
DPDPA Basics & Definitions
1 What is the Digital Personal Data Protection Act (DPDPA), 2023?

The Digital Personal Data Protection Act, 2023 is India's comprehensive data protection legislation that governs the processing of digital personal data. It establishes a legal framework for data collection, storage, and processing while empowering individuals with rights over their personal data.

Key Features:

  • Applies to digital personal data processed within India
  • Has extra-territorial application for processing related to offering goods/services to Indian individuals
  • Establishes the Data Protection Board of India for enforcement
  • Prescribes penalties up to ₹250 crore for non-compliance
📅 Key Date: Passed by Parliament on August 11, 2023, with Presidential assent on the same day.
2 When did the DPDP Rules 2025 come into effect?

The DPDP Rules 2025 were officially notified on January 3, 2025, providing detailed implementation guidelines for the DPDPA 2023.

The Rules cover:

  • Format and manner of giving notice
  • Consent Manager registration and obligations
  • Security safeguards requirements
  • Breach notification procedures
  • Data Principal rights exercise process
  • Cross-border transfer conditions
  • Board functioning and procedures
3 What is "Personal Data" under DPDPA?

Under Section 2(t), "Personal Data" means any data about an individual who is identifiable by or in relation to such data.

Examples include:

  • Name, Aadhaar number, PAN, passport
  • Email address, phone number, address
  • Biometric data (fingerprints, facial recognition)
  • Financial data (bank accounts, transactions)
  • Health records and medical history
  • Online identifiers (IP address, device ID)
💡 Note: Unlike GDPR, DPDPA does not have a separate category for "sensitive personal data" - all personal data is treated similarly.
4 Who is a Data Fiduciary?

A Data Fiduciary (Section 2(i)) is any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data.

In simple terms: If your organization decides WHY and HOW personal data is collected and used, you are a Data Fiduciary.

🏢 Example: An e-commerce company collecting customer data for order fulfillment is a Data Fiduciary. The cloud provider hosting that data is a Data Processor.
5 Who is a Data Principal?

A Data Principal (Section 2(j)) is the individual to whom the personal data relates. Simply put: If it's YOUR data, YOU are the Data Principal.

Special provisions:

  • For children (under 18): Parent/lawful guardian acts as Data Principal
  • For persons with disabilities with lawful guardian: The guardian acts as Data Principal
6 What is a Data Processor?

A Data Processor (Section 2(k)) is any person who processes personal data on behalf of a Data Fiduciary.

Key differences from Data Fiduciary:

  • Follows instructions from Data Fiduciary
  • Does not determine purpose or means of processing
  • Has contractual liability, not direct DPDPA liability
🔧 Examples: Cloud service providers, payroll processing companies, CRM service providers, data analytics vendors.
7 What does "Processing" of personal data mean?

Under Section 2(x), "Processing" means any automated operation on digital personal data, including:

  • Collection and recording
  • Organisation and structuring
  • Storage and adaptation
  • Retrieval and use
  • Sharing and disclosure
  • Restriction and erasure
⚠️ Important: Even viewing personal data on a screen constitutes "processing" - the definition is extremely broad.
Data Principal Rights
13 What rights do Data Principals have under DPDPA?

Under Section 11, Data Principals have:

  • Right to Access: Know what data is being processed
  • Right to Correction: Correct inaccurate data
  • Right to Erasure: Request deletion of data
  • Right to Grievance Redressal: Complain to Data Fiduciary
  • Right to Nominate: Designate someone to act on their behalf (Section 12)
⚠️ Note: Unlike GDPR, DPDPA does NOT include right to data portability.
14 How long does a Data Fiduciary have to respond to a data access request?

Under Rule 14, Data Fiduciaries must respond within 7 days of receiving a valid request.

The response must include:

  • Summary of personal data processed
  • Processing purposes
  • Categories of data shared with third parties
15 What are the duties of Data Principals?

