The Digital Personal Data Protection Act, 2023 (DPDP Act) is India’s dedicated legislation governing the processing of digital personal data. It aims to protect the privacy of individuals while ensuring the lawful and secure use of data by Data Fiduciaries, Data Processors and the State. The Act received Presidential assent on 11 August 2023 and the Digital Personal Data Protection Rules, 2025 were notified to operationalise its provisions.

The Act applies to digital personal data processed in India, as well as to processing outside India if such processing relates to the offering of goods or services to Data Principals within India. This applicability is provided under Section 3(a) and 3(b). The Act does not apply to personal data processed for purely personal or domestic purposes or to personal data that is made publicly available by the Data Principal or under a legal obligation. This non-applicability provision is contained in Section 3(c).

Section 2 defines the key terms. Personal Data is defined in Section 2(t) as any data about an individual who is identifiable. Processing is defined under Section 2(x) as a wholly or partly automated operation. A Data Fiduciary is defined in Section 2(i) as any person who determines the purpose and means of processing. A Data Principal is defined in Section 2(j) as the individual to whom personal data relates. A Consent Manager is defined in Section 2(g) as a platform registered with the Data Protection Board enabling individuals to manage consent.

The Act provides two legal grounds for processing: consent and legitimate use. Under Sections 5 and 6, a Data Fiduciary must issue a notice containing the description of personal data to be collected and the purposes of processing. Consent must be free, specific, informed and unambiguous as required under Section 6(4). The withdrawal of consent must be as easy as the giving of consent under Section 6(5). The DPDP Rules 2025, specifically Rule 3, prescribe the detailed requirements for notice, including clarity, independent comprehensibility and the manner in which notice is to be provided.

Section 7 lists legitimate uses for processing without consent. These include processing necessary for State functions under Section 7(c), compliance with any law under Section 7(d), responding to a medical emergency under Section 7(f), taking measures during an epidemic or public health emergency under Section 7(g), responding to a disaster under Section 7(h), and employment-related purposes under Section 7(i).

Section 8 sets out the general obligations of Data Fiduciaries. They must ensure accuracy of data if it is likely to be used for decision-making or disclosure as per Section 8(3). They must implement reasonable security safeguards to prevent a personal data breach under Section 8(4) and Section 8(5). In the event of a breach, they must notify the Data Protection Board and affected Data Principals under Section 8(6). They must publish the contact details of a Data Protection Officer or a designated contact person under Section 8(9) and establish an effective grievance redressal mechanism under Section 8(10).

Processing of children’s personal data is governed by Section 9. A Data Fiduciary must obtain verifiable parental consent under Section 9(1). Section 9(2) prohibits processing that is detrimental to the wellbeing of children. Section 9(3) prohibits tracking, behavioural monitoring or targeted advertising directed at children. The DPDP Rules 2025, under Rule 12 read with the Fourth Schedule, introduce limited exemptions for certain entities such as healthcare institutions, educational bodies and specific online platforms compliant with safety policies.

Significant Data Fiduciaries are regulated under Section 10. The Central Government may notify any Data Fiduciary as a Significant Data Fiduciary based on volume and sensitivity of data, risk to rights, use of new technologies, or potential impact on sovereignty and public order. Such entities must appoint a Data Protection Officer located in India under Section 10(2)(a)(ii) and conduct data protection impact assessments, periodic audits and risk assessments as per Section 10(2). Rule 13 of the DPDP Rules 2025 elaborates these obligations and mandates annual reporting to the Board.

Data Principals have several rights under Chapter III. Section 11 grants the right to obtain a summary of personal data being processed and identities of Data Fiduciaries and Data Processors. Section 12 grants the right to correction, completion, updating and erasure of personal data. Section 13 grants the right to grievance redressal, which must be addressed within prescribed timelines. Section 14 gives Data Principals the right to nominate another person to exercise their rights in case of death or incapacity. Section 15 sets out the duties of Data Principals, requiring them not to impersonate others, not to suppress material information, not to register false grievances and to comply with the Act.

Special provisions are contained in Chapter IV. Section 16 empowers the Central Government to restrict cross-border transfers of personal data to notified countries or territories. Section 17 provides exemptions. Under Section 17(1), exemptions from Chapters II and III and Section 16 apply to processing for legal claims, court or tribunal proceedings, crime investigation, cross-border processing under approved contracts, corporate mergers or restructuring and loan default assessments. Section 17(2) provides that the Act does not apply to notified State instrumentalities for reasons of sovereignty and security or to research, statistical or archival purposes subject to safeguards. Section 17(3), 17(4) and 17(5) provide for additional exemptions, including relaxations for startups and specific categories of State functions.

The Data Protection Board of India is established under Section 18 as a body corporate. Section 19 describes its composition, including a Chairperson and Members. Section 20 sets out their term of appointment, which is two years, with eligibility for reappointment. The Board is empowered under Sections 28 to 32 to initiate inquiries into breaches, impose penalties and accept voluntary undertakings under Section 32.

Penalties are provided under Section 33 read with the Schedule. A failure to implement reasonable security safeguards under Section 8(5) may attract a penalty of up to ₹250 crore. A failure to report a personal data breach under Section 8(6) may attract a penalty of up to ₹200 crore. Violations relating to the processing of children’s data under Section 9 may attract a penalty of up to ₹200 crore. Significant Data Fiduciaries violating Section 10 obligations may face penalties up to ₹150 crore. Any breach of the duties under Section 15 by a Data Principal may attract a fine up to ₹10,000. Any other general breach may attract penalties up to ₹50 crore.

The DPDP Rules 2025 lay down the detailed procedural and technical framework to operationalise the Act. Rule 3 elaborates notice requirements. Rules 10 and 11 clarify consent mechanisms. Rule 12 and the Fourth Schedule define exemptions relating to children’s data. Rule 13 mandates data protection impact assessments, audits and algorithmic risk mitigation for Significant Data Fiduciaries. Rule 14 prescribes procedures for Data Principal rights under Sections 11 to 14. Rule 15 governs cross-border data processing. Rule 16 provides for research exemptions. Rules 17 and 18 deal with the constitution and service conditions of the Data Protection Board.

The DPDP Act 2023, together with the DPDP Rules 2025, constitutes a comprehensive privacy framework intended to balance individual rights, organisational responsibilities and national interests. Organisations processing digital personal data must ensure compliance with Sections 3, 5 to 17, 33 and the corresponding rules to avoid significant penalties and to maintain responsible data governance.

****

Constructive suggestions and criticism are welcome. For any clarification, please feel free to contact the undersigned.

CS AMIT KUMAR – csak70943@gmail.com
