India

Digital Personal Data Protection Act, 2023

A simple visual summary of India’s DPDPA: what it means for users, businesses, SaaS products, privacy tools, and digital platforms.

Big Picture

User gives data
↓
Company gives clear notice
↓
User gives consent
↓
Company processes data lawfully
↓
Security safeguards applied
↓
User can access, correct, erase or complain
↓
Data Protection Board investigates violations
↓
Penalties may apply

Key Actors

Data Principal

The individual whose personal data is being processed.

Examples: customer, user, patient, student, employee.

Data Fiduciary

The person or organization deciding why and how personal data is processed.

Examples: apps, banks, websites, companies, government bodies.

Data Processor

A vendor or service provider processing data on behalf of a Data Fiduciary.

Examples: cloud provider, email system, analytics vendor.

When Does the Act Apply?

The Act applies to digital personal data processed in India, including offline data that is later digitized. It can also apply to companies outside India if they offer goods or services to people in India.

It generally does not apply to personal/domestic use or personal data made publicly available.

Consent Rules

Consent must be:

  • Free
  • Specific
  • Informed
  • Unambiguous
  • Given through clear affirmative action

Data minimization

Organizations should collect only the data necessary for the stated purpose.

Withdrawal

Users must be able to withdraw consent with ease comparable to how consent was given.

Legitimate Uses Without Fresh Consent

Business Obligations

Protect data

Use reasonable security safeguards to prevent personal data breaches.

Report breaches

Notify the Data Protection Board and affected users when a personal data breach occurs.

Delete data

Erase personal data when consent is withdrawn or the purpose is no longer served, unless retention is legally required.

Handle grievances

Provide an effective way for users to raise complaints and exercise rights.

Children’s Data

Rights of Individuals

Access

Know what personal data is being processed.

Correction

Correct inaccurate or misleading data.

Update

Update incomplete or outdated data.

Erasure

Request deletion where legally allowed.

Grievance

Use complaint mechanisms before approaching the Board.

Nomination

Nominate someone to exercise rights after death or incapacity.

Penalties

Security safeguard failure

Up to ₹250 crore

Breach notification failure

Up to ₹200 crore

Children’s data violation

Up to ₹200 crore

Significant Data Fiduciary violation

Up to ₹150 crore

Other violations

Up to ₹50 crore

User duty violation

Up to ₹10,000

Why This Matters for Praivasi™

DPDPA makes privacy-by-design more important. Tools that help users redact, minimize, protect, understand and control personal data can become valuable for individuals, startups, SaaS companies, legal teams, healthcare users and businesses.