What is the DPDP Act?
The Digital Personal Data Protection Act, 2023 (No. 22 of 2023) is India's first comprehensive data protection law. It was passed by Parliament and came into force on November 13, 2025 via commencement notification G.S.R. 843(E).
The Act establishes rights for individuals (Data Principals) over their personal data and obligations for businesses (Data Fiduciaries) that collect and process it. The enforcement rules (DPDP Rules 2025) take effect on May 13, 2027.
Who is Covered? (Section 3)
Section 3 of the DPDP Act defines the scope of applicability. The Act applies to:
Section 3(a)(i)
Processing of digital personal data within India where personal data is collected in digital form.
Examples: website registrations, app sign-ups, WhatsApp DMs, Instagram DMs, online checkout forms, digital payment records
Section 3(a)(ii)
Personal data collected in non-digital form and digitised subsequently.
Examples: paper forms entered into Excel or billing software, customer contact lists entered into a phone, hotel check-in forms entered into a PMS, auto dealer cards entered into a CRM
Section 3(b) — Extraterritorial Scope
Processing of personal data outside India, in connection with profiling or offering goods/services to individuals in India.
A US, UK, or Singapore company with Indian customers must comply with DPDP Act obligations.
What is a Data Fiduciary?
A Data Fiduciary is any person (individual, company, or entity) who alone or jointly with others determines the purpose and means of processing personal data. If you decide why and how you collect customer data — you are a Data Fiduciary.
All obligations under the DPDP Act apply to Data Fiduciaries. If you use third-party services (like Razorpay or Shiprocket) that process your customers' data on your behalf, those services are Data Processors — but you remain responsible as the Data Fiduciary.
What Counts as Personal Data?
Section 2(t) defines personal data as: "any data about an individual who is identifiable by or in relation to such data."
✓ Clearly Personal Data
- Phone number
- Email address
- Full name + address (together)
- Aadhaar number
- PAN number
- Order history + phone (together)
- Location data
- Financial information
- Medical/health records
⚠️ Context-Dependent
- Name alone (common names: grey area)
- First name alone (very grey)
- Age alone
- City alone
Safe rule: if combining any two data points lets you identify or contact the person, the combination is personal data.
Business Types and Examples
Retail & Apparel Stores
Collecting customer phone numbers at POS for WhatsApp broadcasts or loyalty programmes. Section 3(a)(ii) applies the moment you enter numbers into your phone or billing system.
Covered under: Section 3(a)(ii)
Auto Dealers
Collecting buyer name, address, PAN, Aadhaar, finance details, and vehicle registration during purchase. High personal data sensitivity due to the financial information collected.
Covered under: Section 3(a)(i) and 3(a)(ii)
Hotels & Hospitality
Guest Aadhaar, passport, travel dates, room preferences, billing details. All of this is entered into a Property Management System (PMS). Sharing it with OTAs creates Data Processor relationships.
Covered under: Section 3(a)(ii)
Instagram & WhatsApp Sellers
Collecting name, address, phone, and payment details via DMs is digital from the start. No paper is involved, so this is direct coverage under Section 3(a)(i).
Covered under: Section 3(a)(i) — directly
Clinics, Hospitals & Healthcare
Patient data is among the most sensitive. Diagnoses, prescriptions, medical history, and payment details are all personal data. Health data may carry stricter rules under special category notifications.
Covered under: Section 3(a)(i) and 3(a)(ii) — HIGH PRIORITY
Schools, Coaching Centres & Educational Institutions
⚠️ Yes — Schools and Coaching Centres Are Fully Covered
Any school, college, coaching centre, or EdTech platform that stores student data is a Data Fiduciary. This includes:
- Student name, date of birth, address, phone number
- Parent name and contact details
- Academic performance records
- Aadhaar/ID collected for admissions
- Fee payment records
- Biometric attendance data
👶 Special Rule for Student Data — Parental Consent Required
Since most students in schools are under 18, DPDP Rule 10 applies:
- Verifiable parental consent must be obtained before processing a child's data
- The parent's identity must be verified (DigiLocker age token is the recommended method)
- Schools cannot behaviourally track or advertise to minors
- Penalty for violation: up to ₹200 Crore
This applies to every school — CBSE, ICSE, state board, international schools, coaching centres, and EdTech platforms alike.
Key Obligations for Data Fiduciaries
Consent (Section 6)
Data Fiduciaries must obtain free, informed, specific, and unconditional consent before processing personal data. The consent notice must be in clear language and available in any of the 22 Eighth Schedule languages on request.
Privacy Notice (Section 5)
Data Fiduciaries must provide a clear notice stating what data is collected, for what purpose, how long it will be retained, who it will be shared with, and how customers can exercise their rights.
Data Principal Rights (Sections 11-13)
Customers have the right to access their data, correct inaccuracies, erase their data, and nominate someone to exercise rights on their behalf. Fiduciaries must respond to these requests.
Data Breach Notification (Section 8(6))
Any breach affecting personal data must be notified to the Data Protection Board AND affected individuals within 72 hours. Failure to notify: penalty up to ₹200 Crore.
Data Retention (Section 8(7))
Personal data must be deleted once the purpose for which it was collected is fulfilled, unless retention is required by law. You cannot keep customer data indefinitely "just in case."
Compliance Deadline and Penalties
Key Dates
- ₹250 Cr: Failure to implement adequate data security / data breach
- ₹200 Cr: Failure to notify a personal data breach
- ₹200 Cr: Violation of children's data protection obligations
- ₹50 Cr: Other obligations (consent, privacy notice, DSR)