India DPDP Act Role Checker
Check your obligations under India's Digital Personal Data Protection Act, 2023 (DPDP Act). Answer questions about your data processing activities, your data volume, whether you handle children's data, and your cross-border transfers to find out your role under the DPDP Act, the key obligations that apply to you, the consent requirements, and the special provisions that apply to children's data and international data transfers. The DPDP Rules 2025 have operationalized the Act's provisions.
Understanding the Digital Personal Data Protection Act
The Digital Personal Data Protection Act, 2023 (DPDP Act) is India's comprehensive data protection legislation that establishes the legal framework for processing digital personal data of individuals in India. Enacted in August 2023, the DPDP Act represents a significant milestone in India's approach to data privacy, replacing the earlier framework under the Information Technology Act, 2000 and its rules. The DPDP Rules, 2025, issued by the Ministry of Electronics and Information Technology, operationalize the Act by specifying the detailed procedures, timelines, and mechanisms for compliance. Together, the Act and the Rules create a robust data protection regime that applies to all entities processing the digital personal data of individuals in India.
The DPDP Act introduces key concepts that organizations must understand. A Data Fiduciary is any person or entity that, alone or in conjunction with others, determines the purpose and means of processing personal data. This is equivalent to a data controller under GDPR. A Data Processor is any person or entity that processes personal data on behalf of a Data Fiduciary, similar to a data processor under GDPR. The Data Principal is the individual whose personal data is being processed. Significant Data Fiduciaries are a special category of Data Fiduciaries designated by the government based on factors such as the volume and sensitivity of data processed, the risk to the rights of data principals, and the potential impact on the sovereignty and integrity of India.
Consent and Lawful Processing
Consent is the primary basis for processing personal data under the DPDP Act. Data Fiduciaries must obtain free, specific, informed, unconditional, and unambiguous consent from Data Principals before processing their personal data. The consent must be given through a clear affirmative action, and the Data Fiduciary must provide a notice at the time of requesting consent that describes the personal data being collected, the purpose of processing, and the manner in which the Data Principal can exercise their rights, including the right to withdraw consent. The Act also recognises certain legitimate uses where consent is not required, such as processing for the performance of a legal obligation, compliance with court orders, medical emergencies, or processing by the state for providing benefits and services.
The DPDP Rules specify the format and content requirements for consent notices, the technical mechanisms for obtaining and recording consent, and the procedures for consent withdrawal. Data Fiduciaries must implement a consent management mechanism that allows Data Principals to easily give, manage, and withdraw their consent. The consent must be specific to each purpose, meaning that blanket consent covering multiple unrelated purposes is not valid. If the Data Fiduciary wishes to process data for a new purpose not covered by the original consent, fresh consent must be obtained.
Children's Data Protection
The DPDP Act places special emphasis on the protection of children's personal data. Processing the personal data of a child (a person under the age of 18) requires verifiable consent from the child's parent or lawful guardian. Data Fiduciaries must not process personal data of a child in a manner that is likely to cause any detrimental effect on the well-being of the child. The Act prohibits tracking, behavioural monitoring, or targeted advertising directed at children. Additionally, Data Fiduciaries processing children's data must not process data that is likely to cause significant harm to the child. These provisions reflect India's strong stance on protecting minors in the digital environment and place additional obligations on organizations that provide services to or collect data from children.
Cross-Border Data Transfers
The DPDP Act allows the transfer of personal data outside India, subject to restrictions that the government may impose on transfers to specific countries or territories. The government may, by notification, restrict or prohibit the transfer of personal data to any country or territory outside India. This approach differs from GDPR's adequacy mechanism, giving the Indian government the flexibility to blacklist specific jurisdictions rather than whitelisting approved ones. Until specific restrictions are notified, personal data may generally be transferred to countries not on the restricted list. Organizations engaged in cross-border data transfers must ensure they have appropriate contractual and technical safeguards in place and must be prepared to comply with any restrictions that may be notified in the future.