{"id":229367,"date":"2020-05-12T11:15:03","date_gmt":"2020-05-12T05:45:03","guid":{"rendered":"https:\/\/www.scconline.com\/blog\/?p=229367"},"modified":"2020-07-14T19:31:51","modified_gmt":"2020-07-14T14:01:51","slug":"application-of-general-data-protection-regulation-on-indian-processor","status":"publish","type":"post","link":"https:\/\/www.scconline.com\/blog\/post\/2020\/05\/12\/application-of-general-data-protection-regulation-on-indian-processor\/","title":{"rendered":"Application of General Data Protection Regulation on Indian Processor\u00a0"},"content":{"rendered":"<p class=\"p3\" style=\"text-align: justify;\"><span class=\"s2\">The European Union (EU) continues to be a significant market for the IT\/BPO industry in India<a href=\"#_ftn1\"><strong>[1]<\/strong><\/a>. Currently, India\u2019s Data Protection Bill, 2019<a href=\"#_ftn2\"><strong>[2]<\/strong><\/a> (\u201cthe Bill\u201d) is still not enacted into law, and there are many challenges that India is facing while entering into data processing agreements with the EU. The EU has been one of the biggest markets for the Indian outsourcing sector and India\u2019s relatively weak data protection laws make us less competitive than other outsourcing markets in this space. Further, Article 3 (Territorial scope) of the <\/span><span class=\"s1\">General Data Protection Regulation<\/span><span class=\"s3\"> (<\/span><span class=\"s2\">GDPR) makes it clear that the regulation will be applicable regardless of whether or not the processing takes place in the EU. This means no business for Indian companies that do not comply with the GDPR, or increased compliance costs for those who do, and the risk of huge penalties on failing to do so<a href=\"#_ftn3\"><strong>[3]<\/strong><\/a>. <\/span><span class=\"s1\">The focus of this article is on the transfer of data outside the EU to India and India\u2019s approach in dealing with such data transfer with respect to its obligation and extent of its liability. 
<\/span><\/p>\n<p class=\"p4\" style=\"text-align: justify;\"><span class=\"s1\" style=\"color: #008000;\"><b>Data transfer and GDPR<\/b><\/span><\/p>\n<p class=\"p3\" style=\"text-align: justify;\"><span class=\"s1\">Legitimacy of data transfer regarding personal data of data subjects under GDPR involves two stages<a href=\"#_ftn4\"><strong>[4]<\/strong><\/a>:<\/span><\/p>\n<ol class=\"ol1\" style=\"text-align: justify;\">\n<li class=\"li3\"><span class=\"s1\">Data transfer itself must be legal.<\/span><\/li>\n<li class=\"li3\"><span class=\"s1\">Whether transfer to third country is permitted.<\/span><\/li>\n<\/ol>\n<ul class=\"ul1\" style=\"text-align: justify;\">\n<li class=\"li3\"><span class=\"s1\" style=\"color: #800080;\">DATA TRANSFER ITSELF MUST BE LEGAL<\/span><\/li>\n<\/ul>\n<p class=\"p7\" style=\"text-align: justify;\"><span class=\"s1\">Where a processor is situated in a third country, there must be a separate mention that allocates the obligations of the controller and processor in every data processing agreement. The reason is that Article 82 of GDPR clearly states that a person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered. <\/span><span class=\"s5\">A<\/span> <span class=\"s1\">controller involved in processing shall be liable for the damage caused by processing which infringes the regulations given under GDPR. 
A processor shall be liable for the damage caused by processing only where it has not complied with obligations of this Regulation specifically directed to processors or where it has acted outside or contrary to lawful instructions of the controller.<\/span><\/p>\n<p class=\"p7\" style=\"text-align: justify;\"><span class=\"s1\"><i>The protection of the rights and freedoms of data subjects as well as the responsibility and liability of controllers and processors, also in relation to the monitoring by and measures of supervisory authorities, requires a clear allocation of the responsibilities under this Regulation, including where a controller determines the purposes and means of the processing jointly with other controllers or where a processing operation is carried out on behalf of a controller<\/i><a href=\"#_ftn5\"><strong>[5]<\/strong><\/a><i>.<\/i><\/span><\/p>\n<p class=\"p3\" style=\"text-align: justify;\"><span class=\"s1\" style=\"color: #008000;\"><b>Obligations of the Controller<\/b><\/span><\/p>\n<p class=\"p3\" style=\"text-align: justify;\"><span class=\"s1\" style=\"color: #0000ff;\"><b><i>Consent<\/i><\/b><\/span><\/p>\n<p class=\"p3\" style=\"text-align: justify;\"><span class=\"s2\">Processing personal data is generally prohibited, unless it is expressly allowed by law, or the data subject has consented to the processing<a href=\"#_ftn6\"><strong>[6]<\/strong><\/a>. The obligation is on the controller to show that consent of the data subject has been obtained as required under Article 7 of GDPR. Article 82 read with Article 7 of GDPR mandates the controller to be held liable for damages to the data subject in case of infringement of Article 7 of GDPR. 
