The Digital Personal Data Protection Act, 2023 (Act No. 22 of 2023), assented to on 11 August 2023, is India's first comprehensive data-protection statute. It imposes seven core obligations on every Data Fiduciary processing digital personal data: lawful consent with a plain-language notice (Sections 5-6), purpose limitation and accuracy (Section 8(3)), reasonable security safeguards (Section 8(5)), 72-hour personal data breach notification (Section 8(6)), retention limits (Section 8(7)), grievance redressal (Section 8(10)) and fulfilment of seven data-principal rights (Sections 11-14). Non-compliance carries penalties up to ₹250 crore per contravention under the Schedule read with Section 33.
TL;DR for founders
If your company processes personal data of anyone in India — or offers goods or services to users in India from anywhere in the world — you are a Data Fiduciary under the DPDP Act. You must obtain consent, serve a plain-language notice, keep data secure, notify the Data Protection Board within 72 hours of any breach, fulfil user rights requests, and appoint a grievance officer. Big players may be designated Significant Data Fiduciaries (SDF) with extra obligations: a resident DPO, a DPIA, and an annual independent audit. Maximum penalty: ₹250 crore per breach. Substantive obligations go live on 13 May 2027 — you have roughly 12 months from now to put the infrastructure in place.
Scope of the DPDP Act, 2023
Section 3 of the Digital Personal Data Protection Act, 2023 ('DPDP Act') fixes the Act's territorial reach. It applies to:
- Processing of digital personal data within the territory of India where the data is (a) collected in digital form, or (b) collected in non-digital form and digitised subsequently (Section 3(a)); and
- Processing outside India if such processing is in connection with any activity related to offering of goods or services to Data Principals within the territory of India (Section 3(b)).
Section 3(c) carves out four categories: personal data processed by an individual for personal or domestic purposes; personal data made or caused to be made publicly available by the Data Principal; personal data made publicly available by any other person under a legal obligation; and processing for research, archiving or statistical purposes where personal data is not used to take any decision specific to a Data Principal (the last three governed by Section 17 exemptions).
Practitioner note on extra-territoriality. Section 3(b) is the architectural choice that catches global SaaS, cloud and app businesses serving Indian users. It is narrower than the GDPR Article 3(2) test — the DPDP Act does not have an independent "monitoring of behaviour" limb — but broader than the pre-DPDP position, which depended on the "computer resource located in India" hook in Section 1(2) read with Section 75 of the Information Technology Act, 2000 ('IT Act').
Key definitions
Section 2 of the DPDP Act defines the building blocks of the regime. The six that every compliance team must internalise:
| Term | Definition (Section 2) | Compliance touchpoint |
|---|---|---|
| Data Principal | The individual to whom personal data relates; includes a parent/lawful guardian in the case of a child or person with disability (Section 2(j)). | Rights under Sections 11-14; grievance redressal. |
| Data Fiduciary | Any person who alone or in conjunction with others determines the purpose and means of processing of personal data (Section 2(i)). | Primary compliance duty-bearer. |
| Data Processor | Any person who processes personal data on behalf of a Data Fiduciary (Section 2(k)). | Bound by contract under Section 8(2); Rule 6 security safeguards flow down. |
| Consent Manager | A person registered with the Data Protection Board who acts as a single point of contact to enable a Data Principal to give, manage, review and withdraw consent (Section 2(g)). | New regulated intermediary — registration under Rule 4 of the DPDP Rules 2025 from 13 November 2026. |
| Significant Data Fiduciary (SDF) | A Data Fiduciary or class notified by the Central Government under Section 10(1) based on volume, sensitivity, risk and systemic factors. | Additional obligations under Section 10 and Rule 13 — DPO, DPIA, audit. |
| Personal data breach | Any unauthorised processing or accidental disclosure, acquisition, sharing, use, alteration, destruction or loss of access that compromises confidentiality, integrity or availability of personal data (Section 2(u)). | Triggers Section 8(6) notification to DPBI within 72 hours and intimation to affected Data Principals without delay. |
The seven data principal rights
Sections 11-14 DPDP Act, read with Rule 14 of the DPDP Rules, 2025, confer seven rights on every Data Principal:
- Right to access information (Section 11(1)(a)) — summary of personal data processed and processing activities.
- Right to access identities of data processors (Section 11(1)(b)) — identities of all Data Fiduciaries and Data Processors with whom personal data has been shared, except sharing done under a legal obligation or in the public interest.
- Right to correction, completion and updation (Section 12(1)(a)).
- Right to erasure (Section 12(1)(b)) — unless retention is necessary for the specified purpose or for compliance with law.
- Right to grievance redressal (Section 13) — a readily available means to seek redressal from the Data Fiduciary or Consent Manager.
- Right to nominate (Section 14) — nominate another individual to exercise these rights in the event of death or incapacity.
- Right to withdraw consent (Section 6(4)) — structurally a right-like obligation on the fiduciary to honour withdrawal with ease equivalent to the giving of consent.
Every Data Fiduciary must publish the URL or other mechanism for exercising each of these rights under Rule 14(2) DPDP Rules, together with the prescribed response timelines in the notice served under Rule 3.
The seven core data-fiduciary obligations
Chapter II of the DPDP Act (Sections 4-10) holds the substantive duties. For every Data Fiduciary, seven obligations are cumulative and non-waivable:
1. Lawful basis — consent or certain legitimate uses
Section 4(1) DPDP Act permits processing of personal data only (a) for a lawful purpose and (b) on the basis of the Data Principal's consent, or for certain legitimate uses listed in Section 7. Section 7 is a closed list comprising: voluntary provision by the Data Principal; State delivery of subsidies, benefits, services, certificates, licences or permits; compliance with a judgment; medical emergency; provision of medical treatment during an epidemic or disaster; employment-related processing; and specified public-interest purposes (takeovers, mergers, credit information, loan recovery, establishment of identity, processing for network and information security).
There is no "legitimate interest" basis. Data fiduciaries habituated to the GDPR Article 6(1)(f) legitimate-interest regime must redesign processing to fit either consent or one of the enumerated Section 7 legitimate uses.
2. Notice (Section 5) and consent (Section 6)
Section 5 DPDP Act requires a notice — clear, plain language, independent of other documents — itemising the personal data, the specified purpose, the goods/services/uses enabled, the mechanism for exercising rights and the mechanism for complaining to the DPBI. Rule 3 DPDP Rules 2025 prescribes the 22 language choices (English + any of the Eighth Schedule languages).
Section 6 DPDP Act requires consent that is free, specific, informed, unconditional and unambiguous, given with a clear affirmative action. Bundled or conditional consent tied to provision of unrelated goods/services is void. The burden of proving consent lies on the Data Fiduciary (Section 6(10)).
3. Purpose limitation and accuracy (Section 8(3), 8(4))
Personal data collected must be used only for the specified purpose for which consent was obtained or the Section 7 basis was engaged. Data Fiduciaries must take reasonable steps to ensure completeness, accuracy and consistency where the personal data is used to make a decision affecting a Data Principal or is disclosed to another Data Fiduciary.
4. Security safeguards (Section 8(5))
Section 8(5) imposes an affirmative obligation to take "reasonable security safeguards" to prevent personal data breach. Rule 6 DPDP Rules 2025 operationalises this as: encryption/obfuscation/masking/virtual tokens; access controls; logging and monitoring; personal-data-breach-detection mechanisms; rolling 180-day log retention; back-ups; and contractual flow-down to Data Processors. This is the most litigable sub-obligation — Entry 1 of the Schedule carries the ₹250 crore ceiling.
5. Breach notification (Section 8(6))
Section 8(6) read with Rule 7 DPDP Rules 2025 requires two parallel notifications on becoming aware of a personal data breach:
- To affected Data Principals — without delay, in plain language, via registered communication channels, describing nature, consequences and mitigation.
- To the Data Protection Board of India — a detailed report within 72 hours (extendable only with Board permission) covering updated scope, facts and circumstances, remedial action, findings on the person who caused the breach, and communications sent to Data Principals.
This is distinct from — and additional to — the 6-hour CERT-In reporting obligation under Section 70B(6) of the Information Technology Act, 2000 read with the CERT-In Directions dated 28 April 2022.
6. Retention and erasure (Section 8(7))
Personal data must be erased when the specified purpose is no longer being served, save for retention required by law. Rule 8 DPDP Rules 2025 specifies a presumptive three-year no-engagement trigger for specified classes of fiduciaries (Third Schedule).
7. Grievance redressal (Section 8(10))
Every Data Fiduciary must publish a mechanism for redressal of grievances by Data Principals, with a statutory response timeline. Rule 9 DPDP Rules 2025 requires the contact details of the Grievance Officer (or DPO, for SDFs) to be prominently displayed.
Additional Significant Data Fiduciary (SDF) obligations
Section 10 DPDP Act empowers the Central Government to notify a Data Fiduciary or class as an SDF based on: (a) volume and sensitivity of personal data processed, (b) risk to Data Principal rights, (c) potential impact on India's sovereignty and integrity, (d) risk to electoral democracy, (e) security of the State, and (f) public order.
Once designated, an SDF must under Section 10(2) read with Rule 13 DPDP Rules 2025:
- Appoint a Data Protection Officer (DPO) resident in India, reporting to the Board or equivalent governing body, who represents the SDF for DPDP purposes.
- Appoint an independent Data Auditor to carry out data audits.
- Undertake a Data Protection Impact Assessment (DPIA) and a periodic data audit — at least once every twelve months — and submit an observation report to the DPBI.
- Apply such other prescribed measures, including algorithmic evaluation where processing poses risks to Data Principal rights.
As of April 2026, no SDFs have been designated by notification. Designations and the associated Rule 13 duties become live on or after 13 May 2027, once that rule commences.
Children's data (Section 9)
Section 9 DPDP Act treats children (individuals below 18) as a specially protected class:
- Section 9(1) — verifiable consent of a parent or lawful guardian is required before processing the personal data of a child.
- Section 9(3) — tracking, behavioural monitoring and targeted advertising directed at children are prohibited (subject to exemptions under Section 9(5) notified by the Central Government for classes of fiduciaries and purposes).
- Rule 10 DPDP Rules 2025 — three verification pathways: information already reliably held by the Data Fiduciary; identity and age details voluntarily provided; or a government-issued/authorised token.
The Fourth Schedule to the DPDP Rules 2025 lists exempt classes (e.g., specified educational and health services).
Cross-border transfer (Section 16)
Section 16(1) DPDP Act permits transfer of personal data outside India, save in respect of such countries or territories as may be restricted by the Central Government by notification. This is a blacklist / negative-list model — transfers are permitted until a country is named on a restriction list.
Section 16(2) preserves the continued operation of sectoral localisation rules: RBI's 6 April 2018 Circular on Storage of Payment System Data; the SEBI Cybersecurity and Cyber Resilience Framework ('CSCRF'); the IRDAI Information and Cyber Security Guidelines, 2023; and the UIDAI Aadhaar (Data Security) Regulations, 2016.
Until a notification is issued, cross-border transfer is on consent + notice + sectoral compliance. See Veritect's companion playbook cross-border-data-transfer-dpdp-sop.md for the operational SOP.
Exemptions (Section 17)
Section 17 DPDP Act excludes the Act's application (wholly or partly) in four buckets:
- Section 17(1) — processing for enforcement of legal right, court-ordered processing, prevention of offences, and certain cross-border commercial contracts (Section 17(1)(d)).
- Section 17(2) — Central Government notifications exempting instrumentalities of the State in the interests of sovereignty, integrity, security, friendly relations, public order or to prevent incitement to offences — an unbounded executive power that has attracted constitutional critique under K.S. Puttaswamy v. Union of India, (2017) 10 SCC 1.
- Section 17(3) — Central Government may exempt specified classes of Data Fiduciaries (including start-ups) from Section 5, Section 8(3), (7) and Sections 11-14.
- Section 17(4) — deemed sunset of the exemption under Section 17(3) after five years from commencement unless extended.
Data Protection Board of India
Sections 18-26 DPDP Act constitute the Data Protection Board of India ('DPBI'), a statutory body. Key features:
- Digital-first functioning (Section 28(3)) — proceedings conducted by electronic means by default.
- Powers of a civil court (Section 28(7)) for summoning witnesses, producing documents and adjudicating.
- Penalty quantification (Section 33(2)) based on nature, gravity, duration, personal data affected, repetitive character, gains/losses and proportionality.
- Voluntary undertaking (Section 32) — the Board may accept a voluntary undertaking in lieu of penalty.
- Appeal (Section 29) — aggrieved person may appeal to the Telecom Disputes Settlement and Appellate Tribunal ('TDSAT') within 60 days (extendable on cause); TDSAT orders are appealable to the Supreme Court under Section 18 of the Telecom Regulatory Authority of India Act, 1997 on questions of law within 90 days.
- Bar on civil court jurisdiction (Section 39) — a Data Principal cannot sue a Data Fiduciary in a civil court for matters within the Board's competence.
Penalties — the Schedule
The Schedule to the DPDP Act, 2023 sets ceilings; Section 33 sets the adjudication framework. Eight heads:
| Entry | Breach | Maximum penalty |
|---|---|---|
| 1 | Failure of a Data Processor or Data Fiduciary to take reasonable security safeguards (Section 8(5)) | ₹250 crore |
| 2 | Failure to notify the Board and Data Principals of a personal data breach (Section 8(6)) | ₹200 crore |
| 3 | Non-fulfilment of obligations in relation to children (Section 9) | ₹200 crore |
| 4 | Non-fulfilment of additional obligations of an SDF (Section 10) | ₹150 crore |
| 5 | Non-fulfilment of duties of a Data Principal (Section 15) | ₹10,000 |
| 6 | Breach of voluntary undertaking (Section 32) | As per the undertaking |
| 7 | Breach of any term of the Act or Rules | ₹50 crore |
| 8 | Breach of any other provision of the Act or Rules | ₹50 crore |
Penalties are consolidated revenue of India — not damages to the Data Principal. Civil remedies continue via the DPBI compensation regime (subject to operational rules).
Interaction with prior and parallel regimes
IT (SPDI) Rules 2011. The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 under Section 43A IT Act remain in force until 13 May 2027. On that date, Section 44(2) DPDP Act omits Section 43A IT Act, and the SPDI Rules lose their parent section.
Sectoral frameworks. DPDP does not displace:
- RBI Master Direction on Digital Payment Security Controls dated 18 February 2021 and IT Governance Master Direction dated 7 November 2023.
- SEBI CSCRF dated 20 August 2024.
- IRDAI Information and Cyber Security Guidelines, 2023 dated 24 April 2023.
- CERT-In Directions dated 28 April 2022 (6-hour incident reporting — independent and additional to the 72-hour DPDP clock).
- UIDAI Aadhaar (Data Security) Regulations, 2016.
Regulated entities must maintain parallel escalation matrices — a CERT-In filing does not discharge DPDP notification; a SEBI CSCRF incident filing does not discharge RBI CSITE obligations.
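The parallel clocks described under Section 8(6) above and in the escalation-matrix point just made, as an added example that is not Veritect's or any regulator's tooling: a Python matrix that, from the moment a fiduciary becomes aware of a breach, fixes the CERT-In 6-hour and DPBI 72-hour deadlines alongside the untimed "without delay" intimation to Data Principals and any sectoral filing, then scores a tabletop timeline against each clock separately so that one filing never reads as discharging another. Sector labels, channel names and the sample timeline are constructed assumptions; sectoral windows are left untimed because the page does not quantify them.

```python
"""Dual-clock breach escalation matrix (constructed example, not Veritect's or any regulator's tool).

Clocks taken from the explainer: CERT-In 6 hours (s.70B(6) IT Act read with the 28 April 2022
Directions), DPBI 72 hours (s.8(6) DPDP Act read with Rule 7), affected Data Principals "without
delay". Sectoral filings (RBI, SEBI CSCRF, IRDAI) are parallel obligations; their windows are not
stated on the page, so they carry no timer here and simply count as missing if never sent.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

CERT_IN_WINDOW = timedelta(hours=6)
DPBI_WINDOW = timedelta(hours=72)

# Assumed sector labels mapped to the regulator filing named on the page.
SECTORAL_FILINGS = {
    "payments": "RBI (CSITE)",
    "securities": "SEBI CSCRF",
    "insurance": "IRDAI Information and Cyber Security Guidelines",
}


@dataclass(frozen=True)
class Notification:
    channel: str
    basis: str
    deadline: Optional[datetime]  # None: "without delay", or window not quantified on the page


def escalation_matrix(aware_at: datetime, sectors=()) -> list:
    """Every notification owed once the fiduciary is aware of a breach, each with its own clock."""
    if aware_at.tzinfo is None:
        raise ValueError("aware_at must be timezone-aware so the clocks are unambiguous")
    rows = [
        Notification("CERT-In", "IT Act s.70B(6) + CERT-In Directions 2022 (6h)", aware_at + CERT_IN_WINDOW),
        Notification("Affected Data Principals", "DPDP s.8(6) + Rule 7 (without delay)", None),
        Notification("DPBI", "DPDP s.8(6) + Rule 7 (72h, extendable only with Board permission)",
                     aware_at + DPBI_WINDOW),
    ]
    for sector in sectors:
        if sector not in SECTORAL_FILINGS:
            raise ValueError(f"unknown sector {sector!r}")
        rows.append(Notification(SECTORAL_FILINGS[sector], "sectoral direction (window not stated here)", None))
    return rows


def check_compliance(matrix, sent: dict) -> dict:
    """Score each channel from the times notifications actually went out (channel -> aware datetime)."""
    status = {}
    for n in matrix:
        when = sent.get(n.channel)
        if when is None:
            status[n.channel] = "missing"          # a filing elsewhere never discharges this one
        elif n.deadline is None or when <= n.deadline:
            status[n.channel] = "on_time"
        else:
            status[n.channel] = f"late by {when - n.deadline}"
    return status


def demo() -> dict:
    """Constructed tabletop run for a payments fiduciary: CERT-In filed at T0+5h, principals told at
    T0+10h, DPBI report at T0+80h (8h late), RBI never filed. Returns deadline offsets and statuses."""
    t0 = datetime(2026, 6, 1, 9, 0, tzinfo=timezone.utc)
    matrix = escalation_matrix(t0, sectors=("payments",))
    sent = {
        "CERT-In": t0 + timedelta(hours=5),
        "Affected Data Principals": t0 + timedelta(hours=10),
        "DPBI": t0 + timedelta(hours=80),
    }
    offsets = {n.channel: None if n.deadline is None else (n.deadline - t0) / timedelta(hours=1)
               for n in matrix}
    return {"offsets": offsets, "status": check_compliance(matrix, sent)}


if __name__ == "__main__":
    for channel, result in demo()["status"].items():
        print(f"{channel:28s} {result}")
```

Run the script to see the four channels scored; in a real drill the `sent` dictionary is filled from the incident ticket's timestamps.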
Practitioner analysis
1. The Consent Manager disintermediation opportunity
Section 6(7)-(9) read with Rule 4 DPDP Rules 2025 creates a new regulated intermediary class — the Consent Manager — that stands between the Data Principal and the Data Fiduciary. The Consent Manager owes fiduciary duties to the Data Principal, not to the fiduciary paying for its integration. This creates a market for "consent as a service" plays; expect 3-5 category-defining Consent Managers to register in the 12 months from 13 November 2026.
2. Data Processing Agreement (DPA) re-papering
Existing DPAs drafted to SPDI Rules or GDPR standards will not discharge Section 8(2) DPDP Act flow-down. The minimum DPA clauses now required: (i) processor acts only on documented instructions; (ii) processor implements Rule 6 security safeguards; (iii) processor flags breaches to the fiduciary within a compressed window (24 hours is the market norm) to allow Section 8(6) 72-hour notification; (iv) processor deletes/returns personal data on end-of-engagement; (v) processor permits audits; (vi) processor supports Data Principal rights fulfilment.
3. DPIA templating for SDF aspirants
Even before notification, large consumer-internet, fintech and edtech platforms should build a DPIA template aligned to Rule 13 DPDP Rules. A defensible DPIA covers: lawful basis analysis per processing activity; necessity and proportionality; Data Principal impact assessment; algorithmic risk; cross-border transfer analysis; and control-gap remediation plan.
4. M&A data due diligence
Every DPDP-era M&A mandate needs a data-due-diligence workstream: target's consent corpus audit (is consent free/specific/informed/unambiguous?); RoPA maturity; open DPBI proceedings/inquiries; processor contract quality; historical breach ledger. A defective consent corpus is a latent liability — the ₹250 crore Entry 1 ceiling dwarfs typical SPA indemnity baskets.
5. Onboarding a Consent Manager
A Data Fiduciary planning to route consent through a Consent Manager must: (a) commercially contract with a Board-registered CM by 13 November 2026 (registration window opens); (b) integrate the CM's interoperable interface into the consent flow; (c) preserve the Data Principal's right to give direct consent without using the CM; (d) update the Rule 3 notice to disclose the CM engagement.
Founder checklist
- Map your data by 30 June 2026 — a single RoPA table listing every personal-data collection point, purpose, lawful basis, Data Processor, retention trigger and erasure method.
- Classify your status — Data Fiduciary (always) / probable SDF (consumer-facing platform > 10 million Indian users is a reasonable starting heuristic) / child-data handler / cross-border transferor.
- Re-paper Data Processing Agreements with Section 8(2) flow-down clauses — target completion 31 December 2026.
- Appoint and publish a Grievance Officer (all) or DPO (SDF-candidates) by 30 September 2026.
- Run a tabletop breach drill against the 72-hour Section 8(6) clock with a simultaneous 6-hour CERT-In clock — at least once before 13 May 2027.
Frequently asked questions
Does the DPDP Act, 2023 apply to foreign companies that offer services to Indian users?
Yes. Section 3(b) of the Digital Personal Data Protection Act, 2023 gives the Act extra-territorial reach over processing of digital personal data outside India if the processing is in connection with any activity related to offering of goods or services to Data Principals within the territory of India. A US-headquartered SaaS selling to Indian enterprises, or an EU app collecting data of Indian users, falls within scope even with zero Indian infrastructure.
Are start-ups exempt from any DPDP Act obligations?
Partially. Section 17(3) of the DPDP Act, 2023 empowers the Central Government to notify certain Data Fiduciaries or classes (including start-ups) as exempt from specified provisions — namely Section 5 (notice), Section 8(3) and (7) (accuracy and retention) and Sections 11-14 (data-principal rights) — having regard to volume and nature of personal data processed. The Fourth Schedule to the DPDP Rules, 2025 operationalises this. Start-ups remain bound by security safeguards (Section 8(5)), breach notification (Section 8(6)), and consent requirements (Section 6) irrespective of size.
How does the DPDP Act interact with the GDPR for MNCs?
The DPDP Act, 2023 and the EU General Data Protection Regulation, 2016 overlap but are not identical. Both have extra-territorial reach and both regulate consent, rights and breach notification. Key divergences: DPDP has no 'legitimate interest' legal basis (Section 7 uses 'Certain Legitimate Uses' narrowly); DPDP does not separately categorise 'sensitive' data (SPDI Rules 2011 covered this pre-DPDP); DPDP penalties (₹250 crore cap) are absolute figures rather than the GDPR's 4% global turnover model; and DPDP adopts a blacklist approach to cross-border transfer under Section 16 rather than the GDPR adequacy model. MNCs should maintain a unified RoPA and design separate notice variants.
Which sections of the DPDP Act, 2023 are currently in force?
As of April 2026, companion notifications G.S.R. 843(E) to 845(E) dated 13 November 2025 brought into force the constitutional and Data Protection Board provisions (Sections 1, 2, 18-26, 27 and portions of 33-44) alongside Rules 1, 2 and 17-21 of the DPDP Rules, 2025. Consent Manager provisions (Section 6(7)-(9) read with Rule 4) commence 13 November 2026. Substantive obligations under Sections 5, 7-16 commence 13 May 2027 with Rules 3, 5-16, 22 and 23. Section 10 (SDF designation) awaits a further Central Government notification.
What is the maximum penalty under the DPDP Act, 2023?
The Schedule to the Digital Personal Data Protection Act, 2023 read with Section 33 prescribes a maximum monetary penalty of ₹250 crore for failure to take reasonable security safeguards under Section 8(5) resulting in a personal data breach. Failure to notify a breach (Section 8(6)) attracts up to ₹200 crore; breach of children's-data obligations (Section 9) up to ₹200 crore; breach of additional SDF duties (Section 10) up to ₹150 crore; and any residual contravention up to ₹50 crore.
Can a data principal directly sue a data fiduciary in court under the DPDP Act?
No. Section 39 of the DPDP Act, 2023 bars civil courts from entertaining any suit or proceeding in respect of any matter that the Data Protection Board of India is empowered to determine. The remedial path is: grievance to Grievance Officer → complaint to DPBI (Section 27(1)(b)) → appeal to TDSAT within 60 days (Section 29) → appeal to Supreme Court on questions of law within 90 days. Section 15 separately imposes duties on data principals themselves, with a ₹10,000 penalty for breach.
Sources
- Digital Personal Data Protection Act, 2023 — MeitY PDF
- Digital Personal Data Protection Rules, 2025 — MeitY (G.S.R. 846(E))
- India Code — Act 22 of 2023
- Digital Personal Data Protection Bill, 2023 (as introduced) — PRS
- Information Technology Act, 2000 — India Code
- eGazette of India — notification search
This explainer is part of Veritect's Digital, Data & AI Law vertical. It is an original analysis prepared from Tier 1 government sources and does not reproduce or paraphrase any third-party commentary. Statutory citations are current as of 21 April 2026. For the phased-rollout calendar of the DPDP Rules, see the companion explainer dpdp-rules-2025-phased-rollout.