DPDP Act — India’s Data Protection Law

What is the DPDP Act?

The Digital Personal Data Protection Act (DPDP) is India’s comprehensive data protection legislation, enacted in 2023. It governs how personal data is collected, processed, and stored—protecting citizen privacy while enabling digital innovation.

Key Definitions

Personal Data

  • Any information that can identify an individual
  • Includes: Name, phone, email, biometrics, location
  • Even online identifiers: IP addresses, cookies

Data Fiduciary

  • Organization: Determines purpose of processing
  • Examples: Companies, apps, websites
  • Obligations: Must protect data

Data Principal

  • Individual: Whose data is being processed
  • Rights Holder: You have rights over your data

Your Rights as a Citizen

Data Rights

  1. Access: Get copy of your data held
  2. Correction: Fix inaccurate data
  3. Erasure: Request deletion (“right to be forgotten”)
  4. Portability: Transfer data to another service
  5. Grievance: File complaints

How to Exercise

  • Submit request to data fiduciary
  • The fiduciary must respond within the prescribed timeline
  • Can escalate to Data Protection Board

Obligations for Businesses

  • Explicit Consent: Clear, specific permission
  • Purpose Limitation: Only for stated reason
  • Withdrawal: Must be as easy as giving consent
  • Children’s Data: Parental consent required (<18)

Data Fiduciary Duties

  • Purpose Limitation: Process only for stated purpose
  • Data Accuracy: Keep data accurate
  • Security: Reasonable safeguards
  • Breach Notification: Notify affected individuals and the Board
  • Data Retention: Delete when no longer needed

Exemptions

Government Exemptions

  • National Security: For defense, security
  • Legal Proceedings: Court cases
  • Regulatory Functions: RBI, SEBI powers

Other Exemptions

  • Research: Anonymized data
  • Employment: Employee records
  • Emergency: Life-threatening situations

Data Protection Board

Structure

  • Chairperson: Appointed by Central Government
  • Members: 2-6 technical/financial experts
  • Powers: Enforcement, penalties, appeals

Functions

  • Grievance Redressal: Handle complaints
  • Compliance Audits: Check organizations
  • Cross-Border Transfers: Approve agreements

Penalties

  • Minor Breach: ₹50,000 - ₹5 crore
  • Serious Breach: ₹5 crore - ₹25 crore
  • Repeated Breach: Up to ₹50 crore

Key Differences from GDPR

Aspect          DPDP Act                GDPR
Consent         Opt-in                  Opt-in
Children        <18 years               <16 years
Data Transfer   Listed countries only   Adequacy mechanism
Regulator       Board                   DPA

Cross-Border Data Transfer

Allowed Destinations

  • White-listed Countries: As notified by Government
  • Standard Contractual Clauses: Approved agreements
  • Binding Corporate Rules: Intra-group policies

India’s Position

  • No explicit “adequacy” from EU yet
  • Negotiations ongoing
  • Data localization for some sectors

Compliance Timeline

Phased Implementation

  • Phase 1: Key provisions (2024)
  • Phase 2: All obligations (2025)
  • Phase 3: Full enforcement

Who Must Comply

  • All Data Fiduciaries: Operating in India
  • Digital Platforms: Apps, websites
  • Government Bodies: Local and state

Your Data Rights in Action

Access Request Example

To: [Company Privacy Team]
Subject: Data Access Request - [Your Name]

I am requesting access to all personal data
you hold about me, including:
- Account information
- Transaction history
- Communication records
- Any third parties with whom my data has been shared

Please provide within 30 days as required by DPDP Act.

Filing a Complaint

  1. Internal: First to the organization
  2. Board: If unresolved in 30 days
  3. Appellate Tribunal: Next level
  4. High Court: Final appeal

Key Sectors Impacted

Tech Companies

  • Social Media: Must remove content on request
  • E-Commerce: Consent for data usage
  • Fintech: Aadhaar, KYC data protection

Healthcare

  • Hospital Records: Patient data protection
  • Insurance: Medical history privacy
  • Research: Anonymization requirements

Government

  • Aadhaar: UIDAI data handling
  • Service Delivery: Citizen data protection
  • Surveillance: Checks and balances

Best Practices for Citizens

Protecting Your Data

  1. Minimize Sharing: Only provide necessary data
  2. Read Policies: Understand how your data is used
  3. Revoke Consent: When no longer needed
  4. Request Deletion: Periodically clean up
  5. Use Privacy Tools: VPN, ad blockers

Red Flags

  • Excessive Permissions: Apps asking too much
  • No Opt-Out: Can’t withdraw consent
  • Unclear Purpose: No clear explanation of why the data is needed


This 101 guide is part of DPIWatch’s citizen education initiative. Last updated: March 2026.