📚 DPDPA Fundamentals & Definitions (15 Questions)

1. What is DPDPA 2023 and why was it enacted?
Basic | Fundamentals

Model Answer:

The Digital Personal Data Protection Act, 2023 (DPDPA) is India's comprehensive data protection legislation governing digital personal data processing. It was enacted to:

  • Protect individual rights: Establish rights of data principals over their personal data
  • Address the K.S. Puttaswamy judgment: Fulfil the Supreme Court's 2017 mandate recognising privacy as a fundamental right
  • Enable digital economy: Balance data protection with legitimate business needs
  • Global harmonization: Align India's framework with international standards

Passed on August 11, 2023, it establishes the Data Protection Board of India for enforcement.

📖 Section 1 - Short Title & Commencement

2. Define "Personal Data" under DPDPA with examples.
Basic | Definitions

Model Answer:

Under Section 2(t), "Personal Data" means any data about an individual who is identifiable by or in relation to such data.

Key characteristics: The data must be digital, must relate to a natural person, and must be capable of identifying that individual.

Examples:

  • Direct identifiers: Name, Aadhaar, PAN, passport number
  • Contact info: Email, phone, address
  • Biometric: Fingerprints, facial recognition
  • Financial: Bank accounts, transactions
  • Online: IP address, device ID, cookies (when linked)
  • Employment: Employee ID, salary, performance
  • Health: Medical records, prescriptions

Note: Unlike GDPR, DPDPA has no separate "sensitive data" category.

📖 Section 2 - Definitions

3. What is the difference between Data Fiduciary and Data Processor?
Basic | Definitions

Model Answer:

Data Fiduciary (Section 2(i)): Determines the purpose and means of processing personal data - decides WHY and HOW data is processed. Has primary liability under DPDPA.

Data Processor (Section 2(k)): Processes data on behalf of Data Fiduciary - follows instructions. Has contractual liability.

Example: E-commerce company (Fiduciary) collects customer data; Cloud provider hosting that data (Processor).

Key Point: Data Fiduciary remains responsible for Data Processor's actions. Valid contract required under Section 8(2).

📖 Section 2(i) & 2(k)

4. Who is a Data Principal and what are their rights?
Basic | Rights

Model Answer:

Data Principal (Section 2(j)): The individual to whom personal data relates. If it's YOUR data, YOU are the Data Principal.

Special provisions:

  • For children (under 18): The parent or lawful guardian acts on behalf of the Data Principal
  • For persons with disabilities who have a lawful guardian: The guardian acts on their behalf

Rights under Section 11:

  • Right to access information about processing
  • Right to correction and erasure
  • Right to grievance redressal
  • Right to nominate (Section 12)

📖 Section 11 - Rights of Data Principal

5. What is a Significant Data Fiduciary (SDF)? What additional obligations apply?
Intermediate | SDF

Model Answer:

An SDF is a Data Fiduciary notified as such by the Central Government, based on factors such as the volume and sensitivity of the data processed, the risk to Data Principals, the potential impact on sovereignty and security, and the use of new technologies.

Additional Obligations (Section 10):

  1. Appoint DPO: Based in India, point of contact for Board
  2. Independent Data Auditor: Evaluate compliance
  3. DPIA: Before high-risk processing
  4. Periodic Audits: Regular compliance reviews

Per Rule 13: SDFs must publish DPO contact info, maintain records for 7 years, comply with algorithmic transparency requirements.

📖 Section 10 - Significant Data Fiduciary

6. What is the territorial scope of DPDPA?
Basic | Scope

Model Answer:

DPDPA applies to:

  1. Processing of digital personal data within India
  2. Data collected online or non-digital data subsequently digitized

Extra-territorial (Section 3(b)): Processing OUTSIDE India if connected with offering goods/services to Indian Data Principals OR profiling Data Principals in India.

Exclusions: Personal/domestic use; data made publicly available by Data Principal or required by law to be public.

Example: Foreign e-commerce company selling to Indian customers must comply even with servers abroad.

📖 Section 3 - Application
Consent & Lawful Processing (12 Questions)

7. What are the requirements for valid consent under DPDPA?
Basic | Consent

Model Answer:

Under Section 4, valid consent must satisfy the FSIUU test (Free, Specific, Informed, Unconditional, Unambiguous):

  • Free: Without coercion or undue influence
  • Specific: For particular purpose
  • Informed: Data Principal understands what they're consenting to
  • Unconditional: Not bundled with unrelated services
  • Unambiguous: Clear affirmative action

Requirements: Clear, plain language; available in 22 scheduled languages; specify data collected and purpose.

