Blog Details

Author: Advocate Prerna Oberoi and Associate Ankit Ahuja

GDPR Compliance by companies

Indian companies that handle 'personal data' of EU residents are required to comply with GDPR. The companies dealing with data of EU residents are needed to restructure their privacy policies and contractual arrangements with EU companies and those organizations that provide data of EU residents. Here are certain key GDPR provisions which must be fulfilled by companies which are dealing with said data:

1. Lawful and Legitimate Purpose: Processing of personal information is to be undertaken in compliance with the following principles:
   1. a) Processing should be done lawfully and with full transparency. For lawful processing, at least one of the requirements under GDPR must be met, such as where the Data Subject has given consent to data processing; or processing is necessary for the execution of a contract to which the Data Subject is a party; or processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority etc.
   2. b) Personal Data should be collected for specified legitimate and explicit purposes and not further processed if incompatible with those purposes (except where specifically permitted under GDPR), and it should be adequate, accurate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
2. Consent must be obtained: Where processing is based on consent, obtaining of consent should be specific, informed and unambiguous. This compliance can be done by providing checkbox when visiting an internet website such as obtaining consent for cookies, but silence, pre-ticked checkboxes or any inactivity would not constitute consent. If the processing has multiple purposes then the consent should be given for all of them. If the consent is given in the context of a written declaration concerning other matters, the consent request should be provided separately from other content, in an intelligible and easily accessible form, using clear and plain language.

3. Data Minimalisation: GDPR supports the data minimalization principle, requiring companies to only use and keep the personal data that is needed at any time for the required purpose. If it’s not needed for that intended purpose and duration, it should be removed from the database of the company. The people who have consented to data can withdraw their consent any time and can ask to the company to delete their data. Companies must then remove all data related to that person from its database, as well as any other database such as archives or anywhere downstream where the data may have been shared and stored.
4. Special Categories of Personal Data: There are extra requirements that are to be complied with while processing of special categories of personal data. Personal data is subject to much more care as any breach of such data would make the privacy of such people vulnerable. Processing of personal data relating to criminal convictions and offenses and processing which does not require identification.
5. Information to be provided to Data Subject:The controller at the time of obtaining the personal data has to provide the Data Subject with all the required information such as contact details and identity and contact details of the data protection officer (only required in some cases), purposes and legal basis of processing, existence of the data subject's rights such as right to access, recipients or categories of recipients of the personal data, period of storage of personal data, rectification or erasure of personal data, right to withdraw consent, the right to lodge a complaint with a supervisory authority, right to data portability etc. Information on similar lines is also to be provided to the data subject (where personal data has not been obtained from the data subject) under Article 14 of GDPR, except in certain prescribed circumstances which enumerate following rights of data subjects:
   1. The right of access: Right to obtain from the controller confirmation regarding the processing of their personal data, and also access to their personal data and information.
   2. Right to rectification:Right to obtain from the controller rectification of inaccurate personal data, also they have a right to have incomplete personal data completed.
   3. Right to get their data removed:Right to obtain from the controller erasure of personal data and the controller is required to remove personal data where one of the grounds applies such as: (a) the personal data is no longer necessary in relation to the purposes for which it was collected (b) the Data Subject withdraws their consent on which the processing was based (c) the Data Subject objects to the processing and there are no legitimate grounds for the processing, etc.
   4. Right to restriction of processing:Right to obtain from the controller restriction of processing in circumstances(prescribed) such as where the accuracy of the personal data is contested by the data subject; the processing is unlawful etc.
   5. Right to data portability:Right to receive the personal data provided to a controller, in a structured, commonly used and computer/laptop/mobile phone readable format and the right to transmit that data to another controller. This right does not apply to a task carried out in the public interest or in the exercise of official authority by the controller.
6. Whereas, there are some responsibilities of the controller of data:

Responsibilities of the Controller and Processor:

1. The controller should implement the required technical and organizational measures to ensure and to be able to demonstrate that processing is performed in as required by GDPR. Adherence to approved codes of conduct or approved certification mechanisms as specified in GDPR may be used as an element to demonstrate such compliance.
2. Where processing is to be carried out by a processor on behalf of a controller, the controller is to use only processors providing sufficient grounds to guarantee to implement appropriate technical and organizational measures such that processing is GDPR compliant. The GDPR lists various requirements that must be met by such a processor.
3. A controller is required to maintain records of processing activities under its responsibility containing specific information which is necessary (prescribed). Each processor is also expected to keep records of all categories of data processing activities carried out by him on behalf of a controller.

7. Personal Data Breach:

In case where there is a personal data breach, the controller is to without undue delay (and where feasible, but not later than 72 hours becoming aware of it), notify the breach to the supervisory authority in terms of GDPR, unless the personal data breach is unlikely to result in a risk to the rights of any person. When the personal data breach is likely to result in a high risk to the rights of any person, the controller had to communicate the personal data breach to the data subject without undue delay. The controller is also required to prepare report/document on any personal data breaches, comprising the facts relating to the personal data breach and its effects along with the remedial action taken. The processor is also required to notify the controller without undue delay after becoming aware of a personal data breach.

8. Perform A Data Protection Impact Assessment (DPIA)

If a company stores personal data in permanent storage, it needs to perform a data protection impact assessment (DPIA) before each project that involves the use of such personal data. A DPIA is an audit of a company's processes and procedures that measure how these processes might affect or might compromise the privacy of the individuals whose data it stores, collects or processes.

9. Data Protection Officer

Data protection officer (DPO) is the right person who can ensure GDPR compliance. Public authorities or companies are more massive than 10 to 15 employees that process personal data are required to appoint a DPO. And DPO conducts regular and systematic monitoring of data subject on a larger scale and processes data of special categories of data in order to make it GDPR complaint

Conclusion:

Companies who have business dealings with EU companies must be GDPR compliant is ordered to escape any legal consequences. Currently, in India, there is only the Information Technology Act, 2002 which provides only minimal data protection. Indian Government is seeking to introduce a more robust regulatory framework for data protection and privacy within India. Therefore, companies having a business interest in EU should take measures to ensure data protection not just to be GDPR compliant but also in preparation for a more stringent data protection regulatory framework which is internationally compliant along with the legal framework which is most probably going to be established in India based on existing international data protection policies.