PART I – UNDERSTANDING THE DIGITAL PERSONAL DATA PROTECTION ACT, 2023: WHAT IT MEANS FOR YOU
Everyone talks about “data privacy”. Most people do not know what it means in daily life. The Digital Personal Data Protection Act, 2023 (“Act”) makes it real. It decides who can take your data. It decides why they can take it. It decides what they must tell you. It also decides what you can ask back.
We will keep this simple. We will read the Act like a lay person would read it. We will not treat it like a compliance manual. We will treat it like a rulebook for normal life. You order food. You book cabs. You shop online. You sign up on apps. You share your number. You share your address. You share your location. You do it in seconds. This Act tells you what those seconds mean.
Key Definitions and Concepts
Data Fiduciary – any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data. [Section 2(i)]
What does it mean – A Data Fiduciary is the person or business that decides why it will collect personal data and how it will process it. In simple terms, the Data Fiduciary decides the purpose and the method. Example. You run an e-commerce website. You ask users for their name, phone number, and address. You collect this data to deliver products and to handle returns. You also decide where you store the data and which service provider will send your order updates. You act as the Data Fiduciary.
Data Principal – the individual to whom the personal data relates and where such individual is— (i) a child, includes the parents or lawful guardian of such a child; (ii) a person with disability, includes her lawful guardian, as the case may be. [Section 2(j)]
What does it mean – A Data Principal is the individual the personal data relates to. The law also deals with two situations. If the Data Principal is a child, the parent or lawful guardian steps in for consent and rights. If the Data Principal is a person with disability who has a lawful guardian, that guardian steps in. Example. Your learning app collects Riya’s name and email. Riya is the Data Principal. If Riya is 15, her parent will give consent for the app to collect and use that data. If your app serves an adult user who has a lawful guardian, the guardian can give consent and can also ask for correction or deletion on the user’s behalf.
Personal Data – any data about an individual who is identifiable by or in relation to such data. [Section 2(t)]
What does it mean – Personal Data means any data about a person where you can identify that person from the data itself or by linking it with other data. Example. A name and phone number identify a person directly.
Processing – a wholly or partly automated operation or set of operations performed on digital personal data, and includes operations such as collection, storage, use, sharing, disclosure, analysis, alignment or combination, indexing, erasure or destruction. [Section 2(x)]
What does it mean – Processing covers almost everything you do with personal data in digital form. It includes collecting it, storing it, using it, sharing it, analysing it, and deleting it. Example. A user signs up on your app. Your system stores the email. You use the email to send a login link and product updates. You later delete the email when the user closes the account. Each of these steps counts as processing.
Data Processor – any person who processes personal data on behalf of a Data Fiduciary. [Section 2(k)]
What does it mean – A Data Processor is a person or company that processes personal data for the Data Fiduciary. The Data Processor does the work. It does not decide the purpose. Example. You use a cloud email service to send OTPs and order updates. That service processes your user emails only to deliver messages. It acts as your Data Processor. You still remain responsible as the Data Fiduciary because you chose the purpose and the tools.
Data Protection Board (“the Board”) – the Data Protection Board of India established by the Central Government under section 18. [Section 18(1)]
What does it mean – The Board is the authority the Central Government will set up under the Act. You can treat it like a specialised quasi-judicial body for DPDP disputes and enforcement. It can look into complaints and personal data breaches. It can issue directions. It can impose monetary penalties.
Consent Manager – a person registered with the Board, who acts as a single point of contact to enable a Data Principal to give, manage, review or withdraw her consent through an accessible, transparent and interoperable platform. [Section 2(g)]
What does it mean – A Consent Manager is an entity that registers with the Board and helps people manage consent through a single platform. It works like a control panel for consent. Example. Suppose you use five apps and you have given each app consent for marketing emails. A Consent Manager can give you one dashboard where you can review those consents and withdraw them without visiting each app separately, if those apps integrate with that platform.
Intermediary – “intermediary” shall have the meaning assigned to it in section 2(1)(w) of the Information Technology Act, 2000. [Section 37(3)]
What does it mean – An Intermediary has the same meaning as in the Information Technology Act, 2000. In plain terms, it is a platform or service that receives, stores, transmits, or hosts information for users. Example. A social media platform, a messaging app, a video hosting site, an internet service provider, and an online marketplace can all qualify as intermediaries because they carry user content or enable communication between users.
Before we delve into the sections, note one small drafting choice. Section 2(y) makes the Act gender-neutral. It says the Act will treat “she” as a reference to any individual, irrespective of gender. The choice still signifies something. The Act uses “she” for the person whose data is at stake. This choice makes the rights holder the default voice in the statute.
