Imposes several duties on organizations that handle personal data. Every Data Fiduciary must ensure processing is based on a valid legal basis – primarily, this means obtaining explicit consent from the individual unless the processing falls under specific legitimate uses listed in the Act (such as legal compliance, employment, or emergencies).

Notice: A clear, itemized privacy notice must be given before collecting personal data, explaining what data will be collected and used, for what purpose, and the individual's rights, including how to file a complaint.

Data Minimization: Collect and retain only the data that is necessary for the stated purpose.

Accuracy: Ensure personal data is accurate and up to date, especially if it is used to make decisions about the individual.

Security Safeguards: Implement reasonable technical and organizational security measures to prevent unauthorized access or data breaches, such as encryption, access controls, and audit logs.

Data Retention and Deletion: Personal data should be permanently deleted or anonymized once the purpose has been served and retention is no longer necessary.

Data Breach Notification: In the event of a breach, inform the Data Protection Board and the affected Data Principals within the time frame prescribed by the Rules.

Grievance Mechanism: Establish an accessible grievance redressal system (such as a contact point or portal) to resolve users' complaints.

Additional Duties for Children: If dealing with minors (<18 years), obtain parental consent and do not engage in tracking or targeted advertising directed at children.

Overall, fiduciaries must adopt a "privacy by design" mindset – building these obligations into their processes and systems.