PRIVACY NOTICE FOR INDIA USERS

India-Specific Privacy Information/Rights

1. Introduction

This Notice supplements our general Milgo Privacy Policy [LINK TO GENERAL POLICY] (our “Privacy Policy”). Digital transactions have transformed economic as well as social interactions. The use of personal data for the provision of services and other purposes is a common aspect of such transactions. Therefore, protection of personal data has become a pre-requisite for the growth of the digital economy. The Digital Personal Data Protection Act, 2023 (DPDPA) was introduced in India on August 11, 2023 with the aim of safeguarding personal data in the digital age; however, it has not yet come into force (as on April 25, 2024), and the Rules that will implement the DPDPA are still being framed.

2. Purpose

The DPDPA envisages the processing of digital personal data in a manner that recognizes both the right of the individuals to protect their personal data and the need to process personal data for lawful purposes; and for matters connected therewith. Specifically, the DPDPA is a legislation that frames the rights and duties of the citizen on one hand and the obligations to use data collated lawfully on the other.

3. Prevalent framework and way forward

Before the introduction of the DPDPA, India did not have a standalone legislation on data protection, and the use of personal data was regulated under the Information Technology Act, 2000 and its Rules. As and when the DPDPA comes into effect, it will have implications for relevant provisions of the Information Technology Act, 2000 [including the omission of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (‘the Rules’)] and the Right to Information Act, 2005 vis-à-vis personal data/information.

The DPDPA will also omit the extant provision of the Information Technology Act, 2000 which provides for ‘Compensation for failure to protect data’. The said provision and the Rules made to implement reasonable security practices and procedures envisage the following:

  1. A body corporate (any company/firm/sole proprietorship/association of individuals engaged in commercial or professional activities) possessing, dealing or handling any sensitive personal data or information (prescribed in the Rules; e.g. password, financial information, health condition, sexual orientation, medical records, biometrics) which is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person, shall be liable to pay damages by way of compensation to the person so affected.
  2. The relevant body corporate shall provide a privacy policy for handling of or dealing in personal information including sensitive personal data and ensure that the same is available for view by such providers of information. Such policy shall be published on website of the body corporate and provide for, among others, purpose of collection and usage of such information. The body corporate shall obtain consent in writing from the provider of sensitive personal data or information regarding purpose of usage before collection of such information. Collection ought to be for lawful purpose and necessary for the contemplated purpose. The information so collected should not be retained for longer than required and used only for the purpose it is collected.
  3. The provider of information should have the option of not sharing data/personal information and also the option to withdraw consent given earlier. Disclosure of data/personal information shall require prior permission from the provider unless agreed to in a contract or necessary for compliance of a legal obligation.
  4. With respect to paragraph 1 above, reasonable security practices and procedures means security practices and procedures designed to protect such information from unauthorised access, damage, use, modification, disclosure or impairment, as may be specified in an agreement between the parties/in any law.
  5. A body corporate will be considered to have complied with reasonable security practices and procedures, if it has implemented the same and has a comprehensive documented information security programme and information security policies that contain managerial, technical, operational and physical security control measures that are commensurate with the information assets being protected with the nature of business.
  6. In the event of an information security breach, the body corporate shall be required to demonstrate that it has implemented security control measures as per its documented information security programme and information security policies. The International Standard IS/ISO/IEC 27001 on "Information Technology – Security Techniques - Information Security Management System - Requirements" is one such standard.
  7. The body corporate which has implemented either IS/ISO/IEC 27001 standard or the approved codes of best practices for data protection shall be deemed to have complied with reasonable security practices and procedures provided such standard or the codes have been certified or audited on a regular basis through independent auditor, duly approved by the Central Government. The audit shall be carried out at least once a year or as and when the body corporate undertakes significant upgradation of its process and computer resource.

4. Key provisions of the DPDPA
  • The provisions of the DPDPA shall be in addition to and not in derogation of any other law and in the event of a conflict with any other law, the provisions of the DPDPA will prevail. Under the DPDPA, consent is the essence and will serve businesses’ primary basis for data processing.
  • The Data Principal (individual to whom the personal data relates) shall comply with all applicable laws and ensure not to impersonate another person, suppress any material information, register a false or frivolous grievance or complaint and will furnish only such information which is verifiably authentic.
  • A Data Fiduciary (person determining the purpose and means of processing data) - subject to exceptions - shall not process personal data that is likely to cause any detrimental effect on the well-being of a child and will not undertake tracking or behavioral monitoring of children or targeted advertising directed at children. ‘Child’ means an individual who has not completed the age of eighteen years.
  • Request for consent for sharing personal data has to be made to the Data Principal outlining the purpose for processing the data. The request should be in a clear and plain language (English or any other official language) providing details of the Data Protection Officer or any other person authorized to respond to any communication from the Data Principal. The consent so provided should be specific, informed, unconditional and unambiguous for the specified purpose.
  • The Data Principal may give, manage, review or withdraw her consent to the Data Fiduciary through a Consent Manager (a person registered with the Data Protection Board of India, to be established under the DPDPA; ‘the Board’). The Consent Manager will act as a single point of contact and interact with the Data Principal through an accessible, transparent and interoperable platform. The Consent Manager shall be accountable to the Data Principal.
  • Where data processing of personal data is on the basis of consent of the Data Principal, the Data Principal shall have the right to withdraw her consent at any time with the ease of doing so being comparable to the ease with which such consent was given. In case of withdrawal, the consequences shall be borne by the Data Principal. If any question vis-à-vis consent for processing of personal data arises in a proceeding, the Data Fiduciary shall be obliged to prove that a notice was given to the Data Principal and consent was given by her in accordance with the provisions of the DPDPA.
  • Where personal data processed by the Data Fiduciary is likely to be used to make a decision that affects the Data Principal or is to be disclosed to another Data Fiduciary, the Data Fiduciary processing such personal data shall ensure its completeness, accuracy and consistency. Moreover, the Data Fiduciary shall implement appropriate technical and organizational measures to ensure effective observance of the provisions of the DPDPA and/or its Rules (as and when framed). Additionally, the Data Fiduciary shall protect personal data in its possession or under its control by taking reasonable security safeguards to prevent personal data breach.
  • In the event of a personal data breach, the Data Fiduciary shall give intimation of such breach to the Board and each affected Data Principal.
  • The Data Fiduciary shall erase personal data, and cause its Data Processor (any person who processes personal data on behalf of the Data Fiduciary) to erase personal data, upon withdrawal of consent by the Data Principal or as soon as the specified purpose is no longer being served, whichever is earlier.
  • The Data Principal shall have the right to obtain from the Data Fiduciary a summary of the personal data, the identities of all other Data Fiduciaries/Data Processors with whom the data has been shared, and any other information relating to the personal data and its processing.
  • The Data Principal shall have the right to correction, completion, updation and erasure of her personal data for which consent has been given.
  • A grievance redressal mechanism is to be made readily available to the Data Principal in respect of any act or omission of the Data Fiduciary/Consent Manager regarding the performance of their obligations in relation to the personal data of such Data Principal or the exercise of her rights.
  • The Data Principal shall have the right to nominate any other individual in the event of death or incapacity of the Data Principal, who shall exercise the rights of the Data Principal.