
Data Protection in India: DPDP Act 2023

India's comprehensive data privacy law governing digital personal data collection, processing, and transfer, with penalties up to INR 250 crore for non-compliance.

By Manu Rao | Updated March 2026

By Vikram Mehta | Updated March 2026

What Is the DPDP Act 2023?

The Digital Personal Data Protection Act, 2023 (DPDP Act) is India's first comprehensive data privacy legislation. Enacted as Act No. 22 of 2023, it received Presidential assent on August 11, 2023, and was operationalized through the DPDP Rules 2025, notified on November 13, 2025. The Act governs the collection, storage, processing, and transfer of digital personal data by any entity (called a "Data Fiduciary") and grants individuals (called "Data Principals") enforceable rights over their personal data.

For foreign companies operating in India or processing data of Indian residents, the DPDP Act is directly relevant. The law has extraterritorial application under Section 3 — it applies to any organization outside India that offers goods or services to Data Principals within India or engages in profiling of Indian citizens. If your company collects customer data, employee data, or user analytics from India, you are a Data Fiduciary under this Act, regardless of where your servers are located. This applies equally to FDI-funded subsidiaries, liaison offices, and SaaS providers serving Indian clients remotely.

The DPDP Act draws heavily from the EU's GDPR framework but is significantly more consent-centric and less complex in its compliance structure. Unlike the GDPR, which provides six legal bases for processing, the DPDP Act relies primarily on consent and a narrower set of "certain legitimate uses." Full compliance is mandatory by May 13, 2027, with penalties reaching INR 250 crore (approximately USD 30 million) per violation.

Legal Basis

The core legislative framework:

  • The Digital Personal Data Protection Act, 2023 (Act No. 22 of 2023) — Passed by Lok Sabha on August 7, 2023, Rajya Sabha on August 9, 2023, Presidential assent on August 11, 2023. Contains 44 sections across 7 chapters.
  • DPDP Rules, 2025 — Notified by MeitY on November 13, 2025 under Section 40 of the Act. These rules operationalize the Act with specific procedural requirements, timelines, and compliance mechanisms.
  • Section 3 (Application) — Applies to processing of digital personal data within India, and to processing outside India where goods/services are offered to Indian Data Principals.
  • Sections 5-7 (Consent Framework) — Section 5 establishes notice requirements, Section 6 prescribes consent standards (free, specific, informed, unconditional, unambiguous), Section 7 defines "certain legitimate uses" where consent is not required.
  • Section 10 (Significant Data Fiduciary) — Government designation based on data volume, sensitivity, and national security impact. Additional obligations include DPO appointment and Data Protection Impact Assessments.
  • Section 16 (Cross-Border Transfer) — Permits transfers to all countries except those specifically restricted by the Central Government through notification (negative list approach).
  • Section 33 (Penalties) — Schedule of penalties ranging from INR 10,000 to INR 250 crore depending on violation type.

Key Principles of the DPDP Act

The Act is built on seven foundational principles that every Data Fiduciary must embed into its operations:

| Principle | DPDP Act Provision | Practical Requirement |
|---|---|---|
| Purpose Limitation | Section 6(1) | Collect data only for the specific purpose stated in the consent notice |
| Data Minimization | Section 6(1) | Limit collection to personal data that is necessary for the specified purpose |
| Accuracy | Section 8(3) | Ensure data completeness, correctness, and consistency, especially where decisions affect the Data Principal |
| Storage Limitation | Section 8(7) | Erase personal data when the purpose is fulfilled or consent is withdrawn, unless retention is required by law |
| Security Safeguards | Section 8(4) | Implement reasonable technical and organizational measures to protect personal data |
| Accountability | Section 8(1) | Data Fiduciary is responsible for all processing, including by Data Processors acting on its behalf |
| Transparency | Section 5 | Provide clear notice in plain language before or at the time of data collection |

Consent Framework and Deemed Consent

Consent under the DPDP Act must satisfy five conditions: it must be free, specific, informed, unconditional, and unambiguous, given through a clear affirmative action (Section 6). The Act introduces a unique "Consent Manager" concept — entities registered with the Data Protection Board that serve as intermediaries, allowing Data Principals to give, manage, review, and withdraw consent across multiple Data Fiduciaries through a single platform (Section 9).

When Is Consent Not Required?

Section 7 defines "certain legitimate uses" where processing is permitted without explicit consent:

  • Voluntary provision — Where the Data Principal voluntarily provides data and has not indicated refusal
  • State functions — Processing for subsidies, benefits, services, permits, or licenses by the government
  • Legal obligation — Compliance with any judgment, order, or regulatory requirement
  • Medical emergencies — Response to threats to life or health of the Data Principal
  • Employment purposes — Processing for employment-related activities (recruitment, termination, attendance, performance assessment)
  • Public interest — Specified purposes including mergers, insolvency, credit scoring, and fraud prevention

Consent Managers must be India-incorporated companies with a minimum net worth of INR 2 crore. Foreign platforms like OneTrust or TrustArc cannot operate as registered Consent Managers unless they establish an Indian entity meeting this threshold.

