Chapter 2 of the Digital Personal Data Protection Act 2023 is titled Obligations of Data Fiduciary
The purpose of this chapter is to define the duties and responsibilities of the data fiduciary, who is the entity that determines the means and purposes of processing personal data. The chapter also lays down the legal grounds and conditions for the processing of personal data, with special emphasis on the processing of sensitive personal data and personal data of children. The chapter also establishes the principles of data protection, such as notice, consent, purpose limitation, collection limitation, data quality, data storage limitation, data security, accountability, and transparency, that the data fiduciary must adhere to while processing personal data. The chapter also provides the framework for the data fiduciary to ensure compliance with the act and to demonstrate such compliance to the Authority and the data principal.
Section 4 – Conditions for Processing of Personal Data: This section lays down the conditions under which personal data can be processed, emphasizing the need for clear, lawful, and fair means.
Section 5 – Notice: It mandates that Data Fiduciaries must inform Data Principals about the purpose, nature, and recipients of the data being collected.
Section 6 – Consent: This section deals with the necessity of obtaining free, informed, specific, and clear consent from Data Principals for data processing.
Section 7 – Personal Data and Sensitive Personal Data: It delineates the conditions for processing both personal and sensitive personal data, specifying stricter conditions for the latter.
Section 8 – General Obligations of Data Fiduciary: Outlines the broader responsibilities of Data Fiduciaries, including data quality, storage limitation, and accountability.
Section 9 – Processing of Personal Data of Children: This section introduces special provisions for the processing of children’s personal data, demanding higher standards of protection.
Section 10 – Significant Data Fiduciary: Defines additional responsibilities for entities classified as Significant Data Fiduciaries, such as conducting data audits and appointing Data Protection Officers.