The Digital Personal Data Protection Act 2023 (DPDPA) is India's comprehensive data protection law that governs how organizations collect, process, store, and transfer personal data of Indian citizens. It was notified on August 11, 2023, with the DPDP Rules 2025 published on November 13, 2025, and full enforcement beginning May 13, 2027.

When does DPDPA 2023 come into full force?

DPDPA 2023 comes into full force on May 13, 2027, which is 18 months after the notification of DPDP Rules 2025 on November 13, 2025. Consent Manager registration must be completed within 12 months (by November 2026).

What are the penalties under DPDPA 2023?

DPDPA 2023 prescribes penalties up to ₹250 crore for the most severe violations including failure to implement reasonable security safeguards leading to data breaches. Lesser penalties apply for other violations such as failure to notify breaches (up to ₹200 crore) or non-compliance with data principal rights (up to ₹50 crore).

What is a Significant Data Fiduciary under DPDPA?

A Significant Data Fiduciary (SDF) is a Data Fiduciary notified by the Central Government based on factors like volume and sensitivity of personal data processed, risk to data principal rights, potential impact on sovereignty and integrity of India, and risk to electoral democracy. SDFs have additional obligations including appointing a Data Protection Officer and conducting Data Protection Impact Assessments.

What are Data Principal rights under DPDPA 2023?

Under DPDPA 2023, Data Principals have the right to: access information about their personal data being processed, request correction and erasure of data, grievance redressal, nominate another person to exercise rights in case of death or incapacity, and withdraw consent at any time with the same ease as giving consent.

How does DPDPA handle cross-border data transfers?

DPDPA 2023 adopts a blacklist approach for cross-border data transfers. Personal data can be transferred to any country except those specifically restricted by the Central Government through notification. This is different from GDPR's adequacy-based whitelist approach.

How much is DPDPA penalty?

DPDPA penalties range from ₹10,000 to ₹250 crore depending on the violation. The maximum penalty of ₹250 crore applies to failure to implement reasonable security safeguards resulting in data breaches. Failure to notify breaches can attract up to ₹200 crore, while non-compliance with data principal rights can result in penalties up to ₹50 crore.

What is 72 hour breach notification under DPDPA?

Under DPDPA 2023 and DPDP Rules 2025, Data Fiduciaries must provide a detailed breach report to the Data Protection Board within 72 hours of becoming aware of a personal data breach. The initial intimation must be given without unreasonable delay. The 72-hour report must include breach details, affected data principals, and remedial measures taken.

Is DPDPA applicable to foreign companies?

Yes, DPDPA 2023 has extraterritorial applicability. It applies to processing of personal data outside India if such processing is in connection with offering goods or services to Data Principals in India. Foreign companies processing Indian citizens' data must comply with DPDPA requirements.

How to become a Consent Manager under DPDPA?

To become a registered Consent Manager under DPDPA, you must apply to the Data Protection Board of India. Requirements include: being incorporated in India, having adequate technical and organizational capacity, maintaining an accessible and interoperable platform, and meeting prescribed capital and infrastructure requirements. Registration deadline is 12 months from DPDP Rules notification (by November 2026).

What is verifiable parental consent under DPDPA?

Verifiable parental consent under DPDPA means obtaining consent from a parent or lawful guardian before processing personal data of children (persons below 18 years). The verification mechanism must reasonably ensure that the person giving consent is the child's parent or guardian. Processing children's data without verifiable parental consent is prohibited.

What documents are needed for DPDPA compliance?

Key documents for DPDPA compliance include: Privacy Notice, Consent Records, Data Processing Register, Data Protection Impact Assessments (for SDFs), Breach Response Plan, Data Principal Rights Procedures, Vendor/Data Processor Agreements, Cross-border Transfer Assessments, Training Records, and Audit Reports. SDFs must also maintain DPO appointment documentation.

Legal Comparison

DPDPA 2023 vs GDPR

A comprehensive comparative analysis of India's Digital Personal Data Protection Act, 2023 and the European Union's General Data Protection Regulation for multinational compliance planning.

Executive Summary

While both DPDPA 2023 and GDPR establish comprehensive frameworks for personal data protection, significant structural and operational differences exist. GDPR provides six legal bases for processing with broad data subject rights including portability, whereas DPDPA adopts a simplified two-basis model (consent and legitimate uses) with a narrower set of Data Principal rights.

The cross-border transfer mechanisms differ fundamentally: GDPR employs an adequacy whitelist approach requiring affirmative approval, while DPDPA adopts a blacklist approach where transfers are permitted unless specifically restricted. Organisations operating across both jurisdictions must maintain parallel compliance frameworks to satisfy both regulatory regimes.

