The DPDP Act was promulgated to protect the vast volume of personal digital data held by various authorities, intermediaries, e-commerce players and other connected parties. The growing digital economy has led to increased concerns over privacy and data security. Data protection in the European Union is governed by the General Data Protection Regulation (GDPR) of 2018.
The right to privacy is a fundamental right under the Indian Constitution and was judicially settled by the Supreme Court of India in the landmark judgement of Justice K.S. Puttaswamy vs Union of India in 2017. This groundbreaking law has been in the making since 2017, when the Ministry of Electronics and Information Technology (MeitY) formed an expert committee to draft the data protection law; since then the draft has seen various revisions and tweaks and finally became an Act on 11th August 2023 after receiving the assent of the President of India.
This Act regulates the processing of digital personal data, acknowledging:
A. Individuals’ right to protect their personal data and
B. Necessity of processing such data for lawful purposes, along with related and incidental matters.
This is the first Act of the Parliament of India where “she/her” pronouns were used unlike the usual “he/him” pronouns.
- TERMINOLOGY
I. Data: means any information, facts, concepts, opinions, or instructions represented in a form suitable for communication, interpretation, or processing by humans or automated systems.
II. Personal data: means any data about an individual who is identifiable by or in relation to such data.
III. Data Principal: The individual to whom the personal data belongs. This includes:
Children: Represented by their parents or lawful guardians.
Persons with disabilities: Represented by their lawful guardians acting on their behalf.
IV. Data Fiduciary: a person or entity who decides how and why personal data is processed.
V. Data Processor: Any person or entity that processes personal data on behalf of a Data Fiduciary.
VI. Consent Manager: A person registered with the Board who serves as a single point of contact, enabling a Data Principal to give, manage, review, and withdraw their consent through an accessible, transparent, and interoperable platform.
VII. Board: means the Data Protection Board of India established by the Central Government.
- SEVEN PRINCIPLES OF THE ACT
I. Consented, lawful, and transparent use of personal data.
II. Purpose limitation (use data only for the specified purpose).
III. Data minimization (collect only necessary data).
IV. Data accuracy (ensure data is correct and updated).
V. Storage limitation (retain data only as needed).
VI. Reasonable security safeguards.
VII. Accountability (adjudicate breaches and impose penalties).
- APPLICABILITY FOR PROCESSING OF DIGITAL PERSONAL DATA
Scope of Application:
A. Within the territory of India, where the personal data is collected:
in digital form; or
in non-digital form and digitised subsequently.
B. Outside the territory of India:
Applies to processing digital personal data in connection with activities offering goods or services to individuals (Data Principals) within India.
- EXCEPTION
- Personal data processed by an individual for personal or domestic purposes.
- Personal data made publicly available by:
- The Data Principal themselves.
- Any other person required by law to make such data publicly available.
- EXEMPTIONS TO THE PROVISIONS OF DATA PROCESSING UNDER THIS ACT INCLUDE
- When processing is necessary to enforce legal rights or claims;
- When carried out by courts or authorized bodies in India for judicial, regulatory, or supervisory functions;
- For preventing, detecting, investigating, or prosecuting offenses or legal violations in India;
- When processing data of individuals outside India under a contract with an entity abroad by an Indian entity;
- For company schemes like mergers or transfers approved by a competent authority;
- To determine the financial status of loan defaulters, in compliance with disclosure laws.
- GROUNDS FOR PROCESSING DATA:
- This section outlines the permissible grounds for processing personal data under the Act. Personal data processing must adhere to the provisions of the Act and serve a lawful purpose, which includes:
- Obtaining consent from the Data Principal. Consent must be sought together with a privacy notice that states the purpose of processing, the personal data collected, and how the Data Principal can withdraw consent or seek grievance redressal. The privacy notice can be in English or any of the languages mentioned in the Constitution.
- Processing for specific legitimate purposes.
- “Lawful purpose” is defined as any purpose not explicitly prohibited by law.
- ESSENTIALS OF CONSENT
Specific
Informed
Unconditional
Limited for specific purpose
Contact details of Data protection officer
- CONSENT MANAGER
The Consent Manager is a new concept: a single point of contact through which the Data Principal can manage, review and withdraw consent.
A Consent Manager needs to be registered with the Data Protection Board of India.
The criteria for a person or entity to act as a Consent Manager will be provided by the Rules.
- RIGHTS OF DATA PRINCIPAL
a) Right to access information about personal data:
The Data Principal has the right to request and receive from a Data Fiduciary, to whom they have previously given consent, the following upon a prescribed request:
(a) A summary of their personal data being processed and the activities involved.
(b) Details of other Data Fiduciaries and Data Processors who have received their personal data, along with a description of the shared data.
