Act Overview
The Digital Personal Data Protection Act, 2023 (DPDP Act) is India’s comprehensive data protection law that aims to protect the digital personal data of individuals while enabling legitimate uses of such data. The Act establishes a framework for the processing of digital personal data, recognizing both the right of individuals to protect their personal data and the need to process such data for lawful purposes.
The legislation balances individual privacy rights with the practical needs of businesses and government entities to process data. It introduces key concepts such as Data Fiduciary, Data Principal, Data Processor, and establishes the Data Protection Board of India as the regulatory authority.
- Act Passed: August 2023
- 7 Chapters, 44 Sections
- Maximum Penalty: ₹250 Cr
Key Principles of DPDP Act

Lawfulness of Processing
Personal data must be processed for a lawful purpose with valid consent from the data principal.

Purpose Limitation
Data should only be processed for specified, explicit, and legitimate purposes.

Data Minimization
Only collect data that is necessary and adequate for the specified purpose.

Accuracy
Ensure personal data is accurate and kept up to date where necessary.

Storage Limitation
Retain data only for as long as necessary for the processing purpose.

Accountability
Data fiduciaries must be able to demonstrate compliance with the Act.
Rights of Data Principals
Individuals (Data Principals) are granted several rights under the DPDP Act to ensure control over their personal data:
- Right to access personal data
- Right to correction of inaccurate data
- Right to erasure (right to be forgotten)
- Right to data portability
- Right to grievance redressal
- Right to nominate (in case of death or incapacity)
Obligations of Data Fiduciaries
Organizations processing personal data (Data Fiduciaries) must fulfill several obligations:

Obtain Valid Consent
Consent must be free, specific, informed, unconditional and unambiguous, given through a clear affirmative action.

Implement Security Measures
Put in place reasonable security safeguards to prevent data breaches and unauthorized access.

Respond to Data Principal Requests
Address requests for access, correction, and erasure within specified timelines.

Report Data Breaches
Notify the Data Protection Board and affected individuals in case of a breach.

Appoint Data Protection Officer
Significant data fiduciaries must appoint a Data Protection Officer and conduct regular audits.

Maintain Processing Records
Keep detailed records of data processing activities and consent obtained.
Penalties for Non-Compliance
The Data Protection Board can impose significant financial penalties for violations.
Frequently Asked Questions
Who does the DPDP Act apply to?
What is considered 'personal data' under DPDP Act?
What are the key differences between DPDP Act and GDPR?
When did the DPDP Act come into effect?
What is a Data Fiduciary?