Directorship – Comply with MCA, KYC Guidelines

The Ministry of Corporate Affairs (MCA), India, will conduct KYC (Know Your Customer) of Directors of all companies on an annual basis through a new e-form, DIR-3 KYC, to be notified and deployed shortly by MCA.

Accordingly, every Director who has been allotted Director Identification Number (DIN) on or before March 31, 2018 and whose DIN is either (i) in ‘Approved’ status, or (ii) inactive due to disqualification of such Director would be mandatorily required to file form DIR-3 KYC on or before September 15, 2018 with MCA.

While filing the form, the Unique Personal Mobile Number and Personal Email ID of the Director would have to be mandatorily indicated and would be verified by One Time Password (OTP) to be sent to such Director’s registered mobile no.

The e-form should be filed with MCA by every Director using his own Digital Signature Certificate (DSC) and should be duly certified by a practicing professional (CA/CS/CMA).

Failure to comply with this provision will result in the DIN of such Director being ‘Deactivated’, thus disqualifying such Director. Activation of the DIN can then be done by paying the requisite filing fees.

Decoding GDPR and Its impact in India

The General Data Protection Regulation (“GDPR”) was adopted by the European Union on 27th April 2016 and came into full effect on 25th May 2018, allowing for a transition time of a little over two years. In an increasing data-dependent world, the GDPR aims to protect individuals from the misuse of their personal data and breach of their privacy.

The GDPR has a universal impact, owing to its extraterritorial scope and its precedential nature, which encourages other countries to enact stronger data protection laws. The following is a brief overview of the GDPR and the compliances it requires.


The GDPR is applicable to all entities that process personal data of individuals in the European Union (and not only citizens of the European Union (EU)), for providing goods or services or for monitoring their behavior. Therefore, Indian businesses servicing the EU market will have to ensure GDPR compliance, if they collect or process personal data.

Personal Data

Personal data, under the GDPR, includes any information relating to an identified or identifiable natural person. The GDPR further provides for special categories of personal data, for which the processing requirements are more stringent. Similar to Sensitive Personal Data and Information (SPDI) under the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 in India, the special categories of personal information under the GDPR include biometric data, health records and sexual orientation. However, the GDPR extends the special categories of personal information to include data revealing a person’s ethnic or racial origins, political opinions, religious beliefs or trade union memberships.

Control and Processing

The GDPR identifies entities as “Controller” or “Processor”. A Controller is an entity that determines the purpose and means of processing personal data and has several accountability obligations. A Processor is an entity that processes i.e. collects, records, organizes, stores etc. personal data on behalf of the Controller. A Processor must process personal data only under a contract with the Controller and in accordance with documented instructions of the Controller.

It is important for businesses to identify the capacity in which they act and the nature of data they deal with to ensure full GDPR compliance.


The foundation of the GDPR is the consent of the data subject to the processing of personal data. Until now, online service providers had the practice of providing lengthy privacy policies, full of legalese and practically incomprehensible to a lay person. The GDPR requires that consent be sought from the data subject distinctly from any other terms and conditions, in an intelligible and easily accessible form, using clear and plain language. Separate and explicit consent must be sought for the processing of special categories of personal data.

The data subject also has the right to withdraw her consent and the option to withdraw consent must be made as accessible as the option to provide consent.

GDPR Privacy Policy

Updating the website privacy policy should be at the top of every business’s GDPR compliance checklist.

Under the GDPR, the Controller is required to provide the data subject with relevant information relating to the collection and processing of data at the time of collection of such data. To do so the Controller should maintain a GDPR-compliant privacy policy. The privacy policy should be concise, transparent and easy to understand.

The privacy policy should include details of the Controller, the purpose of processing the data, the period for which data will be stored or the criteria for determining such period, and the recipients of the data. The privacy policy should also inform the data subject of her rights under the GDPR, such as the right to request access, rectification and erasure of data, the right to withdraw consent, the right to object to processing and the right to data portability.

If the Controller undertakes further processing of the personal data, a fresh disclosure is to be made prior to such processing.

Security Measures

The Controller must maintain a record of the processing activities it or the Processor, acting on its behalf, undertakes. The records should include details of the controller, processor, purpose of processing, categories of data subjects and personal data.

The GDPR lays down several technical and organizational measures to be implemented to ensure the security of personal data, including pseudonymization and encrypting data, backup protection, ability to ensure the integrity of processing systems, regular testing, and audit of the safety mechanisms.  

The GDPR also lays down a “code of conduct” to be adhered to by Controllers and Processors. In addition, there is a provision for certification by a certifying authority to be established under the GDPR. Whilst such certification does not reduce the responsibilities under the GDPR, it will act as prima facie evidence of GDPR compliance.


Non-compliance with the GDPR entails high fines, and it is advisable for businesses dealing with EU markets to make themselves GDPR compliant. With the Supreme Court judgment on privacy and the Srikrishna Committee issuing its white paper on a Data Protection framework, India too seems to be moving towards more robust legislation on data protection, and adherence to the GDPR requirements may be viewed as preparation for the same.

Contributed by: Ishan Johri 


New requirement for Foreign Direct Investment

The Reserve Bank of India (RBI) has announced that with a view to integrating the reporting structures of various types of foreign investments in India, it will introduce a single master form (SMF) which is to be filed online.  

