12. Processing of personal data on the basis of consent.—
(1) Personal data may be processed on the basis of the consent of the data principal, given no later than at the commencement of the processing.
(2) For the consent of the data principal to be valid, it must be—
(a) free, having regard to whether it meets the standard under section 14 of the Indian Contract Act, 1872 (9 of 1872);
(b) informed, having regard to whether the data principal has been provided with the information required under section 8;
(c) specific, having regard to whether the data principal can determine the scope of consent in respect of the purposes of processing;
(d) clear, having regard to whether it is indicated through an affirmative action that is meaningful in a given context; and
(e) capable of being withdrawn, having regard to whether the ease of such withdrawal is comparable to the ease with which consent may be given.
(3) The data fiduciary shall not make the provision of any goods or services or the quality thereof, the performance of any contract, or the enjoyment of any legal right or claim, conditional on consent to processing of any personal data not necessary for that purpose.
(4) The data fiduciary shall bear the burden of proof to establish that consent has been given by the data principal for processing of personal data in accordance with sub-section (2).
(5) Where the data principal withdraws consent for the processing of any personal data necessary for the performance of a contract to which the data principal is a party, all legal consequences for the effects of such withdrawal shall be borne by the data principal.
13. Processing of personal data for functions of the State. —
(1) Personal data may be processed if such processing is necessary for any function of Parliament or any State Legislature.
(2) Personal data may be processed if such processing is necessary for the exercise of any function of the State authorised by law for:
(a) the provision of any service or benefit to the data principal from the State; or
(b) the issuance of any certification, license or permit for any action or activity of the data principal by the State.
14. Processing of personal data in compliance with law or any order of any court or tribunal. —
Personal data may be processed if such processing is—
(a) explicitly mandated under any law made by Parliament or any State Legislature; or
(b) for compliance with any order or judgment of any Court or Tribunal in India.
15. Processing of personal data necessary for prompt action. —
Personal data may be processed if such processing is necessary—
(a) to respond to any medical emergency involving a threat to the life or a severe threat to the health of the data principal or any other individual;
(b) to undertake any measure to provide medical treatment or health services to any individual during an epidemic, outbreak of disease or any other threat to public health; or
(c) to undertake any measure to ensure safety of, or provide assistance or services to, any individual during any disaster or any breakdown of public order.
16. Processing of personal data necessary for purposes related to employment. —
(1) Personal data may be processed if such processing is necessary for—
(a) recruitment or termination of employment of a data principal by the data fiduciary;
(b) provision of any service to, or benefit sought by, the data principal who is an employee of the data fiduciary;
(c) verifying the attendance of the data principal who is an employee of the data fiduciary; or
(d) any other activity relating to the assessment of the performance of the data principal who is an employee of the data fiduciary.
(2) Sub-section (1) shall apply only where processing on the basis of consent of the data principal is not appropriate having regard to the employment relationship between the data fiduciary and the data principal, or would involve a disproportionate effort on the part of the data fiduciary due to the nature of the processing activities under this section
17. Processing of data for reasonable purposes. —
(1) In addition to the grounds for processing contained in section12 to section 16, personal data may be processed if such processing is necessary for such reasonable purposes as may be specified after taking into consideration—
(a) the interest of the data fiduciary in processing for that purpose;
(b) whether the data fiduciary can reasonably be expected to obtain the consent of the data principal;
(c) any public interest in processing for that purpose;
(d) the effect of the processing activity on the rights of the data principal; and
(e) the reasonable expectations of the data principal having regard to the context of the processing.
(2) For the purpose of sub-section (1), the Authority may specify reasonable purposes related to the following activities, including—
(a) prevention and detection of any unlawful activity including fraud;
(b) whistle blowing;
(c) mergers and acquisitions;
(d) network and information security;
(e) credit scoring;
(f) recovery of debt;
(g) processing of publicly available personal data;
(3) Where the Authority specifies a reasonable purpose under sub-section (1), it shall:
(a) lay down such safeguards as may be appropriate to ensure the protection of the rights of data principals; and
(b) determine where the provision of notice under section 8 would not apply having regard to whether such provision would substantially prejudice the relevant reasonable purpose.