Fundamental Structure

Aspect	DPDPA 2023 (India)	GDPR (EU)
Legislative Framework	Digital Personal Data Protection Act, 2023 with DPDP Rules, 2025	General Data Protection Regulation (EU) 2016/679 with national implementing laws
Effective Date	Full enforcement: 13th May 2027 (18 months from Rules notification)	25th May 2018
Regulatory Authority	Data Protection Board of India (DPBI)	National Supervisory Authorities + European Data Protection Board (EDPB)
Primary Terminology	Data Fiduciary, Data Principal, Data Processor	Data Controller, Data Subject, Data Processor

Territorial Scope

Aspect	DPDPA 2023 (India)	GDPR (EU)
Domestic Application	Processing of digital personal data within India	Processing by establishments in EU regardless of where processing occurs
Extraterritorial Reach	Applies to processing outside India if offering goods/services to Data Principals in India	Applies to non-EU entities offering goods/services to EU residents or monitoring their behaviour
Representative Requirement	Not explicitly mandated for foreign entities	Mandatory EU representative for non-EU controllers/processors

Lawful Bases for Processing

Aspect	DPDPA 2023 (India)	GDPR (EU)
Number of Legal Bases	Two primary: Consent and Legitimate Uses (Section 7)	Six legal bases under Article 6(1)
Legitimate Interest	Not recognised as standalone basis; replaced by enumerated "Legitimate Uses"	Legitimate interest is a flexible legal basis requiring balancing test
Contract Performance	Subsumed under Legitimate Uses for employment and specified purposes	Distinct legal basis under Article 6(1)(b)
Legal Obligation	Covered under Legitimate Uses	Separate legal basis under Article 6(1)(c)

Consent Requirements

Aspect	DPDPA 2023 (India)	GDPR (EU)
Standard	Free, specific, informed, unconditional, unambiguous with clear affirmative action	Freely given, specific, informed, unambiguous indication by statement or clear affirmative action
Withdrawal	Must be as easy as giving consent; withdrawal does not affect prior lawful processing	Must be as easy to withdraw as to give; prior processing remains lawful
Children's Consent	Verifiable parental consent required for all children (under 18 years)	Parental consent for children under 16 (Member States may lower to 13)
Bundled Consent	Prohibited; consent must be specific to each processing purpose	Discouraged; granularity required under recitals

Data Principal/Subject Rights

Aspect	DPDPA 2023 (India)	GDPR (EU)
Right to Access	Section 11: Summary of personal data and processing activities	Article 15: Comprehensive access including copy of data
Right to Correction	Section 12: Correction, completion, updating of inaccurate data	Article 16: Rectification of inaccurate personal data
Right to Erasure	Section 13: Erasure when consent withdrawn or purpose fulfilled	Article 17: "Right to be forgotten" with broader grounds
Right to Portability	Not explicitly provided	Article 20: Receive data in structured, machine-readable format
Right to Object	Not explicitly provided as separate right	Article 21: Object to processing including for direct marketing
Right to Restrict Processing	Not explicitly provided	Article 18: Restriction of processing in specified circumstances
Right Against Automated Decisions	Limited provisions; detailed rules awaited	Article 22: Right not to be subject to solely automated decisions including profiling

Penalties & Enforcement

Aspect	DPDPA 2023 (India)	GDPR (EU)
Maximum Penalty	₹250 crore (approximately €27 million) per contravention	€20 million or 4% of global annual turnover, whichever is higher
Penalty for Breach of Children's Data	Up to ₹200 crore	Up to €20 million or 4% of turnover
Penalty Calculation	Fixed maximum amounts in Schedule; factors include nature, gravity, mitigation efforts	Percentage of turnover allows scaling to organisation size
Criminal Sanctions	Not provided under DPDPA	Member States may impose criminal penalties

Data Protection Officer

Aspect	DPDPA 2023 (India)	GDPR (EU)
Mandatory Appointment	Required only for Significant Data Fiduciaries	Required for public authorities, large-scale monitoring, special categories
Qualifications	Senior management, India resident, professional competence in data protection	Expert knowledge of data protection law and practices
Independence	Must not be removed/penalised for performing functions	Independent position, reports to highest management level
Registration	Contact details published by Data Fiduciary	Contact details communicated to Supervisory Authority

Cross-Border Transfers

Aspect	DPDPA 2023 (India)	GDPR (EU)
Default Position	Permitted to all countries except those notified on blacklist	Prohibited unless adequate safeguards or derogations apply
Adequacy Mechanism	Blacklist approach: Government notifies restricted countries	Whitelist approach: Commission issues adequacy decisions
Standard Contractual Clauses	Not currently mandated; may be prescribed	Primary transfer mechanism for non-adequate countries
Binding Corporate Rules	Not provided for	Available for intra-group transfers

Breach Notification

Aspect	DPDPA 2023 (India)	GDPR (EU)
Notification to Authority	Two-stage: Initial intimation + detailed report within 72 hours	Without undue delay, not later than 72 hours (where feasible)
Notification to Data Subjects	As directed by Data Protection Board	When breach likely to result in high risk to rights and freedoms
Documentation	Prescribed form with 14 mandatory particulars	Document all breaches including facts, effects, remedial action

Key Takeaways for Multinational Organisations

DPDPA Advantages

• Simplified legal bases reduce complexity
• Blacklist approach facilitates cross-border transfers
• Fixed penalty caps provide predictability
• DPO required only for Significant Data Fiduciaries

GDPR Advantages

• Broader data subject rights including portability
• Legitimate interest provides processing flexibility
• Established adequacy framework with 14+ countries
• Comprehensive automated decision-making protections

DPDPA vs CCPA →

Compare with California privacy law

DPDPA vs IT Act →

Evolution from IT Act 2000

Tool

Compliance Diagnostic →

Assess your DPDPA readiness

Legal Disclaimer: This comparison is provided for educational purposes and does not constitute legal advice. The analysis reflects the legislative position as of the DPDP Rules, 2025 notification dated 13th November 2025. Organisations should obtain jurisdiction-specific legal counsel for compliance implementation.