<\/span><\/p>\n<p class=\"p7\" style=\"text-align: justify;\"><span class=\"s1\" style=\"color: #0000ff;\"><b><i>Lawfulness and means of processing<\/i><\/b><\/span><\/p>\n<p class=\"p7\" style=\"text-align: justify;\"><span class=\"s1\">Article 4(7) of GDPR defines controller as one who ascertains the purposes and means of the processing of personal data. The obligations of the controller as stated under Article 24 of GDPR are to be read with Article 5 of GDPR. Thus, apart from lawfulness of processing and obtaining the consent of data subjects, the extended responsibilities imposed on the controller, for which the controller shall be held accountable, include fair and transparent processing; data must be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes. Also, personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed, and accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay. Personal data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed, and processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, by using appropriate technical or organisational measures<a href=\"#_ftn7\"><strong>[7]<\/strong><\/a>. 
The controller must ensure, in selecting the processor, that it has implemented sufficient technical and organisational measures to ensure that processing meets the requirements of the Regulation<strong><a href=\"#_ftn8\">[8]<\/a><\/strong>.<\/span><\/p>\n<p class=\"p3\" style=\"text-align: justify;\"><span class=\"s1\" style=\"color: #008000;\"><b>Obligations of the Processor<\/b><\/span><\/p>\n<p class=\"p7\" style=\"text-align: justify;\"><span class=\"s1\" style=\"color: #0000ff;\"><b><i>What are the obligations and liability of the Processor is the next question <\/i><\/b><\/span><\/p>\n<p class=\"p7\" style=\"text-align: justify;\"><span class=\"s1\">It is the responsibility of both the controller and processor to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk<a href=\"#_ftn9\"><strong>[9]<\/strong><\/a>. Further, the processor and any person acting under the authority of the controller or of the processor, who has access to personal data, shall not process those data except on instructions from the controller, unless required to do so by Union or Member State law<a href=\"#_ftn10\"><strong>[10]<\/strong><\/a>. If a processor infringes this Regulation by determining the purposes and means of processing, the processor shall be considered to be a controller in respect of that processing<a href=\"#_ftn11\"><strong>[11]<\/strong><\/a>.<\/span><\/p>\n<p class=\"p7\" style=\"text-align: justify;\"><span class=\"s1\">In a controller-processor relationship, the latter is only allowed to process personal data based on the documented instructions from the controller. The processor cannot engage another processor to help fulfil a specific contract, without the prior specific or general written authorisation of the respective controller<a href=\"#_ftn12\"><strong>[12]<\/strong><\/a>. 
Thus the carrying-out of processing by a processor should be governed by a contract or other legal act under Union or Member State law, binding the processor to the controller, setting out the subject-matter and duration of the processing, the nature and purposes of the processing, the type of personal data and categories of data subjects, taking into account the specific tasks and responsibilities of the processor in the context of the processing to be carried out and the risk to the rights and freedoms of the data subject. After the completion of the processing on behalf of the controller, the processor should, at the choice of the controller, return or delete the personal data, unless there is a requirement to store the personal data under Union or Member State law to which the processor is subject<a href=\"#_ftn13\"><strong>[13]<\/strong><\/a>.<\/span><\/p>\n<p class=\"p7\" style=\"text-align: justify;\"><span class=\"s1\">Further, it is the responsibility of both the controller and the processor to maintain records of processing activities under their responsibility<a href=\"#_ftn14\"><strong>[14]<\/strong><\/a>.<\/span><\/p>\n<ul class=\"ul1\" style=\"text-align: justify;\">\n<li class=\"li3\"><span class=\"s1\" style=\"color: #800080;\">WHETHER TRANSFER TO THIRD COUNTRY IS PERMITTED?<\/span><\/li>\n<\/ul>\n<p class=\"p3\" style=\"text-align: justify;\"><span class=\"s2\">If the intended data transfer meets the general requirements, one must check in a second step whether transfer to the third country is permitted. 