Let us understand the key provisions of this Act:
| S. No. | Section | Law as it is | What does it mean? |
|---|---|---|---|
| Chapter II – Obligations of Data Fiduciary | | | |
| 1. | Section 4 – Grounds for processing personal data. | (1) A person may process the personal data of a Data Principal only in accordance with the provisions of this Act and for a lawful purpose,— (a) for which the Data Principal has given her consent; or (b) for certain legitimate uses. (2) For the purposes of this section, the expression “lawful purpose” means any purpose which is not expressly forbidden by law. | Data fiduciaries may process personal data only if the processing is for a lawful purpose and is either with valid consent of the Data Principal or for a permitted legitimate use under the Act. For businesses, this means use of personal data must not be for purposes forbidden by any law. Illustration – If a Data Fiduciary runs a food delivery app, it may collect a user’s name, phone number, and address to deliver an order. The user gives consent for that purpose. The Data Fiduciary may also use the phone number to send an OTP to authenticate the login. The user expects this. The Act treats this as a permitted legitimate use if the user voluntarily provides the data for that obvious purpose and does not indicate refusal. The Data Fiduciary must not use the same data to open a loan account in the user’s name. The Data Fiduciary must not use the data to impersonate the user. The Act does not permit any processing for a purpose which law forbids. |
| 2. | Section 5 – Notice. | (1) Every request made to a Data Principal under section 6 for consent shall be accompanied or preceded by a notice given by the Data Fiduciary to the Data Principal, informing her,— (i) the personal data and the purpose for which the same is proposed to be processed; (ii) the manner in which she may exercise her rights under sub-section (4) of section 6 and section 13; and (iii) the manner in which the Data Principal may make a complaint to the Board, in such manner and as may be prescribed. (2) Where a Data Principal has given her consent for the processing of her personal data before the date of commencement of this Act,— (a) the Data Fiduciary shall, as soon as it is reasonably practicable, give to the Data Principal a notice informing her,–– (i) the personal data and the purpose for which the same has been processed; (ii) the manner in which she may exercise her rights under sub-section (4) of section 6 and section 13; and (iii) the manner in which the Data Principal may make a complaint to the Board, in such manner and as may be prescribed. (b) the Data Fiduciary may continue to process the personal data until and unless the Data Principal withdraws her consent. (3) The Data Fiduciary shall give the Data Principal the option to access the contents of the notice referred to in sub-sections (1) and (2) in English or any language specified in the Eighth Schedule to the Constitution. | All data fiduciaries must give a clear notice before or along with seeking consent, explaining what personal data will be processed, for what purpose, how the Data Principal can exercise her rights, and how to complain to the Data Protection Board. For existing users whose consent was taken before the Act, businesses must issue a similar notice after commencement and can continue processing unless consent is withdrawn, and must make the notice available in English or any Eighth Schedule language. Illustration – If a Data Fiduciary runs an e-commerce platform, it may ask for a Data Principal’s phone number at checkout to deliver the order and to send OTPs and delivery updates. The platform must show a notice on the same screen or before it. The notice must state that it will process the phone number for delivery and service communications. It must also state how the Data Principal may withdraw consent. It must state how the Data Principal may exercise her rights. It must state how the Data Principal may complain to the Board. If the platform already collected the phone number before the Act commenced, it must send the same notice after commencement as soon as it can. It may continue to process the phone number until the Data Principal withdraws consent. If the platform wants to use the same phone number to send promotional messages, it must take consent for that purpose as well. |
| 3. | Section 6 – Consent. | (1) The consent given by the Data Principal shall be free, specific, informed, unconditional and unambiguous with a clear affirmative action, and shall signify an agreement to the processing of her personal data for the specified purpose and be limited to such personal data as is necessary for such specified purpose. (2) Any part of consent referred in sub-section (1) which constitutes an infringement of the provisions of this Act or the rules made thereunder or any other law for the time being in force shall be invalid to the extent of such infringement. (3) Every request for consent under the provisions of this Act or the rules made thereunder shall be presented to the Data Principal in a clear and plain language, giving her the option to access such request in English or any language specified in the Eighth Schedule to the Constitution and providing the contact details of a Data Protection Officer, where applicable, or of any other person authorised by the Data Fiduciary to respond to any communication from the Data Principal for the purpose of exercise of her rights under the provisions of this Act. (4) Where consent given by the Data Principal is the basis of processing of personal data, such Data Principal shall have the right to withdraw her consent at any time, with the ease of doing so being comparable to the ease with which such consent was given. (5) The consequences of the withdrawal referred to in sub-section (4) shall be borne by the Data Principal, and such withdrawal shall not affect the legality of processing of the personal data based on consent before its withdrawal. (6) If a Data Principal withdraws her consent to the processing of personal data under sub-section (5), the Data Fiduciary shall, within a reasonable time, cease and cause its Data Processors to cease processing the personal data of such Data Principal unless such processing without her consent is required or authorised under the provisions of this Act or the rules made thereunder or any other law for the time being in force in India. (7) The Data Principal may give, manage, review or withdraw her consent to the Data Fiduciary through a Consent Manager. (8) The Consent Manager shall be accountable to the Data Principal and shall act on her behalf in such manner and subject to such obligations as may be prescribed. (9) Every Consent Manager shall be registered with the Board in such manner and subject to such technical, operational, financial and other conditions as may be prescribed. (10) Where a consent given by the Data Principal is the basis of processing of personal data and a question arises in this regard in a proceeding, the Data Fiduciary shall be obliged to prove that a notice was given by her to the Data Principal and consent was given by such Data Principal to the Data Fiduciary in