Comprehensive reference guide to India's data protection legislation, its provisions, obligations, rights, and regulatory framework under DPDPA 2023 and DPDP Rules, 2025.
The Digital Personal Data Protection Act, 2023 (DPDPA) is India's primary legislation governing the processing of digital personal data. Enacted in August 2023, it establishes rights of individuals (Data Principals) and obligations of entities processing their data (Data Fiduciaries and Data Processors).
The Act applies to the processing of digital personal data within India, whether the data is collected in digital form or collected in non-digital form and subsequently digitised. It also applies to processing outside India if such processing is in connection with any activity related to offering goods or services to Data Principals within India.
The legislation comprises 44 sections covering definitions, rights, obligations, exemptions, the constitution of the Data Protection Board, penalties, and procedural provisions. It is supplemented by the DPDP Rules, 2025, which provide the operational details for implementation.
The Data Protection Board of India is the regulatory authority constituted under Section 19 of the Act. The Board consists of a Chairperson and other members appointed by the Central Government.
The Board has powers to inquire into violations, issue directions, impose penalties, conduct audits, and adjudicate disputes. It may also issue codes of practice and undertake measures to create awareness about data protection rights and obligations.
Essential sections of DPDPA 2023 governing data protection obligations
Data Fiduciaries must obtain valid consent before processing personal data. Consent must be free, specific, informed, unconditional, and unambiguous with clear affirmative action.
Data Fiduciaries must notify the Data Protection Board and affected Data Principals of any breach that may cause harm. Notification timeline and procedures are specified in DPDP Rules.
Special provisions for processing personal data of children below 18 years. Requires verifiable parental consent and prohibits tracking, behavioral monitoring, or targeted advertising.
Data Principals have rights to access information about processing, correction and erasure of personal data, grievance redressal, and nomination for post-mortem data management.
Data Fiduciaries must implement reasonable security safeguards, maintain accuracy, ensure completeness of data, and erase data when retention is no longer necessary.
Data Processors process personal data on behalf of Data Fiduciaries under contract. They must maintain records, implement security measures, and assist in breach management.
Understanding the terminology used in DPDPA 2023
Data Fiduciary: Any person who alone or in conjunction with others determines the purpose and means of processing personal data.
Examples: Companies, organizations, and government entities that collect and use personal data
Data Principal: The individual to whom the personal data relates, that is, the natural person whose data is being processed.
Examples: Customers, users, employees, and citizens whose personal information is collected
Data Processor: Any person who processes personal data on behalf of a Data Fiduciary, excluding employees of the Data Fiduciary.
Examples: Third-party service providers, cloud storage vendors, analytics platforms
Personal Data: Any data about an individual who is identifiable by or in relation to such data, including online identifiers and metadata.
Examples: Name, email, phone number, Aadhaar number, IP address, device ID, location data
Processing: A wholly or partly automated operation performed on personal data, including collection, recording, organization, structuring, storage, adaptation, retrieval, use, alignment, combination, restriction, erasure, or destruction.
Examples: Collecting user data, storing it in databases, analyzing it for insights, sharing it with partners
Consent Manager: A Data Fiduciary registered with the Board that enables Data Principals to give, manage, review, and withdraw consent through an interoperable platform.
Examples: Platforms that centrally manage user consent across multiple services and organizations
Different types of personal data and their protection requirements
Basic Personal Data: Basic identifiable information about individuals, including name, contact details, and demographic information.
Examples: Name, email, phone, address, date of birth
Children's Data: Personal data of individuals below 18 years of age, requiring enhanced protection and verifiable parental consent.
Examples: School records, online activity of minors, preferences
Financial Data: Information related to financial accounts, transactions, credit history, and payment instruments.
Examples: Bank account, card details, transaction history, credit score
Health Data: Medical records, health conditions, treatment information, genetic data, and biometric health metrics.
Examples: Medical history, prescriptions, test reports, DNA data
Biometric Data: Physical or behavioral characteristics unique to an individual that are used for identification purposes.
Examples: Fingerprints, facial recognition, iris scans, voice patterns
Location Data: Real-time or historical geographic location information about individuals, obtained through devices or services.
Examples: GPS coordinates, IP addresses, cell tower data, movement patterns
Financial penalties under DPDPA 2023 for non-compliance
Failure to implement reasonable security safeguards, processing children's personal data without the required consent, retaining data beyond necessity, or violating Data Principal rights.
Not notifying the Data Protection Board of personal data breaches that may cause harm to Data Principals within prescribed timelines.
Failure to comply with directions of the Data Protection Board, furnish information, or provide access for audits and investigations.
Continuing failure to remedy non-compliance after being directed to do so by the Board. The penalty accrues daily until compliance is achieved.
Important Note on Penalties:
Penalties are imposed by the Data Protection Board after due inquiry and an opportunity of being heard. The quantum of the penalty takes into account factors including the nature of the personal data involved, the nature and gravity of the breach, whether the breach is repetitive, any financial gains from the breach, and the degree of harm caused to Data Principals.
Key milestones in the enactment and enforcement of DPDPA
The Digital Personal Data Protection Act, 2023 received Presidential assent and was published in the Official Gazette.
The DPDP Rules, 2025 were published on 13th November, 2025.
The Data Protection Board of India is to be constituted with a Chairperson and members, and will exercise the powers conferred under the Act.
The Digital Personal Data Protection Act, 2023 and the DPDP Rules, 2025 came into effect on 13th November, 2025. Organizations must ensure compliance with all applicable provisions.
Scenarios where DPDPA provisions may not apply or are modified
This page provides an overview of DPDPA 2023 and DPDP Rules, 2025. For complete legal text and official notifications, refer to the Government of India Gazette and Ministry of Electronics and Information Technology website.