🇮🇳
Digital Personal Data Protection Act, 2023
Act No. 22 of 2023 — Assented August 11, 2023
India's comprehensive data protection law governing the processing of digital personal data. The DPDP Act applies to personal data collected in digital form (or digitized from non-digital sources) within India, and to processing outside India if it relates to offering goods/services to individuals in India. The DPDP Rules 2025 provide the detailed implementation framework.
₹250 Cr
maximum penalty (~$30M USD)
per violation
Key Terminology (Section 2)
Data Principal
The individual whose personal data is processed (equivalent to "data subject" in GDPR)
Data Fiduciary
Entity that determines purpose and means of processing (equivalent to "data controller")
Data Processor
Entity that processes data on behalf of the Data Fiduciary
Significant Data Fiduciary
Entities notified by the government based on volume, sensitivity, or risk — face additional obligations
Consent Manager
Registered entity that manages consent on behalf of Data Principals through an accessible platform
Data Protection Board
Independent adjudicatory body that handles complaints, investigations, and imposes penalties
Personal Data
Any data about an individual who is identifiable by or in relation to such data
Digital Personal Data
Personal data collected in digital form or digitized from non-digital form
Grounds for Processing (Sections 4-7)
Consent (Primary Basis)
- Must be free, specific, informed, unconditional, and unambiguous
- Given through a clear affirmative action
- Must be accompanied by an itemized notice in clear, plain language
- Available in English + 22 scheduled languages of India
- Can be withdrawn at any time — as easy to withdraw as to give
- For children (<18): verifiable parental/guardian consent required
- Consent Managers can facilitate consent management
Legitimate Uses (Without Consent)
- Specified purpose: Data voluntarily provided for a specific purpose
- State functions: Subsidies, benefits, licenses, permits, services by the State
- Legal obligations: Compliance under any Indian law
- Medical emergencies: Response to threats to life or health
- Employment: Processing for employment purposes (prevention of loss, attendance, etc.)
- Public interest: Mergers, insolvency, debt recovery, credit scoring, fraud prevention
Banking context:
Indian banks can rely on "legitimate uses" for KYC/AML obligations, loan processing, credit scoring, and fraud prevention. However, marketing communications, cross-selling, and data sharing with third parties generally require explicit consent.
Data Principal Rights (Sections 11-14)
Right to Information
Summary of data processed and processing activities
Right to Access
Obtain summary of personal data and processing
Right to Correction
Correct inaccurate or misleading data
Right to Erasure
Delete data no longer needed for stated purpose
Right to Grievance
File complaints with the Data Fiduciary
Right to Nominate
Nominate representative in case of death or incapacity
Data Principal Duties
Must not file false complaints, provide false data, or impersonate others when exercising rights. Penalties up to ₹10,000 for violations.
Data Fiduciary Obligations (Sections 8-10)
| Obligation | Section | Details | Platform Feature |
|---|---|---|---|
| Notice Before Consent | § 5-6 | Provide itemized notice with description of data, purpose, grievance mechanism, and rights | Glossary — document data purposes |
| Purpose Limitation | § 4 | Process data only for the purpose consented to; delete when purpose is fulfilled | Technical Metadata — map data to purposes |
| Data Accuracy | § 8(3) | Ensure personal data is complete, accurate, and consistent — especially for decisions affecting the Data Principal | CDE Registry — quality controls |
| Reasonable Security | § 8(4) | Implement reasonable security safeguards to prevent data breaches | Data Classification |
| Breach Notification | § 8(6) | Notify the Data Protection Board and affected Data Principals of any personal data breach | Audit Log |
| Data Retention Limits | § 8(7) | Erase personal data when consent is withdrawn or purpose is fulfilled (unless legally required to retain) | Lineage — track data lifecycle |
| Grievance Redressal | § 8(10) | Publish contact details of a Data Protection Officer or grievance officer | Users & Roles |
Significant Data Fiduciary (SDF) Obligations (Section 10)
Who qualifies? The Central Government notifies entities as SDFs based on: volume and sensitivity of personal data processed, risk to Data Principals' rights, potential impact on sovereignty/security, and other relevant factors. Major banks are likely to be designated as SDFs.
Additional SDF Requirements
- Appoint a Data Protection Officer (DPO) based in India
- Appoint an independent data auditor
- Conduct Data Protection Impact Assessments (DPIA)
- Periodic audits to verify compliance
- Additional reporting to the Data Protection Board
DPDP Rules 2025: SDF Specifics
- DPO must represent the SDF before the Data Protection Board
- Annual data protection impact assessment required
- Audit by independent registered auditor at least annually
- Algorithmic transparency: clear descriptions of significant automated processing
- Data protection impact reports to be filed with the Board
Cross-Border Data Transfers (Section 16)
Permitted Approach
The DPDP Act uses a negative list approach: personal data may be transferred to any country except those specifically restricted by the Central Government via notification. This differs from GDPR's adequacy-based approach.
Restrictions
- Central Government can restrict transfers to specific countries
- RBI data localization: payment system data must be stored in India
- Sectoral regulators (SEBI, IRDAI) may impose additional restrictions
- Government and critical personal data may face stricter rules
Penalty Structure (Schedule)
| Violation | Maximum Penalty |
|---|---|
| Failure to take reasonable security safeguards to prevent data breach | ₹250 Crore (~$30M) |
| Failure to notify Data Protection Board & affected individuals of breach | ₹200 Crore (~$24M) |
| Non-fulfillment of obligations relating to children's data | ₹200 Crore (~$24M) |
| Non-fulfillment of additional SDF obligations | ₹150 Crore (~$18M) |
| Any other non-compliance with the Act | ₹50 Crore (~$6M) |
| Data Principal filing false/frivolous complaints or providing false information | ₹10,000 (~$1,200) |
Note:
The Data Protection Board of India (DPBI) adjudicates complaints and determines penalties. Unlike GDPR, the DPDP Act does not have a percentage-of-revenue penalty model. Penalties are fixed maximums per violation type.
Legislative Timeline
2017
Supreme Court declares privacy a fundamental right (Justice K.S. Puttaswamy v. Union of India)
2018
Justice B.N. Srikrishna Committee submits draft Personal Data Protection Bill
2019
Personal Data Protection Bill, 2019 introduced in Parliament
2022
Bill withdrawn; fresh Digital Personal Data Protection Bill drafted
Aug 2023
DPDP Act 2023 passed by Parliament and receives Presidential assent
Jan 2025
Draft DPDP Rules 2025 published for public consultation
2025
Expected: Final rules notified and phased enforcement begins
Banking-Specific Considerations (RBI)
Indian banks must comply with both the DPDP Act and existing Reserve Bank of India (RBI) guidelines:
RBI Data Requirements
- Payment Data Localization (2018): All payment system data must be stored exclusively in India
- Master Direction on IT Governance: Comprehensive data governance framework for regulated entities
- KYC Master Direction: Customer data collection, verification, and retention requirements
- Cyber Security Framework: Incident reporting within 6 hours to CERT-In
Practical Implications
- Banks likely to be designated as Significant Data Fiduciaries
- Must appoint DPO + independent data auditor
- Consent management systems needed for marketing and cross-selling
- Multilingual notice support (22 scheduled languages)
- Children's data: no behavioral tracking or targeted advertising for minors