accordance with the provisions of this Act and the rules made thereunder. | Where processing is based on consent, data fiduciaries must ensure consent is clear, purpose-specific, limited to necessary data, easy to withdraw, and obtained through transparent language, and must stop processing (including by Data Processors) once consent is withdrawn unless another lawful basis applies. Businesses must also be able to demonstrate that valid notice and consent were obtained, and accommodate consent being managed or withdrawn through a Consent Manager. Moreover, in proceedings with respect to questions of consent, the burden of proof to establish compliance shall be on the Data Fiduciary. Illustration – If a Data Fiduciary runs a cab booking app, it may ask a Data Principal for location access to pick up and drop her. The app must present a clear consent request. It must state that it will process location data for trip booking and route navigation. It must take a clear affirmative action. The user must click “Allow location for trips”. The app must not treat mere use of the app as consent for location tracking. The app must also make withdrawal simple. The user must withdraw location consent through the same settings screen where she gave it. If the user withdraws consent, the app must stop processing location data within a reasonable time and must ensure its Data Processors also stop, unless another law permits processing without consent. The app may state that withdrawal will prevent booking a cab. The user bears that consequence. The withdrawal does not make past location processing unlawful. |
| 4. | Section 7 – Certain legitimate uses. | 7. A Data Fiduciary may process personal data of a Data Principal for any of following uses, namely:— (a) for the specified purpose for which the Data Principal has voluntarily provided her personal data to the Data Fiduciary, and in respect of which she has not indicated to the Data Fiduciary that she does not consent to the use of her personal data. (b) for the State and any of its instrumentalities to provide or issue to the Data Principal such subsidy, benefit, service, certificate, licence or permit as may be prescribed, where–– (i) she has previously consented to the processing of her personal data by the State or any of its instrumentalities for any subsidy, benefit, service, certificate, licence or permit; or (ii) such personal data is available in digital form in, or in non-digital form and digitised subsequently from, any database, register, book or other document which is maintained by the State or any of its instrumentalities and is notified by the Central Government, subject to standards followed for processing being in accordance with the policy issued by the Central Government or any law for the time being in force for governance of personal data. (c) for the performance by the State or any of its instrumentalities of any function under any law for the time being in force in India or in the interest of sovereignty and integrity of India or security of the State; (d) for fulfilling any obligation under any law for the time being in force in India on any person to disclose any information to the State or any of its instrumentalities, subject to such processing being in accordance with the provisions regarding disclosure of such information in any other law for the time being in force; (e) for compliance with any judgment or decree or order issued under any law for the time being in force in India, or any judgment or order relating to claims of a contractual or civil nature under any law for the time being in force outside India; (f) for responding to a medical emergency involving a threat to the life or immediate threat to the health of the Data Principal or any other individual; (g) for taking measures to provide medical treatment or health services to any individual during an epidemic, outbreak of disease, or any other threat to public health; (h) for taking measures to ensure safety of, or provide assistance or services to, any individual during any disaster, or any breakdown of public order. (i) for the purposes of employment or those related to safeguarding the employer from loss or liability, such as prevention of corporate espionage, maintenance of confidentiality of trade secrets, intellectual property, classified information or provision of any service or benefit sought by a Data Principal who is an employee. | This section allows data fiduciaries to process personal data without consent for specific legitimate uses, including when data is voluntarily provided for an obvious purpose, to meet legal or court obligations, to respond to emergencies, disasters or public health situations, and for employment-related purposes. For businesses, this means consent is not required in these limited scenarios, but processing must stop once the purpose ends and must remain strictly connected to the permitted use. Illustration – If a Data Fiduciary runs a hotel booking platform, it may process a Data Principal’s phone number and email to send the booking confirmation, check-in details, and payment receipt. The Data Principal voluntarily provided that data for that obvious purpose. The platform need not take a fresh consent only to send those service messages. If a court issues an order directing the platform to produce booking records for a dispute, the platform may process and disclose the relevant personal data to comply with that order. If the Data Principal collapses at the hotel and the hotel calls the platform to confirm identity details for emergency medical help, the platform may share limited details to respond to the medical emergency. The platform must keep each use tied to the permitted purpose. It must not use the same phone number to send marketing messages unless it takes consent for marketing. |
| 5. | Section 8 – General obligations of Data Fiduciary | (1) A Data Fiduciary shall, irrespective of any agreement to the contrary or failure of a Data Principal to carry out the duties provided under this Act, be responsible for complying with the provisions of this Act and the rules made thereunder in respect of any processing undertaken by it or on its behalf by a Data Processor. (2) A Data Fiduciary may engage, appoint, use or otherwise involve a Data Processor to process personal data on its behalf for any activity related to offering of goods or services to Data Principals only under a valid contract. (3) Where personal data processed by a Data Fiduciary is likely to be— (a) used to make a decision that affects the Data Principal; or (b) disclosed to another Data Fiduciary, the Data Fiduciary processing such personal data shall ensure its completeness, accuracy and consistency. (4) A Data Fiduciary shall implement appropriate technical and organisational measures to ensure effective observance of the provisions of this Act and the rules made thereunder. (5) A Data Fiduciary shall protect personal data in its possession or under its control, including in respect of any processing undertaken by it or on its behalf by a Data Processor, by taking reasonable security safeguards to prevent personal data breach. (6) In the event of a personal data breach, the Data Fiduciary