The DPDP Act 2023 (Digital Personal Data Protection Act, 2023) is India’s landmark legislation governing the collection, storage, processing, and protection of digital personal data. The Act seeks to balance an individual’s fundamental right to privacy with the need for organizations to process data for lawful and legitimate purposes.
Evolution of the DPDP Act 2023
- 2017 — The Supreme Court of India recognized the Right to Privacy as a fundamental right.
- 2018–2022 — Multiple drafts of the Personal Data Protection Bill were introduced and opened for public consultation.
- 2023 — The Digital Personal Data Protection Bill was passed by Parliament and received Presidential Assent on 11 August 2023, officially becoming the Digital Personal Data Protection Act, 2023.
Scope & Applicability
The DPDP Act applies to:
- The processing of digital personal data within the territory of India, where the personal data is collected:
  - In digital form
  - In non-digital form which is later digitised
- The processing of digital personal data outside the territory of India.
The Act does not apply to:
- Personal data processed by an individual for a domestic purpose.
- Personal data that is made or caused to be made publicly available by:
  - The Data Principal
  - An Authorised Person
Personal Data:
The Digital Personal Data Protection Act, 2023 defines “Personal Data” as any data about an individual who is identifiable by or in relation to such data.
Notice Requirements for the Data Principal (DP)
The following guidelines must be adhered to when providing a Notice to the Data Principal:
- Language and Format
  - The Notice must be provided directly to the Data Principal.
  - It must be presented in clear and plain language.
  - The Data Principal must be given the option to access the contents in English or any of the 22 languages specified in the 8th Schedule of the Constitution of India.
- Mandatory Contents
  The Notice must explicitly contain the following key information:
  - PD and Purpose: A description of the Personal Data (PD) sought to be collected and the specific purpose for its processing.
  - Rights Exercise: The manner in which the DP may exercise their right to withdraw consent and their right to grievance redressal.
  - Complaint Procedure: The manner in which the DP may file a complaint with the Data Protection Board (“Board”).
- Compliance for Existing Consent
  For any existing consent obtained prior to enforcement of the DPDP Act 2023 and its Rules, a fresh Notice must be issued in accordance with the notified DPDP Rules within the timelines prescribed by the Government.
Consent
Principles of Consent Withdrawal
The Data Principal (DP) has the right to withdraw their consent, and the process must adhere to the following three key principles:
Cross-Border Transfer of Personal Data (PD)
| Regulatory Point | Detail |
|---|---|
| General Rule | No overall ban on cross-border transfer of Personal Data. |
| Restriction Mechanism | The Central Government will designate (blacklist) specific countries or territories where personal data transfers are restricted. |
| Overriding Laws | Compliance with other applicable laws (for example, data localization requirements for payments data) remains mandatory. |
Impact:
- Update Policies: Review and revise policies to align with potential country-based restrictions.
- Monitor Blacklist: Ensure no PD is transferred to designated restricted countries.
- Address Sector-Specific Needs: Strictly adhere to sector-specific mandates (e.g., RBI rules prohibiting the transfer of certain financial data outside India).
Processing Personal Data of Children and Persons with Disabilities
| Requirement | Specific Obligation |
|---|---|
| Consent | Verifiable consent must be obtained from the parent or lawful guardian prior to processing. |
| Well-being | Personal Data must not be processed in any manner that is detrimental to the child’s well-being. |
| Prohibited Activities | Behavioural monitoring and targeted advertising directed specifically at children are prohibited. |
| Account Creation | User accounts may only be created for individuals aged 18 years and above. |
| Exemptions | The Central Government may exempt specific Data Fiduciaries if their processing is demonstrably safe for the child. |
Impact:
- Heightened Protection: The regulation introduces an additional layer of protection for vulnerable groups.
- Policy Alignment: Companies must revise internal policies on monitoring and processing to align with the new restrictions on children’s data.
General Obligations
- Baseline Compliance: Data Fiduciaries must comply with all obligations—such as notice and consent—regardless of whether the Data Principal fulfils their duties.
- Integrity of Personal Data: Reasonable efforts must be made to ensure PD is accurate and complete when it may influence decisions affecting the Data Principal or be shared with another DF.
- Technical and Organisational Measures: DFs must implement appropriate measures to ensure compliance.
- Security of PD: DFs must safeguard personal data through reasonable security measures to prevent personal data breaches.
- Data Retention: PD must be deleted upon withdrawal of consent, or once the purpose of processing is reasonably assumed to have been fulfilled—whichever is earlier.
