What is the Digital Personal Data Protection Act (DPDP Act)?

India’s Digital Personal Data Protection Act, 2023 (DPDP Act) is a national privacy law that regulates the processing of digital personal data. It aims to balance two principles:

1. The individual’s right to privacy and control over personal data

2. The need for lawful, transparent, and secure processing by organizations for legitimate purposes

 

The law covers data originally collected in digital form or data that has been digitized later. It establishes new roles and responsibilities for data handlers and enforcement authorities.

  • Personal data: Any data about an individual who is identifiable by, or in relation to, that data

  • Processing: Any wholly or partly automated operation on personal data (collecting, storing, using, sharing, erasing, etc.)

  • Data Principal: The individual the data relates to (for a child, the parent or lawful guardian acts on their behalf)

  • Data Fiduciary: The organization that, alone or together with others, determines the purpose and means of processing

  • Data Processor: A third party that processes data on behalf of a fiduciary; the fiduciary remains responsible for that processing

Enactment & Timing

The DPDP Act was passed by the Indian Parliament and received Presidential assent on August 11, 2023, making it law. However, not all of the Act's provisions are yet in force. Under Section 1(2), the Central Government may appoint different commencement dates for different provisions by notification. This means:

  • The Act exists on the statute books, but many operational details—such as compliance obligations, enforcement mechanisms, and Data Protection Board procedures—will only apply after formal notification in the Official Gazette.

  • Organizations should prepare now for a phased rollout, as different sections of the Act are expected to take effect at different times.

  • The Ministry of Electronics and Information Technology (MeitY) is finalizing DPDP Rules 2025, which will operationalize the Act and clarify procedures for consent, breach notification, and cross-border transfers.

Who is in scope (and who isn't)

  • In India: All processing of digital personal data
  • Outside India: Processing connected to offering goods or services to people in India (extraterritorial reach)
  • Out of scope: (a) purely personal/domestic use; (b) personal data made publicly available by the individual or by someone legally required to publish it

Lawful grounds to process

DPDP allows processing when:

  • The Data Principal gives valid consent (free, specific, informed, unconditional, and unambiguous, given by clear affirmative action, and limited to the data necessary for the specified purpose); consent can be withdrawn as easily as it was given, and processing based on it must stop on withdrawal (subject to any legal retention requirement).

  • The processing falls under one of the "certain legitimate uses" listed in the Act (e.g., the individual voluntarily provided the data for a specified purpose and has not objected; specified State functions, benefits, and services; medical emergencies; or employment-related purposes).

 

Consent Managers: Individuals can give/manage/withdraw consent through a Consent Manager, a provider that must be registered with the Data Protection Board and act on the individual’s behalf.

Rights for individuals (and their related duties)

Individuals (Data Principals) can:

  • Access a summary of the personal data being processed about them and the identities of the other fiduciaries and processors with whom it has been shared

  • Have their data corrected, completed, updated, or erased (erasure is subject to legal retention requirements)

  • Use the fiduciary's grievance-redressal mechanism and escalate unresolved complaints to the Data Protection Board

  • Nominate another person to exercise these rights if the individual dies or becomes incapacitated

 

Duties: Provide verifiably authentic information, not impersonate another person or suppress material information, and not register false or frivolous grievances.

Special rules for children

  • Applies to anyone under 18 years of age
  • Requires verifiable consent from the parent or lawful guardian before processing
  • Prohibits tracking or behavioural monitoring of children, targeted advertising directed at children, and any processing likely to harm a child's well-being

Significant Data Fiduciaries (SDFs)

Designated by the Central Government based on factors such as the volume and sensitivity of data processed, the risk to Data Principals' rights, and the potential impact on national sovereignty, security, electoral democracy, and public order.
SDFs must appoint an India-based Data Protection Officer, appoint an independent data auditor, conduct periodic Data Protection Impact Assessments (DPIAs), and undergo periodic audits.

Cross-border transfers

Transfers of personal data outside India are allowed by default, except to countries or territories that the Central Government specifically restricts by notification (a "negative-list" model). The fiduciary remains responsible for the data wherever it is processed, so contractual and technical safeguards are still required, and any sectoral law that imposes stricter transfer conditions continues to apply.

Penalties

The Data Protection Board of India (DPB) inquires into breaches of the Act, issues binding directions, and imposes the monetary penalties below after giving the person concerned an opportunity to be heard.

Violation category                                                              Maximum penalty (INR)   Approx. USD
Failure to implement "reasonable security safeguards" (leading to a breach)     ₹250 crore              ~$28.3 million
Failure to notify a data breach / breach of children's-data obligations         ₹200 crore              ~$22.6 million
Failure of a "Significant Data Fiduciary" (SDF) to meet its additional duties   ₹150 crore              ~$17 million
Any other breach of the Act (catch-all)                                         ₹50 crore               ~$5.65 million
Breach of a Data Principal's duties (e.g., a frivolous or malicious complaint)  ₹10,000                 ~$113

USD figures are approximate conversions at roughly ₹88 per US dollar and will vary with the exchange rate; the INR caps are the legally binding amounts.