shall give the Board and each affected Data Principal, intimation of such breach in such form and manner as may be prescribed. (7) A Data Fiduciary shall, unless retention is necessary for compliance with any law for the time being in force,— (a) erase personal data, upon the Data Principal withdrawing her consent or as soon as it is reasonable to assume that the specified purpose is no longer being served, whichever is earlier; and (b) cause its Data Processor to erase any personal data that was made available by the Data Fiduciary for processing to such Data Processor. (8) The purpose referred to in clause (a) of sub-section (7) shall be deemed to no longer be served, if the Data Principal does not–– (a) approach the Data Fiduciary for the performance of the specified purpose; and (b) exercise any of her rights in relation to such processing, for such time period as may be prescribed, and different time periods may be prescribed for different classes of Data Fiduciaries and for different purposes. (9) A Data Fiduciary shall publish, in such manner as may be prescribed, the business contact information of a Data Protection Officer, if applicable, or a person who is able to answer on behalf of the Data Fiduciary, the questions, if any, raised by the Data Principal about the processing of her personal data. (10) A Data Fiduciary shall establish an effective mechanism to redress the grievances of Data Principals. (11) For the purposes of this section, it is hereby clarified that a Data Principal shall be considered as not having approached the Data Fiduciary for the performance of the specified purpose, in any period during which she has not initiated contact with the Data Fiduciary for such performance, in person or by way of communication in electronic or physical form. | The Data Fiduciary stays responsible for compliance even if a vendor processes data for it. The Data Fiduciary must sign a contract with any Data Processor it uses. The Data Fiduciary must keep personal data complete and accurate when it uses that data to make decisions about a person or when it shares that data with another Data Fiduciary. The Data Fiduciary must put in place technical and organisational measures to comply with the Act. The Data Fiduciary must apply reasonable security safeguards to prevent a breach. If a breach happens, the Data Fiduciary must inform the Board and the affected persons in the prescribed manner. The Data Fiduciary must erase personal data when the person withdraws consent or when the purpose ends, unless another law requires retention. The Data Fiduciary must also ensure its Data Processor erases the data. The Data Fiduciary must publish contact details of its Data Protection Officer, where applicable, or an authorised person. The Data Fiduciary must also set up an effective grievance redressal mechanism. Illustration – A food delivery company runs an app. It decides why it will collect a customer’s name, phone number, and address. It decides how it will store it. It acts as the Data Fiduciary. It uses a cloud vendor to host the database. That vendor acts as the Data Processor. Section 8 says the food delivery company stays responsible even if the vendor mishandles data. It must sign a contract with the vendor. It must also keep security safeguards in place. If a breach happens at the vendor end, the food delivery company must still intimate the Board and the affected customers. |
| 6. | Section 9 – Processing of personal data of children. | (1) The Data Fiduciary shall, before processing any personal data of a child or a person with disability who has a lawful guardian obtain verifiable consent of the parent of such child or the lawful guardian, as the case may be, in such manner as may be prescribed. Explanation.—For the purpose of this sub-section, the expression “consent of the parent” includes the consent of lawful guardian, wherever applicable. (2) A Data Fiduciary shall not undertake such processing of personal data that is likely to cause any detrimental effect on the well-being of a child. (3) A Data Fiduciary shall not undertake tracking or behavioural monitoring of children or targeted advertising directed at children. (4) The provisions of sub-sections (1) and (3) shall not be applicable to processing of personal data of a child by such classes of Data Fiduciaries or for such purposes, and subject to such conditions, as may be prescribed. (5) The Central Government may, if satisfied that a Data Fiduciary has ensured that its processing of personal data of children is done in a manner that is verifiably safe, notify for such processing by such Data Fiduciary the age above which that Data Fiduciary shall be exempt from the applicability of all or any of the obligations under sub-sections (1) and (3) in respect of processing by that Data Fiduciary as the notification may specify. | Businesses that process personal data of children must obtain verifiable parental or guardian consent, avoid any processing that could harm a child’s well-being, and are prohibited from tracking, behavioural monitoring, or targeted advertising directed at children, unless exempted by notified categories or age thresholds. This requires child-facing businesses to redesign consent flows, advertising models, and product features to meet stricter safeguards. Illustration – An online tutoring app must obtain the consent of the parent or lawful guardian before a minor, or a person with disability who has a lawful guardian, can create an account. Moreover, their data must not be used for tracking or for personalised ads and targeted marketing. |
| 7. | Section 10 – Additional obligations of Significant Data Fiduciary | (1) The Central Government may notify any Data Fiduciary or class of Data Fiduciaries as Significant Data Fiduciary, on the basis of an assessment of such relevant factors as it may determine, including— (a) the volume and sensitivity of personal data processed; (b) risk to the rights of Data Principal; (c) potential impact on the sovereignty and integrity of India; (d) risk to electoral democracy; (e) security of the State; and (f) public order. (2) The Significant Data Fiduciary shall— (a) appoint a Data Protection Officer who shall— (i) represent the Significant Data Fiduciary under the provisions of this Act; (ii) be based in India; (iii) be an individual responsible to the Board of Directors or similar governing body of the Significant Data Fiduciary; and (iv) be the point of contact for the grievance redressal mechanism under the provisions of this Act; (b) appoint an independent data auditor to carry out data audit, who shall evaluate the compliance of the Significant Data Fiduciary in accordance with the provisions of this Act; and (c) undertake the following other measures, namely:— (i) periodic Data Protection Impact Assessment, which shall be a process comprising a description of the rights of Data Principals and the purpose of processing of their personal data, assessment and management of the risk to the rights of the Data Principals, and such other matters regarding such process as may be prescribed; (ii) periodic audit; and (iii) such other measures, consistent with the provisions of this Act, as may be prescribed. | The Central Government can designate certain data fiduciaries as Significant Data Fiduciaries based on factors like scale, sensitivity of data, and risks to individuals or the State, triggering higher compliance obligations. Such businesses must appoint an India-based Data Protection Officer, engage an independent data auditor, and carry out periodic audits and Data Protection Impact Assessments, increasing governance and compliance requirements. Illustration – A large social media app or e-commerce website could be designated as a Significant Data Fiduciary, pursuant to which it would need to appoint a Data Protection Officer who will essentially be the Data Fiduciary’s point of contact for all data-related queries and obligations. The Data Protection Officer shall conduct periodic audits, assess risks, and ensure compliance. |