Under Section 13, Data Principals must:

  • Provide authentic information when exercising rights
  • Not file false or frivolous complaints
  • Not impersonate another person while providing data
  • Not suppress material information
⚠️ Penalty: Up to ₹10,000 for false complaints or frivolous applications.
Penalties & Enforcement
16 What are the penalties for non-compliance under DPDPA?

Under Section 33 and The Schedule:

  • ₹250 Crore: Failure to take reasonable security safeguards leading to data breach
  • ₹200 Crore: Failure to notify Board and Data Principal of breach
  • ₹150 Crore: Non-compliance with children's data provisions
  • ₹50 Crore: Other violations (per instance)
  • ₹10,000: False complaints by Data Principals
💡 Key Point: These are maximum caps - the actual penalty depends on the nature, gravity, and circumstances of the breach.
17 What factors are considered when imposing penalties?

The Board considers:

  • Nature, gravity, and duration of breach
  • Type of personal data affected
  • Repetitive nature of breach
  • Number of Data Principals affected
  • Actions taken to mitigate effects
  • Whether intentional or negligent
  • Compliance history of the entity
18 Is there criminal liability under DPDPA?

No. Unlike earlier drafts (2019), DPDPA 2023 does NOT prescribe criminal penalties.

Consequences are:

  • Monetary penalties only
  • Directions from Data Protection Board
  • Possible blocking of services in extreme cases
📌 Note: This was a significant change from earlier drafts which included imprisonment provisions.
Significant Data Fiduciary (SDF)
19 What is a Significant Data Fiduciary (SDF)?

A Significant Data Fiduciary is a Data Fiduciary notified by the Central Government based on:

  • Volume and sensitivity of personal data processed
  • Risk of harm to Data Principals
  • Potential impact on sovereignty, public order, security
  • Use of new technologies for processing
20 What additional obligations apply to SDFs?

Under Section 10 and Rule 13, SDFs must:

  1. Appoint a DPO: Based in India, point of contact for Board
  2. Appoint Independent Data Auditor: Evaluate compliance
  3. Conduct DPIA: Before high-risk processing
  4. Periodic Audits: Regular compliance reviews
  5. Maintain records: For 7 years
  6. Publish DPO contact: Business contact information
21 What is a Data Protection Impact Assessment (DPIA)?

A DPIA is an assessment conducted before processing activities that may pose significant risk. It should assess:

  • Nature, scope, context of processing
  • Risks to Data Principal rights
  • Mitigation measures
  • Proportionality and necessity
✅ Tip: Document DPIAs thoroughly - they're evidence of compliance and due diligence.
Children's Data Protection
22 How does DPDPA define a "child"?

Under Section 2(f), a "Child" means an individual who has not completed eighteen years of age.

🔄 GDPR Comparison: GDPR defines child as under 16 (with flexibility down to 13). India's uniform 18-year threshold is more conservative.
23 What special protections exist for children's data?

Under Section 9:

  1. Verifiable parental consent: Must obtain before processing
  2. No behavioral monitoring: Tracking children is prohibited
  3. No targeted advertising: Cannot target ads at children
  4. No harmful processing: Processing likely to cause detrimental effect on child's well-being is prohibited
⚠️ Penalty: Up to ₹150 Crore for non-compliance with children's data provisions.
24 Are there exemptions for children's data processing?

Yes, Rule 12 provides exemptions from verifiable consent for:

  • Healthcare services for children
  • Educational institutions
  • Child safety and protection services
  • Other classes as notified by Government
Data Breach & Security
25 What are the data breach notification requirements?

Under Section 8(6) and Rule 7:

Who to notify:

  • Data Protection Board of India
  • Affected Data Principals

Timeline: Within 72 hours of becoming aware of breach

Contents: Nature of breach, data affected, consequences, remediation measures, DPO contact

⚠️ Penalty: Up to ₹200 Crore for failure to notify breach.
26 What security safeguards are required?

Under Section 8(4) and Rule 6, Data Fiduciaries must implement reasonable security safeguards:

Technical Measures:

  • Encryption of data at rest and in transit
  • Access controls and authentication
  • Regular security testing
  • Incident detection systems

Organizational Measures:

  • Security policies and procedures
  • Employee training
  • Vendor management
  • Incident response plans
Cross-Border Data Transfer
27 Can personal data be transferred outside India?

