INTRODUCTION
The Digital Personal Data Protection Act, 2023 (DPDPA) is India's first comprehensive framework for regulating the collection, processing, and protection of digital personal data. It applies to processing within India and also to processing carried out outside India when it is connected with offering goods or services to individuals in India. At its core, the Act adopts a consent-driven approach: organisations, referred to as Data Fiduciaries, must obtain free, specific, informed, unconditional, and unambiguous consent before processing personal data.
At the same time, the law recognises certain practical exceptions by permitting processing without consent in specific situations termed "legitimate uses", such as data voluntarily provided by the individual, delivery of State benefits and services, compliance with legal obligations, medical emergencies, and employment-related purposes. By balancing individual privacy rights with operational and governance needs, the DPDPA lays the foundation for a structured and accountable data protection regime in India.
KEY TERMINOLOGY OF THE ACT
- Data Fiduciary[1]: The person or entity that, alone or in conjunction with others, determines the purposes and means of processing personal data (akin to the GDPR "controller"). Any organisation deciding why and how the personal data of individuals in India is processed is a Data Fiduciary under the DPDPA.
- Data Processor[2]: The person or entity that processes personal data (PD) on behalf of a Data Fiduciary.
- Data Principal[3]: The individual to whom the personal data relates (akin to the GDPR "data subject"). The term also covers (i) for a child, i.e. an individual who has not completed 18 (eighteen) years of age, the child's parents or lawful guardian; (ii) for a person with disability (PWD), the lawful guardian acting on their behalf; and (iii) on the death or incapacity of the individual, the person nominated by them under Section 14 of the DPDPA to exercise their rights.
- Consent[4]: A free, specific, informed, unconditional, and unambiguous indication of the Data Principal's wishes, given through a clear affirmative action. Pre-ticked boxes, bundled consents, and implied consent do not meet this standard.
- Significant Data Fiduciary (SDF)[5]: A Data Fiduciary, or class of Data Fiduciaries, notified as such by the Central Government on the basis of factors including the volume and sensitivity of the personal data processed, the risk to Data Principals' rights, and potential impact on sovereignty, electoral democracy, state security, and public order. SDFs face enhanced obligations. At the time of writing, the government has not yet notified any SDFs.
CORE OBLIGATIONS IMPOSED BY THE DPDPA
The DPDPA imposes a set of core obligations on organisations to ensure responsible handling of personal data. These include implementing reasonable security safeguards, maintaining data accuracy and completeness, and, in the event of a personal data breach, promptly intimating both the Data Protection Board and affected Data Principals, followed by a detailed report to the Board within 72 hours. Organisations must also uphold the rights of Data Principals, including the rights to access, correction, erasure, nomination, and effective grievance redressal. Transparency is a key requirement: organisations must provide clear and accessible privacy notices and robust grievance mechanisms. They must also maintain records sufficient to demonstrate accountability and compliance, since under Section 6(10) the burden of proving that notice was given and consent obtained lies on the Data Fiduciary.
Entities notified as Significant Data Fiduciaries (SDFs), based on factors such as the volume and sensitivity of data processed, the risk to Data Principals, and implications for national interests, are subject to enhanced obligations. These include appointing a Data Protection Officer based in India who is responsible to the Board of Directors (or similar governing body), engaging an independent data auditor, conducting a Data Protection Impact Assessment and audit once every twelve months, and maintaining detailed records of processing activities. Compliance is overseen by the Data Protection Board of India, which is empowered to inquire into violations and impose monetary penalties ranging from ₹10,000 on a Data Principal who breaches their duties (for example by filing a frivolous complaint) to ₹250 crore on a Data Fiduciary that fails to implement reasonable security safeguards. Collectively, this framework gives organisations a compliance checklist for establishing, maintaining, and demonstrating adherence to data protection standards in India.