| Chapter III – Obligations of Data Fiduciary | | | |
| 8. | Section 11 – Right to access information about personal data. | (1) The Data Principal shall have the right to obtain from the Data Fiduciary to whom she has previously given consent, including consent as referred to in clause (a) of section 7 (hereinafter referred to as the said Data Fiduciary), for processing of personal data, upon making to it a request in such manner as may be prescribed,— (a) a summary of personal data which is being processed by such Data Fiduciary and the processing activities undertaken by that Data Fiduciary with respect to such personal data; (b) the identities of all other Data Fiduciaries and Data Processors with whom the personal data has been shared by such Data Fiduciary, along with a description of the personal data so shared; and (c) any other information related to the personal data of such Data Principal and its processing, as may be prescribed. (2) Nothing contained in clause (b) or clause (c) of sub-section (1) shall apply in respect of the sharing of any personal data by the said Data Fiduciary with any other Data Fiduciary authorised by law to obtain such personal data, where such sharing is pursuant to a request made in writing by such other Data Fiduciary for the purpose of prevention or detection or investigation of offences or cyber incidents, or for prosecution or punishment of offences. | Businesses must be able to, on request, disclose to a Data Principal what personal data they are processing, how it is used, and with whom it has been shared, except where disclosure is legally restricted for law-enforcement or similar purposes. This requires data mapping, record-keeping, and response mechanisms to answer such requests accurately and within prescribed timelines. Illustration – If a Data Principal uses a mutual fund app, she gives consent for KYC and account opening. She later sends a request under Section 11. The app must give her a summary of the personal data it processes. It must state the processing activities. It must state that it processes her PAN, Aadhaar-based KYC reference, address, bank account details, and transaction history for KYC, account maintenance, order execution, compliance, and customer support. The app must also identify who received her data. It must name the KYC agency, the payment gateway, the cloud hosting vendor, and the registrar and transfer agent, and it must describe what it shared with each of them. The app need not disclose sharing with a law enforcement body if that body sought the data in writing for investigation and law authorises the request. |
| 9. | Section 12 – Right to correction and erasure of personal data. | (1) A Data Principal shall have the right to correction, completion, updating and erasure of her personal data for the processing of which she has previously given consent, including consent as referred to in clause (a) of section 7, in accordance with any requirement or procedure under any law for the time being in force. (2) A Data Fiduciary shall, upon receiving a request for correction, completion or updating from a Data Principal,— (a) correct the inaccurate or misleading personal data; (b) complete the incomplete personal data; and (c) update the personal data. (3) A Data Principal shall make a request in such manner as may be prescribed to the Data Fiduciary for erasure of her personal data, and upon receipt of such a request, the Data Fiduciary shall erase her personal data unless retention of the same is necessary for the specified purpose or for compliance with any law for the time being in force. | Businesses must provide mechanisms for Data Principals to correct, update, complete, or request erasure of their personal data and must act on such requests unless retention is legally required or still necessary for the specified purpose. This obliges data fiduciaries to maintain editable records, verification processes, and clear workflows to implement changes or deletions promptly. Illustration – If a Data Principal uses an airline booking website and her profile shows the wrong passport number, she may send a request to correct it. The website must correct the inaccurate entry once it verifies the request. If her profile lacks her full name as per passport, she may request completion. The website must complete the record. If she changes her mobile number, she may request an update. The website must update it. If she deletes her account and requests erasure of her profile data, the website must erase the personal data that no longer serves the booking purpose. The website may retain invoice and transaction records if tax law or aviation security rules require retention, or if the specified purpose still requires it. |
| 10. | Section 13 – Right of grievance redressal. | (1) A Data Principal shall have the right to have readily available means of grievance redressal provided by a Data Fiduciary or Consent Manager in respect of any act or omission of such Data Fiduciary or Consent Manager regarding the performance of its obligations in relation to the personal data of such Data Principal or the exercise of her rights under the provisions of this Act and the rules made thereunder. (2) The Data Fiduciary or Consent Manager shall respond to any grievances referred to in sub-section (1) within such period as may be prescribed from the date of its receipt for all or any class of Data Fiduciaries. (3) The Data Principal shall exhaust the opportunity of redressing her grievance under this section before approaching the Board. | Businesses and Consent Managers must provide an accessible grievance redressal mechanism and respond to complaints within the prescribed period, because a Data Principal must exhaust this route before approaching the Board. This requires clear complaint channels, tracking systems, and timely resolution processes, together with a record of each grievance and its outcome, since that record is what the business will rely on if the matter later reaches the Board. Illustration- If a user is concerned that her data is being used for purposes beyond those for which she gave consent, she must first raise a grievance with the Data Fiduciary through its grievance channel. If her concern is with how a Consent Manager handled her consent, she raises it with that Consent Manager. Only after she has exhausted that route may she approach the Data Protection Board for redressal. |
