{"id":20997,"date":"2026-03-30T06:08:19","date_gmt":"2026-03-30T06:08:19","guid":{"rendered":"https:\/\/www.legalserviceindia.com\/Legal-Articles\/?p=20997"},"modified":"2026-04-05T05:15:58","modified_gmt":"2026-04-05T05:15:58","slug":"digital-personal-data-protection-act-2023","status":"publish","type":"post","link":"https:\/\/www.legalserviceindia.com\/Legal-Articles\/digital-personal-data-protection-act-2023\/","title":{"rendered":"Digital Personal Data Protection Act, 2023"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\" id=\"introduction-and-background\"><span class=\"ez-toc-section\" id=\"Introduction_And_Background\"><\/span>Introduction And Background<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>For many decades, Indian law did not have a comprehensive data protection framework, and issues relating to personal data were addressed only indirectly through constitutional provisions, sectoral regulations, and general principles of administrative and criminal law.<\/p>\n\n\n\n\n<p>This changed decisively with the landmark judgment of the Supreme Court in Justice K.S. Puttaswamy (Retd.) v. Union of India (2017), where a nine-judge Bench unanimously held that the right to privacy is a fundamental right under Article 21 of the Constitution.<\/p>\n\n\n\n<p>The Court recognised privacy not merely as a negative right against State interference, but also as a positive right that requires the State to put in place a strong legal framework to protect individuals against misuse of their personal data by both State and non-State actors.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"srikrishna-committee-and-policy-foundation\"><span class=\"ez-toc-section\" id=\"Srikrishna_Committee_And_Policy_Foundation\"><\/span>Srikrishna Committee And Policy Foundation<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>Pursuant to this judgment, the Government constituted a Committee of Experts under the chairmanship of Justice B.N. 
Srikrishna to examine issues relating to data protection and to propose a comprehensive legal framework for India.<\/p>\n\n\n\n<p>The Committee\u2019s work laid the intellectual and policy foundation for a dedicated data protection statute.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"enactment-and-operational-framework\"><span class=\"ez-toc-section\" id=\"Enactment_And_Operational_Framework\"><\/span>Enactment And Operational Framework<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>This legislative process resulted in the enactment of the Digital Personal Data Protection Act, 2023, which aims to regulate the processing of digital personal data in a manner that balances individual privacy with lawful and necessary data use.<\/p>\n\n\n\n<p>To operationalise the Act, the Central Government subsequently notified the Digital Personal Data Protection Rules, 2025, which lay down detailed procedural and compliance requirements relating to notice, consent, security safeguards, breach reporting, and special protections for children and persons with disabilities.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"objectives-of-the-digital-personal-data-protection-act-2023\"><span class=\"ez-toc-section\" id=\"Objectives_Of_The_Digital_Personal_Data_Protection_Act_2023\"><\/span>Objectives Of The Digital Personal Data Protection Act, 2023<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>The main objectives of the DPDP Act are:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>To recognise and protect the right of individuals to their personal data in the digital environment.<\/li>\n\n\n\n<li>To regulate the processing of digital personal data in a lawful, fair, and transparent manner.<\/li>\n\n\n\n<li>To impose clear obligations and accountability on entities processing personal data.<\/li>\n\n\n\n<li>To confer enforceable rights on individuals in relation to their personal data.<\/li>\n\n\n\n<li>To establish an effective enforcement mechanism through the 
Data Protection Board of India.<\/li>\n\n\n\n<li>To provide for penalties and remedies in cases of non-compliance and personal data breaches.<\/li>\n\n\n\n<li>To balance individual privacy with legitimate business, governance, and public interest needs.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"applicability-and-scope-of-the-act\"><span class=\"ez-toc-section\" id=\"Applicability_And_Scope_Of_The_Act\"><\/span>Applicability And Scope Of The Act<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>According to Section 3, the DPDP Act applies to the processing of \u201cdigital personal data\u201d in India, including personal data that is collected in non-digital form but is subsequently digitised.<\/p>\n\n\n\n<p>It also has extra-territorial reach and applies to processing outside India if such processing is connected with offering goods or services to individuals in India.