BA0150028
A. Under the EU GDPR, sensitive personal data does not include financial data or
passwords: Article 9 (1) - special categories of personal data are data relating to racial
or ethnic origin, political opinions, religious or philosophical beliefs, or trade union
membership, and the processing of genetic data, biometric data for the purpose of
uniquely identifying a natural person, data concerning health or data concerning a
natural person’s sex life or sexual orientation.
B. Under the Data Protection Bill, 2018, sensitive personal data includes financial
data and passwords: Section 3 (35)- “Sensitive Personal Data” means personal data
revealing, related to, or constituting, as may be applicable—
(i) passwords;
(ii) financial data;
(iii) health data;
(iv) official identifier;
(v) sex life;
(vi) sexual orientation;
(vii) biometric data;
(viii) genetic data;
(ix) transgender status;
(x) intersex status;
(xi) caste or tribe;
(xii) religious or political belief or affiliation; or
(xiii) any other category of data specified by the Authority under section 22.
2. DATA CONTROLLER/FIDUCIARY
Nandhinee E
(1) Personal data other than those categories of sensitive personal data notified
under subsection (2) of section 40 may be transferred outside the territory of India
where—
(b) the Central Government, after consultation with the Authority, has prescribed
that transfers to a particular country, or to a sector within a country or to a particular
international organisation is permissible; or
(c) the Authority approves a particular transfer or set of transfers as permissible due
to a situation of necessity;
personal data. Without prejudice to any other administrative or judicial remedy, every
data subject has the right to lodge a complaint with a supervisory authority, in particular
in the Member State of his or her habitual residence, place of work or place of the
alleged infringement if the data subject considers that the processing of personal data
relating to him or her infringes this Regulation. Article 82 provides for compensation
as well.
B. Under the Data Protection Bill, 2018: Section 75 provides for compensation to a data
principal in case any of his rights under the Bill is violated. A data processor shall be
liable only where it has acted outside or contrary to the instructions of the data fiduciary
pursuant to section 37, or where the data processor is found to have acted in a negligent
manner, or where the data processor has not incorporated adequate security safeguards
under section 31, or where it has violated any provisions of this Act expressly applicable
to it. Any data principal who has suffered harm as a result of any violation of any
data fiduciary or a data processor, shall have the right to seek compensation from the
6. NOTICE
A. Under the EU GDPR, notice is given under Articles 12, 13 and 14 when data is
collected with all necessary details to ensure fair and transparent processing. Since
financial data is not included in sensitive personal data, notice is not given when
B. Under the Data Protection Bill, 2018: Under Section 8, notice is to be given to
the data principal at the time of the collection of all data including financial data.
7. CRIMINAL BREACH
A. Under the EU GDPR, penalties under Article 84 do not provide for any
B. Under the Data Protection Bill, 2018 under Section 91 any person who knowingly
(d) sells or offers to sell sensitive personal data to another person shall be punishable
with imprisonment for a term not exceeding five years or shall be liable to a fine