Rule 12: Additional obligations of Significant Data Fiduciary

This provision sets out the additional obligations imposed on a Significant Data Fiduciary (SDF). An SDF is not a self-declared category: it is a Data Fiduciary, or a class of Data Fiduciaries, that the Central Government notifies as such because of the volume and sensitivity of the personal data it processes or the impact its processing could have on the rights of Data Principals and on national or public interests.


The Central Government may notify any Data Fiduciary or class of Data Fiduciaries as a Significant Data Fiduciary on the basis of an assessment of such relevant factors as it may determine, including:

(a) the volume and sensitivity of personal data processed;

(b) risk to the rights of Data Principal;

(c) potential impact on the sovereignty and integrity of India;

(d) risk to electoral democracy;

(e) security of the State; and

(f) public order.


Obligations of Significant Data Fiduciary (SDF):

1. Annual Data Protection Impact Assessment (DPIA) and Audit

  • An SDF must conduct a DPIA and an audit once in every period of 12 months from the date on which it is notified as an SDF.
  • Purpose: To ensure ongoing compliance with the Act and the rules made under it.
  • The assessment should analyze:
    • Risks arising from the personal data processing,
    • Mitigation strategies, and
    • Adherence to the principles of data protection (such as purpose limitation and storage limitation).

2. Reporting to the Data Protection Board

  • The person carrying out the DPIA and audit must furnish a report to the Data Protection Board.
  • The report should contain the significant observations of the DPIA and audit, so that the Board can monitor compliance.

3. Algorithmic Risk Mitigation

  • The SDF must observe due diligence to verify that the algorithmic software it deploys for processing personal data (for example, for hosting, uploading, storing, modifying or sharing such data) is not likely to pose a risk to the rights of Data Principals.
  • The goal is to ensure that the software does not endanger the rights of Data Principals (i.e., the individuals whose data is being processed).
  • This includes examining:
    • Bias or discrimination risks,
    • Lack of transparency in automated decision-making,
    • Infringement of privacy rights.

4. Data Localization for Specified Categories

  • The Central Government, on the recommendation of a committee constituted for this purpose, may specify certain categories of personal data.
  • An SDF must ensure that such personal data, and the traffic data pertaining to its flow, is not transferred outside the territory of India. In practice this means the specified data must be stored and processed within India.
  • This obligation aims to:
    • Enhance data sovereignty,
    • Protect national interests, and
    • Limit exposure to foreign jurisdictions.