DPDP RULES, 2025
| Rule No. | Heading | Summary |
|---|---|---|
| 3 | Notice given by Data Fiduciary (DF) to Data Principal (DP) | The notice must be clear, standalone, and in plain language, and must itemise the personal data collected and the purposes of its processing so that consent is informed. It must also describe the means by which the Data Principal can withdraw consent, exercise rights, and make a complaint to the Data Protection Board, including the relevant website or app links. |
| 4 | Registration and obligations of Consent Manager | A company incorporated in India may apply to the Board for registration as a Consent Manager and must follow the prescribed obligations. The Board may monitor compliance, direct corrective measures, or suspend or cancel the registration to protect Data Principals. |
| 5 | Processing of PD for provision or issue of subsidy, benefit, service, certificate, licence or permit by State and its instrumentalities | Processing of personal data by the State or its instrumentalities for providing subsidies, benefits, services, certificates, licences, or permits must comply with the standards in the Second Schedule. This covers processing under law or government policy, and processing funded from public funds, whether administered by the Central Government, a State Government, or their authorities. |
| 6 | Reasonable security safeguards | DFs must protect PD with measures such as encryption, obfuscation, masking or tokenisation; access control; logging and monitoring to detect and investigate unauthorised access; backups to maintain continuity of processing; retention of logs for at least one year; and contracts that bind Data Processors to the same safeguards. |
| 7 | Intimation of PD breach | On becoming aware of a breach, a DF must intimate affected DPs and the Board without delay, describing the breach, its likely consequences, the mitigation measures taken, and the safety measures the DP can take. A detailed report to the Board follows within 72 hours (or such longer period as the Board allows), covering the facts, findings, and steps taken to prevent recurrence. |
| 8 | Time period for specified purpose to be deemed as no longer being served | A DF covered by the Third Schedule must erase personal data once the period specified there has elapsed without the Data Principal approaching the DF for the specified purpose or exercising her rights, unless retention is required by law. At least 48 hours before the period expires, the DF must inform the Data Principal that the data will be erased unless she engages or exercises her rights. Logs and processing records must be retained for at least one year before deletion, unless a longer retention is legally required. |
| 9 | Contact information of person to answer questions about processing | DFs must prominently publish the contact details of the Data Protection Officer or other responsible person on their website or app, and include them in every response to a DP exercising her rights. |
| 10 | Verifiable consent for the processing of the PD of the child | DFs must obtain verifiable consent from a parent before processing a child's PD, and must check that the person giving consent is an identifiable adult, using reliable identity and age details already held by the DF or issued by a government-authorised entity. |
| 11 | Verifiable consent for processing of personal data of person with disability who has lawful guardian | DFs must verify that a guardian giving consent on behalf of a person with disability has been lawfully appointed by a court, designated authority, or local-level committee under the applicable guardianship law. |
| 12 | Exemptions from certain obligations applicable to processing of PD of child | The requirements of Sections 9(1) and 9(3) for processing children's personal data do not apply to the classes of Data Fiduciaries listed in Part A of the Fourth Schedule, subject to the conditions stated there. They are also relaxed for the specific purposes listed in Part B of the Fourth Schedule, again subject to the stated conditions. |
| 13 | Additional obligations of Significant DF | An SDF must carry out a Data Protection Impact Assessment and an audit once every twelve months and report significant observations to the Board. It must also exercise due diligence to ensure that its technical measures, including algorithmic software, do not pose a risk to Data Principals' rights. The Central Government may specify categories of personal data, and related traffic data, that an SDF must process and store only within India. |
| 14 | Rights of DPs | DFs and, where applicable, Consent Managers must publish on their website or app how a Data Principal can exercise her rights and what identifying details a request must contain. Data Principals submit requests through those published means and may nominate another individual to exercise their rights. DFs must also operate an effective grievance redressal mechanism and respond within the period they publish, which may not exceed 90 days. |
| 15 | Transfer of PD outside the territory of India | DFs may transfer PD outside India only subject to requirements the Central Government specifies by order, in particular regarding making such data available to a foreign State or to a person or entity under its control. |
| 23 | Calling for information from DF or the intermediary | The Central Government may require DFs or intermediaries to furnish information for the purposes listed in the Seventh Schedule, and may direct that the request not be disclosed to the DP where sovereignty, integrity, or security of the State is at stake. |
THE DIGITAL PERSONAL DATA PROTECTION ACT, 2023: COMPLIANCE MAP BY PHASE
| PHASE | REQUIREMENT | DESCRIPTION | SECTION |
|---|---|---|---|
| FOUNDATION | Data Fiduciary status | Determines the purpose and means of processing | Sec 2(i) |
| | Scope confirmation | Digital personal data, or non-digital personal data subsequently digitised | Sec 3(a)(i-ii) |
| | Territoriality verified | Processing within India, or outside India in connection with offering goods or services to Data Principals in India | Sec 3(a-b) |
| | Exemptions ruled out | Not personal or domestic use, and not data made publicly available by the Data Principal or under a legal obligation | Sec 3(c) |
