Summarization of the DPDP Act, 2023
The Digital Personal Data Protection (DPDP) Act, 2023 establishes India's core legal framework for the protection of personal data in the digital ecosystem. It defines how personal data may be lawfully processed, the rights and duties of individuals (Data Principals), and the obligations of organizations and government bodies (Data Fiduciaries). The Act introduces consent-based processing, limited legitimate uses, strong safeguards for children's data, breach notification requirements, user rights such as access, correction, erasure, and grievance redressal, and enhanced compliance duties for Significant Data Fiduciaries. It also empowers the Data Protection Board of India to enforce compliance and impose penalties, ensuring accountability, transparency, and responsible data handling across India.
A comprehensive breakdown of the DPDP Act sections, covering obligations, rights, penalties, and the governance framework.
| Section No. | Category / Theme | What the Section Mandates |
|---|---|---|
| Section 1 | Preliminary | Sets the short title and states that the Central Government will notify the dates for different provisions to come into force. |
| Section 2 | Definitions | Defines key terms including "Data Fiduciary," "Data Principal," "Consent Manager," "Significant Data Fiduciary," and "Person". |
| Section 3 | Application of Act | Applies the Act to digital personal data processed within India, or outside India if offering goods/services to India; exempts personal/domestic use and publicly available data. |
| Section 4 | Grounds for Processing | Mandates that data can only be processed for a lawful purpose based on Consent or "Certain Legitimate Uses". |
| Section 5 | Notice | Mandates giving a notice detailing data collected and rights before seeking consent, and sending a notice to legacy users "as soon as reasonably practicable". |
| Section 6 | Consent | Mandates that consent be free, specific, informed, unconditional, and unambiguous; allows withdrawal of consent; introduces Consent Managers. |
| Section 7 | Certain Legitimate Uses | Lists scenarios where data can be processed without explicit consent (e.g., voluntary provision, employment purposes, medical emergencies, state benefits). |
| Section 8 | General Obligations | Mandates accuracy, security safeguards, breach notifications to the Board and affected users, erasure of data (retention limits), and grievance redressal mechanisms. |
| Section 9 | Children's Data | Mandates obtaining verifiable parental consent before processing a child's data; prohibits tracking, behavioral monitoring, or targeted ads directed at children. |
| Section 10 | Significant Data Fiduciary (SDF) | Empowers the Government to notify SDFs; mandates that SDFs appoint a DPO based in India and an independent auditor, and conduct periodic DPIAs and audits. |
| Section 11 | Right to Access | Grants Data Principals the right to request a summary of their data being processed and the identities of other Fiduciaries/Processors with whom it was shared. |
| Section 12 | Right to Correction & Erasure | Grants Data Principals the right to request correction of inaccurate data and erasure of data unless retention is required by law. |
| Section 13 | Grievance Redressal | Mandates readily available grievance redressal means and requires Fiduciaries to respond within a prescribed period. |
| Section 14 | Right to Nominate | Grants Data Principals the right to nominate an individual to exercise their rights in the event of death or incapacity. |
| Section 15 | Duties of Data Principal | Mandates that users not impersonate others, suppress material information, or file false/frivolous grievances. |
| Section 16 | Processing Outside India | Allows the Central Government to restrict data transfer to specific notified countries or territories. |
| Section 17 | Exemptions | Exempts certain processing (e.g., courts, prevention of offenses) from most Act provisions; allows the Government to exempt startups from specific obligations. |
| Section 29 | Appeal | Allows appeals against Board orders to the Appellate Tribunal (TDSAT) within 60 days. |
| Section 30 | Execution of Orders | Mandates that Tribunal orders are executable as a decree of a civil court. |
| Section 31 | Alternate Dispute Resolution | Allows the Board to direct parties to attempt resolution through mediation. |
| Section 32 | Voluntary Undertaking | Allows the Board to accept voluntary undertakings from entities to take specific actions instead of facing further proceedings. |
| Section 33 | Penalties | Empowers the Board to impose monetary penalties specified in the Schedule (up to ₹250 Crore) based on breach severity. |
| Section 36 | Power to Call for Info | Empowers the Central Government to require the Board or Data Fiduciaries to furnish information. |
| Section 37 | Blocking Information | Empowers the Government, upon Board reference, to block public access to a Fiduciary's platform after multiple penalties. |
| The Schedule | Penalties | Lists specific monetary penalties (e.g., up to ₹250 crore for security failure, ₹200 crore for child data violation). |
Note: The other sections and schedules relate to the setup and functioning of the Data Protection Board of India (DPBI), or to the powers given to the Central Government of India.