
Digital Personal Data Protection Act, 2023 and Digital Personal Data Protection Rules, 2025

INTRODUCTION

The Digital Personal Data Protection Act, 2023, together with the Digital Personal Data Protection Rules, 2025, establishes India’s first comprehensive legal framework governing the collection, processing, storage, and protection of digital personal data. The law introduces a rights-based regime centred on informed consent, accountability of Data Fiduciaries, stringent obligations for significant data handlers, and clear responsibilities for individuals. It aims to balance innovation with privacy protection by mandating transparent data practices, robust security safeguards, breach reporting mechanisms, and strict timelines for compliance. With an 18-month implementation window ending on 14 May 2027, the legislation marks a pivotal step towards strengthening digital trust, empowering data principals, and ensuring responsible data governance across all sectors.

IMPORTANT DEFINITIONS
1. Consent Manager: means a person registered with the Board who acts as a single point of contact to enable a Data Principal to give, manage, review and withdraw her consent through an accessible, transparent and interoperable platform.
2. Data: means a representation of information, facts, concepts, opinions or instructions in a manner suitable for communication, interpretation or processing by human beings or by automated means.
3. Data Fiduciary: means any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data.
4. Data Principal: means the individual to whom the personal data relates and, where such individual is (i) a child, includes the parents or lawful guardian of such child; (ii) a person with disability, includes her lawful guardian acting on her behalf.
5. Data Processor: means any person who processes personal data on behalf of a Data Fiduciary.
Applicability

Timeline: 18 months from the date of notification of the Rules, i.e. 14 May 2027.

(a) The Act applies to the processing of digital personal data within the territory of India where the personal data is collected (i) in digital form; or (ii) in non-digital form and digitised subsequently;

(b) It also applies to processing of digital personal data outside the territory of India, if such processing is in connection with any activity related to offering goods or services to Data Principals within the territory of India;

(c) It does not apply to (i) personal data processed by an individual for any personal or domestic purpose; and (ii) personal data that is made, or caused to be made, publicly available by (A) the Data Principal to whom such personal data relates; or (B) any other person who is under an obligation under any law for the time being in force in India to make such personal data publicly available.

COMPLIANCE REQUIREMENTS (Sr. No, Particulars, Approval/Compliance, Timeline)

1. Grounds for processing personal data: Personal data may be processed only for a lawful purpose, and only where the Data Principal has given her consent or the processing falls within the legitimate uses listed in item 4.

2. Notice (consent is valid only if it is informed): Every request for consent must be preceded or accompanied by a notice, in clear and plain language, that explains what personal data is being collected and for what purpose, how the Data Principal can exercise her rights and withdraw her consent, and how she can complain to the Board. Where personal data was processed on the basis of consent given before the commencement of the Act, the notice must be given as soon as reasonably practicable. Timeline: notice first, then consent.

3. Consent: Consent given by the Data Principal must be free, specific, informed, unconditional and unambiguous, indicated by a clear affirmative action and obtained in clear and plain language. It can be withdrawn at any time, and withdrawal must be as easy as giving consent.

Once the Data Principal withdraws her consent, the Data Fiduciary shall, within a reasonable time, cease processing her personal data and cause its Data Processors to cease processing it as well.

4. Legitimate uses (processing without separate consent): A Data Fiduciary may process personal data of a Data Principal for the following legitimate uses: 1. the specified purpose for which the Data Principal has voluntarily provided her personal data and has not indicated that she does not consent to its use;

2. for the State and any of its instrumentalities to provide or issue to the Data Principal such subsidy, benefit, service, certificate, licence or permit

3. for the performance by the State or any of its instrumentalities of any function under any law for the time being in force in India or in the interest of sovereignty and integrity of India or security of the State;

4. for fulfilling any obligation under any law for the time being in force in India

5. for compliance with any judgment, decree or order issued under any law in force in India, or any judgment or order relating to claims of a contractual or civil nature under a law in force outside India;

6. for responding to a medical emergency involving a threat to the life or immediate threat to the health of the Data Principal or any other individual;

7. for taking measures to provide medical treatment or health services to any individual during an epidemic, outbreak of disease, or any other threat to public health;

8. for taking measures to ensure safety of, or provide assistance or services to, any individual during any disaster, or any breakdown of public order.