| LAWFUL PROCESSING | Lawful purpose only | The purpose must not be expressly forbidden by law | Sec 4(2) |
| | Consent or legitimate use | Every processing activity needs one of the two | Sec 4(1)(a-b) |
| NOTICE | Pre-consent notice | Personal data and purpose, how to exercise rights and withdraw consent, how to complain to the Board | Sec 5(1)(i-iii) |
| | Legacy consent notice | Notice to Data Principals whose consent was obtained before the Act commenced | Sec 5(2)(a-b) |
| | Language options | Notice available in English or any language in the Eighth Schedule to the Constitution, at the Data Principal's option | Sec 5(3) |
| CONSENT | Tests of consent | Free, specific, informed, unconditional, and unambiguous | Sec 6(1) |
| | Affirmative action | Clear affirmative act, limited to the specified purpose; no pre-ticked boxes or bundled consent | Sec 6(1) |
| | Withdrawal parity | Withdrawing consent must be as easy as giving it | Sec 6(4) |
| | Withdrawal consequences | Consequences of withdrawal are borne by the DP; prior processing remains lawful | Sec 6(5) |
| | Cease processing post-withdrawal | Stop processing, and ensure processors stop, within a reasonable time | Sec 6(6) |
| | Consent Manager option | DP may give, manage, review, or withdraw consent through a registered Consent Manager | Sec 6(7) |
| | Consent proof burden | Burden of proving notice and consent lies on the Data Fiduciary | Sec 6(10) |
| LEGITIMATE USES | Voluntary provision | Data voluntarily provided by the DP for a specified purpose, without objection | Sec 7(a) |
| | State benefits/services | Subsidies, benefits, services, certificates, licences, or permits | Sec 7(b) |
| | State functions | Functions under law, sovereignty and integrity of India, security of the State | Sec 7(c) |
| | Legal obligations | Disclosure to the State required by law | Sec 7(d) |
| | Court orders | Compliance with a judgment, decree, or order | Sec 7(e) |
| | Medical emergency | Threat to life or immediate threat to health | Sec 7(f) |
| | Public health | Medical treatment or health services during an epidemic or outbreak | Sec 7(g) |
| | Disaster or public order | Safety of or assistance to individuals during a disaster or breakdown of public order | Sec 7(h) |
| | Employment | Employment-related purposes and safeguarding the employer from loss or liability | Sec 7(i) |
| GENERAL OBLIGATIONS | Fiduciary responsibility | DF remains responsible for compliance; processors engaged only under a valid contract | Sec 8(1-2) |
| | Data accuracy | Complete, accurate, and consistent where data informs decisions or is disclosed onward | Sec 8(3)(a-b) |
| | Technical measures | Technical and organisational measures to ensure effective compliance | Sec 8(4) |
| | Security safeguards | Reasonable safeguards to prevent personal data breach | Sec 8(5) |
| | Breach notification | Intimate the Board and each affected Data Principal | Sec 8(6) |
| | Erasure post-purpose | Erase when consent is withdrawn or the purpose is no longer served | Sec 8(7)(a) |
| | Processor erasure | Cause processors to erase the data too | Sec 8(7)(b) |
| | Inactivity erasure | Purpose deemed no longer served after the prescribed inactivity period | Sec 8(8) |
| | Contact published | Business contact of the DPO or responsible person published | Sec 8(9) |
| | Grievance mechanism | Effective grievance redressal mechanism | Sec 8(10) |
| CHILDREN | Verifiable parental consent | Verifiable consent of parent or lawful guardian before processing | Sec 9(1) |
| | No detrimental effect | No processing likely to harm a child's well-being | Sec 9(2) |
| | No tracking/ads | No tracking, behavioural monitoring, or targeted advertising directed at children | Sec 9(3) |
| SIGNIFICANT DATA FIDUCIARY (SDF) OBLIGATIONS | SDF assessment | Volume and sensitivity of data, risk to DPs, impact on sovereignty and integrity of India, electoral democracy, security of the State, and public order | Sec 10(1)(a-f) |
| | Data Protection Officer appointment | Based in India, responsible to the Board of Directors, point of contact for grievances | Sec 10(2)(a) |
| | Independent auditor | Independent data auditor to evaluate compliance | Sec 10(2)(b) |
| | Data Protection Impact Assessment and periodic audit | Periodic DPIA and periodic audit | Sec 10(2)(c)(i-ii) |
| RIGHTS PORTAL | Data Principal rights | Access (Sec 11), correction and erasure (Sec 12), grievance redressal (Sec 13), nomination (Sec 14) | Sec 11-14 |
| DUTIES OF DP | Duties of DP | Comply with applicable law, not impersonate another person, not suppress material information, not file false or frivolous complaints, and furnish verifiably authentic information | Sec 15 |
PENALTIES AS PRESCRIBED UNDER THE SCHEDULE TO THE DPDPA
| Violation | Relevant Section | Maximum Penalty | Explanation |
|---|---|---|---|
| Security failure | Sec 8(5) | Rs. 250 Cr | Failing to take reasonable security safeguards to prevent a personal data breach. |
| Failure to report a breach | Sec 8(6) | Rs. 200 Cr | Failing to intimate the Board and affected Data Principals of a personal data breach. |
| Children's data | Sec 9 | Rs. 200 Cr | Tracking or behaviourally monitoring children, targeting advertising at them, or processing their data without verifiable parental consent. |
| Significant Data Fiduciary obligations | Sec 10 | Rs. 150 Cr | An SDF failing to appoint a DPO or independent auditor, or failing to conduct a DPIA and audit. |
| Data Principal duties | Sec 15 | Rs. 10,000 | A Data Principal filing a false or frivolous complaint, impersonating another person, or furnishing false details. |
| Voluntary undertaking | Sec 32 | Up to the penalty for the underlying breach | Breaching a term of a voluntary undertaking accepted by the Board; the penalty is that applicable to the breach for which proceedings were originally instituted. |
| Any other breach | Any other provision | Rs. 50 Cr | Breach of any other provision of the Act or the Rules (for example, failing to give notice or to erase data). |
[1] Section 2(i) of the Digital Personal Data Protection Act, 2023.
[2] Section 2(k) of the Digital Personal Data Protection Act, 2023.
[3] Section 2(j) of the Digital Personal Data Protection Act, 2023.
[4] Section 6(1) of the Digital Personal Data Protection Act, 2023.
[5] Section 2(z) of the Digital Personal Data Protection Act, 2023.
