How will a customer know that the Data Fiduciary (DF) has deleted the data after the customer's revocation request and is not using it afterward?
Legal Obligation to Cease Processing
• Under Section 6(6) of the DPDPA, if a Data Principal withdraws consent, the Data Fiduciary must cease processing the personal data within a reasonable time, unless:
o The processing is required or authorized under another law in force in India.
o The processing falls under certain legitimate uses as defined in Section 7 of the DPDPA (e.g., for legal claims, medical emergencies, or public interest purposes).
• If the DF continues to process the data without a valid legal basis, it is in breach of the DPDPA.
Consequences for the Data Fiduciary
• Penalties: The Data Protection Board of India (DPBI) can impose monetary penalties on the DF for non-compliance. Under Section 33 and the Schedule of the DPDPA:
o Breach of obligations related to consent withdrawal can attract penalties of up to ₹250 crore.
• Reputational Damage: Continued use of data after consent withdrawal can lead to loss of trust and reputational harm for the DF.
• Legal Action: The Data Principal can file a complaint with the DPBI, which can investigate and impose penalties or other corrective measures.
Data Principal’s Rights
• The Data Principal has the right to:
o Withdraw Consent: Under Section 6(4), consent can be withdrawn at any time, and the DF must ensure the process is as easy as giving consent.
o File a Complaint: Under Section 13, the Data Principal can file a grievance with the DF or directly with the DPBI if the DF fails to comply with the withdrawal of consent.
o Request Erasure: Under Section 12, the Data Principal can request the DF to erase their personal data if the specified purpose is no longer being served or if consent is withdrawn.
Obligations of the Data Fiduciary
• Immediate Cessation: The DF must stop processing the data element for which consent has been withdrawn, unless there is a valid legal basis (e.g., compliance with another law).
• Notify Data Processors: If the DF has engaged a Data Processor, it must ensure the Processor also ceases processing the data (Section 8(7)).
• Record Keeping: The DF must maintain records of consent withdrawals and ensure compliance with the DPDPA.
Exceptions Where Processing Can Continue
• The DF may continue processing the data if:
o It is necessary for compliance with a legal obligation (e.g., tax laws, court orders).
o It falls under certain legitimate uses (e.g., medical emergencies, public health, or employment-related purposes).
o The data is required for fulfilling a contract with the Data Principal (e.g., processing payment for an order already placed).
Remedial Actions by the DF
• If the DF inadvertently continues processing the data after consent withdrawal, it should:
o Immediately cease processing the data.
o Notify the Data Principal of the breach and the steps taken to rectify it.
o Report the Breach: If the breach compromises the confidentiality, integrity, or availability of personal data, the DF must notify the DPBI and the affected Data Principal under Section 8(6).
Example Scenario
• Scenario: A customer withdraws consent for their phone number to be used for marketing purposes, but the DF continues to send promotional messages.
• Consequence:
o The DF is in violation of Section 6(6).
o The customer can file a complaint with the DPBI.
o The DPBI may impose a penalty of up to ₹250 crore on the DF for failing to comply with the withdrawal of consent.