| Section 2 Definitions (DPDP Act, 2023) |

| Provision | Definition | Significance |
|---|---|---|
| Section 2(a) – "Appellate Tribunal" | Defines the Appellate Tribunal as the Telecom Disputes Settlement and Appellate Tribunal (TDSAT). | Identifies the authority where appeals against Data Protection Board decisions must be filed. |
| Section 2(f) – "Child" | Defines a child as an individual below 18 years of age. | Triggers enhanced protection obligations and parental consent requirements. |
| Section 2(g) – "Consent Manager" | Defines a Consent Manager as a registered entity enabling data principals to manage, review, and withdraw consent. | Introduces centralized, auditable consent management as an ecosystem role. |
| Section 2(h) – "Data" | Defines data as a representation of information, facts, concepts, opinions, or instructions suitable for communication or processing. | Establishes the broad scope of what qualifies as data under the Act. |
| Section 2(i) – "Data Fiduciary" | Defines a Data Fiduciary as the entity that determines the purpose and means of processing personal data. | Assigns primary legal responsibility for DPDP compliance and penalties. |
| Section 2(j) – "Data Principal" | Defines a Data Principal as the individual to whom personal data relates. | Identifies the rights-holder under the DPDP framework. |
| Section 2(k) – "Data Processor" | Defines a Data Processor as an entity processing personal data on behalf of a Data Fiduciary. | Separates operational processing from accountability and decision-making. |
| Section 2(l) – "Digital Personal Data" | Defines digital personal data as personal data in digital form. | Limits the Act’s applicability to digital data only. |
| Section 2(m) – "Personal Data" | Defines personal data as any data about an identifiable individual. | Sets the foundational scope for all protections and obligations under the Act. |
| Section 2(n) – "Processing" | Defines processing as any operation performed on personal data, including collection, storage, use, sharing, or deletion. | Ensures nearly all data-handling activities fall within regulatory scope. |
| Section 2(o) – "Significant Data Fiduciary" | Defines a Significant Data Fiduciary as a fiduciary notified by the government based on volume, sensitivity, or risk. | Triggers enhanced compliance obligations such as DPIA, audits, and DPO appointment. |
| Section 2(p) – "State" | Defines State to include Central Government, State Governments, and their instrumentalities. | Clarifies that government bodies are data fiduciaries under the Act (subject to exemptions). |
| Section 2(q) – "Telecom Disputes Settlement and Appellate Tribunal" | Formally defines TDSAT. | Establishes statutory appellate jurisdiction. |

| Section 3 – Applicability |

| Section 3(1) |
Mandates that the DPDP Act applies to all personal data that is already in digital form and is processed within the territory of India, regardless of whether the processing entity is public or private.
Operationally, organizations must:
- Identify all digital systems processing personal data
- Treat all such processing as in-scope for DPDP

| Section 3(2) |
Extends the applicability of the Act to non-digital (offline) personal data once it is converted into digital form.
Operationally, organizations must:
- Treat digitization (scanning, data entry, OCR) as a compliance trigger
- Apply consent, retention, and security controls immediately after digitization
- Include legacy paper records in DPDP data inventories once digitized

| Section 3(3) |
Extends applicability to processing outside India if it is connected to offering goods or services to individuals in India.
Operationally, organizations must:
- Apply DPDP controls to overseas processing vendors
- Ensure contracts with foreign processors include DPDP obligations
- Treat Indian users’ data as protected even when processed abroad

| Section 4 – Grounds for Processing Personal Data |

| Section 4(1) |
Mandates that personal data may be processed only for a lawful purpose.
Operationally, organizations must:
- Define and document a lawful purpose for every processing activity
- Prohibit open-ended or undefined data collection
- Link each data element to a specific business purpose

| Section 4(2) |
Restricts lawful processing strictly to:
- Consent under Section 6
- Legitimate uses under Section 7

Operationally, organizations must:
- Map each processing activity to either “consent-based” or “legitimate use”
- Avoid hybrid or assumed lawful bases
- Be able to demonstrate lawful basis during audits

| Section 5 – Notice |

| Section 5(1) |
Mandates that a clear notice must be provided to the Data Principal before or at the time of seeking consent.
Operationally, organizations must:
- Display privacy notices at data collection points
- Ensure notices are accessible and understandable
- Provide notices in clear language (not legal jargon)

| Section 5(2) |
Mandates that the notice must include:
- Personal data being collected
- Purpose of processing
- Rights of the Data Principal
- Grievance Redressal Mechanism

Operationally, organizations must:
- Maintain standardized notice templates
- Keep notices aligned with actual processing
- Update notices whenever processing changes

| Section 6 – Consent |

| Section 6(1) |
Mandates that consent must be free, informed, specific, unconditional, and unambiguous.
Operationally, organizations must:
- Avoid forced or bundled consent
- Separate consent by purpose
- Ensure users understand what they are agreeing to

| Section 6(2) |
Mandates that consent must be given through clear affirmative action.
Operationally, organizations must:
- Use opt-in mechanisms (checkbox, toggle, button)
- Prohibit pre-ticked boxes or implied consent
- Log consent actions as evidence

| Section 6(3) |
Grants the Data Principal the right to withdraw consent at any time.
Operationally, organizations must:
- Provide easy consent withdrawal mechanisms
- Stop processing immediately after withdrawal
- Maintain records of withdrawal actions

| Section 7 – Legitimate Uses |

| Section 7(a) |
Permits processing without consent for functions of the State.
Operationally:
- Government bodies may process data for sovereign functions
- Private entities must verify legal backing before relying on this clause

| Section 7(b) |
Permits processing for compliance with law or court orders.
Operationally:
- Maintain records of legal obligations
- Limit processing strictly to what the law requires

| Section 7(c) |
Permits processing for medical emergencies.
Operationally:
- Enable rapid access controls for emergency scenarios
- Restrict reuse of data after the emergency ends

| Section 7(d) |
Permits processing for employment-related purposes.
Operationally:
- HR processing may occur without consent
- Processing must still be reasonable and necessary

| Section 7(e) |
Permits processing for public interest or disaster management.
Operationally:
- Processing must be proportional
- Retention must be limited to the duration of the event

| Section 8 – General Obligations of Data Fiduciary |

| Section 8(1) |
Mandates that the Data Fiduciary must ensure accuracy and completeness of personal data used for decision-making.
Operationally, organizations must:
- Create and maintain records of personal data processed
- Document purpose, data categories, and retention periods
- Implement data validation and update mechanisms
- Prevent decisions based on outdated or incorrect data

| Section 8(2) |
Mandates implementation of reasonable security safeguards to prevent personal data breaches.
Operationally, organizations must:
- Implement access controls, encryption, logging
- Conduct risk assessments
- Apply security controls proportional to data sensitivity

| Section 8(3) |
Mandates taking reasonable steps to prevent personal data breaches and to mitigate harm if a breach occurs.
Operationally, organizations must:
- Maintain incident response plans
- Detect, respond, and contain breaches
- Document breach handling actions

| Section 8(4) |
Mandates deletion of personal data once the purpose is fulfilled and retention is no longer necessary.
Operationally, organizations must:
- Define retention schedules
- Automate deletion where possible
- Ensure processors also delete data

| Section 9 – Processing of Children’s Personal Data |

| Section 9(1) |
Mandates obtaining verifiable parental consent before processing children’s data.
Operationally, organizations must:
- Implement age verification mechanisms
- Verify parental identity and consent
- Maintain consent records

| Section 9(2) |
Prohibits tracking, behavioral monitoring, or targeted advertising directed at children.
Operationally, organizations must:
- Disable profiling for child accounts
- Restrict analytics and ad-tech tools
- Separate child and adult data flows

| Section 9(3) |
Empowers the Government to exempt certain classes of Data Fiduciaries.
Operationally:
- Monitor government notifications
- Apply exemptions only when formally notified

| Section 10 – Obligations of Significant Data Fiduciary |

| Section 10(1) |
Mandates appointment of a Data Protection Officer (DPO) based in India.
Operationally, organizations must:
- Appoint a qualified DPO
- Define reporting lines
- Publish DPO contact details

| Section 10(2) |
Mandates conducting Data Protection Impact Assessments (DPIA).
Operationally, organizations must:
- Identify high-risk processing
- Assess impact on Data Principals
- Implement mitigation controls

| Section 10(3) |
Mandates periodic independent audits of DPDP compliance.
Operationally, organizations must:
- Engage qualified auditors
- Track findings and remediation
- Maintain audit evidence

| Section 10(4) |
Mandates implementation of additional measures as prescribed by the Government.
Operationally:
- Monitor rules and notifications
- Update governance controls accordingly

| Section 11 – Consent Manager |
A Consent Manager is an entity registered with the Data Protection Board that enables individuals to give, manage, review, and withdraw consent through a single platform.
Operationally, an organization must:
- Be capable of integrating with Consent Managers if individuals choose to use one
- Ensure consent records are:
  - Verifiable
  - Time-stamped
  - Purpose-specific
- Respect consent withdrawal without friction or delay

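The consent-record properties listed under Section 6 (affirmative action, logged consent, withdrawal at any time) and Section 11 (verifiable, time-stamped, purpose-specific records) can be met with an append-only ledger. The following Python is an added illustration, not code from the Act or from any Consent Manager; the HMAC key, the record layout and the data principal identifier are constructed for the example.

```python
import hmac, hashlib, json
from datetime import datetime, timezone

# Constructed demo key: a real deployment keeps this in a KMS/HSM, never in source.
LEDGER_KEY = b"demo-key-do-not-use-in-production"


def _tag(record: dict) -> str:
    """HMAC over a canonical JSON encoding, so a record can be verified later."""
    payload = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(LEDGER_KEY, payload, hashlib.sha256).hexdigest()


class ConsentLedger:
    def __init__(self):
        self.records = []  # append-only: entries are never edited or removed

    def _append(self, principal, purpose, action, ts=None):
        rec = {
            "principal": principal, "purpose": purpose, "action": action,
            "ts": (ts or datetime.now(timezone.utc)).isoformat(),  # time-stamped
            "seq": len(self.records),  # position binds the record to its order
        }
        rec["tag"] = _tag(rec)
        self.records.append(rec)
        return rec

    def give(self, principal, purpose, ts=None):
        # Section 6(2): recorded only on an explicit affirmative action by the principal
        return self._append(principal, purpose, "given", ts)

    def withdraw(self, principal, purpose, ts=None):
        # Section 6(3): withdrawal is a new record, not an edit of the original consent
        return self._append(principal, purpose, "withdrawn", ts)

    def verify(self) -> bool:
        """Recompute every tag; a modified, reordered or deleted entry fails."""
        for i, rec in enumerate(self.records):
            body = {k: v for k, v in rec.items() if k != "tag"}
            if body["seq"] != i or not hmac.compare_digest(_tag(body), rec["tag"]):
                return False
        return True

    def permitted(self, principal, purpose) -> bool:
        """Purpose-specific check: consent for one purpose never covers another."""
        latest = None
        for rec in self.records:
            if rec["principal"] == principal and rec["purpose"] == purpose:
                latest = rec["action"]
        return latest == "given"
```

Call `permitted()` at the point of processing rather than caching its answer, so a withdrawal takes effect immediately.
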
| Section 12 – Rights of the Data Principal |
This section grants core rights to individuals whose data you process. Rights include:
- Right to access information
  - What data is processed
  - For what purpose
  - With whom it is shared
- Right to correction
  - Inaccurate data
  - Incomplete data
- Right to erasure
  - Data no longer required
  - Consent withdrawn
- Right to Grievance Redressal

Operationally, an organization must:
- Maintain data inventories
- Build request-handling workflows
- Define SLA timelines internally
- Log every request and response for auditability

| Section 13 – Right to Nominate |
A data principal can nominate another individual to exercise their rights in case of:
- Death
- Incapacity

Operationally, systems must allow:
- Nomination capture
- Verification of the nominee
Policies must define how incapacity or death is validated.

Why this matters:
- This is heavily relevant for:
  - Financial services
  - Health platforms
  - Identity-based services
- Ignoring this = future litigation risk

| Section 14 – Duties of Data Principal |
Individuals also have duties. They must:
- Not impersonate
- Not suppress material facts
- Not file false grievances

Operationally:
- This does not reduce your obligations
- An organization cannot reject a valid request just because it’s inconvenient
- This section exists mainly to prevent abuse, not to protect sloppy data fiduciaries

| Section 15 – Processing of Personal Data of Children |
Children = below 18 years (India chose a strict threshold).
Restrictions:
- Verifiable parental consent is mandatory
- No tracking
- No behavioral monitoring
- No targeted advertising

Operationally, organizations must:
- Implement age-gating mechanisms
- Maintain proof of parental consent
- Disable profiling features for children
- Segment child data logically and technically

| Section 16 – Exemptions for Certain Processing |
Certain processing activities are exempt from standard obligations.
Includes:
- Law enforcement
- State security
- Research, archiving, statistics

Operationally:
- Exempt ≠ uncontrolled
- Purpose limitation and proportionality still matter
- The organization must document why the exemption applies
