{"id":1028,"date":"2022-10-14T20:41:25","date_gmt":"2022-10-14T20:41:25","guid":{"rendered":"http:\/\/sh007.global.temp.domains\/~studiobh\/veritaslegal\/?p=1028"},"modified":"2023-04-13T14:33:43","modified_gmt":"2023-04-13T14:33:43","slug":"elements-of-a-privacy-policy-in-india","status":"publish","type":"post","link":"https:\/\/veritaslegal.in\/staging\/elements-of-a-privacy-policy-in-india\/","title":{"rendered":"Elements of a Privacy Policy in India"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\"><em>Co-authored by Rahul Dwarkadas (Partner) | Rohini Jaiswal (Senior Associate)\u00a0<\/em><\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>1. Legal background&nbsp;<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The data privacy and protection regime in India is presently regulated by the Information Technology Act, 2000 (\u201c<strong>IT Act 2000<\/strong>\u201d) in conjunction with the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (\u201c<strong>SPDI Rules<\/strong>\u201d).&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>2. Privacy Policy&nbsp;<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">In compliance with the IT Act 2000 and the SPDI Rules, an organization is mandated to demonstrate its intent to receive, collect, store, process, transmit, protect and utilize personal data (\u201c<strong>PI<\/strong>\u201d) or sensitive personal data (\u201c<strong>SPDI<\/strong>\u201d) provided by its users during the course of its commercial activities&nbsp;<em>via&nbsp;<\/em>a privacy policy<a href=\"#_ftn1\"><sup>[1]<\/sup><\/a>. The privacy policy must be easily accessible to such users&nbsp;<em>via<\/em>&nbsp;publication on the website.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>3.&nbsp;
Fundamental factors of a Privacy Policy<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">A few fundamental factors and pre-conditions to be kept in mind while drafting a privacy policy are as follows:<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>i.&nbsp;<em>Consent, Notice and Transparency<\/em><\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">A privacy policy must be clear and unambiguous, and must contain comprehensible statements of the practices and policies adopted by the organization. The&nbsp;organization must obtain consent before collecting or using such information. Consent includes the notions of \u2018<em>notice<\/em>\u2019 and \u2018<em>choice<\/em>\u2019. \u2018<em>Notice<\/em>\u2019 denotes the manner in which the privacy policy is presented to the users, whereas \u2018<em>choice<\/em>\u2019 is the express option given to users to opt in to and\/or opt out of the sharing of their information.&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>ii.&nbsp;<em>Definition Clause&nbsp;<\/em><\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">A privacy policy should have comprehensive and explicit definitions of the general terms (such as data, users, SPDI, etc.) used in the policy.&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>iii.&nbsp;<em>User Information<\/em><\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">A privacy policy should set out the types of PI or SPDI being collected.&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>iv.&nbsp;<em>Purpose<\/em><\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">A privacy policy must clearly identify, in unambiguous terms, the purpose of data collection. Further, it should have a data minimization clause limiting collection and processing to what is relevant and reasonably necessary to accomplish legitimate commercial purposes. A change in the purpose triggers the requirement of notifying the users of such change.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong><em>v.&nbsp;
Sharing and storage of user data<\/em><\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">An organization&nbsp;must obtain permission from users prior to disclosure of the collected PI \/ SPDI to third parties and\/or its affiliates, except where such disclosure is mandated under law. Further, it should have data retention clauses governing the period of retention&nbsp;and the manner of disposal once the purpose is served.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong><em>vi. Data security<\/em><\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The privacy policy must set out the reasonable security practices and procedures adopted by the organization, including the electronic and physical safeguards that maintain the security and confidentiality of data, such as restricting access to authorized persons and encrypting browser traffic.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>vii.&nbsp;<em>Notification of change&nbsp;<\/em><\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Additionally, periodic reviews and updates of the policy must be announced to users, for example&nbsp;<em>via<\/em>&nbsp;email or website pop-ups.&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>viii.&nbsp;<em>Contact information<\/em><\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The privacy policy should contain the email, postal and telephone contact details of the organization, so that users can raise queries or exercise their data protection rights.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>ix.&nbsp;<em>Dispute Resolution<\/em><\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The SPDI Rules require the appointment of a Grievance Officer<a href=\"#_ftn2\"><sup>[2]<\/sup><\/a>&nbsp;to whom users can report complaints, or an unsatisfactory resolution of the same by the organization.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>4.&nbsp;
Conclusion<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">With the growing digital transformation of the manner in which business is conducted, organizations must be prudent while drafting, designing and reviewing their privacy policy, and should have a policy tailored to their business requirements which is in compliance with the law.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"#_ftnref1\"><sup>[1]<\/sup><\/a>&nbsp;Section 43A, IT Act 2000.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"#_ftnref2\"><sup>[2]<\/sup><\/a>&nbsp;Section 5(9), SPDI Rules.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Co-authored by Rahul Dwarkadas (Partner) | Rohini Jaiswal (Senior Associate)\u00a0 1. Legal background&nbsp; The data privacy and protection regime in India is presently regulated by the Information Technology Act, 2000 (\u201cIT Act 2000\u201d) in conjunction with the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (\u201cSPDI Rules\u201d).&nbsp; 2.&nbsp;
Privacy&hellip;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[24],"tags":[],"class_list":["post-1028","post","type-post","status-publish","format-standard","hentry","category-insights","entry","no-media"],"jetpack_featured_media_url":"","_links":{"self":[{"href":"https:\/\/veritaslegal.in\/staging\/wp-json\/wp\/v2\/posts\/1028","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/veritaslegal.in\/staging\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/veritaslegal.in\/staging\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/veritaslegal.in\/staging\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/veritaslegal.in\/staging\/wp-json\/wp\/v2\/comments?post=1028"}],"version-history":[{"count":2,"href":"https:\/\/veritaslegal.in\/staging\/wp-json\/wp\/v2\/posts\/1028\/revisions"}],"predecessor-version":[{"id":1080,"href":"https:\/\/veritaslegal.in\/staging\/wp-json\/wp\/v2\/posts\/1028\/revisions\/1080"}],"wp:attachment":[{"href":"https:\/\/veritaslegal.in\/staging\/wp-json\/wp\/v2\/media?parent=1028"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/veritaslegal.in\/staging\/wp-json\/wp\/v2\/categories?post=1028"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/veritaslegal.in\/staging\/wp-json\/wp\/v2\/tags?post=1028"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}