a manner that recognizes both the right of individuals to protect their personal data and the need to process such data for lawful purposes.
  • Applicability:
    • Applies to personal data collected in digital form or non-digital data that is subsequently digitized.
    • Extraterritorial Reach: Applies to processing outside India if it involves offering goods or services to data principals (individuals) within India.
  • Exclusions: Does not apply to personal data processed by an individual for personal or domestic purposes, or data made publicly available by the data principal.

Key Stakeholders

  • Data Principal: The individual to whom the personal data relates (includes parents/guardians for children or persons with disabilities).
  • Data Fiduciary: Any person or entity that determines the purpose and means of processing personal data.
  • Data Processor: Any person or entity that processes personal data on behalf of a Data Fiduciary.
  • Consent Manager: A registered entity that acts as a single point of contact for a Data Principal to give, manage, review, and withdraw consent.

Rights of the Data Principal

  • Right to Information: To obtain a summary of data being processed and the identities of all Data Fiduciaries/Processors with whom data is shared.
  • Right to Correction and Erasure: To request the correction of inaccurate data, completion of incomplete data, or updating of outdated information.
  • Right to Grievance Redressal: Access to a mechanism provided by the Data Fiduciary to resolve complaints.
  • Right to Nominate: To appoint a person to exercise rights in the event of the principal's death or incapacity.

Obligations of Data Fiduciaries

  • Lawful Processing: Data can only be processed based on clear, specific, and informed Consent or for "Certain Legitimate Uses" (e.g., medical emergencies, government subsidies).
  • Notice: Fiduciaries must provide a notice in English or any of the 22 languages specified in the 8th Schedule of the Constitution, detailing what data is collected and why.
  • Security Safeguards: Implementation of reasonable security practices to prevent data breaches.
  • Breach Notification: Mandatory reporting of data breaches to the Data Protection Board and affected individuals.
  • Significant Data Fiduciaries (SDFs): Entities handling high volumes of sensitive data must appoint a Data Protection Officer (DPO) and conduct periodic Data Protection Impact Assessments (DPIA).

Data Protection Board of India (DPB)

  • Function: An independent body established by the Central Government to monitor compliance, direct urgent measures during breaches, and adjudicate grievances.
  • Appeals: Decisions of the DPB can be appealed before the Telecom Disputes Settlement and Appellate Tribunal (TDSAT).

Penalties

  • Penalties are determined based on the nature and gravity of the breach.
  • Maximum Limit: Up to ₹250 crore for failure to take reasonable security safeguards to prevent data breaches.
  • Minimum Limit: Up to ₹10,000 for Data Principals failing to perform their duties (e.g., providing false information).

Exemptions

  • State Instrumentalities: The Central Government may exempt government agencies in the interest of national security, public order, or sovereignty.
  • Legal Processes: Processing required for enforcing legal rights, claims, or performing judicial functions.
  • Research/Statistics: Processing for research, archival, or statistical purposes provided it is not used to make decisions regarding a specific individual.