Data Protection Duties Of Corporate Entities
1. Legal Framework in India
Corporate data protection duties arise from multiple sources:
Digital Personal Data Protection Act, 2023 (DPDP Act)
Information Technology Act, 2000
Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (the "SPDI Rules"), issued under Section 43A of the IT Act
Sectoral regulations (RBI, SEBI, IRDAI)
Contract law & consumer protection laws
2. Who Is Regulated?
Under DPDP Act:
| Role | Meaning |
|---|---|
| Data Fiduciary | Person who, alone or with others, determines the purpose and means of processing (typically the company collecting the data) |
| Data Processor | Processes data on behalf of fiduciary |
| Data Principal | Individual whose data is processed |
Corporates are typically Data Fiduciaries; a fiduciary that engages a vendor to process data on its behalf remains responsible for that processing. Fiduciaries notified as Significant Data Fiduciaries (based on volume and sensitivity of data, risk to Data Principals and similar factors) carry additional duties, including appointing a Data Protection Officer based in India and an independent data auditor.
3. Core Duties of Corporate Entities
A. Lawful Processing
Personal data may be processed only:
With the Data Principal's free, specific, informed and unambiguous consent, given after a notice describing the data collected and the purpose, OR
For the "certain legitimate uses" listed in the Act (for example, data voluntarily provided for a specified purpose, employment-related purposes, medical emergencies, and compliance with a legal obligation).
B. Purpose Limitation
Data must be used only for the purpose for which it was collected.
C. Data Minimisation
Only necessary data should be collected.
D. Security Safeguards
A Data Fiduciary must take reasonable security safeguards to prevent a personal data breach. The SPDI Rules treat a documented, audited information security programme (ISO/IEC 27001 or an equivalent code approved by the Central Government) as meeting the "reasonable security practices" standard. In practice this means:
Encryption of data at rest and in transit
Role-based access controls and access logging
Breach prevention, detection and monitoring measures, with the safeguards extended by contract to Data Processors
E. Data Breach Reporting
A personal data breach must be intimated to:
The Data Protection Board of India
Each affected Data Principal (the DPDP Act does not make this conditional on harm)
Separately, under the IT Act, CERT-In's 2022 directions require covered cyber incidents to be reported to CERT-In within six hours of notice, and sectoral regulators (for example RBI for banks) have their own incident-reporting timelines.
F. Data Retention Limits
Personal data must be erased, and the fiduciary must cause its processors to erase it, once consent is withdrawn or as soon as it is reasonable to assume the specified purpose is no longer being served, unless retention is required by law.
G. Children’s Data Protection
Verifiable consent of a parent or lawful guardian is required before processing a child's data
No tracking, behavioural monitoring or targeted advertising directed at children, and no processing likely to cause a detrimental effect on a child's well-being
H. Grievance Redressal
A Data Fiduciary must publish the contact details of a Data Protection Officer (mandatory for Significant Data Fiduciaries) or another person able to answer Data Principals' questions, and must provide a readily available grievance redressal mechanism. A Data Principal must first approach this mechanism before complaining to the Data Protection Board.
4. Rights of Individuals (Impacting Corporate Duties)
| Right | Corporate Obligation |
|---|---|
| Right to access | Provide a summary of the personal data processed, the processing activities, and the identities of other fiduciaries and processors with whom it has been shared |
| Right to correction | Correct, complete or update inaccurate or misleading data |
| Right to erasure | Erase on request, unless retention is necessary for the specified purpose or required by law |
| Right to withdraw consent | Stop processing |
| Right to grievance redressal | Provide response mechanism |
5. Sector-Specific Duties
| Sector | Additional Requirements |
|---|---|
| Banks | RBI cyber security framework for banks, including incident reporting to RBI |
| Listed companies | SEBI cyber security and cyber resilience requirements and disclosure of material cyber incidents |
| Insurance | IRDAI information and cyber security guidelines |
| Telecom | Licence conditions issued by DoT and TRAI privacy-related recommendations |
6. Key Case Laws
Case 1: Justice K.S. Puttaswamy v. Union of India (2017, Supreme Court, nine-judge bench)
Held: The right to privacy, including informational privacy, is a fundamental right under Article 21.
