Section 23 Indian Data Protection Act 2019

Transparency in processing of personal data

23. (1) Every data fiduciary shall take necessary steps to maintain transparency in processing personal data and shall make the following information available in such form and manner as may be specified by regulations

(a) the categories of personal data generally collected and the manner of such collection;

(b) the purposes for which personal data is generally processed;

(c) any categories of personal data processed in exceptional situations or any exceptional purposes of processing that create a risk of significant harm;

(d) the existence of and the procedure for exercise of rights of data principal under Chapter V and any related contact details for the same;

(e) the right of data principal to file complaint against the data fiduciary to the Authority;

(f) where applicable, any rating in the form of a data trust score that may be accorded to the data fiduciary under sub-section (5) of section 29;

(g) where applicable, information regarding cross-border transfers of personal data that the data fiduciary generally carries out; and (h) any other information as may be specified by regulations.
Privacy by design policy.

(2) The data fiduciary shall notify, from time to time, the important operations in the processing of personal data related to the data principal in such manner as may be specified by regulations.

(3) The data principal may give or withdraw his consent to the data fiduciary through a consent manager.

(4) Where the data principal gives or withdraws consent to the data fiduciary through a consent manager, such consent or its withdrawal shall be deemed to have been communicated directly by the data principal.

(5) The consent manager under sub-section (3), shall be registered with the Authority in such manner and subject to such technical, operational, financial and other conditions as may be specified by regulations. Explanation.—For the purposes of this section, a “consent manager” is a data fiduciary which enables a data principal to gain, withdraw, review and manage his consent through an accessible, transparent and interoperable platform.