DPDPA-Rules: Publishing the Business Contact Information of DPO

It is amusing to observe that while draftng the rules of DPDPA, MeitY has gone over board to use the feminine gender in the law which was considered a unique aspect of the drafting of the law.

In the law, the data principal who is an individual was referred to as “She” or “her” instead of the normal use of the term “he” or “him” used in other laws.

Now those who drafted the rules have gone a step further to depict even the organziations in a feminine gender.

For example, while indicating the rules regarding the publishing of the business contact information of a Data Protection Officer, the draft rules meant for discussion states,

(1) A Data Fiduciary shall-

(a) publish on her website or app or both as the case may be and

(b) intimate the data principal through in-app notification and every piece of correspondence with her, the business contact information of a person who is able to answer on behalf of the Data Fiduciary, the questions, if any raised by the Data Principal about the processing of her personal data.

(2) If the Data fiduciary is a significant Data fiducairy, the business contact information published under sub-rule (1) shall be that of its Data Protection officer,

(3) The business contact information to be published under sub-rule (1) shall be published in like manner as is provided in sub-rule (2) of rule 5 (Ed: on the home page).

In majority of cases, the Data Fiduciary is an organziation and the appropriate use of pronoun would have been “It” or simply the Data Fiducairy.

There is one benefit however that has arisen on account of this unatural use of the pronoun “her” to a “Data Fiducairy”. It has focussed on the fact that even an individual can be a “Data Fiduciary” in the context of processing of personal data for “Non Domestic use”. Hence theoretically a Data Fiduciary can also be an individual and therefore the use of the pronoun “Her/she” can be justified.

Leaving this minor observation, this rule is important from the perspective of an indirect admission that “Business Contact Information” is actually “Personal Information” which the data principal out of his “Choice” decides to use for business use.

There are many who consider Naavi9 @gmail.com as personal information and refuse to accept it in some forms. On the other hand naavi @naavi.org is considered as an acceptable business use. This is in my view incorrect since it is the prerogative of naavi to hold out naavi @naavi.org as a business address or personal address and naavi9 @gmail.com as personal email address or business email address.

Under DGPSI framework we have been always recommending to leave the choice of declaring if any e-mail or mobile number is a personal information or business information and many companies have started accepting this argument and incorporating this in their personal information gathering exercise.

I hope after the use of the “her/She” to Data Fiduciary and business contact information of a DPO as “her” information confirms that “Business Contact Information” can contain personal name as part of the e-mail.

…..More discussions will follow.


About Vijayashankar Na

Naavi is a veteran Cyber Law specialist in India and is presently working from Bangalore as an Information Assurance Consultant. Pioneered concepts such as ITA 2008 compliance, Naavi is also the founder of Cyber Law College, a virtual Cyber Law Education institution. He now has been focusing on the projects such as Secure Digital India and Cyber Insurance
This entry was posted in Cyber Law. Bookmark the permalink.