<\/p>\n\n\n\n<p>At the same time, the Act does not apply to personal data processed by an individual for purely personal or domestic purposes, nor to personal data that is made publicly available by the individual herself or under a legal obligation.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"quick-overview-of-scope\"><span class=\"ez-toc-section\" id=\"Quick_Overview_Of_Scope\"><\/span>Quick Overview Of Scope<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th>Aspect<\/th><th>Coverage<\/th><\/tr><\/thead><tbody><tr><td>Type Of Data<\/td><td>Digital personal data and digitised data<\/td><\/tr><tr><td>Territorial Scope<\/td><td>India and extra-territorial (if linked to goods\/services in India)<\/td><\/tr><tr><td>Exclusions<\/td><td>Personal\/domestic use; publicly available data<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"key-definitions-under-dpdp-framework\"><span class=\"ez-toc-section\" id=\"Key_Definitions_Under_the_DPDP_Framework\"><\/span>Key 
Definitions Under the DPDP Framework<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>The DPDP Act contains a detailed definition clause in Section 2.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Digital Personal Data (Section 2(n)):<\/strong> This means personal data that exists in digital form. The DPDP Act mainly deals with this category of data, such as data stored on computers, mobile phones, servers, or cloud platforms.<\/li>\n\n\n\n<li><strong>Data Principal (Section 2(j)):<\/strong> A Data Principal is the individual to whom the personal data relates. If the individual is a child or a person with disability, the term also includes the parent or lawful guardian acting on their behalf.<\/li>\n\n\n\n<li><strong>Data Fiduciary (Section 2(i)):<\/strong> A Data Fiduciary is any person or entity that decides the purpose and means of processing personal data. In practical terms, this is the organisation or person who is in control of why and how the data is used.<\/li>\n\n\n\n<li><strong>Data Processor (Section 2(k)):<\/strong> A Data Processor is any person or entity that processes personal data on behalf of a Data Fiduciary. For example, a cloud storage provider or an IT service company processing data for another company is a Data Processor.<\/li>\n\n\n\n<li><strong>Processing (Section 2(x)):<\/strong> Processing means any operation performed on digital personal data, such as collecting, storing, using, sharing, analysing, or deleting the data.<\/li>\n\n\n\n<li><strong>Consent Manager (Section 2(g)):<\/strong> A Consent Manager is a person registered with the Data Protection Board who helps a Data Principal give, manage, review, and withdraw her consent through an accessible and transparent platform.<\/li>\n\n\n\n<li><strong>Significant Data Fiduciary (Section 2(z)):<\/strong> A Significant Data Fiduciary is a class of Data Fiduciaries that may be notified by the Central Government under section 10. 
Such entities are subject to additional compliance duties under the Act.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"notice-and-consent-under-dpdp-framework\"><span class=\"ez-toc-section\" id=\"Notice_And_Consent_Under_The_DPDP_Framework\"><\/span>Notice And Consent Under The DPDP Framework<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>The DPDP Act is based on the principle that personal data should normally be processed only after the individual is properly informed and has agreed to such processing. For this reason, the law first lays down rules on notice in Section 5, and then deals with consent in Section 6.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"notice-under-section-5\"><span class=\"ez-toc-section\" id=\"Notice_Under_Section_5\"><\/span>Notice Under Section 5<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>Section 5 makes it mandatory for every Data Fiduciary to give a notice to the Data Principal before or at the time of seeking consent. This notice must clearly inform the individual about what personal data will be processed and for what purpose. It must also explain how the individual can exercise her rights under the Act and how she can make a complaint to the Data Protection Board. In everyday life, we usually see such notices as privacy notices or privacy pop-ups on websites and mobile apps.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"illustration-notice\"><span class=\"ez-toc-section\" id=\"Illustration\"><\/span>Illustration<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>Suppose X opens a new mobile banking app. Before asking X to click \u201cI agree\u201d, the bank shows a screen explaining that it will collect X\u2019s name, identity details, and transaction information to open and operate the account, and also tells X how she can withdraw consent later. 
