64. (1) Any data principal who has suffered harm as a result of any violation of any provision under this Act or the rules or regulations made thereunder, by a data fiduciary or a data processor, shall have the right to seek compensation from the data fiduciary or the data processor, as the case may be.
For the removal of doubts, it is hereby clarified that a data processor shall be liable only where it has acted outside or contrary to the instructions of the data fiduciary pursuant to section 31, or where the data processor is found to have acted in a negligent manner, or where the data processor has not incorporated adequate security safeguards under section 24, or where it has violated any provisions of this Act expressly applicable to it.
(2) The data principal may seek compensation under this section by making a complaint to the Adjudicating Officer in such form and manner as may be prescribed.
(3) Where there are one or more data principals or any identifiable class of data principals who have suffered harm as a result of any contravention by the same data fiduciary or data processor, one complaint may be instituted on behalf of all such data principals seeking compensation for the harm suffered.
(4) While deciding to award compensation and the amount of compensation under this section, the Adjudicating Officer shall have regard to the following factors, namely:
(a) nature, duration and extent of violation of the provisions of the Act, rules prescribed, or regulations specified thereunder;
(b) nature and extent of harm suffered by the data principal;
(c) intentional or negligent character of the violation;
(d) transparency and accountability measures implemented by the data fiduciary or the data processor, as the case may be, including adherence to any relevant code of practice relating to security safeguards;
(e) action taken by the data fiduciary or the data processor, as the case may be, to mitigate the damage suffered by the data principal;
(f) previous history of any, or such, violation by the data fiduciary or the data processor, as the case may be;
(g) whether the arrangement between the data fiduciary and data processor contains adequate transparency and accountability measures to safeguard the personal data being processed by the data processor on behalf of the data fiduciary;
(h) any other aggravating or mitigating factor relevant to the circumstances of the case, such as, the amount of disproportionate gain or unfair advantage, wherever quantifiable, made as a result of the default.
(5) Where more than one data fiduciary or data processor, or both a data fiduciary and a data processor are involved in the same processing activity and are found to have caused harm to the data principal, then, each data fiduciary or data processor may be ordered to pay the entire compensation for the harm to ensure effective and speedy compensation to the data principal.
(6) Where a data fiduciary or a data processor has, in accordance with sub-section (5), paid the entire amount of compensation for the harm suffered by the data principal, such data fiduciary or data processor shall be entitled to claim from the other data fiduciaries or data processors, as the case may be, that amount of compensation corresponding to their part of responsibility for the harm caused.
(7) Any person aggrieved by an order made under this section by the Adjudicating Officer may prefer an appeal to the Appellate Tribunal.
(8) The Central Government may prescribe the procedure for hearing of a complaint under this section.