(c) Any other prescribed information related to their personal data and its processing.
Clauses (b) and (c) above do not apply if the sharing is with another Data Fiduciary authorised by law, upon its written request, for purposes such as preventing or investigating offences or cyber incidents, or for legal prosecution.
b) Right to correction and erasure of personal data:
A Data Principal can correct, complete, update, or request erasure of her personal data if she previously consented to its processing. The Data Fiduciary must promptly correct inaccuracies, complete incomplete data, and update information upon request. Erasure of personal data will be carried out upon request, unless retention is required by law or for the specified purpose.
c) Right of grievance redressal
The Data Principal has the right to easily access grievance redressal procedures provided by a Data Fiduciary or Consent Manager for any issues related to the handling of their personal data or the exercise of their rights under this Act and its rules. The Data Fiduciary or Consent Manager must respond to such grievances within a specified timeframe after receiving them. The Data Principal must attempt to resolve their grievance through this process before seeking assistance from the Board.
d) Right to Nominate
A Data Principal has the right to appoint another individual, as prescribed, who will act on their behalf in case of the Data Principal’s death or inability to exercise their rights under this Act and its rules.
In this context, “incapacity” refers to the inability to exercise the rights of the Data Principal as per this Act or its rules due to mental incapacity or physical infirmity.
- PENALTIES FOR VIOLATION OF PROVISIONS UNDER THE DPDP ACT:
Breach of the obligation of Data Fiduciary to implement reasonable security safeguards to prevent personal data breach: Up to ₹250 Crores.
Failure to notify the Board or affected Data Principal of a personal data breach: Up to ₹200 Crores.
Breach of additional obligations related to children: Up to ₹200 Crores.
Breach of additional obligations applicable to Significant Data Fiduciaries: Up to ₹150 Crores.
Breach of duties by the Data Principal: Up to ₹10,000.
Breach of any voluntary undertaking accepted by the Board: Penalties proportionate to the breach specified under section 28.
Breach of any other provision of the Act or rules made thereunder: Up to ₹50 Crores.
- LEGAL PROCEDURES TO ADJUDICATE COMPLAINTS
The Data Protection Board is an independent body; it acts on a complaint of non-compliance made by a Data Principal and can pass orders.
Any aggrieved person may appeal to the Telecom Disputes Settlement and Appellate Tribunal (TDSAT) against an order or direction issued by the Board under this Act.
Such appeals must be filed within sixty days from the date of receipt of the order or direction, in the prescribed format and accompanied by the requisite fee.
The Appellate Tribunal may entertain an appeal filed after the prescribed period if it is satisfied with the reasons provided for the delay.
Upon receipt of an appeal, the Appellate Tribunal shall provide the parties an opportunity to be heard and may pass such orders as it deems fit, including confirming, modifying, or setting aside the order appealed against.
The Appellate Tribunal shall communicate its orders to the Board and all concerned parties.
If the Board thinks a complaint can be settled through mediation, it can direct the parties to try resolving the dispute with a mutually agreed mediator or as per Indian law.
- CHALLENGES:
Data Transfer Abroad: The Act relaxes data localization compared to the 2019 bill, allowing cross-border data flow to government-notified countries. Details on criteria and processing are pending from the Data Protection Board.
Offline Data: The Act applies only to digital data and digitized offline data, leaving a gap in handling purely offline data.
Government Exemptions: The Act allows government data access for national security, raising concerns about undermining the right to privacy. The government argues these exemptions are necessary for disaster and terrorist response.
The Rules under the DPDP Act are yet to be notified, after which the Act will be fully implemented in its true spirit. The operationalisation of the Data Protection Board will also be provided for in the Rules.
- CONCLUSION
DPDP Act represents a significant step towards safeguarding personal data in the digital era. By establishing comprehensive provisions for data handling, rights of data principals, and obligations of data fiduciaries, the Act ensures accountability and transparency in data processing practices. Through mechanisms such as grievance redressal, mediation, and appellate procedures, it provides avenues for resolving disputes and ensuring compliance with legal standards.
The Act not only aims to protect individuals’ privacy and autonomy but also promotes trust and confidence in digital transactions. By setting clear guidelines and stringent penalties for non-compliance, it encourages responsible data governance and enhances data security measures. Overall, the Act strives to harmonize technological advancement with fundamental rights, fostering a balanced approach to digital personal data protection in the modern digital landscape.
Akansha Rathi and Associates (ARACS), a Company Secretary firm in Navi Mumbai, provides compliance-related services. We have a team of experts who not only possess the required skills and experience but have also worked in complex business environments, providing complex compliance solutions to our clients.