DATA PROTECTION UNDER DPDP ACT
Introduction:
India, one of the world's largest and fastest-growing economies, has become a preferred market for companies to invest in and conduct business, and as a mixed economy it attracts a wide range of investors. With this rapid growth, data protection has become a core concern. Companies have adopted measures such as data access controls, data mapping and audits, privacy policies, staff training and data breach notification procedures. The purpose of these measures is to ensure legal compliance, customer trust, operational stability and risk mitigation; in simple terms, to protect companies from the legal, financial and reputational threats that a data breach brings.
Legislation:
The principal legislation in this area is the Digital Personal Data Protection Act, 2023 (hereinafter the DPDP Act). It is India's first comprehensive data protection law and provides a legal framework for handling digital personal data, with the aim of safeguarding individual privacy while permitting lawful processing. It was enacted in August 2023, six years after the Supreme Court's landmark judgment in K.S. Puttaswamy v. Union of India (2017), which recognised the right to privacy as a fundamental right under Article 21 of the Constitution.
Applicability:
Drawing on foreign legislation, including the European Union's General Data Protection Regulation, in force since 25 May 2018 (commonly referred to as the GDPR), the Act applies to digital personal data processed within India, whether collected in digital form or collected in non-digital form and digitised later, and to processing outside India if it is done in connection with offering goods or services to Data Principals within India (Section 3). It does not apply to personal data that the Data Principal has made publicly available, or that any other person has made publicly available under a legal obligation. Section 9 imposes additional obligations in relation to children (persons below 18 years of age): a Data Fiduciary must obtain the verifiable consent of the parent or lawful guardian before processing a child's personal data, and must not carry out tracking, behavioural monitoring or targeted advertising directed at children, or any processing likely to cause a detrimental effect on a child's well-being. For example, if X develops an online video game Y that collects the personal data of a player who is a minor, that data may be processed only with verifiable parental consent under Section 9 of the DPDP Act. If X breaches these obligations, X is liable to a penalty of up to ₹200 crore under the Schedule to the Act.
Importance Of Data Protection For FinTech Companies:
Within the scope of our research, the DPDP Act has become an important framework for the protection of data held by FinTech companies. FinTech companies are companies in the financial sector that deliver services through technology, including retail banking, financial education, fundraising, cryptocurrencies, investment management and more; examples include Paytm, PhonePe, Cred and PolicyBazaar. FinTech companies are at the forefront of reshaping financial services through technological advancement and innovation, and their business rests on customer trust: customers hand over bank account details and transaction histories with little scrutiny. A single data breach can therefore expose the company to heavy legal liability. To ensure data protection, FinTech companies should take the following legal measures:
Issuance Of Notice: The first measure is the issuance of notice. Under Section 5 of the Act, the Data Fiduciary must give the Data Principal a notice stating which personal data is being processed and for what purpose. The notice must also explain how the Data Principal can withdraw consent under Section 6(4), seek grievance redressal under Section 13, and make a complaint to the Data Protection Board.
Informed Consent: The next measure is consent, governed by Section 6 of the Act. Consent must be free, specific, informed, unconditional and unambiguous, given with a clear affirmative action, and must signify agreement to the processing of the Data Principal's personal data for the specified purpose, limited to the personal data necessary for that purpose. Under Section 4, personal data may be processed only for a lawful purpose and only with the Data Principal's consent or for one of the legitimate uses listed in Section 7, so FinTech companies must obtain explicit consent before collecting and processing personal data. This ensures that customers know how their data will be used and retain control over it. Consent also embodies data minimisation: companies may collect only the data necessary for the specified purpose. Related to this is the right of access under Section 11, under which the Data Principal may obtain a summary of the personal data being processed and the processing activities, and the identities of the other Data Fiduciaries and Data Processors with whom that data has been shared.