Data Fiduciary vs. Significant Data Fiduciary Obligations

The DPDP Act creates a two-tier compliance system. All Data Fiduciaries have baseline obligations, while Significant Data Fiduciaries (SDFs) face substantially higher requirements:

| Obligation | Data Fiduciary | Significant Data Fiduciary |
|---|---|---|
| Notice before collection | Required (Section 5) | Required |
| Consent management | Required (Section 6) | Required |
| Data accuracy & security | Required (Section 8) | Required (enhanced) |
| Breach notification to Board | Required (Section 8(6)) | Required |
| Grievance redressal mechanism | Required (Section 13) | Required |
| Data Protection Officer (DPO) | Not required | Mandatory — must be based in India (Section 10) |
| Data Protection Impact Assessment (DPIA) | Not required | Mandatory — periodic assessment of processing activities |
| Independent data audit | Not required | Mandatory — annual audit by independent auditor |
| Algorithmic transparency | Not required | Required — disclose use of algorithmic decision-making |

The Central Government designates SDFs based on volume and sensitivity of data processed, potential risk to Data Principal rights, and impact on India's sovereignty and security. Large technology companies, financial institutions, telecom operators, and e-commerce platforms are expected to be classified as SDFs.

Cross-Border Data Transfer Rules

Section 16 of the DPDP Act adopts a negative list approach to cross-border transfers — a significant departure from the GDPR's adequacy-based model. Personal data may be transferred to any country or territory unless the Central Government specifically restricts transfers to that jurisdiction through notification.

Key requirements for cross-border transfers:

  • The Data Fiduciary must have a lawful basis (consent or legitimate use) for the processing
  • The privacy notice must disclose that data will be transferred outside India
  • Contractual safeguards must ensure the receiving entity provides equivalent protection and breach-notification parity
  • Rule 13 of the DPDP Rules 2025 gives the government authority to restrict transfers for SDFs and to designate specific categories of data (including traffic data) that cannot leave India

For foreign companies with Indian subsidiaries or branch offices, this means employee data, customer data, and operational data can generally flow to headquarters abroad, provided no restriction notification applies to that country. However, SDFs may face additional localization requirements once the government issues specific notifications.

Penalty Structure

The DPDP Act prescribes monetary penalties (not criminal penalties) enforced by the Data Protection Board of India:

| Violation | Section | Maximum Penalty |
|---|---|---|
| Failure to implement reasonable security safeguards | Section 8(4) read with Schedule | INR 250 crore (~USD 30M) |
| Failure to notify Board and Data Principals of a data breach | Section 8(6) read with Schedule | INR 200 crore (~USD 24M) |
| Non-compliance with children's data obligations | Section 9 read with Schedule | INR 200 crore (~USD 24M) |
| Non-compliance with SDF additional obligations | Section 10 read with Schedule | INR 150 crore (~USD 18M) |
| Non-compliance with other provisions of the Act | General (Schedule) | INR 50 crore (~USD 6M) |
| Breach of duty by Data Principal (false complaints, suppressing information) | Section 15 read with Schedule | INR 10,000 |

Penalties are determined by the Data Protection Board based on nature, gravity, and duration of the breach, the type and volume of personal data affected, repetitive nature of the default, and the fiduciary's mitigation actions and compliance history. Appeals against Board decisions go to the Telecom Disputes Settlement and Appellate Tribunal (TDSAT).

DPDP Act vs. GDPR: Key Differences

Foreign companies already GDPR-compliant should not assume automatic DPDP compliance. Key differences include:

| Feature | DPDP Act 2023 | EU GDPR |
|---|---|---|
| Scope | Digital personal data only | All personal data (digital + offline) |
| Legal bases for processing | Consent + limited legitimate uses | Six legal bases including legitimate interest |
| Cross-border transfers | Negative list (allowed unless restricted) | Adequacy decisions + SCCs + BCRs |
| DPO requirement | SDFs only | All controllers processing at scale |
| Breach notification timeline | No fixed timeline ("without delay") | 72 hours to supervisory authority |
| Child age threshold | 18 years | 16 years (member states can lower to 13) |
| Maximum penalty | INR 250 crore (~USD 30M) fixed cap | EUR 20M or 4% global turnover (whichever higher) |
| Right to data portability | Not included | Included (Article 20) |
| Consent Manager | Unique feature — registered intermediary | No equivalent |
| Nominee for deceased/incapacitated | Included (Section 14) | Not included |

How This Affects Foreign Investors in India

Foreign companies with any India-facing data operations must prepare for DPDP compliance:

  • Indian subsidiaries and branch offices: Your Indian subsidiary is a Data Fiduciary for employee data (HR records, payroll, PAN, Aadhaar details) and must implement consent notices, grievance redressal, and security safeguards by May 2027
  • SaaS and tech companies: If you process Indian user data from servers outside India, you are a Data Fiduciary with extraterritorial obligations under Section 3
  • Data transfers to HQ: Currently permitted under the negative list approach, but monitor government notifications for country-specific restrictions, especially for SDFs
  • Employee consent: The "employment purposes" deemed consent provision (Section 7) covers routine HR processing, but sensitive processing (background checks, health data) still requires explicit consent
  • Vendor management: If your Indian compliance involves third-party processors (payroll vendors, cloud providers), you remain liable for their data handling under Section 8(1)
  • KYC processes: Customer and employee KYC involving Aadhaar, PAN, and bank details constitutes personal data processing under the Act. Ensure your statutory audit scope includes data protection compliance

Implementation Timeline

The DPDP Rules 2025 follow a three-phase rollout:

  • Phase 1 (November 13, 2025): Data Protection Board of India established; penalty framework activated; administrative provisions in force
  • Phase 2 (November 13, 2026): Consent Manager registration opens; only India-incorporated entities with INR 2 crore minimum net worth qualify
  • Phase 3 (May 13, 2027): Full compliance mandatory — notice requirements, security protocols, breach notifications, SDF obligations, Data Principal rights mechanisms. No grace period; penalties apply from Day 1

Common Mistakes

  • Assuming GDPR compliance equals DPDP compliance. The DPDP Act lacks a legitimate interest basis, has a higher child age threshold (18 vs. 16), uses a negative list for transfers instead of adequacy decisions, and requires Consent Managers — none of which map directly to GDPR mechanisms.
  • Not appointing a DPO when processing Indian data at scale. Even before formal SDF designation, companies processing large volumes of Indian personal data should proactively appoint a DPO. Waiting for government notification creates a compliance gap if you are retrospectively classified.
  • Treating the "employment purposes" deemed consent as a blanket exemption. This covers routine HR processing (attendance, performance reviews) but does not extend to background verification, health monitoring, or behavioral analytics of employees — those require explicit consent.
  • Ignoring the Consent Manager registration requirement for consent platforms. Foreign consent management platforms (OneTrust, TrustArc, Cookiebot) cannot operate as registered Consent Managers in India unless they incorporate an Indian entity with INR 2 crore net worth. Using them without registration does not satisfy the Act.
  • Failing to map data flows before the May 2027 deadline. Companies that start compliance work in Q1 2027 will find it nearly impossible to complete data inventory, consent notice deployment, grievance mechanism setup, and vendor agreements in 4 months. Start now.

Practical Example

NovaBridge SaaS Inc., a US-based HR technology company, provides payroll and benefits management software to 50 Indian clients. Its platform processes personal data of approximately 25,000 Indian employees — including names, PAN numbers, bank account details, salary information, and attendance records.

NovaBridge stores all data on AWS servers in Mumbai (ap-south-1) but transmits anonymized analytics to its US headquarters for product development. Under the DPDP Act:

  • NovaBridge is a Data Processor (processing on behalf of its Indian clients, who are Data Fiduciaries)
  • However, for its own analytics processing, NovaBridge is a Data Fiduciary with direct obligations under Section 3 (extraterritorial application)
  • Each Indian client must issue a consent notice to its employees under Section 5 and ensure NovaBridge meets security standards under Section 8(4)
  • The cross-border transfer of analytics data to the US is currently permitted (the US is not on the negative list), but NovaBridge must disclose this in its privacy notice and ensure contractual safeguards
  • If the Central Government classifies NovaBridge as an SDF (likely, given 25,000+ Data Principals), it must appoint an India-based DPO, conduct annual DPIAs, and submit to independent data audits

Compliance cost estimate for NovaBridge: INR 15-25 lakh for initial setup (data mapping, consent notices, grievance mechanism, DPO appointment) plus INR 5-8 lakh annually for audits and ongoing compliance. Non-compliance risk: penalties up to INR 250 crore for a security breach affecting 25,000 Data Principals.

Key Takeaways

  • The DPDP Act 2023 is India's first comprehensive data privacy law, operationalized through DPDP Rules 2025, with full compliance mandatory by May 13, 2027
  • It applies extraterritorially to any foreign company offering goods or services to Indian users or profiling Indian citizens
  • Consent must be free, specific, informed, unconditional, and unambiguous — there is no "legitimate interest" basis as under the GDPR
  • Significant Data Fiduciaries face enhanced obligations: mandatory DPO, periodic DPIA, independent audit, and algorithmic transparency
  • Cross-border data transfers are permitted by default unless the Central Government restricts specific countries (negative list approach)
  • Penalties range from INR 10,000 to INR 250 crore per violation, with the Data Protection Board determining amounts based on severity and compliance history

Need help preparing your India operations for DPDP compliance? Beacon Filing provides end-to-end compliance outsourcing, including data mapping, consent framework setup, DPO services, and regulatory filings for foreign companies in India.
