Rules Notified — 13 Nov 2025 · Core Rules: Mid-May 2027 · Extraterritorial Application

DPDPA 2023. Decoded.

"India's comprehensive digital personal data law is now in its implementation window. Organisations processing digital personal data in India, or offering goods and services to individuals in India, should use the notified Rules period to build evidence-backed compliance."

₹250 Cr: Highest Scheduled Penalty (S. 33)
10+: Core Statutory Obligations (Act + Rules 2025)
18 mo: Implementation Window (Rule 1(4))
28: Defined Terms in Section 2 (DPDPA 2023)
Legal Status

This page is based on the final Act and the notified Rules, not draft-rule numbering.

Primary law: Digital Personal Data Protection Act, 2023 (assented on 11 August 2023)
Rules basis: DPDP Rules, 2025 (Gazette notification dated 13 November 2025; PIB explainer references 14 November 2025)
Implementation window: Staggered commencement. Rules 1, 2 and 17-21 immediate; Rule 4 after one year; Rules 3, 5-16, 22 and 23 after eighteen months
Accuracy position: Reviewed against final notified text. Last legal-content review: 18 May 2026

Compliance dates may be referred to by Gazette date or publication date in public commentary. Organisations should track MeitY, DPBI, and sectoral-regulator notifications before taking final implementation positions.


Sections 11–14 — Data Principal Rights

The 5 Rights Every Business Must Honour

Every individual whose personal data you hold has these four enforceable rights under the DPDPA 2023. Non-fulfilment can be escalated directly to the Data Protection Board of India.

Section 11

Right to Information

Statutory Text
"A Data Principal shall have the right to obtain from the Data Fiduciary — (a) a summary of personal data being processed by the Data Fiduciary; (b) the identities of all other Data Fiduciaries and Data Processors with whom the personal data has been shared."
Response window: Publish process; track SLA
Your Obligation as Data Fiduciary

You must tell individuals exactly what data you hold about them, why you are processing it, and who you have shared it with — upon their request. This is fulfilled through your DSAR (Data Subject Access Request) process.

Build a self-service rights portal in your user dashboard

"Every business processing personal data must build operational workflows to fulfil these rights within prescribed timeframes. A failure to respond can be escalated to the Data Protection Board — but only after exhausting your internal grievance mechanism first. Build that mechanism before anything else."

Section 2 — Definitions

Key Terms You Must Get Right

The DPDPA 2023 contains 28 defined terms in Section 2 that are used precisely throughout the Act. Understanding these definitions is the foundation of every compliance obligation. Misidentifying your role (Fiduciary vs Processor) or your data (personal vs anonymous) fundamentally changes your compliance obligations.

Core Terms — Every Fiduciary Must Know
Verbatim — Section 2(t)
"'personal data' means any data about an individual who is identifiable by or in relation to such data"
Plain English

Any piece of information that can — directly or indirectly — identify a living individual. This includes obvious identifiers (name, phone) and indirect identifiers (IP address, device ID, location, behavioural patterns linked to a person).

Practical Example

Email addresses, mobile numbers, Aadhaar, PAN, transaction history, GPS location, cookies tied to a person, health records, and biometric data all qualify.

Additional Defined Terms

Verbatim text sourced from the Digital Personal Data Protection Act, 2023 as enacted. Section references are final as published in the Official Gazette.

The Act & Rules — Browse All Provisions

DPDPA 2023 & DPDP Rules 2025 — Verbatim

Browse every provision of the final Act and notified Rules with exact statutory text and plain-English explanations. Searchable and cited.

Chapter 1: Preliminary
Chapter 2: Obligations of Data Fiduciary and Rights of Data Principal
Chapter 3: Rights and Duties of Data Principals
Chapter 4: Data Protection Board of India
Chapter 5: Data Processors
Chapter 8: Penalties

Section 6 · Chapter 2: Obligations of Data Fiduciary and Rights of Data Principal · All Fiduciaries

Consent

Penalty: ₹50 Crore (Section 33; Schedule item 7)
Verbatim Statutory Text
(1) Consent shall be free, specific, informed, unconditional and unambiguous with a clear affirmative action, signifying agreement to the processing of her personal data for the specified purpose and shall be limited to such personal data as is necessary for such specified purpose.
(3) A request for consent shall be presented to the Data Principal in clear and plain language, giving her the option to access the said request in English or any language specified in the Eighth Schedule to the Constitution.
(4) The Data Principal shall have the right to withdraw her consent given to a Data Fiduciary at any time. The ease of such withdrawal shall be comparable to the ease with which consent was given.
(6) Where a Data Principal withdraws her consent, the Data Fiduciary shall cease to process the personal data of such Data Principal within a reasonable time.
Plain English Explanation

Consent must be: free (no coercion), specific (per purpose), informed (clearly explained), unconditional (no bundling with T&Cs), and unambiguous (clear opt-in, no pre-ticked boxes). Withdrawal must be as easy as giving consent — a single-click unsubscribe if consent was a single click.

Topics: consent, withdrawal, notice, language
Sector Impact Analysis

How DPDPA Hits Your Industry

Every business processing digital personal data of Indians is affected. Some sectors face heightened obligations — including likely SDF designation with DPO, DPIA, and annual audit requirements.

Section 33 + Schedule — Civil Penalties

The Cost of Non-Compliance

Civil penalties are imposed under Section 33 read with the Schedule. The highest scheduled penalty is up to ₹250 crore for failure to take reasonable security safeguards.

Section 33; Schedule item 1: Failure to implement reasonable security safeguards
A personal data breach occurs due to inadequate security measures. Penalty: up to ₹250 Crore

Section 33; Schedule item 2: Failure to notify Board and affected individuals of breach
Not notifying the DPBI and every affected Data Principal after a breach. Penalty: up to ₹200 Crore

Section 33; Schedule item 3: Violations of children's data obligations
Processing child data without verifiable parental consent, or tracking/advertising to children. Penalty: up to ₹200 Crore

Section 33; Schedule item 4: Violations of Significant Data Fiduciary (SDF) obligations
Failing to appoint a DPO, conduct DPIA, engage auditor, or perform algorithmic due diligence. Penalty: up to ₹150 Crore

Section 33; Schedule item 7: Any other violation of the Act or Rules
Consent notice deficiencies, grievance mechanism failures, retention policy violations. Penalty: up to ₹50 Crore

Section 33; Schedule item 5: Breach of Data Principal duties
A Data Principal fails to observe duties under Section 15, such as impersonation or frivolous grievances. Penalty: up to ₹10,000

How the Board Calculates Penalties

"The Board shall, while determining the amount of financial penalty... have regard to the following:" — DPDPA 2023, Schedule

01. Nature, gravity, duration, and type of breach
02. Sensitivity of the personal data involved
03. Repetitive nature of the violation
04. Whether the person realised gain or avoided loss
05. Mitigating actions taken after the breach
06. Proportionality and effectiveness of the penalty imposed
07. Likely impact of the penalty on the person

"Section 33 penalties are imposed after inquiry and hearing. A single incident may involve more than one scheduled contravention, for example security safeguards and breach notification. The Act does not state a general ₹550 crore aggregate cap in the final Schedule."

Implementation Architecture

What Compliance Must Look Like in Practice

Policies alone are not enough. The DPDPA programme must produce evidence: data maps, decision records, consent logs, breach records, processor contracts, grievance registers, and governance reporting.

Lawful Basis Decision Table

Use this before drafting notices or building consent screens.

01. Is the data digital personal data?
If it identifies an individual and is collected digitally, or later digitised, treat it as in scope.
Evidence: Data inventory entry with source, category, system, owner, and purpose.

02. Is an exemption available?
Check personal/domestic use, public data, research/statistical standards, legal proceedings, offence prevention, and notified government exemptions.
Evidence: Exemption memo with statutory clause, factual basis, and approval owner.

03. Can Section 7 apply?
Use only for listed legitimate uses such as voluntary provision for a specified purpose, employment purposes, medical emergency, legal compliance, or state functions.
Evidence: Legitimate-use register, purpose statement, and retention rule.

04. If not, is consent valid?
Consent must be free, specific, informed, unconditional, unambiguous, and withdrawable with comparable ease.
Evidence: Notice version, consent artefact, timestamp, purpose, language, and withdrawal record.
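The Section 6 consent rules described earlier and the four-step lawful-basis table above can be wired into a consent ledger that also yields the evidence items listed (notice version, language, timestamp, withdrawal record). The following Python is an added illustration, not code from this page or from CompliEZ; the field names, the labels used for the Section 7 uses, the seven-day window for ceasing processing after withdrawal, and the sample records are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Labels for the Section 7 legitimate uses named on this page (assumed labels).
LEGITIMATE_USES = {"voluntary_provision", "employment", "medical_emergency",
                   "legal_compliance", "state_function"}
CEASE_WINDOW = timedelta(days=7)  # assumed reading of "reasonable time" in s. 6(6)

@dataclass
class ConsentRecord:
    principal_id: str
    purpose: str                  # one specified purpose per record (s. 6(1))
    notice_version: str           # which notice the principal saw (evidence item)
    language: str                 # English or an Eighth Schedule language (s. 6(3))
    given_at: datetime
    affirmative_action: bool      # clear opt-in, not a pre-ticked box
    bundled_with_terms: bool      # consent made conditional on accepting T&Cs
    withdrawn_at: "datetime | None" = None

    def defects(self):
        """Reasons this record would fail the s. 6(1) validity test."""
        checks = [
            (not self.affirmative_action, "not unambiguous: no clear affirmative action"),
            (self.bundled_with_terms, "not unconditional: bundled with terms of service"),
            (self.purpose.strip().lower() in ("", "all", "any"), "not specific: no single purpose"),
        ]
        return [msg for failed, msg in checks if failed]

class ConsentLedger:
    """Append-only consent store; every event is kept for the evidence pack."""
    def __init__(self):
        self.records, self.audit = [], []  # valid records; (when, principal, purpose, event)

    def record(self, rec):
        """Store the consent only if it is valid; return the defects found."""
        problems = rec.defects()
        event = "rejected: " + "; ".join(problems) if problems else "granted"
        self.audit.append((rec.given_at, rec.principal_id, rec.purpose, event))
        if not problems:
            self.records.append(rec)
        return problems

    def withdraw(self, principal_id, purpose, at):
        """One call withdraws, matching the ease of a one-click grant (s. 6(4))."""
        for rec in self.records:
            if (rec.principal_id, rec.purpose) == (principal_id, purpose) and rec.withdrawn_at is None:
                rec.withdrawn_at = at
                self.audit.append((at, principal_id, purpose, "withdrawn"))
                return True
        return False

    def lawful_basis(self, principal_id, purpose, now):
        """Walk the decision table: Section 7 use first, then live consent."""
        if purpose in LEGITIMATE_USES:
            return "section_7"
        for rec in self.records:
            if (rec.principal_id, rec.purpose) == (principal_id, purpose):
                if rec.withdrawn_at is None:
                    return "consent"
                if now - rec.withdrawn_at <= CEASE_WINDOW:
                    return "cease_pending"  # wind down only; no new processing
        return "none"  # purpose limitation, or wind-down window elapsed

def demo():
    """Constructed sample run: a valid consent, a pre-ticked rejection, a withdrawal."""
    t0 = datetime(2026, 6, 1, tzinfo=timezone.utc)
    ledger = ConsentLedger()
    ok = ConsentRecord("dp-001", "order_delivery", "notice-v3", "hi", t0, True, False)
    bad = ConsentRecord("dp-002", "marketing", "notice-v3", "en", t0, False, True)
    out = {
        "valid_defects": ledger.record(ok),
        "invalid_defects": ledger.record(bad),
        "delivery_basis": ledger.lawful_basis("dp-001", "order_delivery", t0),
        "marketing_basis": ledger.lawful_basis("dp-001", "marketing", t0),
        "employment_basis": ledger.lawful_basis("dp-001", "employment", t0),
    }
    ledger.withdraw("dp-001", "order_delivery", t0 + timedelta(days=30))
    out["day_32"] = ledger.lawful_basis("dp-001", "order_delivery", t0 + timedelta(days=32))
    out["day_45"] = ledger.lawful_basis("dp-001", "order_delivery", t0 + timedelta(days=45))
    out["audit_events"] = [event.split(":")[0] for _, _, _, event in ledger.audit]
    return out
```

The audit list is the consent transaction log the evidence pack asks for; purpose limitation falls out of the lookup because consent for one purpose never matches a request for another.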

Regulator-Ready Evidence Pack

Documents are useful only if the business can prove the controls operate.

Data map and records of processing activities
Consent notice versions and consent transaction logs
Withdrawal, erasure, and retention logs
Processor inventory, DPAs, and security addenda
Rule 6 safeguard evidence: access reviews, logs, backups, encryption, monitoring
Breach register, forensic notes, Board intimations, and affected-user notices
Grievance register with acknowledgement, owner, status, and outcome
SDF file: DPO appointment, DPIA, independent audit, algorithmic diligence, Board reporting

Personal Data Breach Workflow

Immediately: Triage and contain
Confirm whether confidentiality, integrity, or availability of personal data is compromised. Preserve logs and isolate affected systems.

Without delay: Notify affected Data Principals
Use concise, clear and plain language. Include nature, extent, timing, consequences, mitigation, safety measures, and contact details.

Without delay: Initial Board intimation
Inform the Board of the breach description, nature, extent, timing, location, and likely impact.

Within 72 hours: Detailed Board update
Provide updated facts, circumstances, mitigation, cause findings, recurrence-prevention measures, and a report on Data Principal notices.

Decision Records

Every processing activity should have a recorded purpose, legal basis, data category, system owner, retention rule, processor list, and review date.

Product Gate

New products, SDKs, pixels, AI features, and vendor integrations should pass a DPDPA review before launch.

Board-Ready Evidence

Assume the regulator will ask what you did, when, why, and who approved it. Keep evidence versioned and exportable.

Section 17 — Exemptions

When the DPDPA Does Not Apply

Section 17 provides specific, narrow exemptions from the Act's obligations. These are purposive and conditional — not blanket carve-outs. Understand your boundaries precisely.

Section 17 — DPDPA 2023

Exemptions Are Narrow, Not General

Section 17 provides specific, limited exemptions from the Act's provisions. These are not blanket carve-outs — each is purposive and conditional. The Act adopts a "necessary and proportionate" standard: processing must be genuinely required for the exempt purpose, and only the minimum necessary data may be processed.

"Nothing in this Act shall apply to processing of personal data that is necessary for exercising or performing any function of Parliament or any State Legislature..." — Section 17(1)
Common Mistake

Treating an exemption as a permanent shield. Exemptions apply only to the specific purpose — once that purpose is served, normal DPDPA obligations resume.

Key Principle

Even within an exemption, data minimisation remains a best practice. Processing more data than necessary — even for an exempt purpose — creates legal and reputational risk.

"Exemptions under Section 17 are subject to judicial review. Indian courts apply the principle of proportionality — the exemption must be necessary and commensurate with the legitimate aim pursued. An overly broad claim of exemption will not withstand legal scrutiny."

Required Documentation

Complete Document Checklist

Every document your organisation must create, maintain, and keep current under the DPDPA 2023 and DPDP Rules 2025 — with rule references and key requirements.

28 Total Documents: 16 Mandatory (All Fiduciaries); 6 SDF-Specific Additional; 5 Recommended Best Practice
Privacy Policy / Notice (Policy; Mandatory)
The primary document explaining what data you collect, why, and how individuals can exercise their rights.
Reference: Rule 3 | Section 5, 6

Consent Notice / Form (Notice; Mandatory)
The specific notice presented to users at the point of data collection, seeking affirmative consent.
Reference: Rule 3 | Section 6

Data Processing Agreement (DPA) (Agreement; Mandatory)
A contract with every vendor or third party that processes personal data on your behalf.
Reference: Section 8(2), 8(5) | Rule 6(f)

Data Retention & Erasure Policy (Policy; Mandatory)
Internal policy documenting how long different categories of data are retained and how they are deleted.
Reference: Rule 8 | Section 8(1)

Data Breach Incident Response Procedure (Procedure; Mandatory)
Step-by-step internal procedure for detecting, containing, reporting, and remediating data breaches.
Reference: Rule 7 | Section 8(7)

Data Subject Access Request (DSAR) Procedure (Procedure; Mandatory)
Internal procedure for handling requests from individuals to access, correct, or erase their data.
Reference: Rule 14 | Sections 11–13

Grievance Redressal Mechanism (Procedure; Mandatory)
Publicly accessible mechanism for Data Principals to raise complaints about data processing.
Reference: Section 13 | Rule 14(3)

Children's Data Consent Procedure (Procedure; Recommended)
Procedure for obtaining verifiable parental/guardian consent for processing data of users under 18.
Reference: Rule 10 | Section 9

Cross-Border Data Transfer Assessment (Assessment; Recommended)
Assessment of all cross-border data transfers against the DPDPA negative list and sectoral restrictions.
Reference: Section 16 | Rule 15

Data Mapping / Records of Processing Activities (Assessment; Mandatory)
A comprehensive map of all personal data flows — what is collected, where it is stored, who accesses it, and why.
Reference: Section 5, 8 | Rule 3, 6

Data Protection Impact Assessment (DPIA) (Assessment; Mandatory; SDF Only)
Annual assessment of privacy risks in data processing operations, mandatory for Significant Data Fiduciaries.
Reference: Rule 13(a) | Section 10(2)(c)

Annual Compliance Audit Framework (Assessment; Mandatory; SDF Only)
Framework for the independent auditor to evaluate SDF compliance with the DPDPA annually.
Reference: Rule 13(b) | Section 10(2)(b)

DPO Appointment & Terms of Reference (Agreement; Mandatory; SDF Only)
Formal appointment document and role charter for the Data Protection Officer, mandatory for SDFs.
Reference: Section 10(2)(a) | Rule 9

Algorithmic Due Diligence Report (Assessment; Mandatory; SDF Only)
Assessment of algorithms and AI systems for risks to Data Principal rights, mandatory for SDFs.
Reference: Rule 13(c) | Section 10(2)(c)(iii)

Security Safeguards Policy (Policy; Mandatory; Phase 1 · 0–3 mo)
Documents the technical and organisational measures implemented to protect personal data against breaches — mandatory under Rule 6.
Reference: Rule 6 | Section 8(1)(e)

Access Control & Privileged Access Policy (Policy; Mandatory; Phase 1 · 0–3 mo)
Governs who may access personal data within the organisation, on what basis, and the controls surrounding privileged administrative access.
Reference: Rule 6(1)(a) | Section 8(1)(e)

Data Classification Policy (Policy; Mandatory; Phase 1 · 0–3 mo)
Classifies all personal data held by the organisation by sensitivity level, guiding security controls, retention, and handling procedures.
Reference: Section 2(t) | Rule 6

Employee / Staff Privacy Notice (Notice; Mandatory; Phase 1 · 0–3 mo)
Informs employees, contractors, and interns of the personal data collected about them, why it is processed, their DPDPA rights, and how to exercise them.
Reference: Rule 3 | Section 5, 6, 11–14

Cookie & Tracking Technology Notice (Notice; Mandatory; Phase 1 · 0–3 mo)
Discloses all cookies and tracking technologies used on digital platforms, and seeks separate, granular consent for each non-essential category.
Reference: Rule 3 | Section 6

CCTV / Physical Surveillance Notice (Notice; Recommended; Phase 2 · 3–9 mo)
Informs individuals of CCTV and physical monitoring at organisational premises — a DPDPA obligation where individuals' personal data is captured.
Reference: Rule 3 | Section 5, 6

Right to Nominate Form (Section 14) (Notice; Mandatory; Phase 2 · 3–9 mo)
A form enabling Data Principals to nominate another individual to exercise their DPDPA rights in the event of their death or incapacity — Section 14 obligation.
Reference: Section 14 | Rule 14

Legitimate Uses Register (Register; Mandatory; Phase 2 · 3–9 mo)
Documents all processing activities conducted under Section 7 "legitimate uses" — processing without consent but for specified purposes like employment, medical emergency, or state functions.
Reference: Section 7 | Rule 3(3)

Grievance Register & Complaint Log (Register; Mandatory; Phase 1 · 0–3 mo)
A mandatory internal register of all grievances received from Data Principals — recording receipt, status, resolution, and escalation to DPBI.
Reference: Section 13 | Rule 14(3)

Data Protection Training Programme & Records (Training; Recommended; Phase 2 · 3–9 mo)
Structured training curriculum and attendance records for all staff handling personal data — demonstrating organisational accountability.
Reference: Section 8 | Rule 6

Vendor / Processor Due Diligence Checklist (Assessment; Recommended; Phase 2 · 3–9 mo)
Pre-engagement security and compliance assessment of all vendors who will process personal data on the organisation's behalf.
Reference: Section 8(2), 8(5) | Rule 6(f)

Privacy by Design Framework (Policy; Mandatory; SDF Only; Phase 2 · 3–9 mo)
Embeds data protection considerations into product development, engineering, and procurement processes from inception — mandatory for SDFs, best practice for all.
Reference: Rule 13 | Section 10(2)(c)

Board / Management Annual Compliance Report (Register; Mandatory; SDF Only; Phase 3 · 9–15 mo)
Annual report to the Board of Directors summarising DPDPA compliance status, audit findings, grievances handled, and outstanding remediation — mandatory for SDFs.
Reference: Rule 13(b) | Section 10(2)(b)

Consent Manager Operating Agreement (Agreement; Mandatory; Consent Manager; Phase 2 · 3–9 mo)
The regulatory-compliant agreement governing the relationship between a registered Consent Manager and Data Fiduciaries using its platform — required under Rule 4 and the First Schedule.
Reference: Rule 4 | First Schedule | Section 6(7)–(9)

"CompliEZ data protection lawyers can draft all mandatory documents, conduct a gap analysis against your existing policies, and deliver a complete DPDPA documentation package — reviewed and signed off by qualified advocates — before the May 2027 deadline."

Compliance Timeline

13 November 2025 → Mid-May 2027

The compliance clock is running. Here are the key milestones between the Rules notification and the full compliance deadline — with days remaining calculated in real time.

Full Compliance Deadline: 361 days remaining until the mid-May 2027 operational window (as of 18 May 2026)

13 November 2025 ✓ Completed

DPDP Rules 2025 Notified

Enforcement Clock Starts

  • DPDP Rules formally notified by MeitY
  • Data Protection Board of India (DPBI) established under Section 18
  • Data Protection Board framework established as a digital-by-design institution
  • Procedural provisions and Board-related rules begin coming into force
  • Compliance timeline begins — 18 months to full enforcement
13 May 2026 ✓ Completed

6-Month Mark

Foundation Phase Complete

  • Data mapping and gap analysis completed
  • DPDPA Compliance Lead / DPO appointed
  • Cross-functional compliance team established
  • All vendor/processor inventory completed
  • Privacy Policy and Consent Notice redesign in progress
13 November 2026: 179 days remaining

12-Month Mark

Consent Manager Registration Framework

  • Consent Manager registration framework under Rule 4 becomes operative around this stage
  • All vendor DPAs signed and in force
  • Breach response plan live and tested
  • Grievance redressal mechanism operational
  • For SDFs: DPO appointed, first DPIA completed, independent auditor engaged
  • Staff training programme completed
13/14 May 2027: 361 days remaining (Deadline)

FULL COMPLIANCE DEADLINE

All DPDP Rules in Full Force

  • All DPDP Rules fully operational and enforceable
  • Cross-border transfer rules under Section 16 in full effect
  • All consent mechanisms 100% deployed and tested
  • Log retention at 1-year minimum (Rule 6(e)) established
  • For SDFs: Annual audit completed, DPIA cycle established
  • Algorithmic due diligence implemented (SDFs)
  • Full compliance achieved across all business units
Section 18 — Enforcement

The Data Protection Board of India

India's dedicated data protection adjudicatory body, established under Section 18 and designed as a digital-by-design office. Understand its powers, inquiry process, and evidence expectations.

Section 18 — DPDPA 2023

Data Protection Board of India

Established: Under Section 18 by Central Government notification
Type: "Digital Office" — all proceedings conducted digitally; no physical attendance required
Composition: Chairperson + Members (appointed by Central Government); Vice-Chairperson elected from among Members
Proceedings: Digital-by-design under the Act and Rules; specific filing systems should be checked against current Board notifications
Section 18(2): "The Board shall be a digital office and shall carry out its functions in such digital manner as may be prescribed."

Digital-First Complaint Mechanism

Online Portal: Prepare complaints, evidence, notices, and responses for digital submission once the Board-prescribed process is available.
Mobile Application: Proceedings are intended to be digital-by-design; monitor DPBI and MeitY notifications for live portal, app, fee, and filing details.
Critical for Businesses: Your internal grievance mechanism under Section 13 and Rule 14 must be exhausted before a Data Principal complaint reaches the Board. A strong internal process is your first line of defence.

Board Powers (Sections 19–33)

Investigate Complaints
The Board can investigate complaints filed by Data Principals against Data Fiduciaries.
Adjudicate Disputes
Conduct hearings and adjudicate disputes between Data Principals and Fiduciaries digitally.
Impose Penalties
Issue monetary penalties under Section 33 and the Schedule, with the highest scheduled penalty up to ₹250 Crore.
Issue Directions
Order Data Fiduciaries to take specific remedial actions and correct non-compliance.
Suspend Registrations
Suspend or cancel Consent Manager registrations for non-adherence under Rule 4.
Conduct Inquiries
Inquire into breaches on complaints, breach intimations, references, court directions, and Consent Manager matters.

How a Complaint Reaches You (Section 24)

01. Internal Grievance First: File the complaint through the Data Fiduciary's internal grievance mechanism first. Rule 14 requires a reasonable response period not exceeding 90 days.
02. Escalate to Board: If the grievance process is exhausted or the response is unsatisfactory, the complaint may be filed before the Board in the prescribed digital manner.
03. Digital Hearing: The Board conducts proceedings digitally; no physical presence is required, and you can participate online.
04. Order / Penalty: The Board issues a binding order. If a penalty is imposed, it must be paid within the prescribed period.
Frequently Asked Questions

Every Question, Answered

34 critical questions across 8 categories — covering consent, rights, obligations, children's data, cross-border transfers, penalties, and more. Every answer cited to the Act and Rules.

The DPDPA 2023 is India's comprehensive digital personal data protection law, enacted on 11 August 2023. It governs the processing of digital personal data of individuals in India. The Act establishes enforceable rights for Data Principals, imposes obligations on Data Fiduciaries, creates the Data Protection Board of India for adjudication and enforcement, and prescribes civil monetary penalties under Section 33 read with the Schedule. The DPDP Rules 2025 were notified through a Gazette notification dated 13 November 2025, with public PIB materials referring to 14 November 2025.

Statutory Reference

Preamble; Sections 1–3

Practical Takeaway

If you collect, store, or process personal data of individuals in India in digital form — you are legally subject to this Act. There is no SME/startup exemption.

"These answers reflect the DPDPA 2023 and DPDP Rules notified on 13 November 2025. Data protection law continues to evolve through government notifications and DPBI guidance. Consult qualified data protection counsel for advice specific to your organisation."

DPDPA Advisory — Available Now

Ready to Become DPDPA Compliant?

"Our data protection lawyers will review your business, draft all required documents, implement controls, and deliver a legally sound implementation plan — before the May 2027 deadline."