FAQs on the Digital Personal Data Protection Act and Rules.
INTRODUCTION
Following years of legislative groundwork and an extensive consultation process, the Digital Personal Data Protection Act, 2023 (“DPDP Act”) has finally been enforced (albeit in part). The Central Government has also released the necessary Digital Personal Data Protection Rules (“Rules”) under the DPDP Act, providing the operational framework for compliance. This landmark framework, which obligates data fiduciaries to adhere to strict standards when processing the personal data of data principals, is largely considered business-friendly and is expected to meet global data adequacy requirements. Organisations, therefore, need to actively revisit and update their existing information technology policies and processes to ensure full compliance with the new legal requirements laid out in the DPDP Act and its accompanying Rules.
In order to help you and your organisation understand the intricacies of the DPDP Act and the Rules and the obligations that your organisation may have to undertake, we have prepared these FAQs answering pertinent questions on the compliance with the DPDP Act, which could come up frequently. We have prepared a note capturing the key provisions of the DPDP Act and Rules, along with a detailed analysis of the same, which can be accessed here.
IMPLEMENTATION
When do the provisions of the DPDP Act come into force?
The provisions of the DPDP Act and Rules are being enforced in a phased manner:
Effective immediately: The provisions and rules related to the Data Protection Board (“Board”) and certain miscellaneous provisions, including the power to make rules.
Effective 1 (one) year after the publication of the official gazette notification, i.e., November 13, 2026: The provisions and rules relating to the consent manager.
Effective 18 (eighteen) months after the publication of the official gazette notification, i.e., May 13, 2027: The remaining substantial provisions relating to consent, notice requirements, duties of data fiduciaries and rights of data principals.
Until when does my organisation need to comply with the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (“SPDI Rules”)?
The SPDI Rules will remain in force until the last set of provisions is enforced on May 13, 2027 (please refer to FAQ No. 2(i)), i.e., until 18 (eighteen) months after the publication of the official gazette notification. Therefore, until then, all entities handling / processing sensitive personal information must comply with all provisions of the SPDI Rules.
What can my organisation do to prepare during the transition period?
The substantial provisions under the DPDP Act and Rules relevant for an organisation come into force on May 13, 2027. Hence, the transition period may be utilised to achieve compliance with the DPDP Act and Rules in a phased manner depending on the scale of the organisation and the resources and time required. Your organisation may consider:
- Assessing the applicability of the DPDP Act and Rules based on:
  - who you are: whether the organisation would be deemed a data fiduciary (data controller) or a data processor;
  - what you process: whether the organisation processes personal data and, if yes, for what purposes;
  - where you process: whether the organisation processes personal data within India, or outside India in connection with offering goods or services in India; and
  - how you process: whether the scale and nature of the personal data processing is likely to make the organisation a significant data fiduciary;
- Mapping all categories of personal data being processed and identifying the legal basis for each processing activity, consent or otherwise;
- Implementing reasonable security safeguards;
- Implementing technical and organisational safeguards, and data integrity and erasure / anonymisation processes;
- Establishing grievance redressal systems and breach notification protocols;
- Assessing the impact of sectoral requirements, especially for regulated entities, harmoniously with the requirements under the DPDP Act and Rules;
- Re-evaluating relationships with your vendors / customers etc., to determine the role of each party and the obligations of each such party;
- Training your personnel / employees on the DPDP Act and the Rules; and
- Assessing the applicability of enhanced or special obligations that may apply to your organisation and implementing specialised measures to ensure compliance.
APPLICABILITY
Would my organisation be considered as a ‘data fiduciary’ or a ‘data processor’?
If your organisation collects personal data of data principals for a specific purpose and determines the manner in which such personal data should be processed digitally, your organisation would be a ‘data fiduciary’ and would have to comply with the obligations on data fiduciaries set out under the DPDP Act (see FAQ No. 5).
If your organisation only processes personal data on behalf of or under the instruction of another organisation (for instance, as an outsourced service provider), your organisation would be considered as a ‘data processor’. In this case, the organisation on whose behalf or under whose instruction you are processing such personal data would be the data fiduciary.
In what scenarios would my entity be treated as a significant data fiduciary?
Currently, neither the DPDP Act nor the Rules prescribe specific scenarios in which an entity would be construed as a ‘significant data fiduciary’. The Central Government may, at its discretion, notify any data fiduciary or class of data fiduciaries as a ‘significant data fiduciary’ after assessing relevant factors, such as:
- The volume and sensitivity of personal data processed by the data fiduciaries;
- The risk to the rights of data principals;
- The potential impact on the sovereignty and integrity of India;
- The risk to electoral democracy;
- The security of the State; and
- Public order.