This screen is the notice required under Section 5.<\/p>\n\n\n\n<p>Rule 3 of the DPDP Rules, 2025, further explains how this notice should be given. The Rules require the notice to be presented in a clear and understandable manner, independent from other information, and in simple language. The notice must also provide easy ways for the Data Principal to withdraw consent, exercise her rights, and approach the Board in case of grievance.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"consent-under-section-6\"><span class=\"ez-toc-section\" id=\"Consent_Under_Section_6\"><\/span>Consent Under Section 6<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>Section 6 provides that consent must be free, specific, informed, unconditional, and unambiguous, and must be given through a clear affirmative action. In practice, consent is what we usually give when we click \u201cAccept\u201d or \u201cAllow\u201d after reading (or being shown) a privacy notice on an app or website. Consent is valid only for the specific purpose mentioned in the notice and only for such data as is necessary for that purpose. The Act also gives the Data Principal the right to withdraw consent at any time, and the process of withdrawing consent must be as easy as the process of giving it. If consent is withdrawn, the Data Fiduciary must stop processing the data within a reasonable time, unless the law allows such processing to continue.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"illustration-consent\"><span class=\"ez-toc-section\" id=\"Illustration-2\"><\/span>Illustration<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>If a fitness app takes a user\u2019s consent to process her health data only to track daily steps, it cannot use the same consent to send marketing messages or share the data with advertisers. 
If the user later withdraws her consent, the app must stop using her health data for tracking steps as well.<\/p>\n\n\n\n<p>The Act further allows consent to be managed through a Consent Manager, who acts on behalf of the Data Principal and must be registered with the Data Protection Board.<\/p>\n\n\n\n<p>Rule 4 of the DPDP Rules, 2025, deals with the registration and functioning of Consent Managers and lays down their duties and responsibilities.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"obligations-of-data-fiduciaries\"><span class=\"ez-toc-section\" id=\"Obligations_Of_Data_Fiduciaries\"><\/span>Obligations Of Data Fiduciaries<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>Under the DPDP Act, the Data Fiduciary carries the primary responsibility for lawful and safe processing of personal data. Section 8 provides general obligations of Data Fiduciaries:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Overall responsibility for compliance (Section 8(1)):<\/strong> The Data Fiduciary remains responsible for compliance with the Act even if the data is processed through a Data Processor. 
Outsourcing does not shift legal responsibility.<\/li>\n\n\n\n<li><strong>Engaging Data Processors only under valid contracts (Section 8(2)):<\/strong> A Data Fiduciary can use a Data Processor only under a valid contract that ensures compliance with the DPDP framework.<\/li>\n\n\n\n<li><strong>Ensuring accuracy and completeness of data (Section 8(3)):<\/strong> Where personal data is likely to be used for making decisions affecting the Data Principal or is likely to be shared, the Data Fiduciary must ensure that the data is accurate, complete, and consistent.<\/li>\n\n\n\n<li><strong>Implementing technical and organisational measures (Section 8(4)):<\/strong> The Data Fiduciary must put in place appropriate technical and organisational measures to ensure effective compliance with the Act.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"security-safeguards\"><span class=\"ez-toc-section\" id=\"Taking_Reasonable_Security_Safeguards_Section_85_And_Rule_6\"><\/span>Taking Reasonable Security Safeguards (Section 8(5) And Rule 6)<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Use of measures like encryption, masking, or similar safeguards,<\/li>\n\n\n\n<li>Controlled access to systems and data,<\/li>\n\n\n\n<li>Logging, monitoring, and review of access,<\/li>\n\n\n\n<li>Backup and recovery measures,<\/li>\n\n\n\n<li>Security-related clauses in contracts with Data Processors, and<\/li>\n\n\n\n<li>Organisational and technical steps to ensure that security measures are actually followed.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"data-breach-reporting\"><span class=\"ez-toc-section\" id=\"Reporting_Personal_Data_Breaches_Section_86_And_Rule_7\"><\/span>Reporting Personal Data Breaches (Section 8(6) And Rule 7)<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Inform the Data Protection Board without delay, and<\/li>\n\n\n\n<li>Inform the affected Data Principals in a clear and 
