Personal Data is any data about an individual who is identifiable by or in relation to such data, encompassing all information that can directly or indirectly identify a living person. Under Indian law, personal data is defined in Section 2(t) of the Digital Personal Data Protection Act, 2023, and its processing is subject to the consent and rights framework established by the Act.
Legal definition
The Digital Personal Data Protection Act, 2023 provides a clear statutory definition:
Section 2(t): "'personal data' means any data about an individual who is identifiable by or in relation to such data."
This definition is intentionally broad, covering both direct identifiers (such as name, Aadhaar number, or phone number) and indirect identifiers (such as location data, browsing history, or device identifiers that can identify an individual when combined with other data points).
The Act also defines a related concept:
Section 2(e): "'digital personal data' means personal data in digital form."
The distinction between "personal data" and "digital personal data" is significant because the DPDP Act's operative provisions apply specifically to digital personal data — that is, data either collected in digital form or collected in non-digital form and subsequently digitised (Section 4(1)).
Prior regime: Before the DPDP Act, the concept of personal data was addressed through the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, which defined "personal information" under Rule 2(i) as "any information that relates to a natural person, which, either directly or indirectly, in combination with other information available or likely to be available with a body corporate, is capable of identifying such person." The 2011 Rules also created a narrower category of "Sensitive Personal Data or Information" (SPDI) under Rule 3, which included passwords, financial information, health data, sexual orientation, medical records, and biometric data. The DPDP Act does not retain this SPDI distinction.
How courts have interpreted this term
Justice K.S. Puttaswamy (Retd.) v. Union of India [(2017) 10 SCC 1]
The nine-judge bench of the Supreme Court, while establishing the right to privacy as a fundamental right, explicitly recognised "informational privacy" — the right to control the dissemination of one's personal information. Justice D.Y. Chandrachud observed that "the right of an individual to exercise control over his personal data and to be able to control his/her own life would also encompass his right to control his existence on the internet." This constitutional recognition of the autonomy interest in personal data directly informed the DPDP Act's definition and rights framework.
Justice K.S. Puttaswamy (Retd.) v. Union of India (Aadhaar) [(2019) 1 SCC 1]
The Constitution Bench examined whether biometric data (fingerprints and iris scans) collected under the Aadhaar scheme constituted personal data warranting protection. Justice A.K. Sikri held that biometric information is "a form of personal data" that engages the right to informational privacy, and its collection must satisfy the test of proportionality. The Court struck down Section 57 of the Aadhaar Act, which had permitted private entities to demand Aadhaar authentication, effectively holding that personal data collected by the state for a specific purpose cannot be repurposed for private commercial use without adequate legal safeguards.
Surveillance & Personal Data: In the 2021 Pegasus surveillance controversy, the Supreme Court constituted a technical committee to investigate allegations of state surveillance of journalists and activists. While the final order did not create binding precedent on the definition of personal data, the proceedings reinforced judicial recognition that metadata, call logs, and device information constitute personal data deserving constitutional protection.
Why this matters
The concept of personal data is the foundational building block of India's entire data protection framework. Whether a piece of information qualifies as "personal data" determines whether the DPDP Act's obligations — consent requirements, purpose limitation, data minimization, storage limitation, and the rights of data principals — apply to its processing.
For businesses, the breadth of the definition means that virtually any data collected from users — names, email addresses, phone numbers, IP addresses, device identifiers, purchase histories, location data, and behavioural profiles — qualifies as personal data. Even pseudonymised data (where direct identifiers are replaced with codes) remains personal data under the Act if the individual can be re-identified using additional information held by the data fiduciary or a third party.
A common misunderstanding is that anonymised data is the same as personal data. Truly anonymised data — where the identification of individuals is irreversibly prevented — falls outside the scope of the DPDP Act. However, the threshold for genuine anonymisation is high. If there is any reasonable likelihood that the data can be re-linked to an individual through combination with other datasets, it remains personal data subject to the Act's requirements.
For individuals, understanding what constitutes personal data is essential for exercising rights under the Act. Every data principal has the right to know what personal data about them is being processed, the right to seek correction or erasure, and the right to withdraw consent — but these rights can only be exercised if the individual first understands what information about them qualifies as personal data under the law.
Related terms
Parent framework:
Key actors:
Related mechanisms:
Frequently asked questions
What are examples of personal data under Indian law?
Under the DPDP Act, 2023, personal data includes any information that can identify an individual, directly or indirectly. Examples include name, phone number, email address, Aadhaar number, PAN, passport number, bank account details, biometric data (fingerprints, iris scans), photographs, IP addresses, device identifiers, location data, and health records. Even combinations of seemingly innocuous data points (such as age, gender, and pincode) may constitute personal data if they can together identify a specific individual.
Is anonymised data considered personal data?
No. If data has been irreversibly anonymised such that no individual can be identified from it — either directly or in combination with other available data — it is not personal data under the DPDP Act. However, pseudonymised data (where identifiers are replaced with codes but re-identification remains possible) is still personal data. The burden of demonstrating effective anonymisation lies with the data fiduciary.
Does the DPDP Act distinguish between sensitive and non-sensitive personal data?
Unlike the earlier IT Rules of 2011 (which created a separate category of "Sensitive Personal Data or Information") and unlike the EU's GDPR (which defines "special categories" of personal data), the DPDP Act, 2023 treats all personal data uniformly. The Act does not create a separate tier of sensitive personal data with heightened protections. However, the Central Government retains the power to prescribe additional obligations for specific categories of data through rules under the Act.
Can a company use personal data collected before the DPDP Act came into force?
Yes, but subject to compliance with the Act. Section 4 applies to the processing of digital personal data regardless of when it was collected. If a data fiduciary continues to process personal data collected prior to the Act's commencement, it must ensure that such processing is based on valid consent or falls within the "certain legitimate uses" under Section 7. Where the original consent does not meet the Act's requirements, fresh consent must be obtained.
This entry is part of the Veritect Indian Legal Glossary, a comprehensive reference of Indian legal terminology grounded in statutory text and judicial interpretation.
Last updated: 2026-03-27. Veritect provides this content for informational purposes and does not constitute legal advice.