Powers and functions of Authority
49. (1) It shall be the duty of the Authority to protect the interests of data principals, prevent any misuse of personal data, ensure compliance with the provisions of this Act, and promote awareness about data protection.
(2) Without prejudice to the generality of the foregoing and other functions under this Act, the functions of the Authority shall include
(a) monitoring and enforcing application of the provisions of this Act;
(b) taking prompt and appropriate action in response to personal data breach in accordance with the provisions of this Act;
(c) maintaining a database on its website containing names of significant data fiduciaries along with a rating in the form of a data trust score indicating compliance with the obligations of this Act by such fiduciaries;
(d) examination of any data audit reports and taking any action pursuant thereto;
(e) issuance of a certificate of registration to data auditors and renewal, withdrawal, suspension or cancellation thereof and maintaining a database of registered data auditors and specifying the qualifications, code of conduct, practical training and functions to be performed by such data auditors;
( f ) classification of data fiduciaries;
(g) monitoring cross-border transfer of personal data; (h) specifying codes of practice;
(i) promoting awareness and understanding of the risks, rules, safeguards and rights in respect of protection of personal data amongst data fiduciaries and data principals;
(j) monitoring technological developments and commercial practices that may affect protection of personal data;
(k) promoting measures and undertaking research for innovation in the field of protection of personal data;
(l) advising Central Government, State Government and any other authority on measures required to be taken to promote protection of personal data and ensuring consistency of application and enforcement of this Act;
(m) specifying fees and other charges for carrying out the purposes of this Act;
(n) receiving and inquiring complaints under this Act; and
(o) performing such other functions as may be prescribed.
(3) Where, pursuant to the provisions of this Act, the Authority processes any personal data, it shall be construed as the data fiduciary or the data processor in relation to such personal data as applicable, and where the Authority comes into possession of any information that is treated as confidential by the data fiduciary or data processor, it shall not disclose such information unless required under any law to do so, or where it is required to carry out its function under this section.