Principle: Corporate processing of personal data must respect informational privacy and individual autonomy.
Case 2: Aadhaar Judgment, Justice K.S. Puttaswamy v. Union of India (2018, Supreme Court)
Held: Upheld Aadhaar with conditions; emphasised data minimisation and purpose limitation and struck down Section 57 of the Aadhaar Act, which had allowed private entities to use Aadhaar authentication.
Principle: Collection of personal data beyond what a purpose requires does not satisfy the proportionality test.
Case 3: Shreya Singhal v. Union of India (2015, Supreme Court)
Relevance: Struck down Section 66A of the IT Act and read down the intermediary safe harbour in Section 79, so that intermediaries must act on a court order or government notification rather than private complaints.
Principle: Corporate intermediaries retain defined legal compliance duties as a condition of safe harbour.
Case 4: WhatsApp Privacy Policy Case (CCI, 2021)
Held: The CCI found a prima facie case that sharing user data with the parent company under the 2021 privacy policy could amount to abuse of dominance and ordered an investigation.
Principle: Data collection and sharing practices can trigger competition-law action, not only privacy-law action.
Case 5: Google Android Case (CCI, 2022)
Held: Data access and ecosystem leveraging scrutinized.
Principle: Control over data strengthens dominance.
Case 6: SBI Data Leak Incident (2019, regulatory scrutiny rather than a court judgment)
Relevance: Exposure of customer data from an unsecured server drew attention to banking data security obligations under RBI norms.
Principle: Corporates are answerable to regulators for inadequate security practices even absent litigation.
Case 7: Cambridge Analytica (global proceedings, referenced in Indian discussions; not an Indian judgment)
Principle: Misuse of personal data obtained through a platform creates regulatory and civil liability for the corporate entities involved.
7. Penalties Under DPDP Act
| Violation | Maximum Penalty (Schedule to the DPDP Act) |
|---|---|
| Failure to take reasonable security safeguards to prevent a personal data breach | Up to ₹250 crore |
| Failure to notify the Board or affected Data Principals of a breach | Up to ₹200 crore |
| Breach of duties relating to children's data | Up to ₹200 crore |
| Breach of additional duties of a Significant Data Fiduciary | Up to ₹150 crore |
| Any other contravention of the Act or rules | Up to ₹50 crore |
Penalties are imposed by the Data Protection Board after an inquiry, taking into account the nature, gravity and duration of the breach and the mitigating steps taken.
8. Corporate Compliance Checklist
| Area | Action |
|---|---|
| Consent management | Clear, itemised notices; consent records; withdrawal as easy as giving consent |
| Security controls | Documented and audited programme such as ISO/IEC 27001 (recognised under the SPDI Rules) |
| Vendor contracts | Data processor agreements covering security, breach notification and erasure |
| Breach response | Incident response plan with Board, Data Principal, CERT-In and sectoral notification timelines |
| Training | Employee awareness, with role-specific training for staff handling personal data |
| Data mapping | Record of processing activities: what is collected, why, where it is stored, who it is shared with, and when it is erased |
9. Key Legal Principles
| Principle | Meaning |
|---|---|
| Privacy is fundamental right | Corporate processing must respect dignity |
| Consent is central | Except limited lawful uses |
| Security duty mandatory | Not optional |
| Accountability principle | Corporate responsibility for processors |
| Data minimisation | Avoid excessive collection |
| Transparency required | Clear privacy policies |
Conclusion
Corporate data protection is no longer just IT compliance; it is a legal, governance and reputational obligation. Companies must embed privacy-by-design, strong cybersecurity and transparent processing to avoid penalties and liability.