Accountability: Alongside informed consent, companies must meet the accountability obligations of Section 8 of the Act. The Data Fiduciary must implement appropriate technical and organisational measures to ensure compliance with the Act (Section 8(4)), take reasonable security safeguards to prevent a personal data breach (Section 8(5)), and notify the Data Protection Board and each affected Data Principal in the event of a breach (Section 8(6)). It must also erase personal data when the Data Principal withdraws consent or as soon as it is reasonable to assume that the specified purpose is no longer being served, unless retention is required by law (Section 8(7)). Under Section 10, the Central Government may notify a Data Fiduciary as a Significant Data Fiduciary, having regard to factors such as the volume and sensitivity of the personal data processed, the risk to the rights of Data Principals, the security of the State and public order. A Significant Data Fiduciary must appoint a Data Protection Officer based in India, who represents the Data Fiduciary and serves as the point of contact for grievance redressal, appoint an independent data auditor, and carry out periodic data protection impact assessments.
Rights Of the Data Principal: The rights of the Data Principal are set out in Sections 11 to 14 of the Act, and the Data Principal's duties in Section 15. Under Section 12, the Data Principal has the right to correction, completion and updating of inaccurate or misleading personal data, and to erasure of personal data that is no longer necessary for the specified purpose unless retention is required by law. Under Section 13, the Data Principal has a right to readily available means of grievance redressal in respect of the Data Fiduciary's performance of its obligations. Under Section 14, the Data Principal may nominate another individual to exercise these rights in the event of the Data Principal's death or incapacity. Section 15 imposes duties on the Data Principal, including complying with applicable law, not impersonating another person, not suppressing material information when providing personal data, not registering false or frivolous grievances, and furnishing only verifiably authentic information when exercising the right to correction or erasure.
Penalties:
The penalties are set out in Section 33 read with the Schedule to the Act. Breach of the obligation to take reasonable security safeguards under Section 8(5) attracts a penalty of up to ₹250 crore. Failure to notify the Board and affected Data Principals of a personal data breach under Section 8(6) attracts a penalty of up to ₹200 crore, as does breach of the additional obligations relating to children under Section 9. Breach of the additional obligations of a Significant Data Fiduciary under Section 10 attracts a penalty of up to ₹150 crore. Breach of the duties of a Data Principal under Section 15 attracts a penalty of up to ₹10,000. Breach of any other provision of the Act or the rules made under it attracts a penalty of up to ₹50 crore.
Exceptional Case (Facebook's Policy Of Sharing Personal Information With Third Parties):
As reviewed above, the Act followed the Puttaswamy judgment of 2017, which held the right to privacy to be a fundamental right under Article 21 of the Constitution. In the case of Facebook, however, the position is different. When a user opens a Facebook account, the platform expressly states that the personal information the user shares may be shared with third parties, and this applies only by virtue of the user choosing to operate the account. We have also seen that under Section 12 the Data Principal can have personal data corrected or erased if he or she considers it inaccurate or no longer necessary. The same objection therefore cannot be raised against Facebook: the personal information is shared on the voluntary consent of the user operating the account, and Facebook expressly discloses this sharing in line with the notice and consent requirements of Sections 5 and 6 of the Act.
Point Of Action:
In my view, the Data Principal must also be vigilant when accessing services or submitting any personal information. The Act needs a broader scope that leans more on the awareness of the Data Principal, rather than resting only on the obligations placed on Data Fiduciaries. This would lead to greater compliance and better stewardship of personal data by Data Principals themselves. Applied to FinTech companies serving customers in the modern digital economy, customer awareness is the key.
Conclusion:
In conclusion, in the rapidly expanding digital financial ecosystem, data protection is no longer a matter of choice but a legal and strategic necessity. FinTech companies, as custodians of vast volumes of sensitive financial and personal data, bear the responsibility of ensuring lawful processing, transparency and accountability in line with the Digital Personal Data Protection Act, 2023. By complying with the core principles of notice, consent, accountability, user rights and security safeguards, these companies not only avoid the heavy penalties prescribed under Section 33 and the Schedule but also strengthen consumer trust and confidence. The Act's strict penalty regime, reaching ₹250 crore for a failure to maintain reasonable security safeguards, reflects India's intent to place individual privacy at the centre of its digital economy. For FinTech players, adherence to the DPDP Act is thus both a compliance mandate and a competitive advantage, ensuring sustainable growth in a secure and trustworthy digital financial ecosystem.