There is a differentiation between secure and unsecure third countries<a href=\"#_ftn15\"><strong>[15]<\/strong><\/a>.<\/span><\/p>\n<p class=\"p3\" style=\"text-align: justify;\"><span class=\"s1\">GDPR allows transfer of personal data of data subjects situated in the EU to countries outside the EU for the purpose of processing and does not prohibit such transfer <i>per se, <\/i>whether it is a secure third country that has attained \u2018adequacy\u2019 status or an unsecure third country with no data protection law at all, as in the case of India. The principles embodied under the GDPR recognise the importance of international trade and cooperation in order to achieve economic growth. The Regulation tries to balance economic growth with individual privacy and national security.<\/span><\/p>\n<p class=\"p3\" style=\"text-align: justify;\"><span class=\"s1\">The secured third countries for the purpose of data transfer do not require any specific authorisation<a href=\"#_ftn16\"><strong>[16]<\/strong><\/a>. As India (third country) does not yet have a separate law dealing with data protection and is regarded as an unsecure third country by the EU, the agreements with EU countries include standard contractual clauses as per notifications by the EU Commission, which Indian entities abide by while dealing with processing of personal data. These standard contractual clauses cannot be amended to contradict the notification. The parties are free to add clauses so long as they are in consonance with the standard contractual clauses as given in the notification.<\/span><\/p>\n<p class=\"p3\" style=\"text-align: justify;\"><span class=\"s1\">The EU Commission\u2019s decision dated 5 February 2010 <\/span><span class=\"s2\">deals with standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95\/46\/EC of European Parliament and of the Council which is still to be followed under the GDPR laws. 
This Notification C(2010) 593 applies as given under Recital Point 2, which states: <\/span><\/p>\n<p class=\"p8\" style=\"text-align: justify;\"><span class=\"s1\"><i>Member States may authorise, subject to certain safeguards, a transfer or a set of transfers of personal data to third countries which do not ensure an adequate level of protection. Such safeguards may in particular result from appropriate contractual clauses.<\/i><\/span><\/p>\n<p class=\"p3\" style=\"text-align: justify;\"><span class=\"s2\">Thus along with other agreed terms between a controller situated in the EU and a processor processing data in India, the standard contractual clauses stated in the Notification C(2010) 593 are required to be followed by India. These additional obligations are followed by Indian companies as India does not have a <\/span><span class=\"s1\">Data Protection Act in place. <\/span><\/p>\n<p class=\"p3\" style=\"text-align: justify;\"><span class=\"s1\" style=\"color: #008000;\"><b>What\u2019s next for India?<\/b><\/span><\/p>\n<p class=\"p3\" style=\"text-align: justify;\"><span class=\"s1\" style=\"color: #0000ff;\"><b><i>Is India Chapter V of GDPR compliant?\u00a0<\/i><\/b><\/span><\/p>\n<p class=\"p3\" style=\"text-align: justify;\"><span class=\"s1\">For data to be transferred from a controller situated in the EU and processed in India without any necessary safeguard provisions, it is necessary that the Indian Data Protection Bill, 2019 comply with Chapter V of GDPR and that India be regarded as one of those countries providing adequate protection. 
