Recognizing the need to protect the privacy rights of individuals (“Data Principal”), the Digital Personal Data Protection Act, 2023 (DPDPA) provides Data Principals with the following rights: (i) the right to obtain information on personal data processing by the Data Fiduciary; (ii) the right to correct, update or erase her personal data; (iii) the right to nominate someone else to exercise her rights in the event of her death or incapacity; and (iv) the right to withdraw consent.
Besides these rights, Data Principals may also have other grievances related to the Data Fiduciary’s performance of its obligations under the DPDPA.
For these purposes, the DPDPA mandates that a Data Fiduciary establish a mechanism to redress the grievances of Data Principals and to enable them to exercise their rights.
Can the Data Protection Officer (DPO) be the go-to person for the grievance redressal mechanism, or should there be a separate grievance officer?
Where the Data Fiduciary is a significant data fiduciary under the DPDPA, the Data Protection Officer should be the point of contact for the grievance redressal mechanism.
In the case of a non-significant data fiduciary, there would be no obligation for the Data Fiduciary to appoint a DPO, which negates the need to have the DPO as the point of contact for the grievance redressal mechanism.
That said, in lieu of the DPO, the DPDPA requires such a data fiduciary to publish the contact details of a person (Privacy Officer) who can (i) communicate with the Data Principals to assist with their rights; and (ii) handle the queries of Data Principals on the processing of their personal data by the Data Fiduciary and assist with the rights under the DPDPA.
The DPDPA clarifies that the DPO should be based in India as a representative of a significant data fiduciary and be an individual responsible to its Board of Directors or similar governing body. The DPDPA, however, does not specify similar requirements for a Privacy Officer.