concise manner.<\/li>\n<\/ul>\n\n\n\n<p>Rule 7 specifies that the information must include the nature of the breach, its possible impact, and the steps taken to reduce harm.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"data-erasure\"><span class=\"ez-toc-section\" id=\"Erasure_Of_Personal_Data_When_No_Longer_Needed_Section_87\"><\/span>Erasure Of Personal Data When No Longer Needed (Section 8(7))<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The Data Principal withdraws consent, or<\/li>\n\n\n\n<li>The purpose for which the data was collected is no longer served,<\/li>\n<\/ul>\n\n\n\n<p>unless retention is required by law.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"contact-details-publication\"><span class=\"ez-toc-section\" id=\"Publishing_Contact_Details_For_Queries_And_Grievances_Section_89\"><\/span>Publishing Contact Details For Queries And Grievances (Section 8(9))<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>The Data Fiduciary must publish the business contact details of the Data Protection Officer (if applicable) or of a person who can answer questions about data processing.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"significant-data-fiduciaries\"><span class=\"ez-toc-section\" id=\"Significant_Data_Fiduciaries_SDFs\"><\/span>Significant Data Fiduciaries (SDFs)<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>The DPDP Act under section 10 creates a special category called Significant Data Fiduciaries (SDFs) for entities whose data processing activities pose higher risks to individuals.<\/p>\n\n\n\n<p>A Data Fiduciary may be classified as an SDF by the Central Government based on factors such as:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The volume of personal data processed,<\/li>\n\n\n\n<li>The sensitivity of the personal data processed,<\/li>\n\n\n\n<li>The risk of harm to the rights of Data Principals,<\/li>\n\n\n\n<li>The potential impact on the sovereignty and 
integrity of India,<\/li>\n\n\n\n<li>The risk to electoral democracy, security of the State, or public order, and<\/li>\n\n\n\n<li>Any other factor that indicates a higher level of risk from the data processing activity.<\/li>\n<\/ul>\n\n\n\n<p>For example, large social media platforms handling data of millions of users, major e-commerce marketplaces processing customer behaviour and payment details, and big fintech or banking platforms dealing with financial data may be classified as Significant Data Fiduciaries because of the scale, sensitivity, and impact of their data processing activities.<\/p>\n\n\n\n<p>Once an entity is classified as a Significant Data Fiduciary, it becomes subject to additional compliance obligations. These include:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Appointing a Data Protection Officer, who will be responsible for ensuring compliance with the Act and will serve as a point of contact for grievance redressal.<\/li>\n\n\n\n<li>Appointing an independent data auditor to carry out a data audit and evaluate the compliance of the SDF.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"rights-and-duties-of-data-principal\"><span class=\"ez-toc-section\" id=\"Rights_And_Duties_Of_The_Data_Principal\"><\/span>Rights And Duties Of The Data Principal<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>The DPDP Act gives important rights to the Data Principal, that is, the individual to whom the personal data relates. 
These rights are meant to give people real control over their personal data and to ensure that Data Fiduciaries remain accountable.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"rights-of-data-principal\"><span class=\"ez-toc-section\" id=\"Rights_Of_The_Data_Principal\"><\/span>Rights Of The Data Principal<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>Major rights of the Data Principal include:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Right to access information about processing:<\/strong> Under section 11, a Data Principal has the right to obtain information about what personal data is being processed and the identities of the Data Fiduciaries and Data Processors with whom such data has been shared. For example, if X uses an online shopping app, she can ask the company to tell her what personal data of hers is stored and with whom it has been shared, such as delivery partners or payment service providers.<\/li>\n\n\n\n<li><strong>Right to correction and erasure:<\/strong> Under section 12, a Data Principal has the right to get inaccurate or misleading personal data corrected, completed, updated, or erased, depending on the purpose for which the data is being processed. Illustration: If X finds that her address is wrongly recorded on a banking app, she can ask the bank to correct it. If she closes her account and the data is no longer needed, she can ask for erasure, unless the law requires the bank to keep it. 
