What is the Digital Personal Data Protection Act (DPDPA)?
The Digital Personal Data Protection Act (DPDPA), enacted in August 2023, is India's comprehensive privacy law governing the processing of digital personal data. It aims to safeguard individual privacy while enabling responsible data use for lawful purposes such as governance, innovation, and service delivery. It applies to personal data collected online or offline but subsequently digitised, and covers entities both within and outside India if they offer goods or services to, or monitor, individuals in India.
When did the DPDPA come into force? ✦ Updated
The Act received Presidential assent on 11 August 2023. The Final Rules were gazetted by MeitY on 13 November 2025 (Gazette Notifications G.S.R. 843(E)–846(E)), following public consultation on the Draft Rules published on 3 January 2025. Commencement is phased across three stages:
| Phase | Date | Rules in force |
|---|---|---|
| Phase 1 | 13 November 2025 | Rules 1, 2 and 17–21 — definitions and DPBI constitution and operations |
| Phase 2 | 13 November 2026 | Rule 4 — Consent Manager registration and obligations |
| Phase 3 | 13 May 2027 | Rules 3, 5–16, 22 and 23 — all core obligations: notice and consent, security safeguards, breach notification, children's data, erasure timelines, cross-border transfers, and rights of Data Principals |
Organisations have until 13 May 2027 to achieve full compliance with the substantive provisions of the Act and Rules.
Who does the DPDPA apply to?
The DPDPA has a broad scope and applies to a wide range of entities:
- All organisations operating in India, including companies, startups, government departments, schools, hospitals, and NGOs.
- Foreign entities that process personal data to offer goods or services to individuals in India or to engage in profiling.
The Act excludes personal or household activities and data that has been fully anonymised or lawfully made publicly available.
What qualifies as personal data under the DPDPA?
Personal data is any digital information that can directly or indirectly identify an individual. This includes:
- Basic identifiers: names, phone numbers, addresses
- Government IDs: Aadhaar, PAN, passport numbers
- Sensitive data: financial records, health data, biometrics
- Online data: IP addresses, cookie identifiers, device information
What are the key principles of the DPDPA?
The Act outlines foundational principles to guide data processing:
- Consent-based Processing: Data should only be processed with explicit consent, unless covered under a legitimate use under Section 7.
- Purpose Limitation: Data should be collected only for specific, lawful purposes.
- Data Minimisation: Only necessary data should be collected and used.
- Data Accuracy: Entities must ensure data is complete and up to date.
- Security Safeguards: Reasonable measures must be in place to prevent data breaches.
- Transparency and Rights: Individuals must be informed of their rights and given mechanisms to exercise them.
- Accountability: Fiduciaries must be able to demonstrate compliance.
What rights do individuals (Data Principals) have? ✦ Updated
The DPDPA grants individuals several rights to help them control their data:
- Right to Access: Know what data is being held and how it is being used.
- Right to Correction, Completion, Updating and Erasure: Request correction of inaccurate data; completion of incomplete data; updating of data; and deletion of unnecessary data.
- Right to Withdraw Consent: Opt out of processing at any time, with withdrawal as simple as giving consent.
- Right to Grievance Redressal: File complaints with the organisation or escalate to the Data Protection Board of India.
- Right to Nominate: Designate another individual to manage rights after death or incapacity.
What is consent under the DPDPA? ✦ Updated
Consent must be:
- Free, specific, informed, and unambiguous
- Given through clear affirmative action
- Easily withdrawn, with a process as simple as giving consent
- Not bundled: Consent for one purpose must not be made a precondition of receiving goods or services alongside consent for any other purpose
Notices must be in plain language and accessible in English or any language specified in the Eighth Schedule to the Constitution.
Who are Data Fiduciaries and Data Processors?
- Data Fiduciary: Determines the purpose and means of processing data (e.g., a business or agency).
- Data Processor: Processes data on behalf of a fiduciary, under contract.
Fiduciaries bear primary responsibility for compliance.
What are Significant Data Fiduciaries (SDFs)? ✦ Updated
SDFs are Data Fiduciaries notified by the Central Government following an assessment of six statutory factors: volume and sensitivity of personal data processed; risk to the rights of Data Principals; potential impact on the sovereignty and integrity of India; risk to electoral democracy; security of the State; and public order.
They have additional obligations:
- Appointing a Data Protection Officer (DPO) based in India, responsible to the Board of Directors, who serves as the point of contact for grievance redressal
- Appointing an independent data auditor and conducting annual audits
- Conducting periodic Data Protection Impact Assessments (DPIAs), with significant findings reported to the DPBI
- Observing due diligence to verify that algorithmic software does not pose a risk to Data Principals' rights
- Ensuring government-designated categories of personal data and associated traffic data are not transferred outside India
What changed under the DPDPA Rules, 2025? ✦ Updated
The Final Rules, gazetted on 13 November 2025, provide further clarity and enforcement mechanisms:
- Two-tier breach notification: Data Principals must be notified without delay; the DPBI must receive an initial description without delay, followed by detailed information within 72 hours
- Standardised consent and privacy notice requirements specifying minimum content in plain language
- Verifiable parental consent for children under 18 with specific verification procedures
- Restriction-based model for cross-border transfers — the Central Government may notify restricted countries; transfers to all others are permissible by default
- Security standards and data retention timelines based on fiduciary category
- Defined grievance response procedures
How is children's data treated? ✦ Updated
Children receive special protection under the Act:
- A child is any individual under 18 years of age
- Verifiable parental or lawful guardian consent is mandatory before processing
- Targeted advertising and behavioural tracking directed at children are prohibited
- Processing likely to cause any detrimental effect on the well-being of a child is prohibited
Exemptions from parental consent and tracking restrictions apply under two heads set out in the Fourth Schedule:
- Entity-based (Part A): clinical and mental health establishments; healthcare and allied healthcare professionals; educational institutions (for educational activities or child safety); crèches and day care centres; transport operators engaged by those institutions
- Purpose-based (Part B): statutory functions in a child's interests; government subsidies or benefits under Section 7(b); creation of email user accounts; content filtering to protect child well-being; age-verification processes
Each exemption carries specific, narrow processing restrictions — none permit general tracking or profiling of children.
How is the personal data of persons with disability treated?
The DPDPA extends equivalent protections to persons with disability who have a lawful guardian. Before processing any personal data of such an individual, a Data Fiduciary must obtain verifiable consent from the lawful guardian in the same manner as for a child.
A "person with disability" covers two categories under Rule 10(3) of the DPDPA Rules 2025:
- An individual with a long-term physical, mental, intellectual or sensory impairment which, in interaction with barriers, hinders their full and effective participation in society, and who despite adequate support is unable to take legally binding decisions — governed by the Rights of Persons with Disabilities Act, 2016
- An individual suffering from autism, cerebral palsy, mental retardation, or a combination of such conditions, including severe multiple disability — governed by the National Trust for the Welfare of Persons with Autism, Cerebral Palsy, Mental Retardation and Multiple Disabilities Act, 1999
Guardian verification requirements — the Data Fiduciary must observe due diligence to verify that the individual claiming to be the lawful guardian has been appointed by one of the following:
- A court of law
- A designated authority — an authority designated under Section 15 of the Rights of Persons with Disabilities Act, 2016 to support persons with disabilities in exercising their legal capacity
- A local level committee — a committee constituted under Section 13 of the National Trust Act, 1999
Key points for Data Fiduciaries:
- The lawful guardian is treated as the Data Principal acting on behalf of the person with disability — this is a statutory definition under Section 2(j)(ii) of the Act
- The same verifiable consent mechanism applies as for children — identity and age verification via reliable details held by the fiduciary, voluntarily provided details, or a virtual token issued by a Digital Locker service provider
- Unlike the children's provisions, there is no equivalent Fourth Schedule exemption list for persons with disability — the guardian consent requirement applies without sector-based or purpose-based carve-outs
- The prohibition on processing likely to cause detrimental effect on well-being applies to children specifically under Section 9(2); however, all processing of a person with disability's data must remain consistent with the lawful guardian's consent and the purpose for which it was given
Where there is doubt about whether an individual has a lawful guardian under applicable law, Data Fiduciaries should seek legal guidance before processing, as proceeding without verifiable guardian consent risks penalties of up to ₹200 crore under the Schedule to the Act.
What are the security obligations? ✦ Updated
All Data Fiduciaries must implement reasonable security safeguards including, at minimum:
- Use encryption, obfuscation, masking or virtual token mapping to protect personal data
- Control access to systems and data
- Maintain logs, monitoring and review to enable detection, investigation and remediation of unauthorised access
- Ensure business continuity through data backups
- Retain logs and personal data for at least one year (unless law requires otherwise)
- Include data protection clauses in contracts with Data Processors
- Implement appropriate technical and organisational measures to ensure effective observance of all safeguards
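The first three safeguards in that list (token mapping or masking of personal data, access control, and logging of access so that unauthorised attempts can be detected) fit together in one small service. The following is an added illustration, not code from the page or from any regulator or vendor: a vault that replaces a personal data value with a random virtual token, refuses to reverse the mapping unless the caller holds an allowed role, records every tokenize and detokenize call (including denials) in a retained log, and exposes masking helpers for values that must be displayed rather than stored. The role names, the `tok_` prefix and the log layout are assumptions made for the example.

```python
import secrets
from datetime import datetime, timezone

# Roles allowed to reverse a token. Assumption for this example; a real
# deployment takes this from the fiduciary's access-control policy.
DETOKENIZE_ROLES = {"support-lead", "dpo"}


class TokenVault:
    """Virtual token mapping: callers work with random tokens, the vault alone
    holds the token-to-value table, and every access is logged."""

    def __init__(self):
        self._token_to_value = {}
        self._value_to_token = {}
        self.access_log = []  # append-only; the page asks for at least one year of log retention

    def _log(self, actor, role, action, token, outcome):
        self.access_log.append({
            "at": datetime.now(timezone.utc).isoformat(),
            "actor": actor, "role": role, "action": action,
            "token": token, "outcome": outcome,
        })

    def tokenize(self, value, actor, role):
        # The same value always maps to the same token, so records can still be
        # joined on the token without any consumer seeing the underlying value.
        token = self._value_to_token.get(value)
        if token is None:
            # Random token: not derived from the value, so it cannot be reversed
            # or brute-forced without access to the vault itself.
            token = "tok_" + secrets.token_hex(16)
            self._token_to_value[token] = value
            self._value_to_token[value] = token
        self._log(actor, role, "tokenize", token, "ok")
        return token

    def detokenize(self, token, actor, role):
        # Access control: only listed roles may reverse a token. A denial is
        # logged before raising, so it shows up in monitoring and review.
        if role not in DETOKENIZE_ROLES:
            self._log(actor, role, "detokenize", token, "denied")
            raise PermissionError(f"role {role!r} may not reverse tokens")
        value = self._token_to_value.get(token)
        self._log(actor, role, "detokenize", token, "ok" if value is not None else "unknown-token")
        if value is None:
            raise KeyError(token)
        return value


def mask_phone(phone):
    """Masking for display: keep only the last four digits."""
    digits = "".join(ch for ch in phone if ch.isdigit())
    if len(digits) <= 4:
        return "X" * len(digits)
    return "X" * (len(digits) - 4) + digits[-4:]


def mask_email(email):
    """Masking for display: keep the first character of the local part and the domain."""
    local, _, domain = email.partition("@")
    if not domain:
        return "X" * len(local)
    return local[:1] + "X" * max(len(local) - 1, 1) + "@" + domain


def denied_attempts(vault):
    """Review helper: the denied detokenize calls a monitoring job would alert on."""
    return [entry for entry in vault.access_log if entry["outcome"] == "denied"]


if __name__ == "__main__":
    vault = TokenVault()
    token = vault.tokenize("+91 98765 43210", "svc-orders", "service")  # constructed sample value
    print("token:", token, "masked:", mask_phone("+91 98765 43210"))
    try:
        vault.detokenize(token, "analyst-1", "analyst")
    except PermissionError as err:
        print("denied:", err)
    print("denied attempts on record:", len(denied_attempts(vault)))
```

The design point is that the token table is the only place the real value lives: analytics, support tooling and backups can carry tokens, and the retained log answers the "who accessed what, and when" question the review obligation requires.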
What are the rules on data retention and deletion? ✦ Updated
Data must be deleted when it is no longer required for the original purpose, or when the individual withdraws consent.
The Third Schedule mandates erasure for three classes of qualifying high-volume fiduciary, with the 3-year clock running from the date the Data Principal last approached the fiduciary for the specified purpose or exercised her rights:
| Class | Threshold | Erasure Period |
|---|---|---|
| E-commerce entities | ≥ 2 crore registered users in India | 3 years |
| Online gaming intermediaries | ≥ 50 lakh registered users in India | 3 years |
| Social media intermediaries | ≥ 2 crore registered users in India | 3 years |
At least 48 hours before the erasure deadline, the fiduciary must notify the Data Principal, giving her the opportunity to prevent erasure by logging in or exercising her rights.
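The Third Schedule rule above is a small state machine: a three-year clock that restarts on every approach or exercise of rights, a notice that must land at least 48 hours before the deadline, and erasure only once that notice has gone out. The following is an added example, not code from the page or from any regulator: it classifies a fiduciary against the thresholds in the table, computes the erasure and notice dates for one Data Principal (including the 29 February edge case), and returns the action a nightly job should take. The 30-day window in which the fiduciary starts trying to notify, and the "notice-overdue" outcome for a missed deadline, are assumptions of the example; the page fixes only the 3-year period and the 48-hour minimum.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

CRORE = 10_000_000
LAKH = 100_000

# Third Schedule classes and the registered-user thresholds given on the page.
THIRD_SCHEDULE_THRESHOLDS = {
    "e-commerce": 2 * CRORE,
    "online-gaming": 50 * LAKH,
    "social-media": 2 * CRORE,
}
ERASURE_YEARS = 3
STATUTORY_NOTICE_LEAD = timedelta(hours=48)  # notice must precede erasure by at least 48 h
NOTICE_WINDOW = timedelta(days=30)           # assumption: how early the fiduciary starts notifying


def is_third_schedule_fiduciary(fiduciary_class, registered_users_in_india):
    threshold = THIRD_SCHEDULE_THRESHOLDS.get(fiduciary_class)
    return threshold is not None and registered_users_in_india >= threshold


def add_years(ts, years):
    """Calendar-year addition; 29 February rolls back to 28 February in a non-leap year."""
    try:
        return ts.replace(year=ts.year + years)
    except ValueError:
        return ts.replace(year=ts.year + years, day=28)


@dataclass
class RetentionRecord:
    principal_id: str
    last_interaction: datetime  # last approach for the purpose, or last exercise of rights
    notice_sent_at: Optional[datetime] = None

    @property
    def erase_at(self):
        return add_years(self.last_interaction, ERASURE_YEARS)

    @property
    def notice_deadline(self):
        return self.erase_at - STATUTORY_NOTICE_LEAD


def record_interaction(rec, when):
    """A login or exercise of rights restarts the clock and voids any pending notice."""
    rec.last_interaction = when
    rec.notice_sent_at = None


def send_notice(rec, when):
    """Record the pre-erasure notice; refuse if it would arrive inside the 48-hour lead."""
    if when > rec.notice_deadline:
        raise ValueError("notice would arrive less than 48 hours before erasure")
    rec.notice_sent_at = when


def next_action(rec, now):
    """Return 'retain', 'notify', 'erase' or 'notice-overdue' for a scheduled job.

    'notice-overdue' means the 48-hour deadline passed without a notice; the
    example treats that as an escalation rather than erasing without notice.
    """
    if now >= rec.erase_at:
        return "erase" if rec.notice_sent_at is not None else "notice-overdue"
    if rec.notice_sent_at is None and now >= rec.notice_deadline - NOTICE_WINDOW:
        return "notify" if now <= rec.notice_deadline else "notice-overdue"
    return "retain"


if __name__ == "__main__":
    utc = timezone.utc
    # Constructed sample: a gaming platform at the threshold, one dormant user.
    print("qualifies:", is_third_schedule_fiduciary("online-gaming", 50 * LAKH))
    rec = RetentionRecord("dp-1", datetime(2024, 2, 29, tzinfo=utc))
    print("erase at:", rec.erase_at.date(), "notice by:", rec.notice_deadline)
    print("on 2027-02-01:", next_action(rec, datetime(2027, 2, 1, tzinfo=utc)))
```

Running the nightly job as `next_action` over every dormant record keeps the three outcomes explicit, so a missed notice is surfaced rather than silently turning into an erasure the Data Principal was never warned about.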
Are there exemptions?
Yes, specific exemptions apply under Section 17:
- National security and public interest functions
- Legal proceedings, investigations, and compliance with law
- Medical emergencies or public health needs
- Government schemes involving public funds
- Processing by courts, tribunals or regulatory bodies in judicial or quasi-judicial functions
- Prevention, detection, investigation or prosecution of offences
- Mergers, amalgamations or demergers approved by competent authority
- Ascertaining financial information of defaulting borrowers
What about cross-border data transfers? ✦ Updated
- Transfers are permitted by default to all countries not notified as restricted by the Central Government
- No adequacy decision or standard contractual clause regime — the Act uses a restriction (blacklist) model
- SDFs must additionally ensure that government-designated categories of personal data and associated traffic data are not transferred outside India
What is the grievance redressal process?
- Data Principal must first file a complaint with the organisation (Fiduciary) and exhaust that mechanism
- If unresolved, they can escalate to the Data Protection Board of India (DPBI)
- The Board investigates and may issue directions, fines, or remediation orders
- Inquiries must ordinarily be completed within six months, extendable by up to three months at a time
What are the penalties for non-compliance? ✦ Updated
The Schedule to the Act sets out seven penalty bands:
| Breach | Maximum Penalty |
|---|---|
| Failure to implement security safeguards — s.8(5) | ₹250 crore |
| Failure to notify Board or Data Principals of a breach — s.8(6) | ₹200 crore |
| Breach of children's data obligations — s.9 | ₹200 crore |
| Breach of SDF additional obligations — s.10 | ₹150 crore |
| Breach of Data Principal duties — s.15 | ₹10,000 |
| Breach of voluntary undertaking accepted by the Board — s.32 | Penalty of underlying breach |
| Any other provision of the Act or Rules | ₹50 crore |
Where the DPBI has imposed penalties in two or more instances, it may refer the matter to the Central Government, which may direct blocking of access to the fiduciary's services following a hearing — a procedurally conditioned order under Section 37, not a general suspension power.
Do SMEs and Startups need to comply?
Yes, however:
- The Central Government may, by notification, exempt certain fiduciaries (including recognised startups) from specific provisions including Section 5, sub-sections (3) and (7) of Section 8, and Sections 10 and 11
- Entities processing sensitive or large-scale data can still be classified as SDFs and face the full range of additional obligations
- Exemptions are discretionary and notification-dependent — no automatic exemption applies
What are Consent Managers?
Consent Managers are DPBI-registered companies that help individuals manage their consents across different services through a single interoperable platform. Key features and requirements:
- Transparent, secure, and interoperable consent management
- Individuals can view, grant, or withdraw consents in one place
- Records of consents, withdrawals and notices are maintained for at least seven years
- Must be incorporated in India with a minimum net worth of ₹2 crore, and cannot sub-contract their obligations
Consent Manager registration with the DPBI opens from 13 November 2026 (Phase 2 of commencement).
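The consent requirements described earlier on this page (per-purpose, affirmative, withdrawable as easily as given, and not bundled as a precondition of service) and the Consent Manager record-keeping requirement just listed both come down to the same data structure: an append-only ledger of grant and withdraw events keyed by Data Principal, fiduciary and purpose. The block below is an added example serving both sections; it is not code from the page, from the DPBI or from any registered Consent Manager. It answers point-in-time "was consent in force?" queries, gates a service only on the purposes declared essential (so withdrawing a marketing consent never blocks the service), and purges superseded records only once they are older than seven years, which is the example's reading of "maintained for at least seven years". Fiduciary names, purpose names and the 365-day year are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# "At least seven years" for Consent Manager records; calendar days are an assumption.
RECORD_RETENTION = timedelta(days=7 * 365)


@dataclass(frozen=True)
class ConsentEvent:
    principal: str
    fiduciary: str
    purpose: str
    action: str  # "grant" or "withdraw"
    at: datetime


@dataclass(frozen=True)
class Service:
    fiduciary: str
    essential_purposes: frozenset  # the service cannot be delivered without these
    optional_purposes: frozenset   # e.g. marketing; must never be a precondition of service


class ConsentLedger:
    """Append-only record of consents and withdrawals across fiduciaries."""

    def __init__(self):
        self._events = []

    def _append(self, principal, fiduciary, purpose, action, at):
        if action not in ("grant", "withdraw"):
            raise ValueError(action)
        self._events.append(ConsentEvent(principal, fiduciary, purpose, action, at))

    # Granting and withdrawing are deliberately the same shape and the same single call.
    def grant(self, principal, fiduciary, purpose, at):
        self._append(principal, fiduciary, purpose, "grant", at)

    def withdraw(self, principal, fiduciary, purpose, at):
        self._append(principal, fiduciary, purpose, "withdraw", at)

    def is_consented(self, principal, fiduciary, purpose, at=None):
        """Consent state after the last event for this purpose at or before `at`."""
        state = False
        for e in sorted(self._events, key=lambda e: e.at):
            if (e.principal, e.fiduciary, e.purpose) != (principal, fiduciary, purpose):
                continue
            if at is not None and e.at > at:
                break
            state = e.action == "grant"
        return state

    def active_consents(self, principal):
        """The single-place view a Data Principal sees: {(fiduciary, purpose), ...} in force now."""
        keys = {(e.fiduciary, e.purpose) for e in self._events if e.principal == principal}
        return {k for k in keys if self.is_consented(principal, k[0], k[1])}

    def service_available(self, principal, service, at=None):
        """Unbundling: only essential purposes gate the service; optional ones never do."""
        return all(self.is_consented(principal, service.fiduciary, p, at)
                   for p in service.essential_purposes)

    def purge(self, now):
        """Drop events older than the retention period, but never the latest event
        for a (principal, fiduciary, purpose), since that one still defines the state."""
        cutoff = now - RECORD_RETENTION
        latest = {}
        for e in sorted(self._events, key=lambda e: e.at):
            latest[(e.principal, e.fiduciary, e.purpose)] = e
        keep = [e for e in self._events
                if e.at >= cutoff or latest[(e.principal, e.fiduciary, e.purpose)] is e]
        removed = len(self._events) - len(keep)
        self._events = keep
        return removed


if __name__ == "__main__":
    utc = timezone.utc
    t0 = datetime(2026, 1, 1, tzinfo=utc)
    shop = Service("shop.example", frozenset({"order-fulfilment"}), frozenset({"marketing"}))
    ledger = ConsentLedger()
    ledger.grant("dp-1", "shop.example", "order-fulfilment", t0)
    ledger.grant("dp-1", "shop.example", "marketing", t0)
    ledger.withdraw("dp-1", "shop.example", "marketing", t0 + timedelta(days=1))
    print("marketing consent:", ledger.is_consented("dp-1", "shop.example", "marketing"))
    print("service still available:", ledger.service_available("dp-1", shop))
    print("active:", ledger.active_consents("dp-1"))
```

Keeping the ledger append-only is what makes the point-in-time query possible: when a grievance asks whether processing on a given date was covered by consent, the answer comes from the events as they stood, not from a mutable flag that has since been flipped.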
Where can I find official DPDPA resources?