Understanding Digital Data Protection in India – Key Frequently Asked Questions (FAQs) 

Posted On - 14 April, 2026

With innovations in the field of technology, data pertaining to individuals has gained significant importance. The late 2010s saw the emergence of comprehensive data protection laws across the globe, including the landmark General Data Protection Regulation (“GDPR”) introduced in the European Union. The Digital Personal Data Protection Act, 2023 (“DPDP Act”/ “Act”) is India’s key legislation prescribing how digital personal data is collected and processed. Prior to the DPDP Act, reliance was placed on the Information Technology Act, 2000 (“IT Act”) and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (“IT SPDI Rules”), which provided only basic protections for privacy.

Subsequent to the recognition of the ‘Right to privacy’ under Article 21 of the Constitution of India by the Supreme Court[1], the Government of India formed the Justice B.N. Srikrishna Committee on Data Protection, which submitted its 2018 report with a draft Data Protection Bill. After multiple draft iterations and extensive consultations with diverse stakeholders, the Ministry of Electronics and Information Technology (“MeitY”) introduced the Digital Personal Data Protection Bill, 2022. Following its passage by Parliament and presidential assent on August 11, 2023, the Bill was enacted as the DPDP Act. It aims to protect individual privacy while allowing organisations, including businesses and government bodies, to use personal data in a lawful and responsible manner. The DPDP Act emphasises transparency and accountability in the processing of personal data, while also establishing robust obligations for the entities collecting digital personal data. The Digital Personal Data Protection Rules, 2025 (“DPDP Rules”) supplement the provisions of the Act and detail the process of implementation.

Through its notification dated 13 November 2025, the Government has provided for a phased enforcement of the DPDP Act and the DPDP Rules[2], whereby (1) the definitions and the establishment of the Data Protection Board (“DPB”/ “Board”) come into effect on 13 November 2025; (2) the provisions dealing with the registration of Consent Managers and breach of registration will come into effect a year later, on 13 November 2026; and (3) the key provisions dealing with the obligations and penalties of key stakeholders will become effective on 13 May 2027.

These FAQs aim to clarify the key provisions of the DPDP Act and DPDP Rules, as well as the associated compliance requirements and are structured in the following parts:

PART I: KEY DEFINITIONS AND SCOPE

  1. How are ‘data’ and ‘personal data’ defined under the DPDP Act?

The term ‘data’ is broadly defined as any representation of information, facts, concepts, opinions or instructions in a form suitable for communication, interpretation or processing.[3] In contrast, ‘personal data’ refers specifically to information about an individual who can be identified, directly or indirectly, through such data. Examples include a person’s name, phone number or email address.[4]

It is significant to note that the DPDP Act does not differentiate between sensitive and non-sensitive personal data, unlike the current classification under the IT SPDI Rules.

  2. How is ‘processing’ of personal data defined under the DPDP Act?

The definition of the term ‘processing’ is significant, as the obligations and safeguards under the law are triggered by the act of processing personal data. In relation to personal data, the term ‘processing’ refers to any operation, whether fully or partly automated, performed on digital personal data. It includes activities such as collecting, recording, organising, storing, modifying, retrieving, using, combining, sharing, disclosing, restricting, erasing or destroying data.[5] It is pertinent to note that processing is not limited to complex technical operations; it also covers the routine handling of data.

For example: collecting a customer’s email address for a newsletter, or storing patient records in a hospital database, both constitute ‘processing’.

  3. Who are the key stakeholders defined under the DPDP Act?

The DPDP framework comprises certain key stakeholders[6], each playing a distinct role with varying obligations:

  1. Data Principal: an individual whose personal data is being processed. It also includes (i) the parent or lawful guardian where such person is a child and (ii) the lawful guardian where such person is a person with disability.
  2. Consent Manager: a registered entity that enables a Data Principal to manage and communicate their consent.
  3. Data Fiduciary: a person who determines the purpose and means of processing personal data.
  4. Data Processor: a person who processes the personal data of Data Principals on behalf of the Data Fiduciary.

  4. How are ‘Significant Data Fiduciaries’ identified under the DPDP Act and DPDP Rules?

Under the DPDP Act and the DPDP Rules, the Central Government shall identify Significant Data Fiduciaries based on an assessment of several factors, including (i) the volume and sensitivity of personal data processed, (ii) risks to the rights of Data Principals, (iii) the potential impact on sovereignty and integrity, (iv) risks to electoral democracy, (v) security of the State and (vi) public order.[7]

  5. What is the scope of applicability of the provisions of the DPDP Act?

The DPDP Act applies to the processing of digital personal data within India. This includes data collected directly in digital form as well as data initially collected in non-digital form and subsequently digitized. The Act also applies to the processing of digital personal data outside India when such processing is related to the offering of goods or services to Data Principals located in India.

However, it is pertinent to note that the DPDP Act does not apply to personal data:

  1. processed by an individual for any personal or domestic purpose; or
  2. made publicly available by the Data Principal concerned or by any other person under a legal obligation to do so.[8]

  6. What are the exemptions to the applicability of the provisions of the DPDP Act?

The DPDP Act exempts processing from the provisions dealing with the obligations of Data Fiduciaries (other than the general obligations of Data Fiduciaries stated in Section 8(1) to (5)), the rights of Data Principals and the cross-border transfer of data, when the processing of personal data is:

  1. for enforcing any legal right or claim;
  2. by a court or tribunal for judicial, quasi-judicial, regulatory or supervisory function;
  3. for prevention, detection, investigation or prosecution of any offence or contravention of law;
  4. pursuant to any contract between any person inside India and any person outside India;
  5. necessary for a court- or authority-approved scheme of compromise, arrangement, merger, amalgamation, demerger, reconstruction, division or transfer of an undertaking between companies; and
  6. for ascertaining the financial information, assets and liabilities of a person who has defaulted on a loan or advance from a financial institution, in accordance with the applicable laws governing information or data disclosure.[9]

Additionally, the provisions of the DPDP Act shall not apply to (i) instrumentalities of the State processing personal data in the interests of the sovereignty and integrity of India, the security of the State, friendly relations with foreign States, the maintenance of public order or the prevention of incitement to cognizable offences relating to these matters; and (ii) processing necessary for research, archiving or statistical purposes, if the personal data is not to be used to take any decision specific to a Data Principal.[10]

  7. How does the DPDP Act interplay with other Indian laws such as the IT Act, 2000, the IT SPDI Rules or sectoral regulations?

Section 44(2) of the DPDP Act amends certain provisions of the IT Act, including the omission of Section 43A of the IT Act dealing with compensation for failure to protect sensitive personal data or information. With respect to other sectoral regulations, the provisions of the DPDP Act shall be in addition to, and not in derogation of, any other law. However, in case of conflict, the provisions of the DPDP Act shall prevail.[11]

  8. How does the DPDP Act compare with the GDPR, the California Consumer Privacy Act (“CCPA”) and other global data protection laws?

The DPDP Act draws inspiration from major global privacy frameworks, including the GDPR and U.S. laws such as the CCPA, particularly in its emphasis on (i) obtaining free, informed, and specific consent, and (ii) mandating the adoption of robust technical and organizational safeguards for protecting personal data.

PART II: CONSENT AND OBTAINING OF CONSENT

  9. What elements must a Data Fiduciary include in the notice provided to a Data Principal, either prior to or at the time of seeking consent, under the DPDP Act and DPDP Rules?

A Data Fiduciary must provide a notice in clear and plain language to the Data Principal, prior to or at the time of seeking consent, that includes: (i) an itemised description of the personal data to be processed, the specific purpose and a specific description of the goods and services to be provided or uses to be enabled by such processing; (ii) the manner in which the Data Principal may exercise rights, withdraw consent and file grievances, including escalating complaints to the DPB; and (iii) the contact details of the Data Fiduciary or the Consent Manager.[12]

The notice must be clear and understandable on its own, independent of any other information provided by the Data Fiduciary.[13]

A notice must also be issued to Data Principals whose consent was obtained before the commencement of the DPDP Act.[14]

  10. Is any specific training or awareness required for employees?

The DPDP Act does not expressly mandate employee training or awareness programmes. However, from a practical standpoint, employees of Data Fiduciaries processing personal data must be aware of the rights of the Data Principal and the obligations associated with processing personal data.

  11. How should consent be obtained from the Data Principal?

A valid consent under the DPDP Act must be expressed through a clear affirmative action by the Data Principal. Every request for consent from the Data Fiduciary must be in clear and plain language, with an option of accessing such request in English or in any language specified in the Eighth Schedule of the Constitution of India. The request must include the contact details of the Data Protection Officer, in the case of a Significant Data Fiduciary, or of an authorised contact person for any other Data Fiduciary, to respond to communications regarding the purpose of collection of data.[15]

It should be noted that any consent sought by the Data Fiduciary and given by the Data Principal, to the extent that it violates the provisions of the DPDP Act or the DPDP Rules, shall be invalid.[16]

For example: X, an individual, provides consent through Y’s mobile app or website, where Y is a service provider. X provides her consent to Y for (i) processing her personal data for the provision of services, and (ii) waiving her right to file a complaint with the DPB. While the first component constitutes valid consent for data processing, the second component, seeking to waive the statutory right to complain, is void and unenforceable.

  12. How is the consent of Data Principals obtained in the case of children and persons with disabilities?

The consent of a child or a person with disability must be obtained through the verifiable consent of a parent or lawful guardian.[17] The Data Fiduciary must adopt appropriate technical and organisational measures to ensure that verifiable parental consent is obtained before processing a child’s personal data, while exercising due diligence to verify that the person identifying as the parent is an identifiable adult, as required under applicable Indian law.[18]

  13. What is a valid consent under the DPDP Act?

A valid consent under the DPDP Act must be freely given, specific, informed, unconditional and unambiguous, and expressed through a clear affirmative action. It must be limited to the personal data necessary for a specified purpose, and the consent must signify agreement to the processing of personal data for that specified purpose.[19]

For example: When a Data Principal installs a food delivery app, the notice and request for consent must include specific details regarding:

  1. Data collected: Address and phone number
  2. Purpose: Delivery of the order
  3. Manner of grievance redressal and filing complaint to DPB
  4. Contact details of person to resolve issues regarding purpose of data collection

Further, the consent checkbox must not be pre-ticked; it must be ticked by the Data Principal personally.

  14. Under what circumstances are Data Fiduciaries permitted to process digital personal data without obtaining consent from the Data Principal?

Personal data can be processed without the consent of the Data Principal for certain legitimate uses, including when:

  1. the data is voluntarily provided for a specified purpose and consent has not been withdrawn;
  2. benefits are to be provided by the State or its instrumentalities;
  3. the matter relates to national security or the sovereignty and integrity of the State;
  4. compliance is required with any judgement, decree or order;
  5. a medical emergency arises, or health services are to be provided during an epidemic, outbreak or any other threat to public health;
  6. services are provided during any disaster; and
  7. the processing is for the purposes of employment or to protect legitimate business interests, including trade secrets and intellectual property.[20]

  15. What are the consequences of withdrawal of consent under the DPDP Act?

Upon withdrawal of consent by the Data Principal, the Data Fiduciary must stop processing the personal data within a reasonable time and ensure that any Data Processor also ceases processing, unless continued processing is permitted under law.[21] Any processing carried out before withdrawal remains lawful, though the Data Principal may lose access to services that depended on such consent.[22]

  16. What are the obligations of Data Fiduciaries when consent is refused or partially granted?

When a Data Principal refuses or partially grants consent, the Data Fiduciary must limit processing strictly to what is permitted and cease processing for any purpose for which consent is denied or withdrawn.

  17. What is the process prescribed under the DPDP Act and DPDP Rules for the registration of Consent Managers?

Consent Managers are required to register with the DPB.[23] The registration conditions are outlined in Part A of Schedule I to the DPDP Rules[24], which mandate that applicants be companies incorporated in India possessing adequate financial resources and the capability to implement suitable technical and operational measures for compliance with the DPDP Act.

  18. What is the role of Consent Managers in obtaining and withdrawing consent?

Consent Managers act as intermediaries that enable individuals to provide, review, and withdraw consent for the processing of their personal data. Consent Managers are accountable to the Data Principal and function under regulatory oversight, thereby ensuring that personal data management is transparent, reliable, and firmly under the control of the Data Principal.

However, it is pertinent to note that it is not mandatory for Data Fiduciaries to appoint a Consent Manager.

PART III: OBLIGATIONS UNDER THE PROVISIONS OF THE DPDP ACT

  19. What rights are available to Data Principals under the DPDP Act, and what are the corresponding obligations on Data Fiduciaries?

In addition to the general obligations, the rights granted to Data Principals impose certain duties on Data Fiduciaries. These include:

  1. Right to access information about personal data being processed[25]. Duty of the Data Fiduciary: provide (a) a summary of the processing of the personal data; (b) details of all other Data Fiduciaries and Data Processors with whom the data has been shared; and (c) any other information related to the personal data of such Data Principal.
  2. Right to seek correction and erasure of personal data[26]. Duty: correct inaccurate or misleading personal data; complete incomplete personal data; update the personal data; and erase the personal data.
  3. Right to seek grievance redressal[27]. Duty: respond to grievances.
  4. Right to nominate a nominee to act on their behalf upon death or incapacitation[28]. Duty: recognise the nominated individual and the exercise of rights by that nominee.

  20. How can Data Principals exercise their rights practically?

Data Principals can exercise their rights through digital tools such as apps and web portals that may be created by Data Fiduciaries for effective grievance redressal.

Further, the rights of the Data Principal involving the provision and withdrawal of, and access to, consent can be exercised through a Consent Manager. The Consent Manager must provide a mechanism through its platform that allows a Data Principal to grant consent for the processing of her personal data by a Data Fiduciary registered on the platform. Such consent may be given either directly to the concerned Data Fiduciary or indirectly through another onboarded Data Fiduciary that holds the Data Principal’s personal data with her prior consent.[29]

Example 1 (Direct Consent via Platform): B1 requests X’s consent on platform P to access her bank account statement stored in her digital locker. X grants consent directly to B1 through P and allows access to the statement.

Example 2 (Consent Routed Through Another Data Fiduciary): B1 requests X’s consent on platform P to access her bank account statement held by B2. X provides consent via P, instructing B2 to share the statement with B1. B2 then transfers the statement to B1.

  21. What constitutes ‘reasonable security safeguards’ that must be implemented by Data Fiduciaries under the DPDP Act?

The DPDP Act[30] read with the DPDP Rules[31] provides an indicative list of minimum reasonable security safeguards that Data Fiduciaries must implement to prevent personal data breaches, including:

  1. Data protection: Encryption, obfuscation, and masking of personal data.
  2. Access controls: Restricting access to the systems of Data Fiduciaries and Data Processors.
  3. Monitoring and detection: Logging, monitoring, and reviewing systems to detect unauthorised access.
  4. Incident response: Investigating breaches and updating systems to prevent recurrence.
  5. Contract with Data Processor: appropriate provisions, wherever applicable, in the contract between the Data Fiduciary and the Data Processor requiring the Data Processor to take reasonable security safeguards.
  6. Retention and backups: Retaining logs for one year for detection, investigation, and remediation, and maintaining data backups to ensure continuity and protect confidentiality, integrity, and availability.
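
As an added illustration (this is not code from the article, the DPDP Rules or any particular Data Fiduciary), the following Python sketch shows three of the listed safeguards working together on constructed sample data: masking of an email address and phone number before they reach a log, an access log that stores only masked identifiers and is purged after one year, and a simple review check that flags an actor reading an unusual number of Data Principals’ records within a short window. The masking formats, the `AccessLog` class, the one-year purge and the bulk-read threshold are assumptions of this example, not requirements of the Rules.

```python
"""Masking, access logging and log review: three safeguards from the indicative list.

Added example; not code from the article, the DPDP Rules or any Data
Fiduciary. The masking formats, the AccessLog class, the one-year purge and
the bulk-read threshold are assumptions chosen for illustration.
"""
import re
from datetime import datetime, timedelta, timezone
from typing import Dict, List

LOG_RETENTION = timedelta(days=365)   # logs kept for one year, per the indicative list


def mask_email(email: str) -> str:
    """Keep the first character of the local part and the whole domain."""
    local, _, domain = email.partition("@")
    if not local or not domain:
        raise ValueError("not an e-mail address")
    return local[0] + "*" * (len(local) - 1) + "@" + domain


def mask_phone(phone: str) -> str:
    """Keep only the last four digits; every other digit becomes '*'."""
    digits = re.sub(r"\D", "", phone)
    if len(digits) < 4:
        raise ValueError("too short to mask")
    return "*" * (len(digits) - 4) + digits[-4:]


def mask_record(record: Dict[str, str]) -> Dict[str, str]:
    """Copy of the record with e-mail and phone masked; the internal id is kept for correlation."""
    out = dict(record)
    if "email" in out:
        out["email"] = mask_email(out["email"])
    if "phone" in out:
        out["phone"] = mask_phone(out["phone"])
    return out


class AccessLog:
    """Append-only log of operations on Data Principal records; stores masked PII only."""

    def __init__(self) -> None:
        self.entries: List[dict] = []

    def record(self, when: datetime, actor: str, action: str, subject: Dict[str, str]) -> None:
        # Only the masked copy is written, so a leaked log exposes little personal data.
        self.entries.append({"when": when, "actor": actor, "action": action,
                             "subject": mask_record(subject)})

    def purge(self, now: datetime) -> int:
        """Drop entries older than the retention period; return how many were removed."""
        cutoff = now - LOG_RETENTION
        before = len(self.entries)
        self.entries = [e for e in self.entries if e["when"] >= cutoff]
        return before - len(self.entries)

    def bulk_readers(self, now: datetime, window: timedelta, threshold: int) -> List[str]:
        """Actors who read more than `threshold` distinct Data Principals within `window`."""
        seen: Dict[str, set] = {}
        for e in self.entries:
            if e["action"] == "read" and e["when"] >= now - window:
                seen.setdefault(e["actor"], set()).add(e["subject"]["id"])
        return sorted(actor for actor, ids in seen.items() if len(ids) > threshold)


def run_demo(now: datetime = datetime(2027, 6, 1, tzinfo=timezone.utc)):
    """Constructed sample events (not real data): one stale entry, one ordinary read,
    and a service account reading three different records within ten minutes."""
    subjects = [
        {"id": "dp-1", "email": "priya.sharma@example.com", "phone": "+91 98765 43210"},
        {"id": "dp-2", "email": "arjun@example.org", "phone": "+91 91234 56789"},
        {"id": "dp-3", "email": "m.rao@example.net", "phone": "+91 99887 76655"},
    ]
    log = AccessLog()
    log.record(now - timedelta(days=400), "agent-17", "read", subjects[0])   # older than a year
    log.record(now - timedelta(hours=2), "agent-17", "read", subjects[1])
    for i, s in enumerate(subjects):
        log.record(now - timedelta(minutes=5 * i), "svc-analytics", "read", s)
    purged = log.purge(now)
    flagged = log.bulk_readers(now, window=timedelta(hours=1), threshold=2)
    return purged, flagged, log.entries[0]["subject"]["email"]


if __name__ == "__main__":
    print(run_demo())
```

The point of keeping the masked copy in the log rather than the raw values is that the log itself then needs a far weaker protection level than the primary store, which matters because logs are commonly the widest-read artefact in an organisation. The bulk-read check is deliberately crude; in practice the threshold would be set per role from observed baselines.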

  22. Do organisations need to update their privacy policies and practices? If so, how should they be amended?

Organizations acting as Data Fiduciaries have certain general obligations under the DPDP Act such as updating their privacy policies to obtain consent from Data Principals in accordance with the DPDP Act. Data Fiduciaries must also follow data-minimization principles ensuring that excessive or irrelevant data collection is avoided and put in place reasonable security safeguards. Further, third-party Data Processors must implement similar security safeguards. Grievance redressal mechanisms should allow Data Principals to access, correct, or erase their data, and data-breach response plans must provide for timely intimation to the Board and affected individuals as required under the DPDP Act.

  23. How should organisations structure internal governance for DPDP compliance?

While the DPDP Act does not explicitly provide an obligation on Data Fiduciaries to institute internal structures, from a practical standpoint, Data Fiduciaries must consider adopting an internal governance policy to ensure accountability and effective oversight of the processing of digital personal data. Organizations may establish a data protection committee to oversee implementation, risk assessments, incident response, and ongoing compliance monitoring. Clear allocation of roles and responsibilities, regular employee training regarding data privacy, periodic audits, and formal escalation mechanisms for data breaches or complaints are essential components of an effective governance structure to ensure compliance with the DPDP Act.

  24. How long can digital personal data be retained by the Data Fiduciary?

Data Fiduciaries must keep personal data, traffic data (e.g., IP logs) and processing logs for at least one year from the date of processing, but only for the purposes set out in the Seventh Schedule, which include use by the State or any of its instrumentalities.[32]

Data Fiduciaries specified in the Third Schedule of the DPDP Rules (e-commerce platforms, online gaming intermediaries and social media intermediaries meeting certain user thresholds) must erase personal data 3 years after the Data Principal’s last interaction for the specified purpose or the last exercise of rights by the Data Principal.

At least 48 hours before the erasure deadline, the Data Fiduciary must notify the Data Principal, typically via email, app notification or a similar channel. This notice warns of the impending deletion of the personal data unless the Data Principal initiates contact for the original specified purpose or exercises their rights related to data processing.[33]
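
The Third Schedule rule above is a scheduling problem: every record carries an erasure date three years after the last interaction, a notice must go out at least 48 hours before that date, and a fresh interaction restarts the clock. The following Python scheduler is an added example, not code from the article, the DPDP Rules or any Data Fiduciary; the `RetentionRecord` class, the `next_action` state machine and the sample Data Principals are assumptions constructed for illustration.

```python
"""Erasure scheduler for the Third Schedule retention rule.

Added example; not code from the article, the DPDP Rules or any Data
Fiduciary. Assumptions: erasure falls due three calendar years after the
Data Principal's last interaction or exercise of rights, a notice must go
out at least 48 hours before erasure, and any fresh interaction restarts
the clock and voids a pending notice. Class and function names are ours.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

ERASURE_PERIOD_YEARS = 3            # Third Schedule period as described in the article
NOTICE_LEAD = timedelta(hours=48)   # minimum notice before erasure


def add_years(when: datetime, years: int) -> datetime:
    """Calendar-year addition; 29 February rolls back to 28 February if needed."""
    try:
        return when.replace(year=when.year + years)
    except ValueError:
        return when.replace(year=when.year + years, day=28)


@dataclass
class RetentionRecord:
    principal_id: str
    last_interaction: datetime           # last use for the purpose or exercise of rights
    notice_sent_at: Optional[datetime] = None
    erased_at: Optional[datetime] = None

    @property
    def erasure_due(self) -> datetime:
        return add_years(self.last_interaction, ERASURE_PERIOD_YEARS)

    @property
    def notice_due(self) -> datetime:
        return self.erasure_due - NOTICE_LEAD

    def touch(self, when: datetime) -> None:
        """Fresh interaction or exercise of rights: restart the clock, cancel any pending notice."""
        if self.erased_at is not None:
            raise ValueError("record already erased; nothing left to retain")
        self.last_interaction = when
        self.notice_sent_at = None


def next_action(rec: RetentionRecord, now: datetime) -> str:
    """What the scheduler must do now: 'none', 'notify', 'erase' or 'erased'."""
    if rec.erased_at is not None:
        return "erased"
    if now >= rec.erasure_due:
        if rec.notice_sent_at is None:
            return "notify"             # never notified: notice first, erase 48h later
        if now - rec.notice_sent_at >= NOTICE_LEAD:
            return "erase"
        return "none"                   # notice is out, lead time still running
    if now >= rec.notice_due and rec.notice_sent_at is None:
        return "notify"
    return "none"


def run_scheduler(records: List[RetentionRecord], now: datetime) -> Dict[str, str]:
    """Apply the due action to each record and report what was done per Data Principal."""
    done: Dict[str, str] = {}
    for rec in records:
        action = next_action(rec, now)
        if action == "notify":
            rec.notice_sent_at = now    # the e-mail / app notification would be sent here
        elif action == "erase":
            rec.erased_at = now         # the actual deletion of the personal data goes here
        done[rec.principal_id] = action
    return done


def run_demo() -> Dict[str, str]:
    """Constructed scenario: four Data Principals in different states on 9 January 2027."""
    utc = timezone.utc
    now = datetime(2027, 1, 9, 12, 0, tzinfo=utc)
    a = RetentionRecord("dp-A", datetime(2024, 1, 10, tzinfo=utc))          # notice window open
    b = RetentionRecord("dp-B", datetime(2024, 6, 1, tzinfo=utc))
    b.touch(datetime(2026, 5, 1, tzinfo=utc))                                # clock restarted
    c = RetentionRecord("dp-C", datetime(2024, 1, 1, tzinfo=utc),
                        notice_sent_at=datetime(2027, 1, 1, tzinfo=utc))     # notified, 48h passed
    d = RetentionRecord("dp-D", datetime(2024, 1, 1, tzinfo=utc),
                        notice_sent_at=datetime(2026, 12, 30, tzinfo=utc))
    d.touch(datetime(2027, 1, 2, tzinfo=utc))                                # answered the notice
    return run_scheduler([a, b, c, d], now)


if __name__ == "__main__":
    print(run_demo())
```

Two design points are worth noting. The scheduler never erases a record for which no notice has gone out, even if the three-year date has passed, because the notice is a precondition of erasure and a missed run must not become a missed notice. And `touch` clears the pending notice, so a Data Principal who responds to the warning by using the service is back on a fresh three-year clock rather than still queued for deletion.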

  25. How should Data Fiduciaries handle the data of deceased individuals?

The law does not explicitly address how Data Fiduciaries should handle the personal data of deceased individuals. However, under the DPDP Act and DPDP Rules, a Data Principal may nominate one or more individuals to exercise their data rights after their death.[34] Accordingly, the Data Fiduciary is required to recognise and act upon such nominations as valid under the DPDP Act. It remains unclear whether a Data Principal can make a single, blanket nomination applicable to all Data Fiduciaries, given the large number of entities one interacts with in a lifetime.

  26. Upon the occurrence of a personal data breach, what obligations are imposed on Data Fiduciaries?

The DPDP Act defines the term ‘personal data breach’ as any unauthorised processing of personal data, or any accidental disclosure, acquisition, sharing, use, alteration, destruction or loss of access to personal data, that compromises the confidentiality, integrity or availability of personal data.[35] When a Data Fiduciary becomes aware of a personal data breach (“breach”), it has specific obligations[36] towards:

  1. Data Principals[37]:
    1. Inform each affected Data Principal without delay, in a clear, concise and plain manner, about the nature, extent, timing and likely consequences of the breach.
    2. Communicate the measures already implemented to mitigate risks and advise on the actions the Data Principal can take to protect their interests.
    3. Provide the business contact details of a person responsible for handling queries related to the breach.
  2. The Board[38]:
    1. Notify the DPB without delay about the breach, including its nature, extent, timing, location and potential impact.
    2. Within 72 hours of becoming aware of the breach, the Data Fiduciary must intimate to the Board:
      • updated and detailed information regarding the breach and the events leading to it;
      • the causes, and findings regarding the individual responsible;
      • the measures taken to mitigate risks and prevent recurrence; and
      • a report on the notifications sent to affected Data Principals.

  27. What obligations do employers, as Data Fiduciaries, have under the DPDP Act and DPDP Rules when processing the digital personal data of employees?

Processing of personal data for the ‘purposes of employment’ does not require consent, as it is one of the ‘certain legitimate uses’[39] provided under the DPDP Act. However, the term ‘purposes of employment’ is undefined and can be understood broadly. The employer must also be mindful of who qualifies as an ‘employee’, given the lack of a definition under the DPDP Act. Hence, the employment policies of organisations must be reviewed to understand the nature of the employment involved and the purposes for which personal data is currently being used.

  28. How can Data Fiduciaries ensure that Data Processors comply with the DPDP Act and DPDP Rules?

A Data Processor processes personal data on behalf of a Data Fiduciary and, therefore, an agreement between the two is essential. This agreement must incorporate the same compliance obligations required under the DPDP Act, with a specific focus on the reasonable security measures to be instituted.[40] An oversight mechanism may be introduced to verify the reasonable security safeguards, thereby reducing the possibility of a breach of personal data.

  29. What additional obligations and compliance requirements are applicable to a ‘Significant Data Fiduciary’ under the DPDP Act?

Given the volume of personal data they process and the resulting risks to individuals and the public, Significant Data Fiduciaries are subject to enhanced obligations[41], primarily relating to grievance redressal, audits and impact assessments. They must appoint a Data Protection Officer based in India, who acts as their representative under the DPDP Act.[42] Additionally, a Significant Data Fiduciary must appoint an independent data auditor to assess compliance with the DPDP Act.[43]

  30. Who can be appointed as a ‘Data Protection Officer’ under the DPDP Act?

While the DPDP Act and the DPDP Rules do not prescribe specific qualifications for a Data Protection Officer, a Significant Data Fiduciary must appoint a Data Protection Officer based in India to represent it for the purposes of the DPDP Act.[44] The Officer must report to the Board of Directors or a similar governing body and serve as the point of contact for the grievance redressal mechanism.

  31. What are the obligations vested upon a Consent Manager?

Part B of Schedule I to the DPDP Rules provides for the obligations of a Consent Manager:

  1. Consent Manager must enable a Data Principal, through its platform, to grant consent for processing of personal data to a Data Fiduciary onboarded on the platform.
  2. The Consent Manager must ensure that it cannot read the contents of the data being shared and must maintain a secure record of consents given, denied, or withdrawn; related notices; and instances of data sharing. The Data Principal must have access to this record, including in machine-readable form upon request.
  3. Records must be retained for at least seven years (or longer if required by law or agreement between Consent Manager and Data Principal).
  4. The Consent Manager must provide its services primarily through a website or app, through which a Data Principal may access services provided.
  5. The Consent Manager must implement reasonable security safeguards and must act in a fiduciary capacity while avoiding conflicts of interest with Data Fiduciaries.
  6. It must publicly disclose key ownership and management details to ensure transparency, and maintain audit mechanisms to demonstrate compliance.
  7. The control of the company registered as a Consent Manager cannot be transferred through sale, merger, or other means without prior approval of the Board and subject to any conditions it may impose.
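
The record-keeping duties above (a secure record of consents given, denied or withdrawn, of the related notices and of each instance of sharing, available to the Data Principal in machine-readable form, retained for at least seven years, without the Consent Manager reading the shared contents) and the Part II questions on purpose-specific consent, partial consent and withdrawal all come down to the same data structure: an append-only, purpose-bound consent ledger. The Python ledger below is an added example; it is not code from the article, the DPDP Rules or any Consent Manager, and the `ConsentLedger` class, its event shape and the food-delivery walk-through are assumptions constructed for illustration.

```python
"""Purpose-bound consent ledger: notice, grant/deny per purpose, withdrawal,
record of sharing, machine-readable export and a seven-year retention check.

Added example; not code from the article, the DPDP Rules or any Consent
Manager. Class, method and field names are ours; the event shape is an
assumption. The ledger records that data was shared but never holds the
data itself.
"""
import json
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List, Optional

RECORD_RETENTION = timedelta(days=7 * 365)   # at least seven years, per the Rules
DECISIONS = ("given", "denied", "withdrawn")


class ConsentLedger:
    def __init__(self) -> None:
        self.events: List[dict] = []   # append-only; entries are never edited in place

    def _log(self, kind: str, principal: str, fiduciary: str, purpose: str,
             at: datetime, **extra) -> None:
        self.events.append({"kind": kind, "principal": principal, "fiduciary": fiduciary,
                            "purpose": purpose, "at": at.isoformat(), **extra})

    def notice(self, principal: str, fiduciary: str, purposes: Iterable[str],
               at: datetime, notice_ref: str) -> None:
        """Record that the itemised notice was shown before consent was requested."""
        for purpose in purposes:
            self._log("notice", principal, fiduciary, purpose, at, notice_ref=notice_ref)

    def respond(self, principal: str, fiduciary: str, decisions: Dict[str, bool],
                at: datetime) -> None:
        """Per-purpose decision; partial consent is simply a mix of True and False."""
        for purpose, given in decisions.items():
            self._log("given" if given else "denied", principal, fiduciary, purpose, at)

    def withdraw(self, principal: str, fiduciary: str, purpose: str, at: datetime) -> None:
        self._log("withdrawn", principal, fiduciary, purpose, at)

    def share(self, principal: str, source: str, recipient: str, purpose: str,
              at: datetime) -> None:
        """Record an instance of sharing; refused unless live consent exists for the recipient."""
        if not self.may_process(principal, recipient, purpose):
            raise PermissionError(f"no live consent for {recipient}/{purpose}")
        self._log("shared", principal, recipient, purpose, at, source=source)

    def status(self, principal: str, fiduciary: str, purpose: str) -> Optional[str]:
        """Most recent decision for the triple, or None if consent was never requested."""
        latest = None
        for e in self.events:
            if (e["kind"] in DECISIONS and e["principal"] == principal
                    and e["fiduciary"] == fiduciary and e["purpose"] == purpose):
                latest = e["kind"]
        return latest

    def may_process(self, principal: str, fiduciary: str, purpose: str) -> bool:
        """Processing under consent is allowed only while the latest decision is 'given'."""
        return self.status(principal, fiduciary, purpose) == "given"

    def export(self, principal: str) -> str:
        """Machine-readable copy of the Data Principal's own record, on request."""
        return json.dumps([e for e in self.events if e["principal"] == principal], indent=2)

    def disposable(self, now: datetime) -> List[dict]:
        """Events past the seven-year minimum; a longer period may apply by law or agreement."""
        cutoff = now - RECORD_RETENTION
        return [e for e in self.events if datetime.fromisoformat(e["at"]) < cutoff]


def run_demo():
    """Constructed walk-through for one Data Principal and a food delivery app."""
    t0 = datetime(2027, 6, 1, 9, 0, tzinfo=timezone.utc)
    ledger = ConsentLedger()
    ledger.notice("dp-1", "foodapp", ["delivery", "marketing"], t0, notice_ref="notice-v3")
    ledger.respond("dp-1", "foodapp", {"delivery": True, "marketing": False},
                   t0 + timedelta(minutes=1))                        # partial consent
    ledger.share("dp-1", "digilocker", "foodapp", "delivery", t0 + timedelta(minutes=2))
    before = (ledger.may_process("dp-1", "foodapp", "delivery"),
              ledger.may_process("dp-1", "foodapp", "marketing"),
              ledger.may_process("dp-1", "foodapp", "analytics"))    # never asked -> False
    ledger.withdraw("dp-1", "foodapp", "delivery", t0 + timedelta(days=30))
    after = ledger.may_process("dp-1", "foodapp", "delivery")
    try:
        ledger.share("dp-1", "digilocker", "foodapp", "delivery", t0 + timedelta(days=31))
        blocked = False
    except PermissionError:
        blocked = True                                               # sharing stops with consent
    exported = json.loads(ledger.export("dp-1"))
    return before, after, blocked, len(exported)


if __name__ == "__main__":
    print(run_demo())
```

Consent is keyed on the (Data Principal, Data Fiduciary, purpose) triple rather than per Data Fiduciary, which is what makes partial consent and purpose-specific withdrawal fall out naturally: a purpose that was never requested yields no permission at all, and withdrawal of one purpose leaves the others untouched. The `disposable` method only reports candidates rather than deleting, because the seven-year figure is a floor and other law or the agreement with the Data Principal may require longer.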

  32. What compliances and/or restrictions are imposed by the DPDP Act on the cross-border transfer of digital personal data outside the territory of India?

While the IT SPDI Rules previously permitted a person to transfer sensitive personal data to persons situated in any other country that ensured the same level of data protection adhered to by it[45], the DPDP Act provides that the transfer of digital personal data outside the territory of India is permitted, except to those jurisdictions prohibited by the Central Government through notification.[46]

  33. Have any countries been notified as restricted territories by the Government of India?

The Government of India is yet to notify any countries or territories as restricted territories.

PART IV: DATA PROTECTION BOARD

  34. What is the DPB that has been established under the DPDP Act?

The Board has been established as the primary adjudicatory body under the DPDP Act.[47] Data Fiduciaries are accountable to the DPB, which is empowered to receive complaints from Data Principals for the enforcement of their rights under the DPDP Act.

  35. What are the powers and functions of the Board under the DPDP Act and DPDP Rules?

The Board performs a dual role under the DPDP Act: (i) enforcing the rights of Data Principals and (ii) supervising Data Fiduciaries, particularly in cases of personal data breaches. In relation to Data Principals, the Board may be approached to address complaints concerning personal data breaches or violations by Data Fiduciaries or Consent Managers, or to facilitate the exercise of rights under the Act.[48] In relation to Data Fiduciaries, the Board must be notified of personal data breaches at the earliest, following which it may direct urgent remedial or mitigation measures, initiate inquiries and impose penalties.[49]

The Board may issue orders and directions and may, upon representation, modify, suspend, withdraw or cancel its directions. For the discharge of its functions, the Board is vested with powers akin to those of a civil court under the Code of Civil Procedure, 1908.[50]

  36. What is the procedure to be followed by the Board upon receiving a complaint or intimation under the DPDP Act and DPDP Rules?

The procedure to be followed by the Board can be understood as follows[51]:

  1. Upon receiving intimation of a personal data breach or a complaint for enforcement of a Data Principal’s rights, the Board may direct an inquiry where sufficient grounds exist. The existence or absence of such sufficient grounds must be recorded in writing.
  2. If sufficient grounds are found, an inquiry must be conducted in accordance with the principles of natural justice, with reasons recorded for all actions taken during the inquiry.
  3. The Board and its officers may seek assistance from Central or State Government officers or the police; however, they may not restrict access to premises or seize resources in a manner that disrupts the day-to-day business of the person under inquiry.
  4. Any person affected by an order or interim order must be given an opportunity to be heard, and the Board must record its reasons for such orders in writing.

  37. What are the timelines for the Board to resolve complaints?

The Board may initiate inquiries after receiving intimation of a data breach or a request for the enforcement of a Data Principal’s rights. These inquiries must be completed within 6 months from the date of receipt of the intimation or complaint. This 6-month period is extendable by not more than 3 months at a time, for reasons to be recorded in writing.[52]

PART V: DISPUTE RESOLUTION AND VIOLATIONS

  38. What are the dispute resolution mechanisms provided under the DPDP Act and the DPDP Rules?

The DPDP Act provides a clear, tiered grievance redressal mechanism for Data Principals. A complaint must first be raised through the Data Fiduciary’s grievance redressal system. If the issue is not resolved satisfactorily by the Data Fiduciary, it may be escalated to the DPB, which has civil court–like powers to examine records, collect evidence, and, where appropriate, direct the parties to mediation.

If the DPB determines that the breach of the provisions of the DPDP Act or DPDP Rules is significant, it may impose a monetary penalty.53 Alternatively, the DPB may accept a voluntary undertaking to comply with the provisions of the DPDP Act.54

Any person aggrieved by an order of the DPB may appeal to the Telecom Disputes Settlement and Appellate Tribunal within 60 days of such order.55

  1. What are the alternative dispute resolution mechanisms that can be adopted under the DPDP Act?

The DPDP Act provides mediation as an alternative dispute resolution mechanism for data protection disputes. If the DPB believes a complaint can be resolved amicably, it may direct the parties to mediation.56

  1. What are the penalties that can be imposed by the Board for violation of provisions of the DPDP Act?

The DPDP Act empowers the DPB to impose monetary penalties based on the type and severity of violations. Penalties include: up to ₹250 crore (approx. USD 30 million) for failure to implement reasonable security safeguards; up to ₹200 crore (approx. USD 24 million) for not notifying the Board or affected Data Principals of a data breach; and up to ₹150 crore (approx. USD 18 million) for Significant Data Fiduciaries failing to meet additional statutory obligations. For other contraventions of the Act or its rules, penalties may reach up to ₹50 crore (approx. USD 7 million).57

  1. What factors will the Board consider when determining penalties?

When determining the imposition of a monetary penalty under the DPDP Act, several factors are considered by the DPB, including the nature, severity, and duration of the breach; the type and sensitivity of the personal data affected; whether the breach is repetitive; and whether the responsible party gained any advantage or avoided loss as a result. Authorities also assess whether the party took timely and effective steps to mitigate the breach’s impact, whether the penalty is proportionate and effective in ensuring compliance and deterring future violations, and the potential consequences of the penalty on the person or organization.58

  1. Are there criminal liabilities under the DPDP Act, or is it limited to civil penalties?

Under the DPDP Act, 2023, liability is primarily civil in nature, focusing on monetary penalties, corrective directions, and compliance measures enforced by the Board. The Act does not prescribe criminal punishments such as imprisonment for breaches of its provisions.

PART VI: OTHER MATTERS

  1. What are the potential practical implications of the DPDP Act for organizations and individuals?

The enforcement of the DPDP Act has immediate implications for various sectors. Retail, FMCG and e-commerce businesses need to amend and update their data privacy policies to provide for specific consent, purpose limitation and reasonable safeguards to protect personal data.

Additionally, institutions providing banking, financial and insurance services (“BFSI Institutions”) are regulated by a stringent framework, governed by key authorities including the Reserve Bank of India, Securities and Exchange Board of India, and Insurance Regulatory and Development Authority of India. The DPDP Act complements these regulations, and BFSI Institutions need to analyse in detail the compliances and requirements arising under both.

However, the potential clash between the Reserve Bank of India’s regulations on data retention and the provisions of the DPDP Act needs to be noted. For example, the RBI (Commercial Banks Know Your Customer) Directions, 202559, mandate a minimum retention period of 5 years for KYC records. They further require periodic updates of KYC based on customer risk profiles, i.e. every 2 years for high-risk, 8 years for medium-risk, and 10 years for low-risk customers. This extended retention, coupled with ongoing data refresh cycles in banking systems, creates compliance challenges when aligning with the DPDP Act’s data minimisation and storage limitation principles.

  1. How will the implementation of the DPDP Act impact data collection, storage, and customer engagement practices in the travel sector?

The DPDP Act marks a significant shift in how entities in the travel industry are required to manage guest data, placing greater emphasis on transparency, accountability, and robust security practices. In light of stringent compliance standards and substantial financial penalties for non-compliance, the travel sector must proactively embed privacy-by-design principles into their operations, strengthen contractual data protection arrangements, and undertake periodic security audits to ensure long-term resilience in an increasingly data-driven environment.

  1. How does the DPDP Act impact startups and small and medium sized enterprises (“SMEs”) differently from large corporations?

The DPDP Act does not provide exemptions for startups or SMEs. Startups and SMEs must fundamentally adapt their data processing practices to comply with the DPDP Act. This entails upgrading IT systems, implementing robust consent mechanisms, fortifying data security, revising contracts with service providers, and training personnel, thereby demanding substantial financial and operational investments by startups and SMEs.

  1. How does the DPDP Act affect the use of emerging technologies like Artificial Intelligence (“AI”) and biometrics?

The DPDP Act significantly influences how emerging technologies such as AI and biometric systems handle personal information in India. The consent-centric framework requires clear and purpose-limited use of personal data. The large-scale data collection needed for training AI models can conflict with principles like data minimisation and informed consent, potentially affecting AI innovation or necessitating revised data strategies for firms developing AI.

The DPDP Act currently lacks explicit provisions on AI-specific risks such as automated decision-making, algorithmic bias, transparency, and profiling, leaving regulatory gaps that could undermine fairness and accountability in AI applications unless supplemented by rules introduced in the future. While the DPDP Act lays a foundation for consent-centric use of data for AI and biometrics, significant legal and operational uncertainties remain that organisations must navigate to balance privacy obligations with technological advancement.

  1. How should organizations handle automated decision-making and profiling under the DPDP Act?

Organizations using AI-driven tools or profiling systems must obtain clear and informed consent for such processing, disclose the use and purpose of automated systems in privacy notices, and ensure that only necessary personal data is processed. They must also enable individuals to exercise their rights to access, correction, and erasure, and implement robust security safeguards to protect the data involved. Although the DPDP Act does not expressly mandate algorithmic explainability, organizations should consider adopting fairness measures to mitigate risks of bias, opacity, or arbitrary outcomes in automated decisions.

  1. What are the obligations around anonymization and pseudonymization of data?

Anonymisation generally refers to the irreversible transformation of personal data into a form where an individual can no longer be identified. Based on the applicability of the DPDP Act60, data that has been properly anonymised is likely to fall outside the Act’s applicability as the individual cannot be identified through that data.

Pseudonymisation or de-identification, by contrast, involves removing, masking, replacing, or separating identifiers from personal data so that the resulting dataset does not directly reveal the individual’s identity on its own. However, unlike anonymisation, this process is reversible in effect: if the data is combined with the separated identifiers or linked with other datasets, the individual may be re-identified. Accordingly, pseudonymised data is likely to remain within the scope of the DPDP Act.
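The distinction above is easiest to see on data. The following Python script is an added illustration, not part of the FAQ and not an implementation of any provision of the DPDP Act: it pseudonymises a constructed customer list by replacing the e-mail address with a keyed token and keeps the token-to-e-mail table that makes the rows re-identifiable, then anonymises the same list by dropping the identifier and generalising the remaining fields into counts that cannot be traced back to a row. All field names, records and the key are constructed for the example.

```python
"""Pseudonymisation vs anonymisation on a small constructed dataset.

Added illustration for the FAQ; field names, records and keys are constructed.
"""
import hashlib
import hmac
import secrets
from collections import Counter

# Constructed sample records; these are not real people.
RECORDS = [
    {"email": "asha@example.com", "city": "Mumbai", "age": 34, "product": "loan"},
    {"email": "ravi@example.com", "city": "Mumbai", "age": 36, "product": "loan"},
    {"email": "meera@example.com", "city": "Pune", "age": 52, "product": "deposit"},
    {"email": "john@example.com", "city": "Pune", "age": 58, "product": "deposit"},
]


def pseudonymise(records, key: bytes):
    """Replace the direct identifier with a keyed token (HMAC-SHA256).

    Returns the pseudonymised rows and the re-identification table mapping
    token -> e-mail.  Anyone holding the key (to recompute tokens) or this
    table can link a row back to a person, so the output is still personal
    data; the safeguard is keeping the key and table separate from the rows.
    """
    table = {}
    out = []
    for r in records:
        token = hmac.new(key, r["email"].encode(), hashlib.sha256).hexdigest()[:16]
        table[token] = r["email"]
        out.append({"id": token, "city": r["city"], "age": r["age"], "product": r["product"]})
    return out, table


def reidentify(pseudo_records, table):
    """Reverse pseudonymisation: join the rows back to the mapping table."""
    return [
        {"email": table[r["id"]], **{k: v for k, v in r.items() if k != "id"}}
        for r in pseudo_records
    ]


def age_band(age: int) -> str:
    """Generalise an exact age into a ten-year band (a quasi-identifier)."""
    lo = age // 10 * 10
    return f"{lo}-{lo + 9}"


def anonymise(records, k: int = 2):
    """Drop the direct identifier, generalise quasi-identifiers and keep only
    groups of at least k identical rows (k-anonymity), returning counts.

    No per-person row and no mapping table survive, so there is nothing to
    join back against; this is the irreversible transformation the FAQ means.
    """
    groups = Counter((r["city"], age_band(r["age"]), r["product"]) for r in records)
    return {g: n for g, n in groups.items() if n >= k}


if __name__ == "__main__":
    key = secrets.token_bytes(32)          # constructed key; store separately in practice
    pseudo, table = pseudonymise(RECORDS, key)
    print("pseudonymised:", pseudo[0])
    print("re-identified:", reidentify(pseudo, table)[0])
    print("anonymised:   ", anonymise(RECORDS))
```

Running the script shows the pseudonymised row with only an opaque `id`, the same row re-identified through the table, and the anonymised output as two group counts with no identifier left to link. The tokens are deterministic for a given key, so the same key always produces the same pseudonym, which is what makes the data linkable across datasets and keeps it within scope.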

  1. How will the DPDP Act affect digital advertising, cookies, and tracking technologies?

The provisions of the DPDP Act will significantly impact digital advertising, cookies, and tracking technologies by making consent the central legal requirement for processing personal data. Any cookies or tracking tools that collect personal data such as IP addresses, device identifiers, or behavioural information linked to an individual will require clear, specific, and freely given consent that can be withdrawn at any time. Organizations engaging in behavioural advertising or profiling must provide transparent notice, obtain valid consent before tracking, and ensure users can easily opt out.

  1. What changes are expected in vendor contracts and third-party risk management?

The DPDP Act holds Data Fiduciaries accountable for personal data handled by third parties. Agreements with vendors and third parties for processing of digital personal data must account for the same and delineate roles (as Data Fiduciary or Data Processor) and further, limit processing to documented instructions and defined purposes. Protective provisions addressing safeguards with respect to confidentiality, security measures for protection of personal data, deletion of data post-termination of contract and support to cater to the requests of the Data Principal may be considered as additions to vendor contracts.

Disclaimer: The information contained in this document is not legal advice or legal opinion. The contents recorded in the said document are for informational purposes only and should not be used for commercial purposes. Acuity Law disclaims all liability to any person for any loss or damage caused by errors or omissions, whether arising from negligence, accident or any other cause.

  1. Justice K.S. Puttaswamy (Retd.) & Anr. v. Union of India & Ors. [2017 10 SCR 569]
  2. Notification No. G.S.R. 843(E) dated 13 November 2025
  3. Section 2(h) of the DPDP Act
  4. Section 2(t) of the DPDP Act
  5. Section 2(x) of the DPDP Act
  6. Section 2 of the DPDP Act
  7. Section 2(z) read with Section 10 of the DPDP Act
  8. Section 3 of the DPDP Act
  9. Section 17(1) of the DPDP Act
  10. Section 17(2) of the DPDP Act
  11. Section 38 of the DPDP Act
  12. Section 5(1) of the DPDP Act
  13. Rule 3(a) of the DPDP Rules
  14. Section 5(2) of the DPDP Act
  15. Section 6 of the DPDP Act
  16. Section 6(2) of the DPDP Act
  17. Section 9(1) of the DPDP Act
  18. Rule 10 of the DPDP Rules
  19. Section 6 of the DPDP Act
  20. Section 7 read with Section 4 of the DPDP Act
  21. Section 6(6) of the DPDP Act
  22. Section 6(5) of the DPDP Act
  23. Section 6(9) of the DPDP Act
  24. Part A of the First Schedule of the DPDP Rules
  25. Section 11 of the DPDP Act
  26. Section 12 of the DPDP Act
  27. Section 13 of the DPDP Act
  28. Section 14 of the DPDP Act
  29. Provision 1 of Part B of the First Schedule of the DPDP Rules
  30. Section 8(5) of the DPDP Act
  31. Rule 6 of the DPDP Rules
  32. Rule 8(3) of the DPDP Rules
  33. Rule 8(2) of the DPDP Rules
  34. Section 14 of the DPDP Act
  35. Section 2(u) of the DPDP Act
  36. Section 8(6) of the DPDP Act
  37. Rule 7(1) of the DPDP Rules
  38. Rule 7(2) of the DPDP Rules
  39. Section 7(i) of the DPDP Rules
  40. Rule 6(f) of the DPDP Rules
  41. Section 10 of the DPDP Act
  42. Section 10(2)(a) of the DPDP Act
  43. Section 10(2)(b) of the DPDP Act
  44. Section 10(2)(a) of the DPDP Act
  45. Rule 7 of the IT SPDI Rules
  46. Section 16 of the DPDP Act read with Rule 15 of the DPDP Rules
  47. Section 18 of the DPDP Act
  48. Section 27(1)(b) of the DPDP Act
  49. Section 27(1)(a) of the DPDP Act
  50. Section 28(7) of the DPDP Act
  51. Section 28 of the DPDP Act
  52. Rule 19(9) of the DPDP Rules
  53. Section 33(1) of the DPDP Act
  54. Section 32(1) of the DPDP Act
  55. Section 29 of the DPDP Act read with Rule 22 of the DPDP Rules
  56. Section 31 of the DPDP Act
  57. Section 33 read with the Schedule of the DPDP Act
  58. Section 33(2) of the DPDP Act
  59. RBI/DOR/2025-26/169 dated 28 November 2025
  60. Section 3 read with Section 2(t) of the DPDP Act