Rule 8 further states that at least 48 hours before the data is erased, the Data Fiduciary must inform the Data Principal that the data will be deleted.<\/li>\n\n\n\n<li><strong>Right to grievance redressal:<\/strong> Under section 13, a Data Principal has the right to raise a grievance with the Data Fiduciary and, if not satisfied, to approach the Data Protection Board of India.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"duties-of-data-principal\"><span class=\"ez-toc-section\" id=\"Duties_Of_The_Data_Principal\"><\/span>Duties Of The Data Principal<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>Section 15 of the Act places certain duties on the Data Principal. These include:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Not impersonating another person while providing personal data,<\/li>\n\n\n\n<li>Not suppressing material information while providing personal data for documents, services, or benefits,<\/li>\n\n\n\n<li>Not filing false or frivolous complaints, and<\/li>\n\n\n\n<li>Furnishing only such information that is verifiably authentic.<\/li>\n<\/ul>\n\n\n\n<p>These duties ensure that the data protection system is not misused and that Data Fiduciaries can rely on the information provided to them.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"special-categories\"><span class=\"ez-toc-section\" id=\"Special_Categories_Children_And_Persons_With_Disabilities\"><\/span>Special Categories: Children And Persons With Disabilities<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>The DPDP Act recognises that children and persons with disabilities require a higher level of protection in matters relating to personal data. Section 9 of the Act provides that before processing the personal data of a child, who is defined as a person below eighteen years of age, the Data Fiduciary must obtain verifiable consent of the parent or lawful guardian. 
Rule 10 of the DPDP Rules, 2025, explains how such verifiable consent should be obtained and requires the Data Fiduciary to adopt appropriate technical and organisational measures to ensure that the person giving consent is actually the parent or guardian.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"illustration-child-data\"><span class=\"ez-toc-section\" id=\"Illustration-3\"><\/span>Illustration<span class=\"ez-toc-section-end\"><\/span><\/h4>\n\n\n\n<p>If a child wants to create an account on an online learning platform, the platform must first verify and obtain consent from the child\u2019s parent or guardian before collecting and using the child\u2019s personal data.<\/p>\n\n\n\n<p>A similar protective approach is taken in the case of persons with disabilities who have lawful guardians. Under Section 9 of the Act read with Rule 11 of the Rules, where a person with disability has a lawful guardian, the Data Fiduciary must obtain verifiable consent from that guardian before processing the personal data of such person, and must take due care to verify the authority of the guardian under the applicable law.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"cross-border-data-transfers\"><span class=\"ez-toc-section\" id=\"Cross-Border_Data_Transfers\"><\/span>Cross-Border Data Transfers<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>Section 16 allows digital personal data to be transferred outside India, subject to conditions notified by the Central Government. The Act follows a permissive approach and permits cross-border data flows unless a country or territory is specifically restricted by the Government. 
This ensures continuity of global digital services while keeping regulatory control with the State.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"exceptions-and-exemptions\"><span class=\"ez-toc-section\" id=\"Exceptions_And_Exemptions_Under_The_DPDP_Act_2023\"><\/span>Exceptions And Exemptions Under The DPDP Act, 2023<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>The DPDP Act provides certain exclusions and exceptions to ensure that the law does not interfere with private life and essential State functions:<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th>Category<\/th><th>Provision<\/th><th>Description<\/th><\/tr><\/thead><tbody><tr><td>Personal or domestic purposes<\/td><td>Section 3(c)(i)<\/td><td>The Act does not apply to personal data processed by an individual for purely personal or domestic use, such as private contacts or personal communications.<\/td><\/tr><tr><td>Publicly available data<\/td><td>Section 3(c)(ii)<\/td><td>The Act does not apply to personal data that is made publicly available by the Data Principal herself or by any person under a legal obligation to disclose such data.<\/td><\/tr><tr><td>Certain legitimate uses<\/td><td>Section 7<\/td><td>Processing without consent is permitted for: providing subsidies, benefits, services, certificates, licences, or permits by the State; performing functions under law; compliance with court orders or legal obligations; medical emergencies, public health situations, disasters, and breakdown of public order; employment-related purposes and safeguarding the employer from loss or liability.<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"data-protection-board-india\"><span class=\"ez-toc-section\" id=\"The_Data_Protection_Board_Of_India\"><\/span>The Data Protection Board Of India<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>The Data Protection Board of India is established under Chapter V of the 
Digital Personal Data Protection Act, 2023. Under Section 18 of the Act, the Board is established as a statutory body. It is a body corporate, having perpetual succession and a common seal, with the power to acquire, hold, and dispose of property, and to sue or be sued in its own name.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"nature-and-composition\"><span class=\"ez-toc-section\" id=\"Nature_And_Composition_Of_The_Board\"><\/span>Nature And Composition Of The Board<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>The Board shall function as a digital office, meaning that its proceedings and operations are conducted in an electronic mode rather than through traditional physical hearings. The Act allows the Board to regulate its own procedure, provided it follows the principles of natural justice.<\/p>\n\n\n\n<p>According to Section 19, the Board should consist of a Chairperson and such other Members as the Central Government may notify. The Government prescribes their qualifications, method of appointment, terms of service, and other conditions. 
