Advisories on Data Protection

Data Protection Law FirmIIt is a legal requirement to maintain and protect data which is in possession of data controller. These legal requirements include need for personal data to be processed fairly and lawfully, to be accurate and up-to-date, to have measures in place against any kind of loss or destruction of data and for personal data to be transferred to countries only which offer adequate levels of data protection and have the requisite systems in place.

Followed by the Supreme Court in the case of Justice K. S. Puttaswamy (Retd.) & Anr. v. Union of India & Ors. (W.P. (Civil) No. 494 of 2012, which declared ‘Right to Privacy’ as a fundamental right and raised concerns over misuse of data, the Government of India introduced Data Protection Bill, 2019 before the Parliament, which is likely to get President’s assent and be implemented. The bill has succeeded in explaining various duties of data controller and have termed their relation with data principle as ‘fiduciary’. Data fiduciaries are those who determines the purpose and means of processing of personal data, whereas the data processors are the ones who processes personal data on behalf of a data fiduciary.

The bill has elaborately defined the following obligations of data fiduciaries:

  • Personal information must be lawfully processed.
  • Personal information must only be processed for absolutely essential and limited purposes.
  • Information regarding any data processing must essentially be notified to the Data principle.
  • This Notification must be comprehensible.
  • This Notification should also be in multiple languages, wherever necessary.
  • Personal information must be adequate, relevant.
  • Personal information must not be misleading.
  • Personal information must be up to date.
  • Personal information must not be stored longer than what might be necessary.
  • Personal data processing should be in compliance with the statute.


Anyone found in violation of the rules laid down, shall be liable for civil penalty (monetary penalty), which may extend up to Rupees 15 Cr or 4% of the total turnover of the Data fiduciary in the previous financial year. The Violators, who knowingly, intentionally, or recklessly obtain, disclose, transfer or sell Personal Data (or SPD) shall also be liable for imprisonment ranging from 3 to 5 years.

Khurana & Khurana extends its services to advise and for consultations on the Data Protection Issues. Some of the services that are offered by Khurana & Khurana are:

  • Structuring Data Protection Policy.
  • Advising the Data Controller for data processing.
  • Advisory in relation to obtaining insurance policies and risk management mechanism.
  • Advisory on strategies in order mitigate losses in cases of data breach.
  • Identifying the nature of data breach.
  • Advisory on transfer of data internationally.


Click here for downloading the presentation on Legal and Moral Debates Around AI.

For more information on Data Protection Bill, 2018: Click Here