India is gearing up to seek \u2018adequacy\u2019 status with the European Union\u2019s\u00a0<span class=\"s7\">General Data Protection Regulation<a href=\"#_ftn17\"><strong>[17]<\/strong> <\/a><\/span>.<\/span><\/p>\n<p class=\"p3\" style=\"text-align: justify;\"><span class=\"s1\">In conclusion, the author states that the purpose of this article is to create awareness among the processors regarding their obligations and subsequently their liability. A processor cannot be held liable for all data privacy breaches. Thus it\u2019s necessary to understand the obligations of the controller and the processor and separately allocate each entity their responsibility in the agreement entered between them. This article will also assist the data subjects who have been aggrieved by data privacy breach to approach the right entity and claim relief.<\/span><\/p>\n<hr \/>\n<p><span style=\"color: #008000;\"><strong>* Advocate<\/strong><\/span><\/p>\n<p class=\"p1\"><span class=\"s1\"><a href=\"#_ftnref1\">[1]<\/a> India gets ready for EU\u2019s new data regime, Rahul Kumar, 25 April 2017<\/span><span class=\"s2\">, <a href=\"https:\/\/www.cioandleader.com\/article\/2017\/05\/02\/india-gets-ready-eu%e2%80%99s-new-data-regime\">https:\/\/www.cioandleader.com\/article\/2017\/05\/02\/india-gets-ready-eu%e2%80%99s-new-data-regime<\/a><\/span><\/p>\n<p><a href=\"#_ftnref2\">[2]<\/a> <span class=\"s1\"><a href=\"http:\/\/www.scconline.com\/DocumentLink\/A3yGRo3e\">Personal Data Protection Bill<\/a>, 2019\u00a0<\/span><\/p>\n<p><a href=\"#_ftnref3\">[3]<\/a> <span class=\"s1\"><a href=\"https:\/\/www.pwc.in\/consulting\/cyber-security\/blogs\/how-can-indian-organisations-prepare-for-the-gdpr-regime.html\">How can Indian organisations prepare for the GDPR regime?<\/a>, Sivarama Krishnan<\/span><\/p>\n<p><a href=\"#_ftnref4\">[4]<\/a> <a href=\"https:\/\/gdpr-info.eu\/issues\/third-countries\/\"><span class=\"s1\">General Data Protection Regulation<\/span><\/a><span class=\"s2\">, Key 
Issue, Third Country\u00a0<\/span><\/p>\n<p><a href=\"#_ftnref5\">[5]<\/a> <span class=\"s1\">General Data Protection Regulation<\/span><span class=\"s2\">, Recital 79, Allocation of Responsibilities, <\/span><a href=\"https:\/\/gdpr-info.eu\/recitals\/no-79\/\"><span class=\"s2\">https:\/\/gdpr-info.eu\/recitals\/no-79\/<\/span><\/a><\/p>\n<p><a href=\"#_ftnref6\">[6]<\/a> <a href=\"https:\/\/gdpr-info.eu\/issues\/consent\/\"><span class=\"s1\">General Data Protection Regulation<\/span><\/a><span class=\"s2\">, Key Issue, Consent<\/span><\/p>\n<p><a href=\"#_ftnref7\">[7]<\/a> <span class=\"s1\">Article 5 of <\/span><span class=\"s2\">General Data Protection Regulation, 2018<\/span><\/p>\n<p><a href=\"#_ftnref8\">[8]<\/a> <span class=\"s1\">General Data Protection Regulation<\/span><span class=\"s2\">, Key Issue, Processing, <a href=\"https:\/\/gdpr-info.eu\/issues\/processing\/\">https:\/\/gdpr-info.eu\/issues\/processing\/<\/a><\/span><\/p>\n<p><a href=\"#_ftnref9\">[9]<\/a> <span class=\"s1\">Article 32 of <\/span><span class=\"s2\">General Data Protection Regulation, 2018<\/span><\/p>\n<p><a href=\"#_ftnref10\">[10]<\/a> <span class=\"s1\">Article 29 of <\/span><span class=\"s2\">General Data Protection Regulation, 2018<\/span><\/p>\n<p><a href=\"#_ftnref11\">[11]<\/a> <span class=\"s1\">Article 28(10) of <\/span><span class=\"s2\">General Data Protection Regulation, 2018<\/span><\/p>\n<p><a href=\"#_ftnref12\">[12]<\/a> <span class=\"s1\">General Data Protection Regulation<\/span><span class=\"s2\">, Key Issue, Processing, <a href=\"https:\/\/gdpr-info.eu\/issues\/processing\/\">https:\/\/gdpr-info.eu\/issues\/processing\/<\/a><\/span><\/p>\n<p><a href=\"#_ftnref13\">[13]<\/a> <span class=\"s1\">General Data Protection Regulation<\/span><span class=\"s2\">, Recital 81, The Use of Processors, <a href=\"https:\/\/gdpr-info.eu\/recitals\/no-81\/\">https:\/\/gdpr-info.eu\/recitals\/no-81\/<\/a><\/span><\/p>\n<p><a href=\"#_ftnref14\">[14]<\/a> <span 