Obligations Relating to Personal Data Breaches
In addition to the Board's power to direct urgent remedial measures in the event of a breach, Data Fiduciaries must:
- Ensure the accuracy of personal data
- Prevent personal data breaches and notify them when they occur
- Retain personal data only for as long as required
- Publish the contact details of the person responsible for handling Data Principal requests
- Develop an effective grievance redressal mechanism
A personal data breach includes compromise of confidentiality, integrity, or availability through:
- Unauthorised processing
- Accidental disclosure
- Accidental acquisition
- Accidental sharing
- Accidental use
- Accidental alteration
- Accidental destruction or loss of access
Data Fiduciaries (DFs) and Data Processors must implement reasonable security safeguards to prevent personal data breaches.
Impact:
Companies must notify the Data Protection Board and affected Data Principals of every personal data breach and submit a detailed breach report within the prescribed timeline as per the DPDP Rules.
Obligations Relating to Significant Data Fiduciaries (SDFs)
Factors considered in designating an SDF are:
- The volume and sensitivity of personal data processed
- Risks to the rights of Data Principals
- Potential impact on the sovereignty and integrity of India
- Risk to electoral democracy
- Security of the State
- Public order
Obligations of SDFs:
- Appoint a Data Protection Officer (DPO) based in India.
- Publish the DPO’s contact details on the company website.
- Ensure the DPO reports directly to the Board of Directors.
- DPO will act as the single point of contact for grievance redressal.
- Appoint an Independent Data Auditor to assess compliance.
- Conduct Data Protection Impact Assessments (DPIAs).
Impact:
- Companies may be classified as Significant Data Fiduciaries (SDFs) based on the volume and sensitivity of the personal data they process.
- Once designated as an SDF, companies must comply with the additional obligations outlined above.
Exemptions:
Rights of the data principal and obligations of data fiduciaries (except data security) will not apply in specified cases. These include:
- Prevention and investigation of offences, and
- Enforcement of legal rights or claims.
Rights of Data Principals
- Right to Access information about the processing of their PD
- Right to Correction, Completion, Updating, and Erasure of personal data
- Right to Grievance Redressal
- Right to Nominate another person in the event of death or incapacity
Roles of Data Fiduciaries
- Appoint a Data Protection Officer
- Appoint an Independent Data Auditor to evaluate compliance of Significant Data Fiduciaries
- Undertake Periodic Data Audits
- Conduct Periodic Data Protection Impact Assessments, including:
- Assessing risks to Data Principals
- Evaluating the purpose and scope of processing
- Managing identified risks
- Other prescribed components of DPIA
Data Protection Board
The Data Protection Board of India has been notified by the Central Government and is being operationalised in a phased manner as per the DPDP Rules.
Powers
- Conduct inquiries
- Impose penalties
- Advise the Government on blocking information
- Issue interim orders
- Exercise powers equivalent to a civil court
Functions
- Inquire into non-compliance based on complaints, notifications, or referrals by the Central Government
- No suo motu power
- Direct Data Fiduciaries to adopt urgent or remedial measures in case of breaches
- Issue directions necessary to discharge its functions
Appeal Flow
Board → TDSAT → Supreme Court (only on substantial questions of law)
Civil courts cannot entertain suits or proceedings under the Act; however, remedies such as writs remain available.
Voluntary Undertaking & Alternate Dispute Resolution
Voluntary Undertaking
- During proceedings before the Board, a person may submit a voluntary undertaking to comply.
- Once accepted, this bars further proceedings relating to the same matter.
- Failure to comply attracts penalties.
- A voluntary undertaking may include:
- Performing specific actions within a specified time
- Refraining from certain activities
- Publishing the undertaking
Impact:
- Encourages resolution through mediation, reducing costs and delays.
- Entities facing complaints before the Board may submit a voluntary undertaking, which prevents further proceedings on that matter.
Penalties
The Data Protection Board decides penalties based on how serious the violation is, how long it lasted, what kind of personal data was involved, and what steps were taken to fix the issue.
| Type of Violation | Maximum Penalty |
|---|---|
| Weak or missing security safeguards | Up to ₹250 crore |
| Not reporting a personal data breach | Up to ₹200 crore |
| Violating children’s data processing rules | Up to ₹200 crore |
| Significant Data Fiduciary (SDF) failing additional obligations | Up to ₹150 crore |
| Other general / residual violations | Up to ₹50 crore |
Recent Updates
On 13 November 2025, the Ministry of Electronics and Information Technology (MeitY) officially notified the Digital Personal Data Protection Rules, 2025, thereby operationalising the DPDP Act, 2023. The Data Protection Board of India (DPBI) has been formally notified, and implementation will follow a phased approach.
- Consent Manager framework will be effective from November 2026.
- Core compliance obligations (notice, consent, security safeguards, breach reporting, data rights, retention, and children’s data protection) will become fully enforceable from May 2027.
All organizations, including private companies, government bodies, MSMEs, and digital platforms, must prepare for compliance as per the phased rollout.
Disclaimer:
This document summarizes the DPDP Act 2023 and the Digital Personal Data Protection Rules, 2025, for informational purposes only. It does not constitute legal advice.