The Digital Personal Data Protection Act 2023 (DPDPA) is India's comprehensive data protection law that governs how organizations collect, process, store, and transfer personal data of Indian citizens. It was notified on August 11, 2023, with the DPDP Rules 2025 published on November 13, 2025, and full enforcement beginning May 13, 2027.

When does DPDPA 2023 come into full force?

DPDPA 2023 comes into full force on May 13, 2027, which is 18 months after the notification of DPDP Rules 2025 on November 13, 2025. Consent Manager registration must be completed within 12 months (by November 2026).

What are the penalties under DPDPA 2023?

DPDPA 2023 prescribes penalties up to ₹250 crore for the most severe violations including failure to implement reasonable security safeguards leading to data breaches. Lesser penalties apply for other violations such as failure to notify breaches (up to ₹200 crore) or non-compliance with data principal rights (up to ₹50 crore).

What is a Significant Data Fiduciary under DPDPA?

A Significant Data Fiduciary (SDF) is a Data Fiduciary notified by the Central Government based on factors like volume and sensitivity of personal data processed, risk to data principal rights, potential impact on sovereignty and integrity of India, and risk to electoral democracy. SDFs have additional obligations including appointing a Data Protection Officer and conducting Data Protection Impact Assessments.

What are Data Principal rights under DPDPA 2023?

Under DPDPA 2023, Data Principals have the right to: access information about their personal data being processed, request correction and erasure of data, grievance redressal, nominate another person to exercise rights in case of death or incapacity, and withdraw consent at any time with the same ease as giving consent.

How does DPDPA handle cross-border data transfers?

DPDPA 2023 adopts a blacklist approach for cross-border data transfers. Personal data can be transferred to any country except those specifically restricted by the Central Government through notification. This is different from GDPR's adequacy-based whitelist approach.

How much is DPDPA penalty?

DPDPA penalties range from ₹10,000 to ₹250 crore depending on the violation. The maximum penalty of ₹250 crore applies to failure to implement reasonable security safeguards resulting in data breaches. Failure to notify breaches can attract up to ₹200 crore, while non-compliance with data principal rights can result in penalties up to ₹50 crore.

What is 72 hour breach notification under DPDPA?

Under DPDPA 2023 and DPDP Rules 2025, Data Fiduciaries must provide a detailed breach report to the Data Protection Board within 72 hours of becoming aware of a personal data breach. The initial intimation must be given without unreasonable delay. The 72-hour report must include breach details, affected data principals, and remedial measures taken.

Is DPDPA applicable to foreign companies?

Yes, DPDPA 2023 has extraterritorial applicability. It applies to processing of personal data outside India if such processing is in connection with offering goods or services to Data Principals in India. Foreign companies processing Indian citizens' data must comply with DPDPA requirements.

How to become a Consent Manager under DPDPA?

To become a registered Consent Manager under DPDPA, you must apply to the Data Protection Board of India. Requirements include: being incorporated in India, having adequate technical and organizational capacity, maintaining an accessible and interoperable platform, and meeting prescribed capital and infrastructure requirements. Registration deadline is 12 months from DPDP Rules notification (by November 2026).

What is verifiable parental consent under DPDPA?

Verifiable parental consent under DPDPA means obtaining consent from a parent or lawful guardian before processing personal data of children (persons below 18 years). The verification mechanism must reasonably ensure that the person giving consent is the child's parent or guardian. Processing children's data without verifiable parental consent is prohibited.

What documents are needed for DPDPA compliance?

Key documents for DPDPA compliance include: Privacy Notice, Consent Records, Data Processing Register, Data Protection Impact Assessments (for SDFs), Breach Response Plan, Data Principal Rights Procedures, Vendor/Data Processor Agreements, Cross-border Transfer Assessments, Training Records, and Audit Reports. SDFs must also maintain DPO appointment documentation.

Back to Compliance Playbook

Procedural Guide

Handling Data Principal Rights Requests

A procedural framework for Data Fiduciaries to respond to Data Principal rights requests under Sections 11 to 14 of DPDPA 2023, including access, correction, and erasure rights.

Statutory Foundation

Sections 11 to 14 of DPDPA 2023 establish the rights of Data Principals including the right to access information, right to correction and erasure, right to grievance redressal, and right of nomination.

Rule 6 of DPDP Rules 2025 prescribes the timelines, procedures, and format for responding to Data Principal requests.

Data Principal Rights

Right to Access (Section 11)

Data Principals may request summary of personal data being processed and the processing activities undertaken by the Data Fiduciary.

Summary of data and processing activities

Right to Correction (Section 12)

Data Principals may request correction of inaccurate or misleading personal data, completion of incomplete data, and updating of personal data.

Correction, completion, updating of data

Right to Erasure (Section 12)

Data Principals may request erasure of personal data where consent has been withdrawn and continued retention is not required for the specified purpose.

Deletion of data no longer required

Right to Grievance Redressal (Section 13)

Data Principals may lodge grievances with the Data Fiduciary regarding any act or omission of the Data Fiduciary in relation to their personal data.

Complaint about processing activities

Right of Nomination (Section 14)

Data Principals may nominate an individual to exercise their rights in the event of death or incapacity.

Nomination for posthumous rights exercise

Response Procedure

Receipt and Logging

Upon receipt of a request, log the request with unique identifier, date of receipt, nature of request, and contact details of the Data Principal. Issue acknowledgment.

Identity Verification

Verify the identity of the requestor to ensure the request is from the Data Principal or their authorised nominee. The verification process must not be unduly burdensome.

Request Assessment

Assess whether the request is valid, complete, and within the scope of rights under DPDPA. Identify any applicable exemptions that may limit the obligation to comply.

Data Retrieval

Search all relevant systems to identify personal data relating to the Data Principal. Document the search scope and methodology for audit purposes.

Third Party Notification

Where personal data has been disclosed to third parties and correction or erasure is required, notify those third parties of the request unless disproportionately difficult.

Execute Request

For access requests, prepare summary of data and processing. For correction requests, update records. For erasure requests, delete data from all systems including backups.

Response Communication

Communicate the outcome to the Data Principal within the prescribed timeline. Where request cannot be fulfilled, provide reasons and information about further recourse.

Documentation

Maintain complete records of the request, assessment, actions taken, and response. Retain documentation for the period prescribed for audit and compliance purposes.

Response Timelines

Request Type	Timeline	Extension
Access Request	Within prescribed period	As permitted by Rules
Correction Request	Within prescribed period	As permitted by Rules
Erasure Request	Within prescribed period	As permitted by Rules
Grievance	Within prescribed period	As permitted by Rules

Grounds for Declining Requests

A request may be declined in the following circumstances:

• The request is manifestly unfounded or excessive
• Compliance would require disproportionate effort
• Retention is required for legal compliance or legitimate purpose
• Disclosure would adversely affect the rights of other individuals
• Processing is exempt under Section 17 (State security, legal proceedings, etc.)
• Identity of requestor cannot be verified

Where a request is declined, the Data Fiduciary must provide clear reasons and inform the Data Principal of their right to make a complaint to the Board.

Non Compliance Consequences

Penalty for Non Compliance

Failure to comply with Data Principal rights requests may attract a penalty of up to ₹50 crore per instance under Section 33 of DPDPA 2023.

Disclaimer

This guidance is provided for informational purposes and does not constitute legal advice. Specific timelines and procedures may be further specified by the DPDP Rules 2025. Organisations should establish documented procedures reviewed by qualified legal counsel.