Members are expected to possess knowledge and experience in fields such as data governance, information technology, law, public administration, or related areas.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"powers-and-functions\"><span class=\"ez-toc-section\" id=\"Powers_And_Functions_Of_The_Board\"><\/span>Powers And Functions Of The Board<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>The Board has important powers to:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Inquire into complaints filed by Data Principals regarding violations of their rights.<\/li>\n\n\n\n<li>Inquire into personal data breaches reported under Section 8(6) of the Act.<\/li>\n\n\n\n<li>Issue directions to Data Fiduciaries or other persons to ensure compliance with the Act.<\/li>\n\n\n\n<li>Call for information, documents, and records necessary for conducting an inquiry.<\/li>\n\n\n\n<li>Summon and examine persons relevant to the proceedings.<\/li>\n\n\n\n<li>Impose monetary penalties where non-compliance is established.<\/li>\n\n\n\n<li>Issue a warning or impose costs on the complainant if the Board finds that a complaint is false or made with malicious intent.<\/li>\n<\/ul>\n\n\n\n<p>The Board also has powers similar to those of a civil court while conducting inquiries. 
Under Section 28, the Board has the same powers as are vested in a civil court under the Code of Civil Procedure, 1908, in matters relating to:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Summoning and enforcing the attendance of any person and examining them on oath,<\/li>\n\n\n\n<li>Requiring the discovery and production of documents,<\/li>\n\n\n\n<li>Receiving evidence on affidavits,<\/li>\n\n\n\n<li>Requisitioning public records from any office.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"penalties-and-consequences\"><span class=\"ez-toc-section\" id=\"Penalties_And_Consequences_Of_Non-Compliance\"><\/span>Penalties And Consequences Of Non-Compliance<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>Section 33 provides that if the Board finds a breach of the Act, it may impose monetary penalties as specified in the Schedule. Below is a summary of the penalties provided in the Schedule:<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th>Type Of Violation<\/th><th>Maximum Penalty<\/th><\/tr><\/thead><tbody><tr><td>Failure to take reasonable security safeguards to prevent personal data breach (Section 8(5))<\/td><td>Up to \u20b9250 crore<\/td><\/tr><tr><td>Failure to notify the Board and affected Data Principals of a personal data breach (Section 8(6))<\/td><td>Up to \u20b9200 crore<\/td><\/tr><tr><td>Failure to fulfil additional obligations in relation to children\u2019s data (Section 9)<\/td><td>Up to \u20b9200 crore<\/td><\/tr><tr><td>Failure to fulfil additional obligations of Significant Data Fiduciaries (Section 10)<\/td><td>Up to \u20b9150 crore<\/td><\/tr><tr><td>Failure to comply with the duties of the Data Principal (Section 15)<\/td><td>Up to \u20b910,000<\/td><\/tr><tr><td>Breach of any other provision of the Act not specifically listed above<\/td><td>Up to \u20b950 crore<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p>The Act follows a civil penalty model, meaning penalties are 
monetary and not criminal in nature.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"appellate-structure\"><span class=\"ez-toc-section\" id=\"Appellate_Structure\"><\/span>Appellate Structure<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>If a person or organisation is aggrieved by an order of the Data Protection Board, Section 29 provides the right to appeal before the Telecom Disputes Settlement and Appellate Tribunal (TDSAT) within sixty days from the date of receipt of the order. The Tribunal has the power to confirm, modify, or set aside the Board\u2019s order. Further appeal lies to the Supreme Court of India on substantial questions of law.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"compliance-roadmap\"><span class=\"ez-toc-section\" id=\"Compliance_Roadmap_Under_The_DPDP_Act_And_Rules\"><\/span>Compliance Roadmap Under The DPDP Act And Rules<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>With the notification of the DPDP Rules on 14 November 2025, India\u2019s digital personal data protection framework became fully operational and entered a phase-wise compliance timeline that gives organisations and other entities time to adjust systems and adopt responsible data practices. 