Yes, with conditions. Under Section 16 and Rule 15:

  • Default: Transfer permitted to all countries
  • Negative list: Government may notify restricted countries
  • Restricted countries: Transfer prohibited unless specific approval
🔄 GDPR Comparison: DPDPA takes a permissive approach with a blacklist; GDPR takes a restrictive approach with a whitelist (adequacy decisions).
28 What is data localization under DPDPA?

DPDPA does NOT mandate blanket data localization. However:

  • Government may notify countries where transfer is restricted
  • Sectoral regulations (RBI, SEBI) may require localization for specific data types
  • Critical personal data localization may be prescribed separately
Data Protection Board of India
29 What is the Data Protection Board of India (DPBI)?

The DPBI is the regulatory body established under Section 18 to enforce DPDPA.

Key Features:

  • Digital by design - functions as "digital office"
  • Composed of Chairperson and Members
  • Independent in exercising powers

Powers:

  • Receive and handle complaints
  • Conduct inquiries
  • Impose penalties up to ₹250 crore
  • Issue directions to Data Fiduciaries
  • Register Consent Managers
30 How can Board orders be appealed?

Under Section 29:

  • Appeals lie to Telecom Disputes Settlement and Appellate Tribunal (TDSAT)
  • Must file within 60 days (extendable by 60 days)
  • TDSAT may confirm, modify, or set aside Board's order
  • Further appeal to Supreme Court on questions of law only
Exemptions & Special Provisions
31 What exemptions are available under DPDPA?

Under Section 17, exemptions include processing for:

  • National security: Sovereignty, integrity, security of India
  • Public order: Prevention of offenses
  • Legal proceedings: Enforcement of legal rights/claims
  • Research/archiving: Statistical, research purposes (with safeguards)
  • Startups: Notified startups may get relaxations
32 Is personal data for personal use exempt?

Yes! Under Section 3, DPDPA does NOT apply to:

  • Personal data processed by individuals for personal or domestic purposes
  • Personal data made publicly available by Data Principal
  • Data required by law to be made public
📱 Example: Your personal phone contacts or family photos are not covered by DPDPA.
Practical Scenarios & Compliance
33 How should companies update their privacy policies for DPDPA?

Privacy policies should be updated to include:

  • Clear statement of data collected and purposes
  • Data Principal rights under DPDPA
  • Consent withdrawal mechanism
  • Grievance redressal process
  • DPO contact information (if SDF)
  • Data retention periods
  • Cross-border transfer information
  • Complaint mechanism to Data Protection Board
34 What records should organizations maintain for DPDPA compliance?

Organizations should maintain:

  • Consent records: When, how, what consent was obtained
  • Data inventory: What personal data is processed and why
  • Data Principal requests: Access, correction, erasure requests
  • Breach records: Incidents and response actions
  • Vendor contracts: Data processing agreements
  • Training records: Employee awareness programs
  • DPIA records: For SDFs
  • Audit reports: Internal and external compliance reviews
⏰ Retention: SDFs must maintain records for 7 years per Rule 13.
35 How does DPDPA apply to employee data?

Under Section 5(b) and Rule 22, employee data processing is a Legitimate Use for:

  • Recruitment and onboarding
  • Attendance verification
  • Performance assessment
  • Salary processing
  • Termination procedures

HR Best Practices:

  • Update employment contracts with data provisions
  • Provide employee privacy notices
  • Train HR staff on data handling
  • Secure personnel files
  • Define retention periods
36 What is the relationship between DPDPA and IT Act 2000?

DPDPA supplements the IT Act. Key interactions:

  • Section 43A (IT Act): Compensation provisions amended
  • Section 72A (IT Act): Breach of confidentiality provisions continue
  • IT Rules 2011 (SPDI): Effectively superseded by DPDPA
  • Section 69A (Blocking): Continues independently
💡 Key Point: Section 38 provides that DPDPA supplements, and does not derogate from, other laws unless explicitly stated.