Important: Pre-ticked boxes do NOT constitute valid consent.

📖 Section 4 - Consent

8. What are "Legitimate Uses" where consent is NOT required?
Intermediate | Legitimate Uses

Model Answer:

Section 5 provides Legitimate Uses without explicit consent:

  1. Voluntary provision: Data Principal voluntarily provides for specified purpose
  2. State functions: Subsidies, benefits, services, certificates, licenses
  3. Legal obligations: Compliance with judgments, orders, or laws
  4. Medical emergencies: Threat to life/health
  5. Employment: Recruitment, verification, performance assessment (with safeguards)
  6. Public interest: Mergers, acquisitions, restructuring

Interview Tip: Unlike GDPR's 6 lawful bases, DPDPA primarily relies on consent with these exceptions.

📖 Section 5 - Legitimate Uses

9. How can a Data Principal withdraw consent?
Basic | Consent

Model Answer:

Under Section 4(6)-(7):

  • Data Principal may withdraw consent at any time
  • Withdrawal must be as easy as giving consent
  • Data Fiduciary must provide clear mechanism for withdrawal
  • Upon withdrawal, Data Fiduciary must cease processing and erase data (unless retention required by law)

Practical Implementation: Single-click unsubscribe, easily accessible settings, clear instructions, no penalties for withdrawal.

📖 Section 4(6)-(7)

10. What is a Consent Manager and how does it function?
Intermediate | Consent Manager

Model Answer:

Consent Manager (Section 2(e) & Section 14): Person registered with Data Protection Board enabling Data Principals to:

  • Give consent to multiple Data Fiduciaries through one platform
  • Manage consent - view, modify, withdraw easily
  • Track consent - maintain records

Requirements (Rule 4):

  • Registered with Data Protection Board
  • Interoperable across Data Fiduciaries
  • No conflict of interest
  • Technical and organizational safeguards
  • Net worth and financial criteria

Unique to India: Similar to Account Aggregators - no GDPR equivalent.

📖 Section 14 - Consent Manager

11. What must a Notice to Data Principal contain?
Basic | Notice

Model Answer:

Under Section 6 and Rule 3, Notice must include:

  • Personal data being collected
  • Purpose of processing
  • How Data Principal can exercise rights
  • How to make complaints to Data Protection Board

Format Requirements:

  • Clear, plain language
  • Available in English and 22 Scheduled languages
  • Standalone or with itemized description
  • Must be given before or at the time of the consent request

📖 Section 6 - Notice
⚠️ Penalties & Enforcement (10 Questions)

12. What are the major penalties under DPDPA 2023?
Basic | Penalties

Model Answer:

Under Section 33 and The Schedule, penalties include:

  • ₹250 Crore: Failure to take reasonable security safeguards leading to data breach
  • ₹200 Crore: Failure to notify Data Protection Board and Data Principal of breach
  • ₹150 Crore: Non-compliance with children's data provisions
  • ₹50 Crore: For other violations (each instance)
  • ₹10,000: False complaints or frivolous applications by Data Principals

Key Points:

  • Penalties can be imposed per instance
  • No criminal liability (unlike earlier drafts)
  • Penalties go to the Consolidated Fund of India

📖 Section 33 - Penalties

13. What factors does the Board consider while imposing penalties?
Intermediate | Penalties

Model Answer:

Under Section 33, the Board considers:

  • Nature, gravity, duration of the breach
  • Type of personal data affected
  • Repetitive nature of the breach
  • Number of Data Principals affected
  • Actions taken to mitigate effects
  • Likely gains/harm from breach
  • Whether breach was intentional or negligent
  • Entity's compliance history

Interview Tip: Unlike GDPR's turnover-based penalties, DPDPA has fixed caps but considers proportionality.