| 11. | Section 14 – Right to nominate. | (1) A Data Principal shall have the right to nominate, in such manner as may be prescribed, any other individual, who shall, in the event of death or incapacity of the Data Principal, exercise the rights of the Data Principal in accordance with the provisions of this Act and the rules made thereunder. (2) For the purposes of this section, the expression “incapacity” means inability to exercise the rights of the Data Principal under the provisions of this Act or the rules made thereunder due to unsoundness of mind or infirmity of body. | Businesses must recognise and act on requests made by a nominated individual who exercises a Data Principal’s rights after the Data Principal’s death or incapacity. This requires processes to record nominations in the prescribed manner, to verify the nominee’s identity and the triggering event (death or incapacity) before acting, and then to handle the nominee’s requests in the same manner as requests from the Data Principal herself. Illustration- A nominee may ask the Data Fiduciary, on the deceased’s behalf, to erase the deceased’s personal data under Section 12, or to provide the information available under Section 11. |
| 12. | Section 15 – Duties of Data Principal | A Data Principal shall perform the following duties, namely— (a) comply with the provisions of all applicable laws for the time being in force while exercising rights under the provisions of this Act; (b) to ensure not to impersonate another person while providing her personal data for a specified purpose; (c) to ensure not to suppress any material information while providing her personal data for any document, unique identifier, proof of identity or proof of address issued by the State or any of its instrumentalities; (d) to ensure not to register a false or frivolous grievance or complaint with a Data Fiduciary or the Board; and (e) to furnish only such information as is verifiably authentic, while exercising the right to correction or erasure under the provisions of this Act or the rules made thereunder. | Data Principals also have duties under the Act: to comply with applicable law when exercising their rights, not to impersonate another person, not to suppress material information when supplying personal data for a State-issued document or identifier, not to file false or frivolous grievances, and to furnish only verifiably authentic information when seeking correction or erasure. Illustration- A user who provides a false ID or impersonates another individual breaches Section 15 and may face a penalty under the Schedule, which permits a penalty of up to ₹10,000 for breach of a Data Principal’s duties. For a business, the duty in clause (e) supports asking for verification before acting on a correction or erasure request. |
| 13. | Section 16 – Processing of personal data outside India. | (1) The Central Government may, by notification, restrict the transfer of personal data by a Data Fiduciary for processing to such country or territory outside India as may be so notified. (2) Nothing contained in this section shall restrict the applicability of any law for the time being in force in India that provides for a higher degree of protection for or restriction on transfer of personal data by a Data Fiduciary outside India in relation to any personal data or Data Fiduciary or class thereof. | Section 16 deals with cross border transfers. A Data Fiduciary may transfer personal data outside India for processing unless the Central Government, by notification, restricts transfer to a notified country or territory. The Act therefore works on a negative list. A Data Fiduciary must check the current notifications before it transfers data, and must keep checking, because a destination permitted today may be restricted later. Section 16(2) adds that another Indian law may impose stricter limits than the DPDP Act, for example a sectoral regulator’s requirement that certain data be stored only in India. Section 16 does not dilute that stricter law. A Data Fiduciary must comply with the stricter requirement. Illustration. A SaaS company in India uses a cloud vendor with servers in Singapore to host customer accounts. It may transfer personal data to Singapore for hosting unless the Central Government notifies a restriction on transfer to Singapore. If the Government later notifies such a restriction, the company must stop transfers to Singapore and move processing to a permitted destination. The company should therefore know, for each vendor, in which country or territory its personal data is stored and processed, so that it can act on a notification without first having to discover where its data is. |
| 14. | Section 17 – Exemptions. | (1) The provisions of Chapter II, except sub-sections (1) and (5) of section 8, and those of Chapter III and section 16 shall not apply where— (a) the processing of personal data is necessary for enforcing any legal right or claim; (b) the processing of personal data by any court or tribunal or any other body in India which is entrusted by law with the performance of any judicial or quasi-judicial or regulatory or supervisory function, where such processing is necessary for the performance of such function; (c) personal data is processed in the interest of prevention, detection, investigation or prosecution of any offence or contravention of any law for the time being in force in India; (d) personal data of Data Principals not within the territory of India is processed pursuant to any contract entered into with any person outside the territory of India by any person based in India; (e) the processing is necessary for a scheme of compromise or arrangement or merger or amalgamation of two or more companies or a reconstruction by way of demerger or otherwise of a company, or transfer of undertaking of one or more company to another company, or involving division of one or more companies, approved by a court or tribunal or other authority competent to do so by any law for the time being in force; and (f) the processing is for the purpose of ascertaining the financial information and assets and liabilities of any person who has defaulted in payment due on account of a loan or advance taken from a financial institution, subject to such processing being in accordance with the provisions regarding disclosure of information or data in any other law for the time being in force. Explanation.—For the purposes of this clause, the expressions “default” and “financial institution” shall have the meanings respectively assigned to them in sub-sections (12) and (14) of section 3 of the Insolvency and Bankruptcy Code, 2016. (2) The provisions of this Act shall not apply in respect of the processing of personal data— (a) by such instrumentality of the State as the Central Government may notify, in the interests of sovereignty and integrity of India, security of the State, friendly relations with foreign States, maintenance of public order or preventing incitement to any cognizable offence relating to any of these, and the processing by the Central Government of any personal data that such instrumentality may furnish to it; and (b) necessary for research, archiving or statistical purposes if the personal data is not to be used to take any decision specific to a Data Principal and such processing is carried on in accordance with such standards as may be prescribed. (3) The Central Government may, having regard to the volume and nature of personal data processed, notify certain Data Fiduciaries or class of Data Fiduciaries, including startups, as Data Fiduciaries to whom the provisions of section 5, sub-sections (3) and (7) of section 8 and sections 10 and 11 shall not apply. Explanation.