9. for the purposes of employment or those related to safeguarding the employer from loss or liability, such as prevention of corporate espionage, maintenance of confidentiality of trade secrets, intellectual property, classified information or provision of any service or benefit sought by a Data Principal who is an employee.

5. Obligations of Data Fiduciary: 1. A Data Fiduciary remains responsible for compliance with the Act even where processing is carried out by a Data Processor on its behalf.

2. May engage a Data Processor only under a valid contract.

3. Must ensure personal data is complete, accurate, and consistent if it is: Used to make decisions affecting the Data Principal, or Disclosed to another Data Fiduciary.

4. Must implement technical & organisational measures to comply with the Act.

Implement technical measures Such as encryption, access controls, secure storage, monitoring systems.

Implement organizational measures such as internal policies, staff training, governance structures, audits, accountability mechanisms.

5. Must protect personal data in its possession or under its control (including data processed by a Data Processor) with reasonable security measures to prevent breaches.

6. In case of a personal data breach, must inform both the Data Protection Board and affected Data Principals in the prescribed manner.

7. Must erase personal data when consent is withdrawn or when the specified purpose is no longer served. Must ensure Data Processors also erase such data provided to them.

6. Registration and obligations of Consent Manager: See item 19 and Annexure I. Timeline: the Consent Manager provisions take effect 1 year from the date of publication of the Rules.

7. Informing the Board about a personal data breach: On becoming aware of a personal data breach, the Data Fiduciary must intimate the Board in two stages, and must separately inform each affected Data Principal without delay, in clear and plain language, of the breach, its likely consequences, the measures taken to mitigate risk, the safety measures she can take, and the contact details of a person who can respond to her queries.

8. Intimation of personal data breach to the Board:

First intimation (without delay): description of the breach, including its nature, extent, timing and location of occurrence, and likely impact.

Second intimation (detailed report within 72 hours of becoming aware of the breach, or such longer period as the Board may allow on a written request): updated and detailed information; broad facts related to the events, circumstances and reasons leading to the breach; measures implemented or proposed to mitigate risk; findings regarding the person who caused the breach; remedial measures taken to prevent recurrence; and a report on the intimations given to affected Data Principals.

9. Manner of processing personal data: Processing is permitted only for a lawful purpose, either with consent obtained after a clear notice or under one of the legitimate uses in item 4.
10. Retention and erasure of personal data (including data held by a Data Processor): Even when processing is outsourced to a Data Processor, the Data Fiduciary carries ultimate responsibility for compliance. Personal data and the associated traffic data (logs) must be retained for at least one year for the purpose of compliance with any law in force, and then erased unless a longer retention is required by law. Before erasing personal data on account of the Data Principal no longer engaging with the Data Fiduciary, the Data Fiduciary must intimate her in advance. Retention period: minimum 1 year.

Intimation: at least 48 hours before erasure.

11. Publishing business contact information of Data Protection Officer The DPO’s or authorised person’s contact details must be easily accessible online and consistently shared in communications with Data Principals to ensure accountability and support.


12. Establishing grievance redressal mechanism for Data Principals Every Data Fiduciary must provide Data Principals with a grievance redressal mechanism.

The Data Principal shall exhaust the opportunity of redressing her grievance under this section before approaching the Board.

Timeline: the Data Fiduciary must publish its response period, which may not exceed 90 days.

13. Consent of parent or lawful guardian before processing personal data of a child or person with disability: Processing personal data of children or of persons with disabilities who have a lawful guardian requires verifiable consent of the parent or lawful guardian, with due diligence to confirm the guardian's identity, age and legal authority. Certain exemptions exist for specified classes of Data Fiduciaries and purposes under the Fourth Schedule of the Rules.

  • A child's personal data must not be processed in a way likely to cause a detrimental effect on the child's well-being, and there must be no tracking, behavioural monitoring or targeted advertising directed at children.

The Central Government may, on the basis of an assessment of relevant factors (such as the volume and sensitivity of data processed and the risk to the rights of Data Principals), notify any Data Fiduciary or class of Data Fiduciaries as a Significant Data Fiduciary.

