The Digital Personal Data Protection Act, 2023 (DPDP Act) is India's first comprehensive data protection legislation. It establishes a framework for the processing of digital personal data by prescribing obligations for data fiduciaries, rights for data principals, a consent-based processing model, and a penalty regime with fines up to Rs 250 crore, enforced through the Data Protection Board of India. The Act received Presidential assent on 11 August 2023 and was operationalised through the Digital Personal Data Protection Rules, 2025, notified on 13 November 2025.
Legal definition
The Act establishes its foundational principles through key definitions:
Section 2(h) — "Data Fiduciary": Any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data.
Section 2(j) — "Data Principal": The individual to whom the personal data relates and where such individual is — (i) a child, includes the parents or lawful guardian of such child; (ii) a person with disability, includes her lawful guardian, acting on her behalf.
Section 2(t) — "Personal data": Any data about an individual who is identifiable by or in relation to such data.
Section 4 — Consent: Personal data may be processed by a Data Fiduciary only in accordance with the provisions of this Act and for a lawful purpose — (a) for which the Data Principal has given her consent; or (b) for certain legitimate uses (performance of any function under any law, compliance with court orders, medical emergencies, employment purposes, or public interest).
Section 5 — Notice: Before seeking consent, every Data Fiduciary must provide a notice to the Data Principal containing — (a) description of the personal data and the purpose of processing; (b) the manner of exercising rights under the Act; (c) the manner of making complaints to the Board.
The Act applies to the processing of digital personal data within India, and to processing outside India if it relates to offering goods or services to data principals in India.
How courts have interpreted this term
K.S. Puttaswamy v. Union of India [(2017) 10 SCC 1]
The nine-judge bench decision declaring privacy a fundamental right was the constitutional catalyst for the DPDP Act. The Court held that informational privacy — including the right to control one's personal data — is part of Article 21. Justice D.Y. Chandrachud (as he then was) in the majority opinion directed that the government must enact a data protection law that satisfies the tests of legality, necessity, and proportionality. The DPDP Act is the legislative response to this constitutional mandate.
K.S. Puttaswamy v. Union of India (Aadhaar) [(2019) 1 SCC 1]
The five-judge bench upheld the Aadhaar scheme but struck down Section 57 of the Aadhaar Act (which permitted private entities to use Aadhaar authentication). The Court held that biometric and demographic data collected under Aadhaar must be protected with robust data protection safeguards. This judgment reinforced the urgency of comprehensive data protection legislation and informed several provisions of the DPDP Act, particularly those relating to children's data and significant data fiduciaries.
Key provisions of the Act
The DPDP Act operates through several interconnected frameworks:
- Consent framework (Sections 4-7): Processing requires free, specific, informed, and unconditional consent, which may be managed through registered Consent Managers. Consent can be withdrawn at any time.
- Data principal rights (Sections 11-14): Right to access information about processing, right to correction and erasure, right to nominate, and right to grievance redressal.
- Data fiduciary obligations (Sections 8-10): Reasonable security safeguards, data accuracy, storage limitation, breach notification, and publication of contact details of Data Protection Officer.
- Children's data (Section 9): Processing requires verifiable parental consent. Targeted advertising directed at children and tracking/behavioural monitoring of children are prohibited.
- Significant Data Fiduciaries (Section 10): Enhanced obligations including appointment of DPO in India, independent data auditor, and data protection impact assessment.
- Data Protection Board (Sections 18-26): Adjudicatory body for complaints and penalties, operating as a digital-first body with proceedings conducted digitally.
- Penalties (Schedule): Up to Rs 250 crore for breach of security safeguards; up to Rs 200 crore for failure to notify breach; up to Rs 150 crore for breach of children's data obligations.
Why this matters
The DPDP Act fundamentally changes the data processing landscape in India. For the first time, every organisation — from startups to multinational corporations, from hospitals to e-commerce platforms — that processes digital personal data of Indian individuals must comply with a statutory consent framework, implement reasonable security safeguards, respect data principal rights, and face significant financial penalties for non-compliance.
For businesses, the compliance burden is substantial. Every data processing activity requires a lawful basis (consent or legitimate use), proper notice to data principals, mechanisms for consent withdrawal and data erasure, appointment of a grievance officer, and implementation of reasonable security safeguards. The penalty regime — with fines up to Rs 250 crore per violation — makes non-compliance a serious financial risk.
For individuals, the Act creates enforceable rights over personal data for the first time. Data principals can access their data, correct inaccuracies, withdraw consent, request erasure, and file complaints with the Data Protection Board. The Board must dispose of complaints within prescribed timelines and can impose penalties on non-compliant data fiduciaries.
Related terms
Core concepts under this Act:
- Data Fiduciary
- Data Principal
- Personal Data
- Consent Manager
- Significant Data Fiduciary
- Data Protection Board
Frequently asked questions
When did the DPDP Act come into force?
The DPDP Act received Presidential assent on 11 August 2023. The DPDP Rules, 2025 were notified on 13 November 2025, operationalising the Act. Different provisions have staggered timelines — most obligations for data fiduciaries came into effect upon notification of the Rules, while certain provisions (such as Consent Manager registration) have extended timelines.
Does the DPDP Act apply to foreign companies?
Yes. Section 3(b) provides that the Act applies to the processing of digital personal data outside India if such processing is in connection with any activity related to offering goods or services to data principals within India. This means any foreign company that targets Indian customers or processes the data of Indian individuals must comply with the Act.
How is the DPDP Act different from GDPR?
While inspired by the GDPR, the DPDP Act is simpler and narrower in scope. It covers only digital personal data (not manual records), has fewer lawful bases for processing, does not include a right to data portability, and has a single adjudicatory body (the Data Protection Board) rather than multiple supervisory authorities. The penalty structure is also different — the DPDP Act prescribes fixed maximum penalties per violation rather than percentage-of-turnover calculations.
This entry is part of the Veritect Indian Legal Glossary, a comprehensive reference of Indian legal terminology grounded in statutory text and judicial interpretation.
Last updated: 2026-03-27. Veritect provides this content for informational purposes; it does not constitute legal advice.