—For the purposes of this sub-section, the term “startup” means a private limited company or a partnership firm or a limited liability partnership incorporated in India, which is eligible to be and is recognised as such in accordance with the criteria and process notified by the department to which matters relating to startups are allocated in the Central Government. (4) In respect of processing by the State or any instrumentality of the State, the provisions of sub-section (7) of section 8 and sub-section (3) of section 12 and, where such processing is for a purpose that does not include making of a decision that affects the Data Principal, sub-section (2) of section 12 shall not apply. (5) The Central Government may, before expiry of five years from the date of commencement of this Act, by notification, declare that any provision of this Act shall not apply to such Data Fiduciary or classes of Data Fiduciaries for such period as may be specified in the notification. | This section creates broad exemptions from key obligations for specific situations such as enforcement of legal claims, court and regulatory functions, criminal investigations, contracts with persons outside India concerning Data Principals who are not in India, court-approved corporate restructuring, and assessment of loan defaulters, allowing processing in those situations without most of the consent and Data Principal rights requirements. Two obligations survive every Section 17(1) exemption: Section 8(1), under which the Data Fiduciary remains responsible for compliance, and Section 8(5), which requires reasonable security safeguards to prevent a personal data breach. An exemption from consent is therefore not an exemption from securing the data. Section 17(2) takes notified State instrumentalities, and research, archiving and statistical processing that meets the stated conditions, outside the Act altogether, and Sections 17(3) and 17(5) empower the Central Government to exempt certain Data Fiduciaries (including startups or notified entities) from selected obligations, reducing regulatory burden in notified cases. Illustration- If the police register an FIR under the BNSS and investigate an offence, they may send a written request to a ride hailing platform for trip records of a suspect for a specified date and time. The platform may process and share the relevant personal data for that investigation. Section 17(1)(c) applies because the processing supports prevention, detection, investigation, or prosecution of an offence. The platform need not take the Data Principal’s consent for this sharing. The platform should still share only what the request needs, should follow the disclosure procedure that the BNSS and other applicable law prescribe, and should log the request and what it disclosed, since its accountability under Section 8(1) continues. |
| Chapter VII – Appeal and Alternate Dispute Resolution | |||
| 15. | Section 29 – Appeal to Appellate Tribunal. | (1) Any person aggrieved by an order or direction made by the Board under this Act may prefer an appeal before the Appellate Tribunal. (2) Every appeal under sub-section (1) shall be filed within a period of sixty days from the date of receipt of the order or direction appealed against and it shall be in such form and manner and shall be accompanied by such fee as may be prescribed. (3) The Appellate Tribunal may entertain an appeal after the expiry of the period specified in sub-section (2), if it is satisfied that there was sufficient cause for not preferring the appeal within that period. (4) On receipt of an appeal under sub-section (1), the Appellate Tribunal may, after giving the parties to the appeal, an opportunity of being heard, pass such orders thereon as it thinks fit, confirming, modifying or setting aside the order appealed against. (5) The Appellate Tribunal shall send a copy of every order made by it to the Board and to the parties to the appeal. (6) The appeal filed before the Appellate Tribunal under sub-section (1) shall be dealt with by it as expeditiously as possible and endeavour shall be made by it to dispose of the appeal finally within six months from the date on which the appeal is presented to it. (7) Where any appeal under sub-section (6) could not be disposed of within the period of six months, the Appellate Tribunal shall record its reasons in writing for not disposing of the appeal within that period. (8) Without prejudice to the provisions of section 14A and section 16 of the Telecom Regulatory Authority of India Act, 1997, the Appellate Tribunal shall deal with an appeal under this section in accordance with such procedure as may be prescribed. (9) Where an appeal is filed against the orders of the Appellate Tribunal under this Act, the provisions of section 18 of the Telecom Regulatory Authority of India Act, 1997 shall apply. (10) In respect of appeals filed under the provisions of this Act, the Appellate Tribunal shall, as far as practicable, function as a digital office, with the receipt of appeal, hearing and pronouncement of decisions in respect of the same being digital by design. | Businesses or other persons affected by an order or direction of the Board have a clear right to appeal to the Appellate Tribunal within sixty days of receiving it, with delayed appeals allowed for sufficient cause. This gives businesses a structured, time-bound remedy against adverse regulatory orders, with appeals handled digitally and intended to be disposed of within six months. |
| 16. | Section 30 – Orders passed by Appellate Tribunal to be executable as decree. | (1) An order passed by the Appellate Tribunal under this Act shall be executable by it as a decree of civil court, and for this purpose, the Appellate Tribunal shall have all the powers of a civil court. (2) Notwithstanding anything contained in sub-section (1), the Appellate Tribunal may transmit any order made by it to a civil court having local jurisdiction and such civil court shall execute the order as if it were a decree made by that court. | Orders of the Appellate Tribunal are directly enforceable like civil court decrees, meaning businesses must comply without needing separate enforcement proceedings. Non-compliance can therefore lead to immediate execution through the Tribunal itself or the relevant civil court. |
| 17. | Section 31 – Alternate dispute resolution. | If the Board is of the opinion that any complaint may be resolved by mediation, it may direct the parties concerned to attempt resolution of the dispute through such mediation by such mediator as the parties may mutually agree upon, or as provided for under any law for the time being in force in India. | Businesses may be directed by the Board to attempt mediation for resolving complaints, requiring engagement in alternative dispute resolution before further proceedings. This can reduce litigation exposure but requires readiness to participate in mediated settlements. |
