(1) The consent given by the Data Principal shall be free, specific, informed, unconditional and unambiguous with a clear affirmative action, and shall signify an agreement to the processing of her personal data for the specified purpose and be limited to such personal data as is necessary for such specified purpose.
Illustration.
X, an individual, downloads Y, a telemedicine app. Y requests the consent of X for (i) the processing of her personal data for making available telemedicine services, and (ii) accessing her mobile phone contact list, and X signifies her consent to both. Since phone contact list is not necessary for making available telemedicine services, her consent shall be limited to the processing of her personal data for making available telemedicine services.
(2) Any part of consent referred in sub-section (1) which constitutes an infringement of the provisions of this Act or the rules made thereunder or any other law for the time being in force shall be invalid to the extent of such infringement.
Illustration.
X, an individual, buys an insurance policy using the mobile app or website of Y, an insurer. She gives to Y her consent for (i) the processing of her personal data by Y for the purpose of issuing the policy, and (ii) waiving her right to file a complaint to the Data Protection Board of India. Part (ii) of the consent, relating to waiver of her right to file a complaint, shall be invalid.
(3) Every request for consent under the provisions of this Act or the rules made thereunder shall be presented to the Data Principal in a clear and plain language, giving her the option to access such request in English or any language specified in the Eighth Schedule to the Constitution and providing the contact details of a Data Protection Officer, where applicable, or of any other person authorised by the Data Fiduciary to respond to any communication from the Data Principal for the purpose of exercise of her rights under the provisions of this Act.
(4) Where consent given by the Data Principal is the basis of processing of personal data, such Data Principal shall have the right to withdraw her consent at any time, with the ease of doing so being comparable to the ease with which such consent was given.
(5) The consequences of the withdrawal referred to in sub-section (4) shall be borne by the Data Principal, and such withdrawal shall not affect the legality of processing of the personal data based on consent before its withdrawal.
Illustration.
X, an individual, is the user of an online shopping app or website operated by Y, an e-commerce service provider. X consents to the processing of her personal data by Y for the purpose of fulfilling her supply order and places an order for supply of a good while making payment for the same. If X withdraws her consent, Y may stop enabling X to use the app or website for placing orders, but may not stop the processing for supply of the goods already ordered and paid for by X.
(6) If a Data Principal withdraws her consent to the processing of personal data under sub-section (5), the Data Fiduciary shall, within a reasonable time, cease and cause its Data Processors to cease processing the personal data of such Data Principal unless such processing without her consent is required or authorised under the provisions of this Act or the rules made thereunder or any other law for the time being in force in India.
Illustration.
X, a telecom service provider, enters into a contract with Y, a Data Processor, for emailing telephone bills to the customers of X. Z, a customer of X, who had earlier given her consent to X for the processing of her personal data for emailing of bills, downloads the mobile app of X and opts to receive bills only on the app. X shall itself cease, and shall cause Y to cease, the processing of the personal data of Z for emailing bills.
(7) The Data Principal may give, manage, review or withdraw her consent to the Data Fiduciary through a Consent Manager.
(8) The Consent Manager shall be accountable to the Data Principal and shall act on her behalf in such manner and subject to such obligations as may be prescribed.
(9) Every Consent Manager shall be registered with the Board in such manner and subject to such technical, operational, financial and other conditions as may be prescribed.
(10) Where a consent given by the Data Principal is the basis of processing of personal data and a question arises in this regard in a proceeding, the Data Fiduciary shall be obliged to prove that a notice was given by her to the Data Principal and consent was given by such Data Principal to the Data Fiduciary in accordance with the provisions of this Act and the rules made thereunder.