📖 Section 33

14. What are the data breach notification requirements?
Intermediate | Breach

Model Answer:

Under Section 8(6) and Rule 7:

Who to notify:

  • Data Protection Board of India
  • Affected Data Principals

Timeline: Without undue delay - Rule 7 specifies 72 hours for notification to Board

Contents (per Rule 7):

  • Nature and circumstances of breach
  • Categories and approximate number of Data Principals affected
  • Possible consequences
  • Measures taken/proposed to address breach
  • Contact details of DPO or designated person

Penalty for non-notification: Up to ₹200 Crore

📖 Rule 7 - Breach Notification

15. How does the appeal process work against Board orders?
Advanced | Appeals

Model Answer:

Under Sections 29-30:

Appeal to TDSAT:

  • Appeals lie to Telecom Disputes Settlement and Appellate Tribunal
  • Must be filed within 60 days of Board's order (extendable by 60 days)
  • TDSAT may confirm, modify, or set aside Board's order

Procedure (Rule 19):

  • Appeal filed in prescribed form
  • Fee as prescribed
  • Digital proceedings encouraged

Execution: TDSAT orders executable as court decrees under Section 30.

Further Appeal: Supreme Court on questions of law only.

📖 Section 29 - Appeals
👨‍💼 DPO Role & Compliance (12 Questions)

16. What are the qualifications and responsibilities of a DPO under DPDPA?
Intermediate | DPO

Model Answer:

Who must appoint DPO: Only Significant Data Fiduciaries (SDFs) - not all Data Fiduciaries.

Key Requirements:

  • Based in India - mandatory requirement
  • Represents the SDF before the Board
  • Point of contact for Data Principals and Board

Responsibilities (Section 10 & Rule 13):

  • Ensure compliance with DPDPA and rules
  • Handle grievances and complaints
  • Coordinate with Data Protection Board
  • Oversee DPIA implementation
  • Manage audit compliance
  • Maintain records for 7 years

Note: Unlike GDPR, DPDPA doesn't prescribe specific qualifications for the DPO; these are determined by the organization.

📖 Section 10 - DPO

17. What is a Data Protection Impact Assessment (DPIA) and when is it required?
Advanced | DPIA

Model Answer:

DPIA (Section 10(2)(c)): Assessment conducted before processing activities that may pose significant risk to Data Principals.

When required:

  • Mandatory for Significant Data Fiduciaries
  • Before high-risk processing activities
  • New technologies or processing methods
  • Large-scale processing

DPIA should assess:

  • Nature, scope, context of processing
  • Risks to Data Principal rights
  • Mitigation measures
  • Proportionality and necessity

Practical Tip: Document DPIAs thoroughly - they're evidence of compliance and due diligence.

📖 Section 10(2)(c)

18. SCENARIO: How would you implement DPDPA compliance in a mid-size company?
Intermediate | Scenario

Model Answer - Implementation Roadmap:

Phase 1: Assessment (Weeks 1-4)

  • Data mapping - identify all personal data flows
  • Gap analysis against DPDPA requirements
  • Risk assessment
  • Stakeholder identification

Phase 2: Documentation (Weeks 5-8)

  • Privacy Policy update
  • Consent mechanisms design
  • Data Processing Agreements with vendors
  • Notice templates in multiple languages

Phase 3: Implementation (Weeks 9-16)

  • Technical controls deployment
  • Consent management system
  • Data Principal rights handling process
  • Breach response procedures

Phase 4: Training & Monitoring (Ongoing)

  • Employee awareness programs
  • Regular audits and reviews
  • Continuous improvement

19. What security safeguards are required under DPDPA?
Intermediate | Security

Model Answer:

Under Section 8(4) and Rule 6, Data Fiduciaries must implement reasonable security safeguards:

Technical Measures:

  • Encryption of data at rest and in transit
  • Access controls and authentication
  • Regular security testing
  • Audit logging and monitoring
  • Incident detection systems

Organizational Measures:

  • Security policies and procedures
  • Employee training
  • Vendor management
  • Regular risk assessments
  • Incident response plans

Standard: "Reasonable" means proportionate to the risks, to prevailing industry standards, and to the nature of the data processed.

Penalty: Up to ₹250 Crore for failure leading to breach.

📖 Rule 6 - Security Safeguards
👥 HR & Employee Data (10 Questions)

20. How does DPDPA apply to employee data processing by HR?
Intermediate | HR

Model Answer:

Under Section 5(b) and Rule 22, employment purposes are Legitimate Uses:

What's covered without explicit consent:

  • Recruitment and onboarding
  • Attendance verification
  • Performance assessment
  • Salary processing
  • Termination procedures
  • Provision of employee services

Important Safeguards Required:

  • Clear communication about data use
  • Processing limited to employment necessity
  • No excessive collection
  • Secure handling of HR records
  • Retention only as long as necessary

HR Best Practices: Update employment contracts, provide employee privacy notices, train HR staff, secure personnel files.