class=\"s1\">Article 30 of <\/span><span class=\"s2\">General Data Protection Regulation, 2018<\/span><\/p>\n<p><a href=\"#_ftnref15\">[15]<\/a> <span class=\"s1\">General Data Protection Regulation<\/span><span class=\"s2\">, Key Issue, Third Country, <a href=\"https:\/\/gdpr-info.eu\/issues\/third-countries\/\">https:\/\/gdpr-info.eu\/issues\/third-countries\/<\/a><\/span><\/p>\n<p><a href=\"#_ftnref16\">[16]<\/a> <span class=\"s1\" style=\"font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, Oxygen-Sans, Ubuntu, Cantarell, 'Helvetica Neue', sans-serif;\">Article 45 of <\/span><span class=\"s2\" style=\"font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, Oxygen-Sans, Ubuntu, Cantarell, 'Helvetica Neue', sans-serif;\">General Data Protection Regulation, 2018<\/span><\/p>\n<p><a href=\"#_ftnref17\">[17]<\/a> <span class=\"s1\">India to seek EU\u2019s approval on GDPR compliance for \u2018adequacy\u2019 status, <span class=\"s2\">Abhimanyu Ghoshal<\/span>, <\/span><a href=\"https:\/\/thenextweb.com\/asia\/2019\/07\/30\/india-to-seek-eus-approval-on-gdpr-compliance-for-adequacy-status\/\"><span class=\"s2\">https:\/\/thenextweb.com\/asia\/2019\/07\/30\/india-to-seek-eus-approval-on-gdpr-compliance-for-adequacy-status\/<\/span><\/a><\/p>\n<hr \/>\n<p><strong>[Image Credits: analyticsindiamag.com]<\/strong><\/p>\n","protected":false},"excerpt":{"rendered":"<p>by Sharmin Godrej 
Irani*<\/p>\n","protected":false},"author":8808,"featured_media":229369,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[42503,1191],"tags":[41287,13481,41288,31140,41290],"class_list":["post-229367","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-legal-analysis","category-op-ed","tag-data-transfer","tag-european-union","tag-gdpr","tag-general-data-protection-regulation","tag-indias-data-protection-bill-2019"],"yoast_head":"<!-- This site is optimized with the Yoast SEO Premium plugin v26.4 (Yoast SEO v26.4) - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Application of General Data Protection Regulation on Indian Processor\u00a0 | SCC Times<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.scconline.com\/blog\/post\/2020\/05\/12\/application-of-general-data-protection-regulation-on-indian-processor\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Application of General Data Protection Regulation on Indian Processor\u00a0\" \/>\n<meta property=\"og:description\" content=\"by Sharmin Godrej Irani*\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.scconline.com\/blog\/post\/2020\/05\/12\/application-of-general-data-protection-regulation-on-indian-processor\/\" \/>\n<meta property=\"og:site_name\" content=\"SCC Times\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/scc.online\/\" \/>\n<meta property=\"article:published_time\" content=\"2020-05-12T05:45:03+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2020-07-14T14:01:51+00:00\" \/>\n<meta property=\"og:image\" 
content=\"https:\/\/www.scconline.com\/blog\/wp-content\/uploads\/2020\/05\/GDPR.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"1330\" \/>\n\t<meta property=\"og:image:height\" content=\"887\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Bhumika Indulia\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Bhumika Indulia\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"9 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.scconline.com\/blog\/post\/2020\/05\/12\/application-of-general-data-protection-regulation-on-indian-processor\/\",\"url\":\"https:\/\/www.scconline.com\/blog\/post\/2020\/05\/12\/application-of-general-data-protection-regulation-on-indian-processor\/\",\"name\":\"Application of General Data Protection Regulation on Indian Processor\u00a0 | SCC 
Times\",\"isPartOf\":{\"@id\":\"https:\/\/www.scconline.com\/blog\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.scconline.com\/blog\/post\/2020\/05\/12\/application-of-general-data-protection-regulation-on-indian-processor\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.scconline.com\/blog\/post\/2020\/05\/12\/application-of-general-data-protection-regulation-on-indian-processor\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.scconline.com\/blog\/wp-content\/uploads\/2020\/05\/GDPR.jpg\",\"datePublished\":\"2020-05-12T05:45:03+00:00\",\"dateModified\":\"2020-07-14T14:01:51+00:00\",\"author\":{\"@id\":\"https