The Rules specify an 18-month phased compliance period to allow a smooth transition to full enforcement.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"implementation-timeline\"><span class=\"ez-toc-section\" id=\"Key_Implementation_Timeline\"><\/span>Key Implementation Timeline<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>14 November 2025:<\/strong> Rules 1-2 (Title &amp; Definitions) and Rules 17-21 (Administrative rules for Data Protection Board setup) are immediately active and enforceable.<\/li>\n\n\n\n<li><strong>13 November 2026:<\/strong> Rule 4 (Registration of Consent Managers) becomes active.<\/li>\n\n\n\n<li><strong>13 May 2027:<\/strong> The 18-month compliance deadline for all substantive obligations under the DPDP Act and the Rules, such as notices, consent mechanisms, security safeguards, breach reporting, data principal rights, and obligations for Significant Data Fiduciaries (SDFs), becomes effective.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"challenges-in-implementation\"><span class=\"ez-toc-section\" id=\"Challenges_In_Implementation\"><\/span>Challenges In Implementation<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Updating Existing Systems:<\/strong> Many organisations will need to redesign their websites, apps, consent forms, privacy policies, and internal systems to meet the new notice and consent requirements.<\/li>\n\n\n\n<li><strong>Managing User Rights Efficiently:<\/strong> Companies must create simple systems for users to access, correct, erase, or withdraw consent. Handling large volumes of such requests can be difficult.<\/li>\n\n\n\n<li><strong>Data Security Readiness:<\/strong> Organisations must strengthen their technical safeguards such as encryption, access controls, logging, and monitoring. 
Smaller businesses may struggle with the cost and expertise required.<\/li>\n\n\n\n<li><strong>Breach Detection And Reporting:<\/strong> The law requires quick reporting of personal data breaches. Companies must have proper internal processes to detect breaches and inform the Board and affected individuals without delay.<\/li>\n\n\n\n<li><strong>Awareness And Training:<\/strong> Employees and management must understand their responsibilities under the Act. Lack of awareness may lead to accidental non-compliance.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"conclusion\"><span class=\"ez-toc-section\" id=\"Conclusion\"><\/span>Conclusion<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>The Digital Personal Data Protection Act, 2023 and the DPDP Rules, 2025, bring an important change in how personal data is protected in India. For the first time, India now has a clear legal framework that explains how digital personal data should be collected, used, stored, and deleted. The law gives individuals specific rights over their personal data and places clear responsibilities on organisations that handle such data.<\/p>\n\n\n\n<p>The phased compliance timeline gives companies enough time to prepare and update their systems. The creation of the Data Protection Board and the system of Consent Managers helps ensure that the law is properly implemented and monitored. By May 2027, when full compliance becomes mandatory, data protection will become a regular and essential part of how organisations operate.<\/p>
\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"FAQs_on_the_DPDP_Act_and_Rules\"><\/span>FAQs on the DPDP Act and Rules<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What is the DPDP Act?<\/strong><br>The Digital Personal Data Protection Act, 2023, is India\u2019s primary law regulating the processing of digital personal data with a focus on consent, transparency, accountability, and individual rights.<\/li>\n\n\n\n<li><strong>When were the DPDP Rules notified?<\/strong><br>The DPDP Rules, 2025, were notified on 14 November 2025, operationalising most of the substantive provisions of the Act.<\/li>\n\n\n\n<li><strong>What is a Consent Manager?<\/strong><br>A Consent Manager is a registered entity that helps Data Principals give, manage, review, and withdraw consent across multiple Data Fiduciaries 
