Section 94 Indian Data Protection Act 2019
Power to make regulations
94. (1) The Authority may, by notification, make regulations consistent with this Act and the rules made thereunder to carry out the provisions of this Act.
(2) In particular and without prejudice to the generality of the foregoing power, such regulations may provide for all or any of the following matters, namely:
(a) information required to be provided by the data fiduciary to the data principal in its notice under clause (n) of sub-section (1) of section 7;
(b) manner in which the personal data retained by the data fiduciary must be deleted under sub-section (4) of section 9;
(c) the safeguards for protecting the rights of data principals under sub-section (3) of section 14;
(d) the additional safeguards or restrictions under sub-section (2) of section 15;
(e) the manner of obtaining consent of the parent or guardian of a child under sub-section (2), the manner of verification of age of a child under sub-section (3), application of provision in modified form to data fiduciaries offering counselling or child protection services under sub-section (6) of section 16;
(f) the period within which a data fiduciary must acknowledge the receipt of request under sub-section (1), the fee to be charged under sub-section (2), the period within which request is to be complied with under sub-section (3), and the manner and the period within which a data principal may file a complaint under sub-section (4) of section 21;
(g) the manner for submission of privacy by design policy under sub-section (2) of section 22;
(h) the manner and the technical, operation, financial and other conditions for registration of the consent manager and its compliance under sub-section (5) of section 23;
(i) the manner of registration of significant data fiduciaries under sub-section (2) of section 26;
(j) the circumstances or classes of data fiduciaries or processing operations where data protection impact assessments shall be mandatory and instances where data auditor shall be appointed under sub-section (2), and the manner in which data protection officer shall review the data protection impact assessment and submit to the Authority under sub-section (4) of section 27;
(k) the form and manner for maintaining the records, and any other aspect of processing for which records shall be maintained under sub-section (1) of section 28;
(l) the other factors to be taken into consideration under clause (g) of sub-section (2); the form and procedure for conducting audits under sub-section (3); the manner of registration of auditors under sub-section (4); criteria on the basis of which rating in the form of a data trust score may be assigned to a data fiduciary under sub-section (6) of section 29;
(m) the qualification and experience of a data protection officer under sub-section (1) of section 30;
(n) the period within which transfer of personal data shall be notified to the Authority under sub-section (3) of section 34;
(o) the provisions of the Act and the class of research, archival or statistical purposes which may be exempted under section 38;
(p) the remuneration, salary or allowances and other terms and conditions of service of such officers, employees, consultants and experts under sub-section (2) of section 48;
(q) the code of practice under sub-section (1) of section 50;
(r) the form and manner for providing information to the Authority by the data fiduciary under sub-section (3) of section 52;
(s) any other matter which is required to be, or may be specified, or in respect of which provision is to be or may be made by regulations.