Data Privacy & Technology Law — India
Digital Personal Data Protection Act 2023 — India
India's first comprehensive data protection law is in force. If your business collects or processes personal data of Indian citizens — online or offline — the DPDP Act applies to you. Penalties reach Rs. 250 crore per instance of breach.
Digital Personal Data Protection Act, 2023 | Presidential Assent: 11 August 2023
Quick Summary
India's primary data protection legislation is the Digital Personal Data Protection Act, 2023 (DPDP Act), which received Presidential assent on 11 August 2023. The Act establishes rights for Data Principals (individuals whose data is processed) and obligations for Data Fiduciaries (entities that determine the purpose and means of processing personal data). Key obligations include: processing personal data only for lawful purposes with valid consent or on specified legitimate use grounds; providing a clear and plain-language Privacy Notice; ensuring data accuracy; implementing reasonable security safeguards; erasing personal data when the purpose is fulfilled; and appointing a Data Protection Officer (mandatory for Significant Data Fiduciaries as designated by the Central Government). The Data Protection Board of India will adjudicate complaints and impose penalties.
The DPDP Act imposes significant penalties for breach — up to Rs. 250 crore for failure to notify a data breach, and up to Rs. 200 crore for non-fulfilment of obligations related to children's data. Rules under the Act are yet to be fully notified as of June 2026; however, compliance preparation — privacy notice drafting, consent mechanism implementation, data retention policy, and vendor agreement review — should proceed based on the Act's provisions. Cross-border data transfers are permitted to countries notified by the Central Government as having adequate data protection standards.
Key references: DPDP Act, 2023 · MeitY · Ministry of Law & Justice · MCA · Last reviewed: June 2026
The Core Framework — Data Fiduciary and Data Principal
The office is located in Kakkanad, Ernakulam. DPDP Act compliance advisory for technology companies and businesses in Kochi, Kakkanad, Infopark and across Ernakulam district is handled from the office.
The DPDP Act establishes a consent-based framework for processing digital personal data. The two central parties are:
- Data Principal: The individual whose personal data is being processed — the person the data is about
- Data Fiduciary: Any person or entity that determines the purpose and means of processing personal data — essentially any business that collects and uses personal information
- Data Processor: An entity that processes data on behalf of a Data Fiduciary (under contract)
The Act applies to: processing of digital personal data within India; and processing of personal data outside India if it relates to offering goods or services to Data Principals within India. Cross-border applicability is significant for NRI-focused businesses and international companies serving Indian customers.
Obligations of a Data Fiduciary
Obtain valid consent
Consent must be free, specific, informed, unconditional and unambiguous. Pre-ticked boxes, bundled consent, and dark patterns are not valid. A notice must explain what data is collected, why, and how it will be used — in clear, plain language.
Purpose limitation
Data may only be used for the purpose for which consent was obtained. Using customer data collected for one purpose to market a new product without fresh consent is a violation.
Data minimisation
Only data that is necessary for the stated purpose may be collected. Collecting additional data "just in case" it may be useful later violates the minimisation principle.
Storage limitation
Personal data must be deleted once the purpose for which it was collected has been fulfilled and there is no legal requirement to retain it. Indefinite retention is prohibited.
Security safeguards
Reasonable security safeguards must be implemented to prevent data breaches — encryption, access controls, and security audits. The standard will be specified in Rules.
Breach notification
In the event of a personal data breach, the Data Protection Board of India and all affected Data Principals must be notified — timeline and procedure to be specified in Rules.
Rights of the Data Principal
- Right to information: Access to what personal data is held and how it is being processed
- Right to correction and erasure: Correct inaccurate data; erase data when no longer needed
- Right to grievance redressal: Mechanism to raise complaints against the Data Fiduciary
- Right to nominate: Nominate another individual to exercise rights in the event of death or incapacity
Penalties Under the DPDP Act
| Violation | Maximum Penalty |
| Breach due to failure to implement reasonable security safeguards | Rs. 250 crore |
| Failure to notify Board and Data Principals of a breach | Rs. 200 crore |
| Non-fulfilment of obligations regarding children's data | Rs. 200 crore |
| Non-fulfilment of Significant Data Fiduciary obligations | Rs. 150 crore |
| Breach of any other provision of the Act or Rules | Rs. 50 crore |
Adjudication: Penalties are assessed by the Data Protection Board of India — an independent digital adjudicatory body. Appeals lie to the High Court. The Board may also direct the Data Fiduciary to take corrective action, and repeated violations attract higher penalties.
Children's Data — Elevated Obligations
The DPDP Act imposes significantly stricter obligations for processing data of children (under 18 years). A Data Fiduciary must obtain verifiable parental consent before processing a child's personal data. Additionally, tracking or behavioural monitoring of children and targeted advertising directed at children is prohibited. Penalties for violation reach Rs. 200 crore — reflecting the legislature's strong policy position on protecting minors' data.
What Businesses Must Do Now
- Audit all personal data currently collected — what is it, why, and what is the legal basis
- Review and redraft privacy policies and consent mechanisms for DPDP compliance
- Implement a data subject rights response process (information, correction, erasure requests)
- Establish a data breach response procedure — internal escalation, Board notification, Principal notification
- Review data processor agreements with third-party vendors and cloud providers
- Appoint a Data Protection Officer if required for Significant Data Fiduciary classification
Is Your Business DPDP-Compliant?
The DPDP Rules, once notified, will activate the full compliance regime. Businesses that begin the compliance audit and documentation process now will be significantly better positioned than those who wait. The office advises on DPDP compliance frameworks, drafts privacy policies and consent mechanisms, and advises on data breach response.
Contact the Office
Corporate & Technology Law