Subcontractor And
Third Party Issues

Managing Subcontractor and Third Party Issues in Data Protection

Regulatory Obligation:

When a data fiduciary outsources personal data processing to a third-party processor, the Digital Personal Data Protection Act (DPDP Act) allows it to do so only under a valid contract, and the fiduciary remains responsible for compliance with the Act regardless of that contract or of anything the processor does. In practice this means the fiduciary must choose processors that can demonstrate appropriate technical and organisational measures, so that the rights of data principals are protected throughout the processing chain.

In simpler terms, data fiduciaries must ensure their third-party processors comply with the DPDP Act, because it is the fiduciary, not the processor, that answers to the Data Protection Board. Failure to vet processors properly can result in significant penalties. To foster trust and ease that vetting, processors may need independent certifications or audit reports that show clients how they meet data protection standards.

Key Takeaways for Subcontractors and Processors under the DPDP Act:

Data Processing Agreement: Similar to the GDPR, the DPDP Act requires that a data fiduciary engage a data processor only under a valid contract. A clear and comprehensive agreement should therefore outline:

  1. Scope, purpose, and duration of data processing: Clearly defining what data will be processed, for how long, and for what purpose.
  2. Responsibilities of each party: Outlining the security measures each party is responsible for, as well as the rights of the data principal (the individual whose data is being processed).
  3. Restrictions on how personal data can be handled: Ensuring that processors can only handle personal data in accordance with the data fiduciary's instructions.

Liability for Data Breach under the DPDP Act

The DPDP Act places responsibility for compliance on the data fiduciary, irrespective of any agreement to the contrary or any failure on the part of the data processor. If a data breach occurs as a result of the processor's actions, the fiduciary cannot simply point to the processor; it must be able to show that it has:

  1. Exercised due diligence in selecting the processor: The fiduciary must show that it took all reasonable steps to confirm the processor had adequate security safeguards in place before engaging it.
  2. Imposed proper contractual obligations: The fiduciary must have put in place a contract that binds the processor to process data only on the fiduciary's instructions and in line with the provisions of the DPDP Act.

In simpler terms, if a data breach occurs, the fiduciary must be able to demonstrate that it acted responsibly in choosing and managing its processors. Such evidence does not remove the fiduciary's responsibility, but it bears on how the Data Protection Board assesses the breach and the penalty. Failing to have it can result in penalties under the DPDP Act.

Duty to Inform Breach under the DPDP Act

The statutory duty to notify rests with the data fiduciary: on becoming aware of a personal data breach, it must inform the Data Protection Board and each affected data principal in the form and manner prescribed under the Act. A processor that discovers a breach must therefore notify the fiduciary immediately, and the processing contract should say so expressly, because the fiduciary's notification clock cannot start until it knows. The Act does not make notification conditional on the severity of the breach, so the contract should require the processor to report every incident involving personal data, not only the ones it judges serious.

Compliance Audits for Data Processors

Because the data fiduciary remains responsible for its processors' compliance, it should conduct regular compliance audits of them to confirm adherence to the Act (the Act itself imposes periodic audit obligations on Significant Data Fiduciaries, and the same discipline is good practice for every fiduciary). Processors must cooperate fully with these audits, providing the documentation and evidence needed to demonstrate compliance with data protection regulations, and the contract should give the fiduciary the right to demand it.

Assisting Data Principals’ Rights under the DPDP Act

Processors are required to assist data fiduciaries in enabling data principals to exercise their rights under the DPDP Act, such as the rights of access, correction and erasure of personal data. This includes promptly acting on any request the fiduciary passes on from a data principal, since the fiduciary is the party obliged to respond and its response depends on the processor's cooperation.

Penalties for Non-Compliance under the DPDP Act

The DPDP Act imposes significant penalties for non-compliance. The highest tier, up to ₹250 crore, applies to a failure to take reasonable security safeguards to prevent a personal data breach. Since the fiduciary answers for its processors, a processor that ignores the fiduciary's instructions, engages in unauthorised processing or fails to safeguard the data it handles exposes the fiduciary to that penalty, and can itself face penalties under the Act's residual provisions. This makes strict compliance with data protection regulations, and a contract that allocates the resulting costs between the parties, essential for both sides.