India DPDPA


What is the Digital Personal Data Protection Act (DPDPA)?

The Digital Personal Data Protection Act (DPDPA), enacted in August 2023, is India’s comprehensive privacy law governing the processing of digital personal data. It aims to safeguard individual privacy while enabling responsible data use for lawful purposes such as governance, innovation, and service delivery. It applies to personal data collected online, or collected offline and subsequently digitised, and covers entities both within and outside India if they offer goods or services to, or monitor, individuals in India.

When did the DPDPA come into force?

The Act was passed in August 2023. Its key provisions were implemented in 2024, followed by the introduction of detailed rules by MeitY in January 2025. These rules became operational through phased enforcement in 2025, bringing full legal effect to its obligations, penalties, and rights enforcement mechanisms.

Who does the DPDPA apply to?

The DPDPA has a broad scope and applies to a wide range of entities:

  • All organisations operating in India, including companies, startups, government departments, schools, hospitals, and NGOs.
  • Foreign entities that process personal data to offer goods or services to individuals in India or to engage in profiling.

The Act excludes personal or household activities and data that has been fully anonymised or lawfully made public.

What qualifies as personal data under the DPDPA?

Personal data is any digital information that can directly or indirectly identify an individual. This includes:

  • Basic identifiers: names, phone numbers, addresses
  • Government IDs: Aadhaar, PAN, passport numbers
  • Sensitive data: financial records, health data, biometrics
  • Online data: IP addresses, cookie identifiers, device information

What are the key principles of the DPDPA?

The Act outlines foundational principles to guide data processing:

  • Consent-based Processing: Data should only be processed with explicit consent, unless covered under a legitimate use.
  • Purpose Limitation: Data should be collected only for specific, lawful purposes.
  • Data Minimisation: Only necessary data should be collected and used.
  • Data Accuracy: Entities must ensure data is complete and up to date.
  • Security Safeguards: Reasonable measures must be in place to prevent data breaches.
  • Transparency and Rights: Individuals must be informed of their rights and given mechanisms to exercise them.
  • Accountability: Fiduciaries must be able to demonstrate compliance.

What rights do individuals (Data Principals) have?

The DPDPA grants individuals several rights to help them control their data:

  • Right to Access: Know what data is being held and how it is being used.
  • Right to Correction and Erasure: Request corrections or deletion of inaccurate or unnecessary data.
  • Right to Withdraw Consent: Opt out of processing at any time.
  • Right to Grievance Redressal: File complaints with the organisation or escalate to the Data Protection Board.
  • Right to Nominate: Designate another individual to manage rights after death or incapacity.

What is consent under the DPDPA?

Consent must be:

  • Free, specific, informed, and unambiguous
  • Given through clear affirmative action
  • Easily withdrawn, with a process as simple as giving consent

Notices must be in plain language and accessible formats.

Who are Data Fiduciaries and Data Processors?

  • Data Fiduciary: Determines the purpose and means of processing data (e.g., a business or agency).
  • Data Processor: Processes data on behalf of a fiduciary, under contract.

Fiduciaries bear primary responsibility for compliance.

What are Significant Data Fiduciaries (SDFs)?

SDFs are high-impact entities that process large volumes of data or sensitive information. They have additional obligations:

  • Appointing a Data Protection Officer (DPO) based in India
  • Conducting Data Protection Impact Assessments (DPIAs)
  • Performing annual audits
  • Ensuring algorithmic transparency and complying with restrictions on international data transfers

What changed under the DPDPA Rules, 2025?

The 2025 rules provide further clarity and enforcement mechanisms:

  • Mandatory breach notification within 72 hours
  • Standardised consent and privacy notice templates
  • Parental consent for children under 18
  • White-listed countries for data transfers abroad
  • Security standards and data retention timelines based on fiduciary category
  • Defined grievance response timelines

How is children’s data treated?

Children receive special protection under the Act:

  • Anyone under 18 is treated as a child for consent purposes
  • Parental consent is mandatory
  • Targeted advertising and behavioural tracking are prohibited
  • Some exemptions for educational, medical, or safety purposes are allowed under strict conditions

What are the security obligations?

All Data Fiduciaries must:

  • Use encryption, obfuscation, or masking
  • Control access to systems and data
  • Maintain logs to detect breaches and retain them for at least one year
  • Ensure business continuity through backups
  • Include data protection clauses in contracts with processors

What are the rules on data retention and deletion?

Data must be deleted when:

  • It is no longer required for the original purpose
  • The individual withdraws consent

High-volume entities such as e-commerce or social media platforms must delete unused data after 3 years of inactivity, with 48 hours’ prior notice to the individual.

Are there exemptions?

Yes, specific exemptions apply:

  • National security and public interest functions
  • Legal proceedings, investigations, and compliance
  • Medical emergencies or public health needs
  • Government schemes involving public funds

What about cross-border data transfers?

  • Allowed only to countries not restricted by the Indian government
  • No adequacy or SCC regime; a whitelist approach is followed
  • SDFs may face stricter restrictions on transferring certain personal or traffic data

What is the grievance redressal process?

  • Data Principal files complaint with the organisation (Fiduciary).
  • If unresolved, they can escalate to the Data Protection Board of India (DPBI).
  • The Board investigates and may issue fines or remediation orders.

What are the penalties for non-compliance?

Penalties include:

  • Up to ₹250 crore for major breaches
  • ₹200 crore for failing to notify breaches or protect children’s data
  • ₹10,000 for knowingly filing false complaints
  • Suspension of operations or services in severe cases

Do SMEs and startups need to comply?

Yes, however:

  • Startups and low-risk entities may receive compliance relaxations
  • Entities processing sensitive or large-scale data can still be classified as SDFs

What are Consent Managers?

These are government-registered platforms that help individuals manage their consents across different services. They ensure:

  • Transparent, secure, and interoperable consent management
  • Individuals can view, grant, or withdraw consents in one place

Where can I find official DPDPA resources?