14. Appointment of Data Protection Officer: A Significant Data Fiduciary must appoint a DPO who is based in India, represents the entity under the Act, is responsible to the board of directors or similar governing body of the entity, and is the point of contact for grievances from Data Principals. Applicable only to Significant Data Fiduciaries.
15. Appointment of an independent data auditor to carry out a data audit, and periodic Data Protection Impact Assessment: A Significant Data Fiduciary shall cause the person carrying out the Data Protection Impact Assessment and the audit to furnish to the Board a report containing the significant observations of the assessment and the audit.

Timeline: once in every period of 12 months from the date on which it is notified as a Significant Data Fiduciary or is included in a notified class of Data Fiduciaries.

Applicable only to significant data fiduciary
16. Rights and duties of Data Principal: Where an individual has given consent to a Data Fiduciary, she can request the following:

a) A summary of the personal data being processed and the processing activities undertaken with it;

b) The identities of all other Data Fiduciaries and Data Processors with whom the personal data has been shared, together with a description of the data shared.

However, the right to obtain this information does not apply where:

c) The personal data is shared with another Data Fiduciary who is authorised by law to obtain it; and

d) Such sharing is pursuant to a request made in writing for purposes such as:

    • prevention or detection of offences;
    • investigation of offences or cyber incidents;
    • prosecution or punishment of offences.
17. Right to correction and erasure of personal data: A Data Principal has the right to correction, completion, updating and erasure of her personal data for the processing of which she has previously given consent. The Data Fiduciary must erase the data unless its retention is necessary for the specified purpose or for compliance with any law in force.
18. Duties of Data Principal: a. Comply with the provisions of all applicable laws while exercising rights under the Act

b. Not impersonate another person while providing personal data for a specified purpose

c. Not suppress any material information while providing personal data for any document, identity proof or address proof issued by the State

d. Not register a false or frivolous grievance or complaint with a Data Fiduciary or the Board

e. Furnish only such information as is verifiably authentic when exercising the right to correction or erasure

19. Registration of Consent Manager Only persons who satisfy the eligibility conditions in the First Schedule (refer Annexure 1) can apply to the Board, and once registered, they serve as official Consent Managers to facilitate Data Principals’ rights and consent management.
20. Taking reasonable security safeguards to prevent personal data breach The law requires Data Fiduciaries to adopt a layered security approach:

  • Preventive controls such as encryption, access restrictions
  • Detective controls such as logs, monitoring
  • Corrective controls such as investigation, remediation, backups
  • Contractual obligations such as binding Data Processors
  • Governance measures such as policies, audits, organisational oversight
21. Undertaking measures to ensure protection of personal data: A Significant Data Fiduciary must ensure that personal data specified by the Central Government, on the basis of the recommendations of a committee constituted by it, and the traffic data pertaining to its flow, is not transferred outside India. It must also observe due diligence to verify that the technical measures it adopts, including any algorithmic software, do not pose a risk to the rights of Data Principals.
   Processing of personal data outside the territory of India: A Data Fiduciary may transfer personal data outside India except to such countries or territories as the Central Government may restrict by notification, and subject to such requirements as the Central Government may specify by general or special order.

Exemption from Chapter II (except Sections 8(1) and 8(5)), Chapter III and Section 16 applies in the following circumstances:

1. Processing necessary for enforcing any legal right or claim

2. Processing by a court, tribunal or other body entrusted by law with judicial, quasi-judicial, regulatory or supervisory functions

3. Processing in the interest of prevention, detection, investigation or prosecution of any offence or contravention of any law

4. Processing of personal data of Data Principals outside India, pursuant to a contract with a person outside India, by a person based in India

5. Schemes of compromise, arrangement, merger, amalgamation or reconstruction approved by a court, tribunal or other competent authority

6. Ascertaining the financial information, assets and liabilities of a person who has defaulted on a loan or advance from a financial institution

22. Giving consent for processing of personal data by a Data Fiduciary through a Consent Manager: The Consent Manager acts as a trusted intermediary, enabling a Data Principal to give consent either directly to a Data Fiduciary onboarded on its platform or through another onboarded Data Fiduciary that already holds her data with her consent, so that processing is lawful and verifiable.
23.  Consent Manager to maintain record of certain information on its platform The Consent Manager must maintain on its platform a record of following:

  • All consent given, denied or withdrawn
  • Consent Notices
  • Data Sharing Records

Retention of records: 7 years, or a longer period if agreed between the Data Principal and the Consent Manager or required by law.

