The Digital Personal Data Protection Act, 2023 (DPDP Act) is India’s comprehensive law governing the processing of digital personal data. It aims to protect individuals’ privacy while enabling lawful data processing for legitimate purposes. The Act establishes rights for data principals (individuals), obligations for data fiduciaries (entities processing data), and sets out penalties for non-compliance.
If the direct link is broken, search for the Act on the e-Gazette portal above.
Data Principal The individual to whom the personal data relates. |
Data Fiduciary Any person, company, or government entity that determines the purpose and means of processing personal data. |
Data Processor Any person who processes personal data on behalf of a data fiduciary. |
Significant Data Fiduciary A data fiduciary classified as significant by the government based on volume and sensitivity of data processed, risk to rights, etc. |
Child An individual who has not completed eighteen years of age. |
Personal Data Any data about an individual who is identifiable by or in relation to such data. |
Data A representation of information, facts, concepts, opinions, or instructions in a manner suitable for communication, interpretation, or processing. |
Data Breach Any unauthorized processing, disclosure, acquisition, or access that compromises the confidentiality, integrity, or availability of personal data. |
Processing Any operation performed on personal data, including collection, storage, use, and disclosure. |
Consent Free, specific, informed, unconditional, and unambiguous indication of the data principal’s wishes. |
Purpose Limitation Personal data must be collected for specified, explicit, and lawful purposes and not further processed in a manner incompatible with those purposes. |
Notice Information provided to the data principal regarding the collection and processing of their personal data. |
Data Protection Board The authority established under the Act to monitor and enforce compliance with its provisions. |