What is the DPDP Act?
The Digital Personal Data Protection Act, 2023 (DPDP Act) is India's first comprehensive data protection law. It requires that personal data be processed only for a lawful purpose, either with the free, specific, informed, unconditional and unambiguous consent of the individual (the Data Principal) or for the "certain legitimate uses" the Act lists. It also gives Data Principals rights over their data, including access, correction and erasure, and requires every Data Fiduciary to provide a grievance redressal mechanism.
What are the principles of data protection under the DPDP Act?
Consent is central: Under the DPDP Act, consent is the primary basis for processing. Any business that handles its customers' personal data must obtain their consent before processing it, accompanied by a clear notice of what data is collected and for what purpose, unless the processing falls within the "certain legitimate uses" the Act sets out (for example, data the individual voluntarily provides for a specified purpose, or processing required by law).
User Rights: The DPDP Act gives the Data Principal (the individual to whom the personal data relates) the right to manage and withdraw consent, to obtain a summary of the personal data held about them and of how it is processed, and to have that data corrected, completed, updated or erased. Data Fiduciaries must also notify affected Data Principals, as well as the Data Protection Board, when a personal data breach occurs.
Data Fiduciaries' Responsibility: The DPDP Act holds Data Fiduciaries (the entities that determine the purpose and means of processing) accountable for all personal data they collect and process, including processing carried out on their behalf by Data Processors. If consent is withdrawn, or the purpose of processing is no longer being served, the Data Fiduciary must not only erase the data from its own systems but must also ensure that its Data Processors erase it, unless retention is required by law.
Industry Compliance: All businesses, big or small, must comply with the DPDP Act, including its requirements on consent and notice, reasonable security safeguards, data retention and deletion, and breach notification.
What are the exemptions under the DPDP Act, 2023?
Compliance with the DPDP Act is mandatory for all businesses, but the Act carves out a number of exclusions and exemptions:
- Personal or Domestic Use: Personal data processed by an individual for personal or domestic purposes is outside the Act altogether.
- Publicly Available Data: Personal data made publicly available by the Data Principal, or by any other person who is legally obligated to make it public, is outside the Act.
- Legal Rights and Claims: Processing personal data is exempt when necessary for enforcing a legal right or claim.
- Judicial and Regulatory Functions: Processing by courts, tribunals, or other bodies with judicial, quasi-judicial, regulatory, or supervisory functions, for the performance of those functions, is exempt.
- Non-Indian Data Principals: Processing of the personal data of individuals who are not within India's territory, carried out by a person based in India under a contract with a person outside India, is exempt.
- Corporate Restructuring: Processing necessary for a scheme of merger, amalgamation or other corporate restructuring approved by a court, tribunal or other competent authority is exempt.
- Financial Information of Defaulters: Processing to ascertain the financial information, assets and liabilities of a person who has defaulted on a loan from a financial institution is exempt, subject to the disclosure provisions of other laws.
- Research, Archiving, or Statistical Purposes: Processing for these purposes is exempt if the data is not used to take a decision specific to a Data Principal and the processing follows the prescribed standards.
- Notified Data Fiduciaries: The Central Government may, by notification, exempt specified classes of Data Fiduciaries (including startups) from certain provisions of the Act.
- Children's Data in Specific Settings: Children's personal data processed by prescribed classes of institutions for healthcare, education, crèches, or childcare is exempt only from the Act's child-specific requirements (verifiable parental consent and the ban on tracking and targeted advertising), not from the Act as a whole.
- State Instrumentality (Sovereignty, Security, Public Order): The Act may not apply at all to processing by a notified State instrumentality in the interests of India's sovereignty, integrity, security, friendly relations with foreign States, maintenance of public order, or the prevention of incitement to a cognizable offence.
- State Instrumentalities (Erasure and Correction): For processing by the State or its instrumentalities, the data erasure provisions (sections 8(7) and 12(3)) do not apply, and nor does the right to correction, completion and updating of personal data (section 12(2)) where the purpose of processing does not affect the Data Principal.
What is the penalty for DPDP non-compliance?
Non-compliance with the DPDP Act can result in monetary penalties of up to Rs. 250 crore per instance. That figure is the highest tier in the Act's Schedule and applies to failure to take reasonable security safeguards to prevent a personal data breach; lower caps apply to other breaches, such as up to Rs. 200 crore for failing to notify the Board and affected Data Principals of a breach. The Data Protection Board of India fixes the amount after an inquiry, taking into account the nature, gravity and duration of the breach, the type of personal data affected, whether the breach is repetitive, any gain or loss involved, and the mitigation steps the Data Fiduciary took.

See the detailed blog on DPDP penalties for more information.
Is the DPDP Act similar to GDPR?
GDPR applies to entities processing the personal data of individuals in the EU, whether or not those entities are established there. Although the DPDP Act and GDPR look similar on the surface, there are significant differences between the two.
Under GDPR, consent is only one of six lawful bases for processing (alongside contract, legal obligation, vital interests, public task and legitimate interests). Under the DPDP Act, consent is the primary basis; the only alternative is the narrower list of "certain legitimate uses" the Act specifies, and there is no general "legitimate interests" basis.
For a detailed comparison, read the blog on the differences between DPDP and GDPR.