Digital Personal Data Protection Bill - Implications for Civil Society Organisations



The Ministry of Electronics and Information Technology ("MEITY") has issued a draft of the Digital Personal Data Protection Bill, 2022 ("the Bill") available for public comment, along with a note that explains each provision and the principles behind them. The bill aims to ensure that digital personal data is handled in a way that protects a person's right to privacy. It regulates digital collection and processing personal data . 

This Pulse issue discusses the bill's potential impact on the nonprofit sector once it becomes law and outlines the broad compliances for which the sector must prepare. 

Obligations Under the Present Legislation

Refer to our earlier issue on Data Protection for Civil Society Organizationhere to know more about the existing compliances on upholding data privacy.

Currently, under Section 43A of the Information Technology Act of 2000, all body corporates are responsible for implementing and maintaining reasonable security measures to ensure that no one suffers an unreasonable loss or benefit as a result of the processing, dealing, or handling of sensitive personal information. Failure to do so may subject you to liability for damages. All non-profit organizations, including trusts, societies, Section 8 businesses, and any group of people involved in a profession, are covered by this provision. 

Application of the Bill

The bill will apply to the processing of personal data collected in India in two situations: 

(i) when personal data is collected online from data principals, and 

(ii) when personal data is collected offline and then transferred to a digital format. 

The DPDP Bill will also cover processing personal data outside of India if that processing is related to profiling people in India or offering goods and services to data principals in India.  

 So, if the bill is passed by the Parliament in its current form, it will apply to all nonprofits and charitable organizations that collect personal information from their stakeholders online or offline and then digitize it. 

Important Concepts and Definitions

Personal Data: Any information about a person who can be identified by or in connection with that information.

Data Principal: The individual to whom the personal data belongs, which includes the child's parents or legal guardians if the person is a child.

Data Fiduciary: Any person who, alone or in collaboration with others, determines the purpose and means of processing personal data are referred to as a data fiduciary.

Data Processor:  Any person who processes personal data on behalf of a data fiduciary.

So, the people who have an interest in the data would be the data principals, and the nonprofits or charities would be the data fiduciaries. 

Expected Compliances

Here are a few broad features of the bill that are likely to impact the nonprofit sector. 


The bill requires the data fiduciary to acquire the data principal's consent before or at the time of processing personal data and to provide detailed notice of the data sets sought to be collected and the purpose of processing. This is usually done through a privacy policy and terms of use.

The language of the privacy policy/ terms of use should be simple and clear. Free, specific, informed, and unambiguous consent is necessary. 

When a data principal has consented to the processing of her personal data before the commencement of the bill, the data fiduciary must, as soon as reasonably practicable, provide an itemized notice in simple language that describes the personal data collected and the purposes for which those purposes have been processed. 

Consent Manager

A consent manager is a data fiduciary who gives the data principal an easy-to-use, transparent, and interoperable platform for giving, managing, reviewing, and withdrawing consent. 

Deemed Consent

In certain circumstances, personal data can be processed by virtue of deemed consent from the data principal wherein the data principal voluntarily provides their personal data and it is reasonably expected that they would provide such personal data. In such cases, the data subject's explicit consent is not required. 

Right of the data principal

The bill grants the data principal the right to 

1) obtain such information from the data fiduciary, including a summary of the personal data that has been processed and the identities of the fiduciaries with whom the data has been shared; 

2) correct wrong or incomplete information; and erase their personal data from the data fiduciary, unless the retention is necessary for a legal purpose;

 3) register a grievance with the data fiduciary, and if unsatisfied with the response, register a complaint with the data protection board, and 

4) Nominate any individual to exercise his rights upon his death or incapacity.

Data Fiduciary’s Obligations

The data fiduciaries are required under the bill to take reasonable security precautions to prevent personal data breaches and ensure the protection of personal data. Some of the obligations are as follows: 

  1. If the personal data is likely to be used by the data fiduciary to make a decision that "affects" the data principal or if the personal information is likely to be shared with another data fiduciary, make reasonable efforts to make sure that the personal information processed by or on behalf of the data fiduciary is accurate and complete;
  2. Take reasonable security precautions to prevent a breach of the personal data it has in its possession or under its control;
  3. In the event of a personal data breach; notify the Board and each affected data principal;
  4. The contact information of a Data Protection Officer ("DPO"), if applicable, or a person who has the authority to communicate on behalf of the data fiduciary, shall be made available in a manner prescribed by the Government. 

Failure to take reasonable security safeguards to prevent personal data breaches is punishable by a penalty of up to Rs. 250 crores and the failure to notify the Board in case of a data breach is punishable by a penalty of up to Rs. 200 crores. 

Retention of Personal Details

It's important to keep in mind that personal data shouldn't be kept if it's no longer necessary for legal or business reasons or if it's no longer being used for the reason it was collected.

Cross-Border Transfer

Data fiduciaries can transfer data outside of India only to countries and territories that the Central Government may notify in the future.

Children’s Data

Data fiduciaries have the additional obligation to obtain verifiable parental consent while processing the personal data of a child and refrain from such processing that would cause harm to the child and from tracking, monitoring, and targeted advertising aimed at children. Failure to adhere to this is liable to a penalty of up to Rs. 200 crores. Nonprofit organizations working with children have the additional responsibility to comply with this provision. 


Depending on the volume and nature of data processed, the Central Government has been vested with the power to exempt certain fiduciaries from issuing notice before consent, ceasing to retain data after the purpose has been served, accuracy, the provision related to children, and the data principal's right to information about his personal data. However, the bill does not indicate what kind of fiduciaries will be granted the benefit of the exemption.

Voluntary Undertaking

At any time, anyone can give the Board a voluntary undertaking to follow any part of the bill. Such a voluntary undertaking may be publicized. The explanatory note published along with the bill considers this provision as a measure to encourage timely admission and rectification of lapses.  The focus of the bill is on enabling and facilitating compliance rather than penalizing non-compliance. So, it is a way for the data fiduciary to fix a data breach at any time after it has happened and keep the Board from taking action against them.  


The language of the bill has been kept clear and concise to make it accessible to the general public. The bill is drafted in a manner to make it easier for businesses to do business in India. The bill is open for public consultation until January 02, 2023, and nonprofit organizations can visit the website and give their comments on the provisions of the bill. It is an opportunity for the nonprofit sector to voice their operational concerns through this public consultation. 


A full service boutique law firm
On social networks
Pacta is a full-service boutique law-firm for the social and impact sector.

Pacta provides legal & company secretary services for the biggest philanthropies, family foundations, NGOs, CSR entities, public trusts, start-ups, social incubators/accelerators, schools & universities.
The Pulse is Pacta’s in-house periodic newsletter that carries legal updates for the social sector. We decrypt legalese into digestible, relevant & actionable content. In every issue, we pick a subject – a new law, amendment or judgement and contextualise it for non-profit founders and administrators.


Pacta upholds and strives to exceed the professional standards. This website is not an advertisement or solicitation of work. Legal information shared here are not and do not make up for professional legal advice. By visiting Pacta’s website you know what you are doing and you are doing it at your risk and cost. We disclaim any liability arising from the information or materials contained on this site.
Social | Impact | Legal
Copyright 2021 Pacta. Privacy Policy
New Version found. Installing.