Therefore, your organisation will only be considered a ‘significant data fiduciary’ if it falls within the specified class of data fiduciaries and fulfils the prescribed criteria, as may be notified by the Central Government from time to time.
Who is considered as a ‘data principal’ for the purposes of data processing?
A data principal is the individual to whom the personal data relates. However, when the personal data is in relation to a child, the data principals would include the parents or lawful guardians of such child; and when the personal data is in relation to a person with disability, the data principal would include her lawful guardians acting on her behalf.
What is considered as ‘processing’ of personal data?
The DPDP Act defines ‘processing’ of personal data as a wholly or partly automated operation or set of operations performed on digital personal data and includes operations such as collection, recording, organisation, structuring, storage, adaptation, retrieval, use, alignment or combination, indexing, sharing, disclosure by transmission, dissemination or otherwise making available, restriction, erasure or destruction.
What type of data does the DPDP Act apply to?
The DPDP Act is applicable to the processing of digital personal data:
- collected in digital form (i.e., digital personal data); or
- collected in non-digital form and digitised subsequently.
However, the provisions of the DPDP Act will not apply if:
- The data being processed is not personal data;
- The data being processed is not collected in digital form or digitised subsequently;
- You are processing personal data for any personal or domestic use; or
- You are processing personal data that has been made publicly available by the data principal or any other person who is under an obligation under Indian laws to make such personal data publicly available.
What kind of data processing is exempt from the provisions of the DPDP Act?
Chapter II (Obligations of Data Fiduciary) and Chapter III (Rights and Duties of Data Principal) of the DPDP Act do not apply to personal data that is processed when such processing is:
- necessary for enforcing any legal right or claim;
- necessary for a court, tribunal, or statutory Indian body to perform its judicial, quasi-judicial, regulatory, or supervisory function;
- done for the prevention, detection, investigation, or prosecution of any offence or contravention of law in India;
- of personal data of data principals outside India, carried out by a person based in India pursuant to a contract with a person outside India;
- necessary for an approved scheme (merger, amalgamation, demerger, etc.) involving companies; and
- done to ascertain the financial information and liabilities of a loan defaulter from a financial institution, provided it complies with other applicable laws.
Are there different categories of personal data?
The DPDP Act and Rules do not classify personal data sets into different categories. They treat all digitised personal data uniformly. This includes, but is not limited to, name, age, date of birth, Aadhaar / PAN card details, financial data (bank account number, transaction history), medical data, biometric data, and employment / educational qualifications.
Will the compliances under the Information Technology Act, 2000 (“IT Act”) remain applicable to my organisation post the implementation of the DPDP Act?
Section 43A of the IT Act (compensation for failure to protect sensitive personal data) and the rules framed thereunder (i.e., the SPDI Rules), which largely constituted the data protection framework in India prior to the DPDP Act, will be repealed and replaced by the substantial provisions of the DPDP Act on May 13, 2027 (for better understanding, please refer to FAQ No. 2(ii)). However, the other provisions of the IT Act will continue to remain applicable.
I am operating an offshore online platform, and I offer my services to data principals in India – do the provisions of the DPDP Act apply to me?
Yes, the provisions of the DPDP Act will apply to your organisation if it is processing personal data outside India in connection with offering any goods or services (online or otherwise) to data principals located in India.
Additionally, the transfer of such personal data for processing outside the territory of India shall be subject to any restrictions that may be prescribed by the Central Government.
I am operating in India, but I do not process personal data of individuals located in India – do the provisions of the DPDP Act apply to me?
No, if your organisation processes personal data of individuals not present within the territory of India pursuant to a contract with an overseas counterparty, you are not required to comply with Chapter II (Obligations of Data Fiduciary) and Chapter III (Rights and Duties of Data Principal) of the DPDP Act. However, it is important to note that while your organisation is exempted from the core compliance requirements of the DPDP Act, it must still comply with the requirement of implementing reasonable security safeguards to protect the personal data in its possession.
Any restrictions on cross-border transfer of personal data imposed under the DPDP Act would also not be applicable on such a data fiduciary in India (please refer to FAQ No. 12 (i) on cross-border transfer restrictions).
ON CONSENT AND LEGITIMATE USE
What can I consider to be valid ‘consent’ of a data principal while processing her personal data? Would a clickwrap mechanism be regarded as valid consent?
