DPDP

Digital Personal Data Protection Act (India)

India's first comprehensive personal data protection law, enacted in August 2023. The implementing rules were finalised in 2025 and most obligations phase in over the months that follow.

At a glance
Effective
Phased. Assent in August 2023; draft rules published for consultation in early 2025; final rules notified in 2025, with most obligations phasing in afterwards
Authority
Data Protection Board of India
Maximum fine
₹250 crore (~$30M USD)
Vendor monitoring
Required (§ 8, data fiduciary obligations)

The Digital Personal Data Protection Act, 2023 is India's first comprehensive personal data protection statute. It uses "Data Fiduciary" (the controller role: the entity that determines purpose and means) and "Data Processor" (an entity processing on a fiduciary's behalf) terminology, and it applies extraterritorially to processing of digital personal data where that processing is in connection with offering goods or services to Data Principals (the individuals the data relates to) within India.

Who it applies to

DPDP applies to processing of digital personal data:

  • Within India, where the data is collected in digital form, or collected in non-digital form and digitised subsequently.
  • Outside India, where the processing is in connection with any activity related to offering goods or services to Data Principals within India.

Notable absences: there is no revenue or volume threshold and no general small-business carve-out in the Act itself. Section 17 exempts specific processing contexts (for example enforcing legal claims, court functions, and prevention or investigation of offences) and allows the central government to exempt notified classes of fiduciaries, including startups, from some obligations. Processing for personal or domestic purposes, and personal data the Data Principal has made publicly available, fall outside the Act altogether.

Data Fiduciary obligations

Section 8 imposes obligations on data fiduciaries, including:

  • Notice and consent. Consent must be free, specific, informed, unconditional and unambiguous, given by a clear affirmative action, and the request for consent must be accompanied or preceded by a notice stating what personal data is collected and for what purpose.
  • Purpose limitation. Processing only for the purpose the Data Principal consented to, or for one of the "legitimate uses" in section 7, which do not require consent.
  • Accuracy. Reasonable efforts to ensure completeness, accuracy and consistency where the data is used to make a decision affecting the Data Principal or is disclosed to another fiduciary.
  • Retention limits. Personal data must be erased, and the fiduciary must cause its processors to erase it, once consent is withdrawn or as soon as it is reasonable to assume the specified purpose is no longer being served, unless retention is required by law.
  • Security safeguards. Reasonable security safeguards to prevent personal data breach, covering both the fiduciary's own processing and processing done on its behalf by a Data Processor.
  • Breach notification. Notice of a personal data breach to the Data Protection Board and to each affected Data Principal, in the form and within the timelines prescribed by the rules.
  • Processor accountability. A Data Processor may be engaged only under a valid contract, and the fiduciary remains responsible for compliance in respect of processing done on its behalf, regardless of any agreement to the contrary.
  • Data principal rights. Access to information about processing, correction and erasure, grievance redressal, and nomination of a person to exercise these rights in case of death or incapacity.

Significant Data Fiduciaries

Some data fiduciaries are designated as "Significant Data Fiduciaries" by the central government under section 10, based on factors such as the volume and sensitivity of data processed, the risk to the rights of Data Principals, the potential impact on the sovereignty and integrity of India, the risk to electoral democracy, the security of the state and public order. Significant Data Fiduciaries have additional obligations:

  • Appointment of a Data Protection Officer based in India, who represents the fiduciary under the Act and is the point of contact for grievance redressal.
  • Appointment of an independent data auditor.
  • Periodic data protection impact assessments.
  • Periodic audits and other measures.

Cross-border transfers

DPDP allows transfers to any country except those the central government notifies as restricted (section 16). This inverts the GDPR approach: transfers are permitted by default and restricted by exception, rather than restricted by default and permitted under adequacy decisions or transfer mechanisms. The Act also preserves any other Indian law that imposes a higher degree of protection or a stricter restriction on transfers, so sector-specific localisation requirements continue to apply on top of it. The list of restricted countries had not been published as of late 2025.

Vendor monitoring under DPDP

The framework is newer and less prescriptive than GDPR, but the underlying logic is similar. For vendor monitoring:

  • Consent and notice management is the data fiduciary's responsibility; a vendor processing on the fiduciary's behalf must stay within the consented purpose, and the fiduciary must be able to pass withdrawals of consent and erasure requests through to the vendor.
  • Processors may be engaged only under a valid contract, and the fiduciary remains liable for processing done on its behalf, so vendor contracts must pass through the DPDP obligations: purpose scope, security safeguards, breach detection and reporting back to the fiduciary in time for the fiduciary to notify the Board, and erasure when consent is withdrawn or the purpose is served.
  • A vendor that is a processor for one customer may be a Data Fiduciary for its own processing and could be designated a Significant Data Fiduciary in that capacity; due diligence should establish which role the vendor plays for each data flow and whether the additional obligations (DPO, independent audit, impact assessment) apply to it.
  • Cross-border restrictions, if and when published, will require an inventory of vendor sub-processor locations and a check of each against the notified list, alongside any stricter sectoral localisation rules.

Enforcement

The Data Protection Board of India is the adjudicating body; it inquires into breaches, issues directions and imposes monetary penalties, with appeals lying to the Telecom Disputes Settlement and Appellate Tribunal. Penalties are set out in the Schedule to the Act and are graded by category of violation:

  • Failure to take reasonable security safeguards to prevent a personal data breach: up to ₹250 crore (~$30M).
  • Failure to notify the Board or affected Data Principals of a breach: up to ₹200 crore.
  • Breach of the additional obligations relating to children's personal data: up to ₹200 crore.
  • Breach of the additional obligations of a Significant Data Fiduciary: up to ₹150 crore.
  • Any other breach of the Act or the rules: up to ₹50 crore.

Enforcement is in early stages. The draft rules were published for consultation in early 2025 and the final rules were notified in 2025 with a phased commencement, so operational practice, including how the Board sizes penalties and what breach-notification timelines look like in practice, will develop through the late 2020s.