:\/\/www.scconline.com\/blog\/#\/schema\/person\/919ec47cc1b871b362af05740398033a\"},\"breadcrumb\":{\"@id\":\"https:\/\/www.scconline.com\/blog\/post\/2020\/05\/12\/application-of-general-data-protection-regulation-on-indian-processor\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.scconline.com\/blog\/post\/2020\/05\/12\/application-of-general-data-protection-regulation-on-indian-processor\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.scconline.com\/blog\/post\/2020\/05\/12\/application-of-general-data-protection-regulation-on-indian-processor\/#primaryimage\",\"url\":\"https:\/\/www.scconline.com\/blog\/wp-content\/uploads\/2020\/05\/GDPR.jpg\",\"contentUrl\":\"https:\/\/www.scconline.com\/blog\/wp-content\/uploads\/2020\/05\/GDPR.jpg\",\"width\":1330,\"height\":887},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.scconline.com\/blog\/post\/2020\/05\/12\/application-of-general-data-protection-regulation-on-indian-processor\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.scconline.com\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Application of General Data Protection Regulation on Indian 
Processor\u00a0\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.scconline.com\/blog\/#website\",\"url\":\"https:\/\/www.scconline.com\/blog\/\",\"name\":\"SCC Times\",\"description\":\"Bringing you the Best Analytical Legal News\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.scconline.com\/blog\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.scconline.com\/blog\/#\/schema\/person\/919ec47cc1b871b362af05740398033a\",\"name\":\"Bhumika Indulia\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.scconline.com\/blog\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/www.scconline.com\/blog\/wp-content\/uploads\/2021\/04\/Me-150x150.jpg\",\"contentUrl\":\"https:\/\/www.scconline.com\/blog\/wp-content\/uploads\/2021\/04\/Me-150x150.jpg\",\"caption\":\"Bhumika Indulia\"},\"url\":\"https:\/\/www.scconline.com\/blog\/post\/author\/editor_1\/\"}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. 
-->"}
The Reality of Dark Patterns","author":"Bhumika Indulia","date":"August 15, 2022","format":false,"excerpt":"by Siri Harish\u2020","rel":"","context":"In &quot;Op Eds&quot;","block_context":{"text":"Op Eds","link":"https:\/\/www.scconline.com\/blog\/post\/category\/op-ed\/legal-analysis\/"},"img":{"alt_text":"Dark Patterns","src":"https:\/\/i0.wp.com\/www.scconline.com\/blog\/wp-content\/uploads\/2022\/08\/D2_MicrosoftTeams-image.jpg?resize=350%2C200&ssl=1","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/www.scconline.com\/blog\/wp-content\/uploads\/2022\/08\/D2_MicrosoftTeams-image.jpg?resize=350%2C200&ssl=1 1x, https:\/\/i0.wp.com\/www.scconline.com\/blog\/wp-content\/uploads\/2022\/08\/D2_MicrosoftTeams-image.jpg?resize=525%2C300&ssl=1 1.5x, https:\/\/i0.wp.com\/www.scconline.com\/blog\/wp-content\/uploads\/2022\/08\/D2_MicrosoftTeams-image.jpg?resize=700%2C400&ssl=1 2x, https:\/\/i0.wp.com\/www.scconline.com\/blog\/wp-content\/uploads\/2022\/08\/D2_MicrosoftTeams-image.jpg?resize=1050%2C600&ssl=1 
3x"},"classes":[]}],"amp_enabled":true,"_links":{"self":[{"href":"https:\/\/www.scconline.com\/blog\/wp-json\/wp\/v2\/posts\/229367","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.scconline.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.scconline.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.scconline.com\/blog\/wp-json\/wp\/v2\/users\/8808"}],"replies":[{"embeddable":true,"href":"https:\/\/www.scconline.com\/blog\/wp-json\/wp\/v2\/comments?post=229367"}],"version-history":[{"count":0,"href":"https:\/\/www.scconline.com\/blog\/wp-json\/wp\/v2\/posts\/229367\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.scconline.com\/blog\/wp-json\/wp\/v2\/media\/229369"}],"wp:attachment":[{"href":"https:\/\/www.scconline.com\/blog\/wp-json\/wp\/v2\/media?parent=229367"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.scconline.com\/blog\/wp-json\/wp\/v2\/categories?post=229367"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.scconline.com\/blog\/wp-json\/wp\/v2\/tags?post=229367"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}