| 18. | Section 32 – Voluntary undertaking. | (1) The Board may accept a voluntary undertaking in respect of any matter related to observance of the provisions of this Act from any person at any stage of a proceeding under section 28. (2) The voluntary undertaking referred to in sub-section (1) may include an undertaking to take such action within such time as may be determined by the Board, or refrain from taking such action, and or publicising such undertaking. (3) The Board may, after accepting the voluntary undertaking and with the consent of the person who gave the voluntary undertaking vary the terms included in the voluntary undertaking. (4) The acceptance of the voluntary undertaking by the Board shall constitute a bar on proceedings under the provisions of this Act as regards the contents of the voluntary undertaking, except in cases covered by sub-section (5). (5) Where a person fails to adhere to any term of the voluntary undertaking accepted by the Board, such breach shall be deemed to be breach of the provisions of this Act and the Board may, after giving such person an opportunity of being heard, proceed in accordance with the provisions of section 33. | Businesses may resolve proceedings by offering a voluntary undertaking to the Board to take or stop certain actions, which bars further proceedings on the matters the undertaking covers. However, failure to adhere to any term of the undertaking is deemed a breach of the Act, exposing the business to penalties under Section 33. Illustration- During proceedings, a company alleged to have violated the Act may offer a written undertaking to bring itself into compliance and to submit proof of compliance within a fixed timeline. If the Board accepts this undertaking, the company must follow it strictly; failure to do so lets the Board proceed under Section 33 and can lead to penalties. |
| Chapter VIII – Penalties and Adjudication | |||
| 19. | Section 33 – Penalties. | (1) If the Board determines on conclusion of an inquiry that breach of the provisions of this Act or the rules made thereunder by a person is significant, it may, after giving the person an opportunity of being heard, impose such monetary penalty specified in the Schedule. (2) While determining the amount of monetary penalty to be imposed under sub-section (1), the Board shall have regard to the following matters, namely:— (a) the nature, gravity and duration of the breach; (b) the type and nature of the personal data affected by the breach; (c) repetitive nature of the breach; (d) whether the person, as a result of the breach, has realised a gain or avoided any loss; (e) whether the person took any action to mitigate the effects and consequences of the breach, and the timeliness and effectiveness of such action; (f) whether the monetary penalty to be imposed is proportionate and effective, having regard to the need to secure observance of and deter breach of the provisions of this Act; and (g) the likely impact of the imposition of the monetary penalty on the person. | If the Data Protection Board finds a significant breach, it can impose monetary penalties as specified in the Schedule, after giving the business an opportunity to be heard. For businesses, penalty exposure depends on factors such as the seriousness and duration of the breach, sensitivity of data involved, repeat violations, gains made, and how promptly and effectively the breach was mitigated. |
| Chapter IX – Miscellaneous | |||
| 20. | Section 37 – Power of Central Government to issue directions. | (1) The Central Government or any of its officers specially authorised by it in this behalf may, upon receipt of a reference in writing from the Board that— (a) intimates the imposition of monetary penalty by the Board on a Data Fiduciary in two or more instances; and (b) advises, in the interests of the general public, the blocking for access by the public to any information generated, transmitted, received, stored or hosted, in any computer resource that enables such Data Fiduciary to carry on any activity relating to offering of goods or services to Data Principals within the territory of India, after giving an opportunity of being heard to that Data Fiduciary, on being satisfied that it is necessary or expedient so to do, in the interests of the general public, for reasons to be recorded in writing, by order, direct any agency of the Central Government or any intermediary to block for access by the public or cause to be blocked for access by the public any such information. (2) Every intermediary who receives a direction issued under sub-section (1) shall be bound to comply with the same. (3) For the purposes of this section, the expressions “computer resource”, “information” and “intermediary” shall have the meanings respectively assigned to them in the Information Technology Act, 2000. | Businesses that face repeated monetary penalties under the DPDP Act risk government-ordered blocking of public access to their digital services in India, effectively disrupting their ability to offer goods or services. Intermediaries receiving such blocking orders are legally required to comply, making this a severe enforcement risk for non-compliant businesses. |
Penalties Under the Act
The Schedule to the Act sets out the maximum monetary penalties for specified categories of breach. Section 33 empowers the Board to impose a monetary penalty after it completes an inquiry, finds the breach significant, and gives the concerned person an opportunity of being heard. The Schedule sets no minimum. The Board fixes the amount within the applicable cap. The highest caps attach to security failures: a penalty which may extend up to ₹250 crore for failure to take reasonable security safeguards to prevent a personal data breach (Section 8(5)), and up to ₹200 crore for failure to give notice of a personal data breach to the Board or the affected Data Principals (Section 8(6)). Breach of the obligations in relation to children (Section 9) carries a cap of ₹200 crore, breach of the additional obligations of a Significant Data Fiduciary (Section 10) ₹150 crore, breach of any other provision of the Act or the rules ₹50 crore, and breach of a Data Principal’s duties (Section 15) ₹10,000. Breach of a term of a voluntary undertaking is penalised up to the cap applicable to the breach for which the original proceedings were instituted. The Board decides the quantum by applying the factors in Section 33(2): the nature, gravity and duration of the breach, the type of personal data affected, repetition, any gain or avoided loss, mitigation steps and their timeliness, proportionality and deterrence, and the likely impact of the penalty on the person.
That is Part I. You now know the cast and the basic rules. In Part II, we break down the sections that actually run the show. We will see in more detail what a business must do, what it must not do, and what happens when it gets it wrong.