24. Developing and maintaining website or app for Data Principal to access services provided by Consent Manager The Consent Manager must provide a dedicated digital platform (website/app) as the primary gateway for Data Principals to manage their personal data rights and consent, ensuring transparency, accessibility, and compliance.
25. Consent Manager to act in a fiduciary capacity with Data Principal The Consent Manager must act as a trusted guardian of Data Principals’ rights, ensuring neutrality and avoiding conflicts with Data Fiduciaries, their promoters, or key managerial personnel.

ANNEXURE I

Conditions for Registration (Applicant Company)

  • Must be a company incorporated in India
  • Sufficient technical, operational and financial capacity
  • Sound financial condition and management character
  • Net worth of at least ₹2 crore
  • Adequate business volume, capital structure and earning prospects
  • Directors, KMPs and senior management must have a reputation of fairness and integrity
  • MOA and AOA must include provisions to adhere to the obligations on conflict of interest and transparency (items 9 and 10 of Part B), amendable only with Board approval
  • Operations must serve the interests of Data Principals
  • Independent certification of platform interoperability with Board standards
  • Certification of technical and organisational measures for compliance

Obligations of Consent Manager

  • Enable Data Principals to give, manage, review and withdraw consent via the platform
  • Ensure personal data shared through the platform is not readable by the Consent Manager itself
  • Maintain records of consents, notices and data sharing
  • Provide Data Principals access to those records and make them available in machine-readable form
  • Maintain records for at least 7 years (or longer if agreed or required by law)
  • Develop and maintain a website or app as the primary access point
  • Cannot subcontract or assign obligations under the Act
  • Take reasonable security safeguards to prevent personal data breach
  • Act in a fiduciary capacity towards Data Principals
  • Avoid conflict of interest with Data Fiduciaries and their promoters or KMPs
  • Ensure no conflict of interest arises from directors, KMPs or senior management holding directorships, financial interests or material relationships with Data Fiduciaries
  • Publish transparency information: promoters, directors, KMPs, senior management, shareholders holding more than 2%, and related corporate holdings
  • Maintain effective audit mechanisms and report outcomes to the Board periodically or as directed
  • Control of the Consent Manager company cannot be transferred (by sale, merger or otherwise) without prior Board approval

ANNEXURE II

Type of Breach | Relevant Section | Maximum Penalty
Failure to take reasonable security safeguards to prevent personal data breach | Section 8(5) | ₹250 crore
Failure to notify the Data Protection Board or affected Data Principals of a personal data breach | Section 8(6) | ₹200 crore
Breach of additional obligations in relation to children | Section 9 | ₹200 crore
Breach of additional obligations of Significant Data Fiduciary | Section 10 | ₹150 crore
Breach of duties of Data Principal | Section 15 | ₹10,000
Breach of voluntary undertaking accepted by the Board | Section 32 | Up to the penalty applicable for the breach in respect of which proceedings were instituted
Breach of any other provision of the Act or the Rules | General | ₹50 crore

STATUTORY TIMELINE:

Activity | Timeline
Applicability of the Act | 14 May 2027 (18 months from notification of the Rules)
Registration of Consent Managers | 1 year from publication of the Rules
Breach intimation to the Board | First intimation without delay; detailed report within 72 hours
Grievance redressal | Within the published response period, not exceeding 90 days
Retention of personal data and logs | Minimum 1 year
DPIA and audit (Significant Data Fiduciary) | Once every 12 months

Author Bio

Radhika Ramesh Partani is a qualified Company Secretary with experience across corporate governance and regulatory compliance functions. She has contributed to various corporate processes for listed and unlisted entities, focusing on accuracy, ethics, and timely execution.
