Co-authored by Rahul Dwarkadas (Partner) | Rohini Jaiswal (Senior Associate)
1. Legal background
The data privacy and protection regime in India is presently governed by the Information Technology Act, 2000 (“IT Act 2000”) read with the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (“SPDI Rules”).
i. Consent, Notice and Transparency
ii. Definition Clause
iii. User Information
v. Sharing and storage of user data
An organization must obtain the user's permission before disclosing collected PI / SPDI to third parties and/or its affiliates, except where such disclosure is mandated under law. Further, its policy should contain data retention clauses governing the period of retention and the manner of disposal once the purpose of collection has been served.
vi. Data security
vii. Notification of change
Additionally, the organization must announce periodic reviews of and updates to the policy to its users, for example by email or via website pop-ups.
viii. Contact information
ix. Dispute Resolution
The SPDI Rules require the organization to appoint a Grievance Officer to whom users can report complaints, including complaints that the organization has not satisfactorily redressed.
Section 43A, IT Act 2000.
Section 5(9), SPDI Rules.