For consent in respect of any specified purpose to be considered valid under the DPDP Act, it must be free, specific, informed, unconditional and unambiguous. The data principal must provide a clear affirmative action signifying agreement to the processing of her personal data for the specified purpose, limited to such personal data as is necessary for that purpose. A clickwrap mechanism, i.e., a click-to-accept button, can be considered a valid form of consent if it meets the above criteria.
What are the consequences of a data principal withdrawing her consent?
If a data principal withdraws her consent to the processing of her personal data, your organisation must, within a reasonable time, cease processing her personal data and ensure that any other entity processing it on your organisation’s behalf also ceases. If a data principal withdraws her consent to the processing of her personal data for a particular purpose, your organisation, and any other entity processing her personal data on its behalf, must stop processing her personal data for that purpose. However, you may still be required by law to retain the personal data of the data principal for the retention periods prescribed under the Rules (as detailed in FAQ No. 6(i) below), even after the data principal withdraws her consent. Where your organisation has already processed the personal data for that purpose before the withdrawal of consent, the processing done before the withdrawal will still be considered lawful.
What are the legitimate uses for which my organisation does not need to obtain consent of the data principal?
Your organisation may process the personal data of a data principal for any of the following legitimate uses without obtaining the consent of the data principal:
- For specified purposes (that would also need to be notified to the data principal) where a data principal has voluntarily provided her personal data to your organisation and has not indicated that she does not consent to the use of her personal data;
- For purposes falling within the scope of employment or for safeguarding an employer from loss or liability, such as prevention of corporate espionage, maintenance of confidentiality of trade secrets, intellectual property, classified information or the provision of any service or benefit sought by a data principal who is an employee;
- For fulfilling an existing legal obligation to disclose any information to government actors. This is, however, subject to the processing being in accordance with the information disclosure requirements under any law in force;
- For responding to a medical emergency involving a threat to life or an immediate threat to health;
- For taking measures to provide medical treatment or health services to any individual during an epidemic, outbreak of disease, or any other threat to public health; and
- For taking measures to ensure the safety of, or provide assistance or services to, any individual during any disaster, or any breakdown of public order.
I work at a government organisation / body. What are the legitimate uses for which my organisation does not need to obtain consent of the data principal?
Government actors like your organisation may process the personal data of a data principal without obtaining her consent for the legitimate use of providing any subsidies, benefits, services, certificates, licences or permits to the data principal, provided that:
- The data principal has previously consented to the processing of her personal data by government actors for subsidies, benefits, services, certificates, licences or permits; or
- Such personal data is available in digital form, or in non-digital form and digitised subsequently from any database, register, book or other document which is maintained by government actors and is notified by the Central Government.
However, in order to avail of the above exemption, you must implement appropriate technical and organisational measures to ensure that:
- You carry out processing in a lawful manner;
- You process personal data for the purpose of provision of subsidies, benefits, services, certificates, licences or permits to the data principal;
- You limit the processing to the personal data that is necessary for such uses or to achieve such purposes;
- You undertake reasonable efforts to ensure the completeness, accuracy and consistency of personal data;
- You retain personal data only until required for such uses or achieving such purposes, or for compliance with any law for the time being in force;
- You undertake reasonable security safeguards to prevent personal data breach and protect personal data in your possession or control, including in respect of any processing undertaken by your vendors or sub-contractors;
- You undertake processing while intimating the data principal of the same, and:
  - give the business contact information of a person who is able to answer on your behalf any questions raised by the data principal about the processing of her personal data; and
  - specify the hyperlink for accessing your website, app, or both, along with a description of any other means using which such data principal may exercise her rights under the DPDP Act;
- You carry out the processing in a manner consistent with such other standards as may be issued by the Central Government or any law for the time being in force; and
- You take accountability for effective observance of the above standards if you, by yourself or in conjunction with others, determine the purpose and means of processing of personal data.
My organisation has already obtained consent or processes personal data based on legitimate uses before the DPDP Rules were issued. Does it need to take consent again or inform the data principals of the legitimate uses relied on?
If the data principal has given her consent to process her personal data for specific purpose(s) before the coming into force of the consent-specific requirements under the DPDP Act (i.e., before May 13, 2027), your organisation must provide a notice to the data principal via email, an in-app notification, or other similarly effective method as soon as possible, on or after May 13, 2027, prior to continued processing of such data (a) describing the personal data and the purpose of its processing; (b) the manner in which she may exercise her rights to withdraw consent and for grievance redressal; and (c) the manner in which she may make a complaint to the Board (please refer to the notice requirements detailed in FAQ No. 5(i)(c) below). You may continue to process the personal data unless the data principal withdraws her consent.
