Consent-based Framework
Chapter III of the Policy introduces a consent-based framework for collecting and processing personal data, similar to the one in the PDP Bill. In particular, personal data may only be collected and processed with the consent of the individual (i.e. the 'data principal'), obtained either directly from the data principal or through an electronic consent management system. Data principals may also provide consent to third-party access to their personal data and control the parameters and scope thereof through the consent manager.
In addition to obtaining informed consent, the processing of personal data must be limited to health-related purposes or other incidental purposes, provided that they are reasonably expected by the data principal. Data fiduciaries must also comply with the principles of accountability, transparency, Privacy by Design, purpose limitation, and data quality, as set out in Chapter V of the Policy.
Furthermore, the Policy provides several rights for data principals under certain circumstances, including rights of access, rectification, erasure, and restriction, as well as data portability.