through interoperable platforms.<\/li>\n\n\n\n<li><strong>Who is a Data Protection Officer (DPO)?<\/strong><br>A Data Protection Officer is a person appointed by a Significant Data Fiduciary under Section 10 of the DPDP Act. The DPO is responsible for ensuring that the organisation complies with the Act and the Rules. The DPO also acts as a contact point for Data Principals who want to raise grievances or ask questions about the processing of their personal data.<\/li>\n\n\n\n<li><strong>Does the Act apply to personal or family use of data?<\/strong><br>No. The Act does not apply to personal data processed by an individual for purely personal or domestic purposes.<\/li>\n\n\n\n<li><strong>What happens if a company fails to comply with the Act?<\/strong><br>If a company fails to comply, the Data Protection Board of India can impose monetary penalties. The amount depends on the nature and seriousness of the violation.<\/li>\n<\/ul>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p><strong>Award-Winning Article Written By:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Ms. Jayeeta Mandal,<\/strong> 4th Year B.A. LL.B. Student at Asian Law College, Noida<\/li>\n\n\n\n<li><strong>Ms. Yoshita Manral<\/strong>, 4th Year B.A. LL.B. 
Student at Asian Law College, Noida<\/li>\n<\/ul>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter\"><img decoding=\"async\" src=\"\/images\/certificate-excellence-legal-service-india.webp\" alt=\"Certificate of Excellence awarded by Legal Service India\"\/><\/figure>\n<\/div>\n\n\n<p class=\"has-text-align-center\">Authentication No: APR645868833592-02-0426<\/p>\n<\/blockquote>\n","protected":false},"excerpt":{"rendered":"<p>Introduction And Background For many decades, Indian law did not have a comprehensive data protection framework, and issues relating to personal data were addressed only indirectly through constitutional provisions, sectoral regulations, and general principles of administrative and criminal law. This changed decisively with the landmark judgment of the Supreme Court in Justice K.S. Puttaswamy (Retd.)<\/p>\n","protected":false},"author":1319,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_bbp_topic_count":0,"_bbp_reply_count":0,"_bbp_total_topic_count":0,"_bbp_total_reply_count":0,"_bbp_voice_count":0,"_bbp_anonymous_reply_count":0,"_bbp_topic_count_hidden":0,"_bbp_reply_count_hidden":0,"_bbp_forum_subforum_count":0,"two_page_speed":[],"_jetpack_memberships_contains_paid_content":false,"_joinchat":[],"footnotes":""},"categories":[97],"tags":[3343,28],"class_list":{"0":"post-20997","1":"post","2":"type-post","3":"status-publish","4":"format-standard","6":"category-technology-laws","7":"tag-technology-laws","8":"tag-top-news"},"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.legalserviceindia.com\/Legal-Articles\/wp-json\/wp\/v2\/posts\/20997","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.legalserviceindia.com\/Legal-Articles\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.legalserviceindia.com\/Legal-Articles\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":tr
ue,"href":"https:\/\/www.legalserviceindia.com\/Legal-Articles\/wp-json\/wp\/v2\/users\/1319"}],"replies":[{"embeddable":true,"href":"https:\/\/www.legalserviceindia.com\/Legal-Articles\/wp-json\/wp\/v2\/comments?post=20997"}],"version-history":[{"count":0,"href":"https:\/\/www.legalserviceindia.com\/Legal-Articles\/wp-json\/wp\/v2\/posts\/20997\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.legalserviceindia.com\/Legal-Articles\/wp-json\/wp\/v2\/media?parent=20997"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.legalserviceindia.com\/Legal-Articles\/wp-json\/wp\/v2\/categories?post=20997"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.legalserviceindia.com\/Legal-Articles\/wp-json\/wp\/v2\/tags?post=20997"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}