
Implications of the PDP Bill on Financial Lenders

Chapter VI of the Personal Data Protection Bill 2019 lists the rights of data principals.
Some of these rights which affect compliance for lenders are as follows:
  • Informed Consent:
    Personal data shall only be processed after explicit consent given by the data principal at the commencement of its processing. Hence, lenders cannot assume implied consent for processing customer data. As per Section 11, the consent must be free, specific, clear, capable of being withdrawn and, most importantly, it must be informed with the information specified in Section 7 of the Bill.
  • Specific Purpose:
    Personal data shall be collected only to the extent that is necessary for the purposes of processing. This means that it cannot be collected for reasons that are not known or declared.
  • Data Erasure:
    Personal data must be erased after the purpose for which it was shared has been met. The data principal has the right to ask for the erasure of their personal data. This poses an issue because Fintechs and NBFCs may be required by other statutory laws to store the data for a longer period. In case the data principal exercises the right to be forgotten, the same will have to be complied with, since the Bill provides for an overriding effect.
  • Data Portability:
    When the processing of the personal data has been carried out through automated means, the data principal has the right to receive a copy of their personal data in a structured, commonly used and machine-readable format.
These rights have a bearing on the different types of data collected at different steps of the lending process.

KYC Process
When commencing the process of lending, basic documents such as identity proof and address proof are needed to get to know the customer.

The clauses from the draft bill that can affect the KYC process are:
  • Storage Limitation:
    After the loan has been repaid, the data principal can request erasure of all the KYC data.
  • Data Portability:
    With eKYC and VideoKYC being adopted, automated processing is becoming common. The data fiduciary must keep a copy of the data in case it is requested by the data principal.

Credit Underwriting
A number of data sources are inspected as part of the credit underwriting process. Although the provisions of the bill do not apply to data collected from public sources, they have huge implications for data collected from private sources. Credit assessment done by pulling information through methods like SMS reading and bank and email login-based pulls would need to be consent-based.

Credit Bureau Access
Lenders are often obligated to share a customer's personal data with credit bureaus and other third parties while servicing a loan. Under the bill's provisions, the transactions, details of the companies involved and the justification for this data transfer must be explained by lenders to their customers.

Although credit scoring is a "reasonable purpose" exception in the bill which allows personal data to be processed without consent, it is not certain if it grants an exception from the right to data erasure. The storage of personally identifiable information (PII) implies that a data principal can request it to be completely erased.

Data localisation norms
Data localisation has been an important issue for Fintech entities, particularly those who have global business and foreign headquarters. The storage norms impose strict restrictions on storage of data. The Bill proposes that sensitive personal data (which includes financial data) must be stored in India only. The same may be transferred abroad, however this is again subject to certain conditions such as taking approval of the relevant authority.

Privacy by Design
The bill mandates every data fiduciary to build a robust privacy system for storing and processing personal data. Fintech entities, along with other data fiduciaries, must prepare a privacy by design policy that contains the essential features laid down in Section 22. The policy formulated may be sent to the Data Protection Authority for certification. The policy must be published on the organisation's and the authority's websites.

Non-compliance is liable to a penalty. This penalty could go up to 15 crore rupees or 4% of a data fiduciary's total worldwide turnover of the preceding financial year, whichever is higher. It is thus imperative for fintech companies and banks to start preparing for these compliance measures.
