Part 1 of 6

Digital Personal Data Protection Act (DPDPA) 2023

Master India's landmark data protection legislation - understand key definitions, Data Fiduciary obligations, Data Principal rights, consent framework, cross-border transfer provisions, and the comprehensive penalty structure.

Duration: ~120 minutes | Sections: 6 | Quiz: 15 Questions

1.1 Key Definitions under DPDPA 2023

The DPDPA 2023 introduces specific terminology that forms the foundation of India's data protection framework. Understanding these definitions is essential for proper compliance implementation.

Personal Data [Section 2(t)]

Any data about an individual who is identifiable by or in relation to such data. This covers both direct identifiers (name, Aadhaar number) and indirect identifiers (IP address, or location data when combined with other data).
Key Distinction

Unlike GDPR, DPDPA does not distinguish between "personal data" and "sensitive personal data." The Act applies uniformly to all personal data, though rules may prescribe additional safeguards for certain categories.

Data Principal [Section 2(j)]

The individual to whom the personal data relates. In the case of a child (below 18 years), the parent or lawful guardian is treated as the Data Principal. For persons with disabilities, the lawful guardian acts on their behalf.

Data Fiduciary [Section 2(i)]

Any person who, alone or in conjunction with other persons, determines the purpose and means of processing of personal data. This is equivalent to the "data controller" in GDPR terminology.

Data Processor [Section 2(k)]

Any person who processes personal data on behalf of a Data Fiduciary. Unlike GDPR, DPDPA does not impose direct statutory obligations on Data Processors; accountability flows through the Data Fiduciary.

Significant Data Fiduciary (SDF) [Section 2(x)]

A Data Fiduciary notified as such by the Central Government based on: (a) the volume and sensitivity of data processed, (b) the risk to Data Principal rights, (c) the potential impact on sovereignty and security, and (d) other relevant factors.
Additional SDF Obligations

SDFs must appoint a Data Protection Officer (resident in India), appoint an independent data auditor, conduct periodic Data Protection Impact Assessments (DPIAs), and comply with additional Central Government requirements.

Consent Manager [Section 2(g)]

A person registered with the Data Protection Board who acts as a single point of contact enabling Data Principals to give, manage, review, and withdraw consent through an accessible, transparent, and interoperable platform.

Term                       | DPDPA 2023                                  | GDPR Equivalent
---------------------------|---------------------------------------------|---------------------
Data Principal             | Individual whose data is processed          | Data Subject
Data Fiduciary             | Determines purpose and means of processing  | Data Controller
Data Processor             | Processes on behalf of a Fiduciary          | Data Processor
Significant Data Fiduciary | Notified high-risk entities                 | No direct equivalent
Consent Manager            | Consent management platform                 | No equivalent

1.2 Data Fiduciary Obligations

DPDPA 2023 imposes comprehensive obligations on Data Fiduciaries. Non-compliance can result in penalties up to Rs. 250 crore. Understanding these obligations is critical for compliance professionals.

Lawful Processing [Section 4]

Personal data may only be processed for lawful purposes:

  1. With Consent: Data Principal has given consent for specified purpose
  2. Legitimate Uses: Certain specified purposes without consent (Section 7)

Ground Rules for Processing [Section 5]

Notice Requirement

Before seeking consent, Data Fiduciary must provide notice containing: (a) personal data to be processed, (b) purpose of processing, (c) how to exercise rights, (d) how to file complaints with the Board.

Security Safeguards [Section 8(5)]

Data Fiduciaries must implement reasonable security safeguards to prevent personal data breaches. This includes:

  • Technical measures: Encryption, access controls, secure storage
  • Organizational measures: Security policies, training, incident response
  • Contractual safeguards: Data Processor agreements with security clauses

Data Breach Notification [Section 8(6)]

Mandatory Breach Reporting

In case of personal data breach, the Data Fiduciary must notify: (1) the Data Protection Board, and (2) each affected Data Principal, in such form and manner as may be prescribed. Failure to notify: Penalty up to Rs. 200 crore.

Data Retention [Section 8(7)]

Personal data must not be retained beyond the period necessary for the specified purpose, unless retention is required by law. Upon purpose completion or consent withdrawal, data must be erased unless legal retention applies.

Obligations for Children's Data [Section 9]

  • Verifiable parental consent: Required before processing child's data
  • No behavioral monitoring: Tracking/advertising targeting children prohibited
  • No detrimental processing: Processing that may harm child's well-being prohibited
  • Age verification: Reasonable efforts to verify age required

Compliance Tip

Government may exempt certain Data Fiduciaries from child-specific obligations if they can demonstrate that their processing is verifiably safe for children. Monitor rule notifications for exemptions.

Additional SDF Obligations [Section 10]

Obligation                 | Requirement
---------------------------|------------------------------------------------------------------------------------
Data Protection Officer    | Appoint a DPO who is resident in India and is the point of contact for Data Principals and the Board
Independent Data Auditor   | Appoint a qualified auditor for annual compliance audits
DPIA                       | Conduct Data Protection Impact Assessments periodically
Additional Compliance      | Comply with other measures as prescribed by the Central Government

1.3 Data Principal Rights

DPDPA 2023 grants comprehensive rights to Data Principals. These rights are exercisable against the Data Fiduciary and must be responded to within prescribed timelines.