The SMF will provide for reporting to the Reserve Bank of India (RBI) of (i) total foreign investment in an Indian entity, and (ii) investment by a person resident outside India in an investment vehicle in India. As a pre-requisite to implementing the SMF and to receive foreign investments in India, Indian entities will be required to provide data on total foreign investments received by them in a format specified by the RBI. The format for providing information on foreign investment is yet to be issued by the RBI and will be made available on the RBI website from June 28, 2018 to July 12, 2018.

What happens if you skip filing the information with the Reserve Bank of India (RBI) within the timeline prescribed by the Reserve Bank of India (RBI)? Indian entities not complying with this pre-requisite will be considered non-compliant with Foreign Exchange Management Act, 1999 and regulations made thereunder and will not be able to receive foreign investment (including indirect foreign investment) in India.

In order to enable Indian entities to start collating the information in advance, the Reserve Bank of India (RBI) has provided the list of information that will be required to be filled in the form. These details can be found in Annex 1.  The format of the SMF currently contemplated by the Reserve Bank of India (RBI) is Annex 2.  The final forms will be available in the Master Direction on Reporting under the Foreign Exchange Management Act, 1999 to be issued by the Reserve Bank of India (RBI).

Fundraised from Foreign Investors? Ensure You Don’t miss this Filing with RBI!

Which companies are eligible to file the Form FLA?

Every Indian company and Limited Liability Partnership (LLP) that has received Foreign Direct Investment (FDI) and/or made Overseas Direct Investments (ODI) in the previous year(s), including the current year, is required to file the Annual Return on Foreign Liabilities and Assets (“Form FLA”) with RBI on or before July 15th every year.

The Form FLA also has to be filed where a company/LLP has not received any fresh FDI and/or ODI in the current year but has outstanding FDI and/or ODI from previous years.

Where the company/LLP’s financial statements are unaudited before the due date of submission of Form FLA, the return is required to be submitted on the basis of such unaudited (provisional) financial statements. Once the accounts are audited, and if there are revisions to the provisional information submitted, the company/LLP will be required to submit a revised return by September 30th.

The following companies are excluded from submitting FLA return:

  1. Where Indian company/LLP does not have any outstanding investment in respect of inward and outward FDI as on the end of March of the reporting year, the company/LLP is not required to submit the Form FLA.
  2. If a company/LLP has received only share application money and does not have any foreign direct investment or overseas direct investment outstanding as on the end of March of the reporting year, the company/LLP is not required to submit the Form FLA.
  3. If all non-resident shareholders of a company/LLP have transferred their shares to residents during the reporting period and the company/LLP does not have any outstanding investment in respect of inward and outward FDI as on the end of March of the reporting year, the company/LLP is not required to submit the Form FLA.
  4. If shares are issued by reporting company to non-resident on Non-Repatriable basis, then it should not be considered as a foreign investment; therefore, companies which have issued the shares to non-resident only on Non-Repatriable basis, are not required to submit the Form FLA.

How does one submit the Form FLA?

The format of Form FLA can be found here. The filled form along with any attachment has to be mailed to [email protected] by the due date. The email has to be sent from the official email id of any authorized person in the company/LLP, such as CFO, Director, Company Secretary, etc.  Acknowledgment will be received from RBI on the same email id from which the form is sent.

Does a business incorporated as a private limited company need to get a trade license from the municipality?

A trade license is permission, granted in the form of a certificate by the State government, to carry on the business/trade for which it is issued. Trade licenses are regulated to ensure that citizens are not adversely affected by health hazards and nuisance arising from the improper carrying on of a trade.

The trade license is a means to ensure that the manner and locality in which the business is being carried on is according to the relevant rules, standards and safety guidelines. It is issued by the municipal corporation of the place where business is located. A trade license is a permission to carry on a specific trade or business at the premises for which it has been issued. Any unauthorized running of trade is an offense which may result in a substantial penalty and subsequent prosecution.

Business owners must apply for a trade license, where one is required in the particular area, without any delay. An application must be made before the commencement of the activity. However, some state governments allow up to 3 months’ time to seek a trade license. A license, once issued, requires periodic renewal on an annual basis. An application for renewal must be filed at least 30 days before expiry of the license.

As per shops and establishment act, it is mandatory for three kinds of business:

1. All the eating establishments like hotels, restaurants, canteen, food stall, bakeries, the sale of vegetables, meat, provisions store, etc.

2. Trades which use motive power like manufacturing industries, factories, power looms, flour mills, cyber cafes, etc.

3. Offensive and dangerous trades like a barber shop, dhobi shop, timber wood, sale of firewood, candle manufacturer, cracker manufacturer, etc.

Documents required for obtaining trade license:

1. Pan card of the establishment in case of company, LLP or Firm;

2. Canceled Cheque and bank statement of the establishment;

3. Certificate of Incorporation, MOA, and AOA of the company or LLP/ Partnership Agreement as the case may be;

4. Premises proof of the establishment in the form of Sale Deed, Electricity Bill/water bill and NOC from the owner;

5. Colour photograph, Pan card and ID Proof and Address Proof of all Directors/ Partners;

6. Photograph of the establishment with the display of goods traded from the premises; and

7. Site/Key plan showing the area under the occupation of the applicant earmarking the neighborhood of the site.