Does my organisation need to provide a notice to my data principal every time it seeks her consent? What is the form and manner of provision of notice?
Yes, every time your organisation seeks the consent of a data principal, it must provide a notice to the data principal in clear and simple language. This must be provided either before or at the time of making a request for consent, in a manner that is understandable to the data principal, independent of any other information that your organisation has provided or may provide to her. The data principal must be given the option to access the contents of the notice in English or any of the 22 (twenty-two) languages specified in the Constitution of India. If a data principal has given her consent before the commencement of the DPDP Act, then your organisation must provide such data principal with such notice, in the same manner as mentioned above, as soon as it is reasonably practicable.
The notice must be in clear and plain language, along with a fair account of the details necessary to enable the data principal to give specific and informed consent for the processing of her personal data, and must contain:
- an itemised description of the personal data sought to be collected from the data principal;
- the specified purpose or purposes for which it is to be processed;
- a specific description of the goods or services to be provided or uses to be enabled by such data processing; and
- a communication link for accessing the website or app of your organisation and a description of other means, if any, using which the data principal may exercise her right to withdraw consent, exercise the rights conferred under the DPDP Act and make a complaint to the Board (please refer to the notice requirements detailed in FAQ No. 5(i)(c) below).
You must ensure that the data principal is able to withdraw her consent as easily as she gave her consent.
Can I collect personal data available in public domain and process the same without the consent / notice to the data principals?
Yes, the DPDP Act does not apply to personal data made publicly available by data principals voluntarily or made available by any other person who is under an obligation under Indian law to make such personal data publicly available. As a result, no consent or notice obligations will be triggered when it comes to processing such type of publicly available personal data.
ON GENERAL OBLIGATIONS ON DATA FIDUCIARIES
As a data fiduciary, what are my organisation’s obligations under the DPDP Act?
Your organisation’s obligations as a data fiduciary under the DPDP Act and Rules will, inter alia, include:
- General obligations:
  - Only collect and process personal data based on either consent (with appropriate notice) provided by the data principal or for prescribed legitimate uses;
  - Only collect personal data of data principals for lawful purposes;
  - Make sure that the personal data being processed is complete, accurate and consistent;
  - Only engage / appoint / use a data processor under a valid contract;
  - Implement appropriate and effective technical and organisational measures;
  - Implement reasonable security safeguards (which should, at minimum, be directly proportional to the nature of processing and risk of harm) for the protection of personal data being processed and the prevention of personal data breaches;
  - Notify the Board and affected data principals promptly upon becoming aware of any personal data breach (refer to FAQ 14);
  - Transfer personal data for processing to any country outside India, as permissible under the DPDP Act, only in accordance with the terms and conditions prescribed by the Central Government.
- Obligation in relation to requesting consent: Your organisation can only process the personal data of a data principal: (i) for which the data principal has provided her consent (except in cases of legitimate uses, more particularly described in FAQ No. 4(iii)); and (ii) which is required for the specific purpose for which consent has been sought, and nothing further, subject to the exemptions elaborated upon in FAQ No. 13. Every request for consent must be made in the following manner:
  - It must be presented in clear and plain language; and
  - It must contain the contact details of the person authorised by you to respond to any communication from the data principal.
  - Your organisation must also ensure that it allows the data principal to withdraw her consent at any time as easily as she was allowed to provide it.
- Obligation to provide notice: If your organisation wants to request the consent of a data principal to process her personal data, it must provide a notice to the data principal in the manner as described under FAQ 4(vi).
- Obligation to correct and erase personal data: If a data principal requests your organisation to correct, complete or update her personal data which she has previously given consent to process, it must do so in accordance with her instructions. Where personal data processed by a data fiduciary is likely to be used to make a decision that affects the data principal, or is likely to be disclosed to another data fiduciary, the data fiduciary must ensure its completeness, accuracy and consistency. Additionally, your organisation must ensure that it erases the personal data of the data principal, and that its data processor also erases any personal data of the data principal, on the occurrence of any of the following:
  - The data principal requests your organisation to erase her personal data;
  - The data principal withdraws her consent;
  - It has become reasonable to assume that the purpose for which the personal data was collected is no longer being served by retaining the personal data; or
  - Retention of the personal data is no longer necessary for compliance with any law.
- Obligations while processing personal data of children: Refer to FAQ No. 8.
- Obligations while processing personal data of persons with disabilities: Refer to FAQ No. 9.
- Grievance Redressal: Your organisation is required to establish an effective mechanism to redress the grievances of data principals and respond to grievances within a reasonable period not exceeding 90 (ninety) days.
