Hogan Lovells - Asia-Pacific Data, Privacy and Cybersecurity Guide 2025 - Flipbook - Page 37
provide data subjects with a right to receive
a summary of personal data which is being
processed by the data fiduciary and the
processing activities undertaken by that data
fiduciary, as well as the identities of all other
data fiduciaries and data processors with whom
their personal data has been shared. The DPDP
Act also includes certain other data subject
rights such as a right to grievance redressal,
and a right to nominate another individual who
can exercise rights of such data subject under
the law in case of his/her death or incapacity.
Mandatory data breach notification:
The DPDP Act would require organisations to
notify the DPBI and impacted data subjects
of any breach in such form and in such
manner as may be prescribed by regulations.
Notably, there are no impact/harm thresholds
prescribed under the law for reporting breaches
and all breaches would need to be reported.
The Draft Rules, in fact, prescribe two-stage
reporting to the DPBI, one report immediately and
another within 72 hours. Along with existing
cybersecurity breach reporting, a data breach
would trigger four data breach notifications.
Data localisation/international transfer regulation:
The DPDP Act significantly relaxes restrictions
on international transfers of personal data
proposed in earlier drafts of the law. As passed,
the DPDP Act allows for cross-border transfers
to all countries unless specifically restricted by
the Indian government. The law, however, does
not restrict the applicability of data localisation
restrictions under other sector-specific laws in
India. The Draft Rules do, however, suggest the
government may impose conditions on the
transfer of personal data outside India.
Wide data access powers of the government:
The DPDP Act empowers the government to
call for information from any data fiduciary or
intermediary or the DPBI for purposes related
to the law. The government is also empowered
to exempt, in the interest of national security,
the applicability of the DPDP Act to processing