Rule 3: Notice by Data Fiduciary to Data Principal
Statutory Text — Rule 3: Notice given by Data Fiduciary to Data Principal. (click to expand)
- Notice given by Data Fiduciary to Data Principal.—The notice given by the Data Fiduciary to the Data Principal shall— (a) be presented and be understandable independently of any other information that has been, is or may be made available by such Data Fiduciary; (b) give, in clear and plain language, a fair account of the details necessary to enable the Data Principal to give specific and informed consent for the processing of her personal data, which shall include, at the minimum,— (i) an itemised description of such personal data; and (ii) the specified purpose of, and an itemised description of the goods or services to be provided or uses to be enabled by, such processing; and the particular communication link for accessing the website or app, or both, of such Data Fiduciary, and a description of other means, if any, using which such Data Principal may— (i) withdraw her consent, with the ease of doing so being comparable to that with which such consent was given; (ii) exercise her rights under the Act; and (iii) make a complaint to the Board.
This rule outlines the obligation of a Data Fiduciary to provide a clear and comprehensive notice to every Data Principal before collecting or using personal data. The objective is to ensure that individuals are properly informed about how their data will be handled and the rights available to them under the law.
The notice must be written in clear, plain, and independent language—that is, it should be easily understood without requiring reference to other documents or policies. It must include:
- A detailed list of the personal data being collected.
- The purpose for which the data will be processed.
- The specific services or functions that rely on such data.
- A link or description of how individuals can withdraw consent, exercise their rights, or submit a complaint to the Data Protection Board.
Privacy Notice (Free Template) — click to expand
Effective Date: [DD Month YYYY]
Issued By: [Organisation Name]
Version: [v1.0]
1. Objective
This Privacy Notice explains how [Organisation Name] (“we”, “us”, or “our”) collects, uses, stores, and protects personal data through our websites, mobile applications, digital services, and offline operations.
It also outlines the purposes of data processing, categories of personal data involved, lawful bases for processing, and the rights available to individuals under applicable law.
This Notice applies to all users, customers, employees, vendors, and partners interacting with our services.
2. Categories of Personal Data Collected
Depending on the interaction, we may collect and process the following categories of personal data:
| Category | Examples | Purpose of Processing |
|---|---|---|
| Identification Data | Full Name, Date of Birth, Customer ID, Employee Code | Account creation and verification |
| Contact Data | Mobile Number, Email Address, Postal Address | Communication and customer support |
| Financial and Transaction Data | Bank Account, Card Details, UPI ID, Transaction History | Payments, billing, and reconciliation |
| Technical and Device Data | IP Address, Browser Type, Device ID | Security monitoring and diagnostics |
| Usage and Interaction Data | Pages Visited, App Activity, Click Behaviour | Analytics and user experience improvement |
| Cookie and Tracking Data | Cookies, Pixels, Tags | Service personalisation and advertising |
| Location Data | GPS Coordinates, Network Location | Geo-specific services and fraud prevention |
| Employment Data (if applicable) | Résumé, Job History, Education | Recruitment and HR administration |
| Sensitive Personal Data | Health or Biometric Information | Specialised lawful processing with explicit consent |
| Marketing and Preference Data | Interests, Feedback, Preferences | Marketing communication and updates |
| Third-Party Data | Data from vendors, affiliates, or partners | Fulfilment of business and operational functions |
3. Purpose of Processing
Personal data is processed for lawful and legitimate purposes including:
- Provision of goods or services requested by the individual.
- Verification of identity and prevention of fraud.
- Fulfilment of contracts and regulatory obligations.
- Delivery of updates, notifications, and customer support.
- Security monitoring, risk management, and compliance.
- Conduct of analytics, service optimisation, and research.
- Recruitment, employment, and internal administration.
- Marketing, communication, and service improvement.
- Lawful sharing with third parties for operational requirements.
4. Sources of Data Collection
Personal data may be collected:
- Directly from individuals through online forms, apps, or physical documentation.
- Automatically through cookies, analytics tools, and system logs.
- Indirectly from authorised partners, affiliates, or vendors.
- From publicly available sources or lawful disclosures.
5. Use of Cookies and Analytics
We use cookies and analytics technologies to support functionality, security, and continuous improvement.
- Essential Cookies: Enable secure access and core site operations.
- Analytics Cookies: Measure usage patterns and performance.
- Advertising Cookies: Deliver relevant promotions and measure campaign reach.
- Preference Cookies: Remember user settings and preferences.
