Codes of practice
50. (1) The Authority shall, by regulations, specify codes of practice to promote good practices of data protection and facilitate compliance with the obligations under this Act.
(2) Notwithstanding anything contained in sub-section (1), the Authority may approve any code of practice submitted by an industry or trade association, an association representing the interest of data principals, any sectoral regulator or statutory Authority, or any departments or ministries of the Central or State Government.
(3) The Authority shall ensure transparency and compliance with the obligations of data fiduciary and the rights of the data principal under this Act while specifying or approving any code of practice under this section.
(4) A code of practice under sub-section (1) or sub-section (2), shall not be issued unless the Authority has made consultation with the sectoral regulators and other stakeholders including the public and has followed such procedure as may be prescribed.
(5) A code of practice issued under this section shall not derogate from the provisions of this Act or any other law for the time being in force.
(6) The code of practice under this Act may include the following matters, namely:
(a) requirements for notice under section 7 including any model forms or guidance relating to notice;
(b) measures for ensuring quality of personal data processed under section 8;
(c) measures pertaining to the retention of personal data under section 9;
(d) manner for obtaining valid consent under section 11;
(e) processing of personal data under section 12;
(f) activities where processing of personal data may be undertaken under section 14;
(g) processing of sensitive personal data under Chapter III;
(h) processing of personal data under any other ground for processing, including processing of personal data of children and age-verification under this Act;
(i) exercise of any right by data principals under Chapter V;
(j) the standards and means by which a data principal may avail the right to data portability under section 19;
(k) transparency and accountability measures including the standards thereof to be maintained by data fiduciaries and data processors under Chapter VI;
(l) standards for security safeguards to be maintained by data fiduciaries and data processors under section 24;
(m) methods of de-identification and anonymisation;
(n) methods of destruction, deletion, or erasure of personal data where required under this Act;
(o) appropriate action to be taken by the data fiduciary or data processor in response to a personal data breach under section 25;
(p) manner in which data protection impact assessments may be carried out by the data fiduciary or a class thereof under section 27;
(q) transfer of personal data outside India pursuant to section 34;
(r) processing of any personal data or sensitive personal data to carry out any activity necessary for research, archiving or statistical purposes under section 38; and
(s) any other matter which, in the view of the Authority, may be necessary to be provided in the code of practice.
(7) The Authority may review, modify or revoke a code of practice issued under this section in such manner as may be prescribed.