DPDP Act — India's Data Protection Law

What is the DPDP Act?

The Digital Personal Data Protection Act (DPDP) is India’s comprehensive data protection legislation, enacted in 2023. It governs how personal data is collected, processed, and stored—protecting citizen privacy while enabling digital innovation.

Key Definitions

Personal Data
- Any information that can identify an individual
- Includes: Name, phone, email, biometrics, location
- Even online identifiers: IP addresses, cookies

Data Fiduciary
- Organization: Determines purpose of processing
- Examples: Companies, apps, websites
- Obligations: Must protect data

Data Principal
- Individual: Whose data is being processed
- Rights Holder: You have rights over your data

Your Rights as a Citizen

Data Rights
- Access: Get copy of your data held
- Correction: Fix inaccurate data
- Erasure: Request deletion (“right to be forgotten”)
- Portability: Transfer data to another service
- Grievance: File complaints

How to Exercise
1. Submit request to data fiduciary
2. Must respond within specific timeline
3. Can escalate to Data Protection Board

Obligations for Businesses

Consent Requirements
- Explicit Consent: Clear, specific permission
- Purpose Limitation: Only for stated reason
- Withdrawal: Must be as easy as giving consent
- Children’s Data: Parental consent required (<18)

Data Fiduciary Duties
- Purpose Limitation: Process only for stated purpose
- Data Accuracy: Keep data accurate
- Security: Reasonable safeguards
- Breach Notification: Notify affected individuals + Board
- Data Retention: Delete when no longer needed

Exemptions

Government Exemptions
- National Security: For defense, security
- Legal Proceedings: Court cases
- Regulatory Functions: RBI, SEBI powers

Other Exemptions
- Research: Anonymized data
- Employment: Employee records
- Emergency: Life-threatening situations

Data Protection Board

Structure
- Chairperson: Appointed by Central Government
- Members: 2-6 technical/financial experts
- Powers: Enforcement, penalties, appeals

Functions
- Grievance Redressal: Handle complaints
- Compliance Audits: Check organizations
- Cross-Border Transfers: Approve agreements

Penalties
- Minor Breach: ₹50,000 - ₹5 crore
- Serious Breach: ₹5 crore - ₹25 crore
- Repeated Breach: Up to ₹50 crore

Key Differences from GDPR

| Aspect | DPDP Act | GDPR |
|---|---|---|
| Consent | Opt-in | Opt-in |
| Children | <18 years | <16 years |
| Data Transfer | Listed countries only | Adequacy mechanism |
| Regulator | Board | DPA |

Cross-Border Data Transfer

Allowed Destinations
- White-listed Countries: As notified by Government
- Standard Contractual Clauses: Approved agreements
- Binding Corporate Rules: Intra-group policies

India’s Position
- No explicit “adequacy” from EU yet
- Negotiations ongoing
- Data localization for some sectors

Compliance Timeline

Phased Implementation
- Phase 1: Key provisions (2024)
- Phase 2: All obligations (2025)
- Phase 3: Full enforcement

Who Must Comply
- All Data Fiduciaries: Operating in India
- Digital Platforms: Apps, websites
- Government Bodies: Local and state

Your Data Rights in Action

Access Request Example

    To: [Company Privacy Team]
    Subject: Data Access Request - [Your Name]

    I am requesting access to all personal data you hold about me,
    including:
    - Account information
    - Transaction history
    - Communication records
    - Any third parties with whom shared

    Please provide within 30 days as required by DPDP Act.

Filing a Complaint
1. Internal: First to the organization
2. Board: If unresolved in 30 days
3. Appellate Tribunal: Next level
4. High Court: Final appeal

Key Sectors Impacted

Tech Companies
- Social Media: Must remove content on request
- E-Commerce: Consent for data usage
- Fintech: Aadhaar, KYC data protection

Healthcare
- Hospital Records: Patient data protection
- Insurance: Medical history privacy
- Research: Anonymization requirements

Government
- Aadhaar: UIDAI data handling
- Service Delivery: citizen data protection
- Surveillance: Checks and balances

Best Practices for Citizens

Protecting Your Data
- Minimize Sharing: Only provide necessary data
- Read Policies: Understand how data used
- Revoke Consent: When no longer needed
- Request Deletion: Periodically clean up
- Use Privacy Tools: VPN, ad blockers

Red Flags
- Excessive Permissions: Apps asking too much
- No Opt-Out: Can’t withdraw consent
- Unclear Purpose: Why they need data unclear

Prime References
- DPDP Act 2023 - Full text
- MeitY DPDP - Implementation
- Data Protection Board - Complaints

This 101 guide is part of DPIWatch’s citizen education initiative. Last updated: March 2026.

January 1, 2025 · 3 min · 616 words