Users may adjust cookie preferences via their browser or device settings. Disabling certain cookies may limit functionality.
6. Third-Party Sharing and Disclosure
Personal data may be shared with:
- Service Providers: IT, hosting, payment, or logistics partners under confidentiality agreements.
- Analytics or Marketing Partners: For aggregated and anonymised performance insights.
- Regulatory Authorities: When disclosure is required by law.
- Affiliates or Subsidiaries: To streamline operations, subject to contractual safeguards.
- Advisors or Auditors: Engaged under professional confidentiality obligations.
We do not sell personal data under any circumstances.
7. Legal Basis for Processing
Processing of personal data is carried out under one or more lawful bases:
- Valid and informed consent from the Data Principal.
- Fulfilment of a contractual or pre-contractual requirement.
- Compliance with legal obligations.
- Legitimate interest pursued by the organisation, balanced against individual rights.
8. Grievance Redressal and Point of Contact
Individuals may submit grievances, queries, or requests concerning personal data processing to the designated Grievance Officer / Data Protection Officer (DPO).
Grievance Officer / DPO: [Full Name]
Email: [privacy@yourdomain.com]
Telephone: [+91-XXXXXXXXXX]
Postal Address: [Registered Office / Corporate Office Address]
Grievances shall be acknowledged and addressed within the prescribed timelines under applicable law.
If the grievance remains unresolved, it may be escalated through the channels provided under the Digital Personal Data Protection Act.
9. Retention and Disposal
Personal data shall be retained only for as long as necessary to fulfil the purposes stated in this Notice or as required under applicable law.
After the retention period expires, data shall be securely deleted, anonymised, or archived following internal retention policies and security standards.
10. Rights of Individuals
Individuals have the right to:
- Access their personal data held by the organisation.
- Request correction or updating of inaccurate information.
- Request deletion of data no longer required.
- Withdraw consent at any time.
- File grievances concerning non-compliance.
Requests can be made via [privacy@yourdomain.com] or through [link to online request portal].
11. Security Safeguards
We apply technical and organisational controls to safeguard data, including encryption, access restriction, employee awareness programs, and periodic audits to prevent unauthorised access or misuse.
12. Cross-Border Data Transfers
Where data is transferred outside India, such transfer shall comply with applicable legal requirements and occur only to jurisdictions providing an adequate level of protection.
13. Updates to this Notice
This Notice may be reviewed and updated periodically to reflect regulatory changes or operational adjustments.
The latest version will be available at [link to privacy page]. Material updates will be communicated through appropriate channels.
Acknowledgement
By engaging with our services, you acknowledge that you have read and understood this Privacy Notice and consent to the processing of your personal data as described herein.
The process for withdrawing consent must be as simple as the process of giving consent. This ensures fairness and accessibility for all individuals, regardless of their technical understanding.
Compliance
Every organisation functioning as a Data Fiduciary must ensure that its notice is concise, transparent, and easily accessible. The content of the notice should enable the Data Principal to make an informed decision before sharing any personal information.
For compliance purposes, it is advisable that:
- The notice is placed prominently during registration, onboarding, or data collection.
- It is available in multiple languages where necessary.
- It includes clear references to how rights such as correction, erasure, or complaint filing can be exercised.
The notice should not contain complex legal language or require users to navigate through multiple documents to understand its meaning.
Examples
- A digital payments platform displays a short and precise notice before account creation.
- It states what data will be collected—such as name, phone number, and account details—and explains that this information is used for identity verification and transaction processing.
- The notice includes a direct link to withdraw consent or raise concerns with the regulatory authority.
- A hospital’s online portal informs patients that their health records and contact details are collected for appointment scheduling and medical consultations.
- It also provides clear instructions to access, correct, or delete their data through their patient profile, along with a contact link for grievance redressal.
- A social media application provides a concise explanation of the personal data collected—such as name, email, and usage preferences—and the reasons for collection.
- It includes an option within account settings to withdraw consent or deactivate the account at any time.
- The notice must always be clear, specific, and understandable on its own.
- Consent must be informed and unambiguous.
- The mechanism to withdraw consent must provide equal ease as the method used to give consent.
- Contact and complaint options must be active and accessible.
- Ambiguous or incomplete notices will be treated as non-compliance.
This rule establishes the foundation for transparency and informed participation in data processing.
It ensures that individuals have full knowledge of how their data is collected and used, while organisations fulfil their duty of clarity, fairness, and accountability.