Schedule IV: Exemptions for Certain Classes of Data Fiduciaries and Purposes
Schedule IV outlines situations where certain classes of Data Fiduciaries or specific purposes of processing are exempted from some of the obligations normally required under the Act. These exemptions are granted to ensure that compliance requirements remain practical, proportional, and risk-based.
The Schedule is divided into two parts:
- Part A – Classes of Data Fiduciaries exempt from certain obligations.
- Part B – Purposes of processing exempt from certain obligations.
Part A: Exemptions for Classes of Data Fiduciaries
Some organizations or entities may be exempted from obligations like publishing notices or responding to individual rights requests if the risks are low or if compliance would be impractical.
Small Businesses and Start-ups
Micro, small, or start-up enterprises handling very limited personal data may be exempted to avoid overburdening them with compliance costs.
A small neighborhood pharmacy that only records basic name and phone number details for home delivery might be exempt from publishing elaborate privacy notices.
Entities Handling Only Offline Data
If a business processes personal data only offline, with no digital storage or online transfers, some obligations may not apply.
A local school that keeps attendance registers and paper-based fee records, but does not digitize or transmit them, may qualify for exemption.
Low-Risk Processing Entities
Entities that process data in a way that poses minimal risk to individuals (such as processing business contact information only for billing) can be exempt.
Part B: Exemptions for Specified Purposes
In some cases, the purpose of processing itself is considered safe or essential enough to justify exemption.
Research and Archiving
Data processing carried out purely for academic research, statistical analysis, or archiving may be exempt from certain obligations like repeated consent, as long as safeguards such as anonymisation are applied.
A university medical department studying malaria trends can process anonymised patient data without being required to publish notices to every individual patient.
Compliance with Law
Processing required for legal obligations or by order of a court or regulator may be exempt.
An insurance company asked by IRDAI (Insurance Regulatory Authority) to provide customer data for compliance checks can do so without obtaining fresh consent.
National Security and State Functions
Certain exemptions may apply where processing is essential to protect sovereignty, integrity, defense, or public order.
A telecom provider may be directed by law enforcement to share call data records for investigating a national security threat.
Exemptions under Schedule IV are narrow, risk-based, and purpose-driven. They do not amount to blanket waivers — safeguards such as anonymisation, accountability, and proportionality still apply.
Importance of Schedule IV
Data protection laws must protect privacy but also remain practical. If every small kirana shop or low-risk entity had to follow the same obligations as a multinational bank, compliance would become unmanageable and innovation would be stifled.
Schedule IV ensures that the heaviest obligations fall on entities with the highest risks — such as banks, stockbrokers, e-commerce giants, and social media platforms — while small-scale or low-risk entities are given relief.