
Subcontractor and Third Party Issues


Managing Subcontractor and Third Party Issues in Data Protection

Regulatory Obligation:

When a data fiduciary outsources personal data processing to a third-party processor, it is legally required to choose processors that provide sufficient guarantees of implementing appropriate technical and organisational measures. These measures must comply with the Digital Personal Data Protection Act (DPDP Act) and ensure the protection of data principals' rights.

In simpler terms, data fiduciaries must ensure their subcontractors adhere to the DPDP Act. Failure to properly vet processors can result in penalties. To foster trust and compliance, processors may need independent certifications to reassure clients of their data protection standards.

Key Takeaways for Subcontractors and Processors under the DPDP Act:

Data Processing Agreement:

Similar to the GDPR, the DPDP Act mandates that data fiduciaries must enter into clear agreements with data processors. These agreements must outline:

  1. The scope, purpose, and duration of data processing.
  2. Responsibilities of each party, particularly regarding security measures and the rights of the data principal.
  3. Restrictions on how the processor may handle personal data, ensuring it processes the data only on the fiduciary's instructions.

Subprocessors:

Processors under the DPDP Act are prohibited from outsourcing personal data processing to subcontractors without obtaining explicit written consent from the data fiduciary. The primary processor is fully accountable for any subcontractor’s failure to comply with the Act.

Liability for Data Breach:

The DPDP Act places liability on the data fiduciary for non-compliance by the processor. If a breach occurs due to the processor's actions, the fiduciary must demonstrate that they exercised due diligence in selecting the processor and imposed proper contractual obligations to ensure compliance.

Duty to Inform of a Breach:

Data processors are obligated to immediately notify the data fiduciary upon discovering any data breach. The fiduciary then has the responsibility to inform the Data Protection Board and the data principal as soon as possible, depending on the severity of the breach.

Compliance Audits:

Data fiduciaries are responsible for conducting regular compliance audits of their processors to ensure adherence to the Act. Processors must cooperate with these audits and provide the necessary documentation and evidence to demonstrate compliance.

Assisting in the Rights of Data Principals:

Processors must facilitate the fiduciary in enabling data principals to exercise their rights under the DPDP Act (such as the right to correction, erasure, or access to personal data). This includes promptly addressing any requests made by the fiduciary on behalf of data principals.

Data Transfer Safeguards:

The DPDP Act restricts the transfer of personal data outside India unless the receiving country ensures adequate data protection measures. Processors involved in cross-border data transfers must ensure that these legal safeguards are in place and are responsible for monitoring compliance throughout the transfer.

Penalties for Non-Compliance:

The DPDP Act imposes significant penalties for non-compliance by data processors, particularly if they fail to follow instructions from the data fiduciary or engage in unauthorized data processing activities. Penalties can extend up to ₹250 Crores for severe breaches.