Right to Access [Section 11(1)]

Right to Access Information
Data Principal has the right to obtain: (a) summary of personal data being processed, (b) processing activities undertaken, (c) identities of all Data Fiduciaries and Data Processors with whom data has been shared, (d) any other information as may be prescribed.

Right to Correction and Erasure [Section 11(2)]

Data Principals can demand:

  • Correction: Of inaccurate or misleading personal data
  • Completion: Of incomplete personal data
  • Updating: Of personal data that is no longer current
  • Erasure: Of personal data no longer necessary for the purpose

Right of Grievance Redressal [Section 11(3)]

Grievance Mechanism

Every Data Fiduciary must establish a grievance redressal mechanism and publish contact details of a person to whom Data Principals can direct their grievances. Response must be provided within prescribed time.

Right to Nominate [Section 11(4)]

Data Principals have the right to nominate any other individual who shall exercise the Data Principal's rights in the event of their death or incapacity. This is unique to DPDPA and has no GDPR equivalent.

Duties of Data Principals [Section 15]

Unique to DPDPA

Unlike GDPR, DPDPA imposes duties on Data Principals. Breach of these duties can result in a penalty of up to Rs. 10,000.

  • Comply with laws: When exercising rights under this Act
  • Provide authentic information: Not furnish false or misleading particulars
  • No false complaints: Not file frivolous or false complaints
  • No impersonation: Not suppress material information or impersonate another person

1.5 Cross-Border Data Transfers

DPDPA 2023 takes a permissive approach to cross-border transfers, allowing transfers to all countries except those specifically restricted by the Central Government.

General Rule [Section 16(1)]

Negative List Approach

Personal data may be transferred to any country or territory outside India EXCEPT those notified by the Central Government as restricted. This is the opposite of GDPR's adequacy-based approach, which permits transfers only to destinations positively approved.

Restricted Countries [Section 16(1)]

The Central Government may restrict transfers to specific countries/territories by notification. Factors for restriction may include:

  • Inadequate data protection framework in the destination
  • National security considerations
  • Diplomatic relations
  • Reciprocity with India's data protection standards

Current Status

At the time of writing, no countries have been notified as restricted. Organizations should nonetheless monitor official notifications and build flexibility into their data architecture for potential future restrictions.

Sectoral Restrictions

Even if a country is not restricted under DPDPA, sectoral regulations may impose additional restrictions:

  • RBI: Payment system data localization requirements
  • IRDAI: Insurance data processing restrictions
  • SEBI: Capital market data handling requirements
  • CERT-In: Incident data retention in India

Compliance Strategy

Conduct a comprehensive data mapping exercise identifying all cross-border flows. Apply DPDPA as baseline, then overlay sectoral requirements. Build data flow diagrams showing transfer destinations and legal bases.

1.6 Penalties Framework

DPDPA 2023 introduces significant penalties for non-compliance. Unlike GDPR's percentage-based fines, DPDPA prescribes fixed maximum amounts for different violations.

Penalty Schedule [Schedule to DPDPA]

Violation                                                                   | Maximum Penalty
----------------------------------------------------------------------------|----------------
Breach of personal data (failure to take security safeguards)               | Rs. 250 Crore
Failure to notify Data Protection Board and Data Principals of breach       | Rs. 200 Crore
Non-fulfillment of additional obligations for children's data               | Rs. 200 Crore
Non-fulfillment of additional obligations by Significant Data Fiduciary     | Rs. 150 Crore
Breach of any other provision                                               | Rs. 50 Crore
Breach of duties by Data Principal                                          | Rs. 10,000

Penalty Determination Factors

The Data Protection Board considers:

  • Nature, gravity, duration: Of the breach
  • Type and nature of data: Affected by the breach
  • Repetitive nature: Whether breach is a repeat offense
  • Gain made: From the breach by the entity
  • Action taken: By the entity to mitigate effects
  • Proportionality: Penalty must be proportionate to the breach

No Criminal Liability

Unlike IT Act Section 43A, which had criminal provisions, DPDPA is a purely civil/administrative regime. However, data breaches may still attract criminal liability under IT Act provisions (such as Section 66) or BNS provisions.

Data Protection Board [Sections 18-26]

The Board

The Data Protection Board of India is established as an independent body to: (a) determine non-compliance with DPDPA, (b) impose penalties, (c) direct remedial actions. Appeals from Board decisions lie to the Appellate Tribunal (TDSAT), then High Court, then Supreme Court.

Voluntary Undertaking [Section 31]

A Data Fiduciary may give a voluntary undertaking to the Board at any stage of proceedings. On receiving an undertaking, the Board may:

  • Accept the undertaking and close proceedings
  • Modify the undertaking's terms with the Data Fiduciary's consent
  • Proceed with the inquiry if the undertaking is breached

Key Takeaways

  • DPDPA 2023 applies to digital personal data processed in India or for offering goods/services to individuals in India
  • Data Fiduciaries bear primary compliance responsibility - accountability cannot be delegated to processors
  • Consent must be free, specific, informed, and unconditional - valid consent is foundational
  • Significant Data Fiduciaries have enhanced obligations including mandatory DPO and DPIA
  • Cross-border transfers permitted except to notified restricted countries
  • Maximum penalties range from Rs. 50 Crore to Rs. 250 Crore depending on violation type

Part 1 Assessment Quiz

15 questions covering DPDPA 2023 fundamentals