📖 Rule 22 - Employment Processing

21. SCENARIO: Employee requests access to all their personal data. How should HR respond?
Intermediate | Scenario

Model Answer - HR Response Process:

Step 1: Verify Identity

  • Confirm the request is from the employee
  • Use existing authentication methods

Step 2: Document Request

  • Log the request with date and details
  • Acknowledge receipt within 48 hours

Step 3: Gather Data (within 7 days per Rule 14)

  • Personal information in HR systems
  • Payroll and benefits data
  • Performance records
  • Email communications (if applicable)
  • Access logs

Step 4: Provide Response

  • Summary of personal data processed
  • Processing purposes
  • Categories of recipients
  • Retention periods

Important: Cannot charge for first request; reasonable fee for subsequent requests.

📖 Rule 14 - Data Principal Rights

22. What employee data retention requirements apply under DPDPA?
Basic | Retention

Model Answer:

Under Section 8(7) and Rule 8:

General Principle: Erase personal data when purpose is fulfilled, unless retention required by law.

Employment Data Considerations:

  • During employment: Retain as needed for employment
  • Post-termination: Usually 3-7 years depending on purpose
  • Legal requirements: Labour laws, tax laws, PF records may require longer retention

Rule 8 - Purpose Deemed Fulfilled:

  • When Data Principal withdraws consent
  • 3 years from last interaction (unless specified)
  • Contract completion (plus legal retention period)

HR Action: Create retention schedule mapping data types to retention periods and legal basis.

📖 Rule 8 - Retention Periods
🔄 GDPR vs DPDPA Comparison (8 Questions)

23. What are the key differences between GDPR and DPDPA?
Intermediate | Comparison

Key Differences:

  • Scope: GDPR covers all personal data; DPDPA only digital
  • Lawful Bases: GDPR has 6; DPDPA primarily consent + legitimate uses
  • Sensitive Data: GDPR has special categories; DPDPA has none
  • Child Age: GDPR 16 (flexible to 13); DPDPA uniform 18
  • Penalties: GDPR up to 4% of global turnover; DPDPA fixed caps (max ₹250 Crore)
  • DPO: GDPR mandatory for many; DPDPA only for SDFs
  • Data Portability: GDPR yes; DPDPA no explicit right
  • Consent Manager: DPDPA unique concept; no GDPR equivalent

24. Can an organization be compliant with both GDPR and DPDPA? What are the challenges?
Advanced | Comparison

Model Answer:

Yes, dual compliance is achievable with careful planning.

Key Challenges:

  • Consent mechanisms: DPDPA requires unconditional consent, whereas GDPR permits bundled consent in some cases
  • Children's data: Different age thresholds (18 vs 16)
  • Cross-border transfers: Different adequacy frameworks
  • DPO requirements: Different triggering criteria
  • Breach notifications: 72 hours both, but different content requirements

Strategy: Apply the stricter requirement wherever the two regimes differ; in practice this usually yields DPDPA compliance with GDPR-specific enhancements.

25. How do cross-border data transfer rules differ between GDPR and DPDPA?
Intermediate | Cross-border

Model Answer:

GDPR Approach:

  • Adequacy decisions for approved countries
  • Standard Contractual Clauses (SCCs)
  • Binding Corporate Rules (BCRs)
  • Derogations for specific situations

DPDPA Approach (Section 16 & Rule 15):

  • Default: Transfer permitted to all countries
  • Negative list: Government notifies restricted countries
  • Simpler than GDPR - no adequacy assessments needed
  • Restricted countries require government approval

Key Insight: DPDPA takes a permissive approach with a blacklist of restricted countries; GDPR takes a restrictive approach with a whitelist of adequate countries.

📖 Section 16 - Cross-Border Transfers
📋 Scenario-Based Questions (10 Questions)

26. SCENARIO: Your company discovers a data breach affecting 50,000 customers. What steps do you take?
Advanced | Scenario

Model Answer - Breach Response Protocol:

Immediate (0-24 hours):

  • Contain the breach - isolate affected systems
  • Preserve evidence for investigation
  • Activate incident response team
  • Initial assessment of scope and impact

Within 72 Hours (Rule 7):

  • Notify Data Protection Board with required details
  • Document nature, categories affected, consequences
  • Outline remediation measures

Data Principal Notification:

  • Clear communication about what happened
  • What data was compromised
  • Steps they should take (password change, monitoring)
  • Support contact information

Post-Incident:

  • Root cause analysis
  • Implement additional safeguards
  • Update incident response procedures
  • Board report and lessons learned

