By: Aman Khanna
I. Personal Data
a. Personal Data
Personal data is data by which an individual can be identified, or data relating to such an individual. Let’s first understand what personal data is: it is any data relatable to an individual, such as a name, an address, an email ID, an identification number, an Internet Protocol (IP) address, a cookie ID, or anything else that can be used to uniquely identify a person.
Going into a bit more detail on what data encompasses:
Data is a collection of information or observations that can be utilized to address questions, make decisions, or take action. It can be in quantitative form, involving numbers, or qualitative form, encompassing text, images, or sounds. Data can be obtained from various sources like surveys, experiments, or observations. In the field of computing, data refers to information that has been transformed into a format that is efficient for processing or transmission. There are diverse types of data.
Having looked at the terms ‘Personal’ and ‘Data’ within the ambit of the Digital Personal Data Protection Act 2023 (DPDP Act 23), we now look at some important perspectives on data exchange between a subsidiary and its holding company.
II. Need of holding company
The following variables determine whether a holding company can access consumer information from its subsidiary company:
- The legal basis: The holding company must have a legal basis for the transfer of client data from the subsidiary firm. This may be an agreement, a contract, a justifiable interest, or a legal need.
- The objective of the data transfer: The transfer of customer data must be done for a clear, justifiable reason. This might be done for marketing, risk management, or financial reporting.
- The safety measures in place: To secure customer data during the transfer, the holding company must implement the necessary safety measures for both types of data (at rest and in transit). This might consist of audit trails, access limits, and encryption.
III. Handling of personal data by holding company
The handling of personal data in India is governed by the comprehensive DPDPA 23. The problem of data transfers between controlling companies and their subsidiaries is not specifically addressed by the DPDPA. The DPDPA does, however, offer a few overarching guidelines that apply to all data transfers.
For instance, the DPDPA mandates that data transfers be done based on a legal justification, such as permission, a contract, or a valid interest. The DPDPA also mandates that data transfers be carried out securely and with the proper security measures in place.
Additionally, people have the right to view their personal data, have that data updated, and object to that data being processed. All data transfers, including those between holding companies and their subsidiaries, are subject to these rights.
IV. Why is the Data Fiduciary role important in Data Transfer from Subsidiary to Holding Company?
A data fiduciary is someone who is in charge of handling personal information. Such an individual holds responsibility for managing, utilizing, and safeguarding the data of other people. A data fiduciary can be anybody, from an individual to a corporate entity, who determines how and why personal data is processed, either alone or in concert with other people.
As per S4.b, it is important that the Data Fiduciary ‘processes’ personal data of the Data Principal for a lawful purpose and certain legitimate uses. S5 lays emphasis on the notification given to the Data Principal by the Data Fiduciary, covering:
- Her consent for the ‘purpose’ of processing of data
- The withdrawal of the Data Principal’s consent, which should be as easy as it was to give her consent to the Data Fiduciary before processing of her personal data.
S7-9 clearly articulate the functions, necessities and obligations of the consent manager in this data relationship between the Data Principal and the Data Fiduciary.
The following factors are also important in determining the acquisition, processing and control of personal data by the holding company:
- The person whose data is being transferred should give authorization to the holding company. This consent needs to be freely given, specific, and informed.
- The subsidiary company should transfer just the data required for the designated purpose.
- When the data is no longer required, the holding company should destroy it. The holding firm should keep the data secure and only use it for the purposes for which it was transferred.
To conclude, a holding company may only obtain customer information from a subsidiary firm if it has a legal basis for doing so, a clear and justifiable reason for doing so, and adequate measures in place to protect the data. Other DPDPA criteria, such as people’s rights to access and amend their personal data, must also be met by the holding company.