Penalty Risk: Up to ₹250 Crore (security failure) + ₹200 Crore (notification failure)

27. SCENARIO: A Data Principal requests erasure of their data, but you need it for legal compliance. How do you respond?
Intermediate | Scenario

Model Answer:

Step 1: Acknowledge Request

  • Confirm receipt within 48 hours
  • Verify identity of requestor

Step 2: Assess Legal Retention

  • Identify which laws require retention (tax, labour, etc.)
  • Document the legal basis
  • Determine minimum retention period

Step 3: Partial Compliance

  • Erase data not required for legal compliance
  • Restrict processing of retained data to legal purposes only
  • Mark data for deletion when legal period expires

Step 4: Communicate

Respond explaining: what was erased, what is retained and why, when remaining data will be deleted.

Legal Basis: Section 8(7) allows retention where required by law.

28. SCENARIO: Your vendor (Data Processor) suffers a breach. What are your obligations?
Advanced | Scenario

Model Answer:

Key Principle: Data Fiduciary remains responsible for Data Processor actions under Section 8(2).

Immediate Actions:

  • Obtain full breach details from vendor
  • Assess impact on your Data Principals
  • Invoke contractual breach notification clauses

Notification Obligations (YOU must):

  • Notify Data Protection Board within 72 hours
  • Notify affected Data Principals
  • Cannot delegate notification responsibility to vendor

Contractual Remedies:

  • Indemnification claims against vendor
  • Audit rights exercise
  • Termination if material breach

Preventive Measures: Strong DPA clauses, regular vendor audits, security certifications requirement.

29. SCENARIO: You receive a complaint to the Data Protection Board. How do you respond?
Intermediate | Scenario

Model Answer:

Upon Receipt (Rule 17-18):

  • Review complaint details carefully
  • Gather all relevant documentation
  • Involve legal counsel and DPO

Response Preparation:

  • Factual account of events
  • Evidence of compliance measures taken
  • Explanation of any legitimate basis for processing
  • Steps taken to address complaint

Consider ADR (Section 31):

  • Board may refer to mediation
  • Voluntary undertaking option (Section 32)
  • May reduce penalties if cooperative

Best Practice: Demonstrate good faith, cooperation, and commitment to compliance throughout.

👶 Children's Data & Special Categories (8 Questions)

30. What special protections exist for children's data under DPDPA?
Intermediate | Children

Model Answer:

Child Definition: Under 18 years (Section 2(f))

Key Protections (Section 9):

  1. Verifiable Parental Consent: Must obtain consent from parent/guardian before processing
  2. No Behavioral Monitoring: Tracking and behavioral monitoring of children prohibited
  3. No Targeted Advertising: Cannot target ads at children
  4. No Harmful Processing: Processing likely to cause detrimental effect on child's well-being prohibited

Exemptions (Rule 12):

  • Healthcare services
  • Educational institutions
  • Child safety services

Penalty: Up to ₹150 Crore for non-compliance

📖 Section 9 - Children

31. How do you implement age verification for children under DPDPA?
Intermediate | Age Verification

Model Answer:

Verifiable Consent Methods (Rule 10):

  • Virtual token linked to parent's identity
  • Digital Locker verification
  • Aadhaar-based verification (with safeguards)
  • Government-issued ID verification
  • Video verification with parent

Implementation Considerations:

  • Balance verification strength with user experience
  • Don't collect excessive data for verification
  • Implement age gates at registration
  • Regular re-verification for long-term services

Industry-Specific:

  • Gaming: Age gates + parental controls
  • Social Media: Self-declaration + parental verification
  • Education: School/institution verification

💡 DPDPA Interview Tips

📚 Know the Basics

Master key definitions: Data Principal, Data Fiduciary, Processing, Consent. Interviewers always test fundamentals first.

🔢 Remember Key Numbers

Penalties: ₹250 Crore, ₹200 Crore, ₹150 Crore. Child age: 18. Breach notification: 72 hours. Sections: 44 total.

🔄 Compare with GDPR

Many interviewers ask GDPR comparisons. Know key differences: scope, penalties, consent, DPO requirements.

📋 Prepare Scenarios

Practice breach response, consent withdrawal, cross-border transfers. Real-world application matters most.

📖 Reference Sections

Cite specific sections when answering. "Under Section 4..." shows depth of knowledge.

🎯 Know Your Role

DPO, legal, HR, IT - each role has specific focus areas. Tailor preparation accordingly.