- Obligation to provide information: If the data principal requests your organisation for access to the following types of data, it must provide access to the same:
  - A summary of the personal data of the data principal which is being processed by your organisation and the processing activities undertaken by it with respect to such personal data;
  - The identities of any other data fiduciaries and data processors with whom the personal data has been shared;
  - The description of personal data shared with such other data fiduciaries or data processors; and
  - Any other information as may be prescribed by the Central Government.
However, the obligation to provide the identities of the data fiduciaries as well as the type of personal data shared with them will not apply if the personal data has been shared pursuant to a request made in writing by such other data fiduciary in order to prevent, detect, or investigate offences or cyber incidents, or for the prosecution or punishment of offences.
Does my organisation need to employ a full-time data protection officer (“DPO”)? Who can be a DPO? Can I engage a third-party consultant to be the DPO?
Your organisation is required to appoint a DPO only if it is recognised as a ‘significant data fiduciary’ (more particularly described in FAQ No. 3(ii)). The DPDP Act does not specify whether the DPO needs to be a full-time employee of the organisation. However, the DPO must be based in India, should have the necessary qualifications and expertise to carry out their responsibilities effectively, and will be answerable to the board of directors or a similar governing body of the significant data fiduciary.
If your organisation is not a ‘significant data fiduciary’, there is still a requirement to appoint a person who is able to answer, on your organisation’s behalf, the questions of the data principal about the processing of her personal data, and whose details should be published on your organisation’s website or app.
What is a data protection impact assessment? Does my organisation need to undertake a data protection impact assessment?
Please refer to FAQ No. 7(ii).
My organisation is compliant with all personal data related obligations currently in force under the SPDI Rules. Once the DPDP Act is enacted, what are the additional obligations that my organisation needs to comply with?
If your organisation is currently compliant with all personal data related obligations currently in force, it will still need to take relevant steps to comply with the DPDP Act, now that it has come into force. The following are some of the additional considerations for, and obligations that your organisation will need to comply with:
- Given that the DPDP Act does not prescribe additional obligations for certain categories of personal data (as has been the case with the SPDI Rules), it must be noted that all compliance obligations under the DPDP Act extend to all categories of personal data.
- Obtaining consent from individuals before collecting or processing personal data or ensuring that the processing falls under one of the legitimate uses (refer to FAQ No. 4 (iii)). The DPDP Act requires your organisation to obtain consent in the prescribed manner (more particularly described in FAQ No. 4(iv)) from individuals before collecting or processing the personal data of the data principals. This consent must be free, specific, informed, unconditional and unambiguous. Along with such request for consent, a privacy notice must be issued to all data principals whose personal data is currently being processed at the time of such provision coming into effect.
- Implementing appropriate security measures to protect personal data. The DPDP Act requires organisations to implement appropriate security measures to protect all types of personal data from a personal data breach, as opposed to implementing such measures only for sensitive personal data, which is the current requirement under the SPDI Rules.
- Allowing access to data principal’s personal data. The DPDP Act gives the data principal the right to access her personal data that is held by a data fiduciary. The data principal also has the right to request an organisation to correct, complete, update or erase her personal data. Hence, your organisation will need to enable the exercise of these rights.
- Reporting data breaches to the Board. The DPDP Act requires organisations to report data breaches to the Board as well as to the affected data principals.
In addition to these obligations, the DPDP Act introduces a number of other provisions your organisation will need to be aware of. Your organisation will accordingly need to reassess its data processing policies and practices, including its user experience and interfaces, to ensure that they are aligned with the DPDP Act and the rules issued thereunder. Please refer to FAQ 2(iii) above as well as our detailed note on the DPDP Act (available here) for more details.
ON RETENTION OF DATA
How long can my organisation retain or process personal data under the DPDP Act and Rules?
Your organisation can process personal data until the data principal withdraws her consent to the processing or as soon as it is reasonable to assume that the specified purpose of the processing is no longer being served. From the date of such event, in respect of any processing of personal data undertaken by your organisation or by a third party on its behalf, your organisation is required to retain such personal data, associated traffic data, and other logs of the processing for a period of 1 (one) year, for the purpose of use by government actors (i) in the interest of sovereignty and integrity of India or security of the state; (ii) performance of any legally mandated function; or (iii) disclosure of any information for fulfilling any other legal obligation, or for the purpose of carrying out assessment for the notification of any data fiduciary or class of data fiduciaries as a significant data fiduciary. After this 1 (one) year period, your organisation must cause such personal data and logs to be erased, unless further retention is required for compliance with any other law.
I am an e-commerce platform / social media intermediary / online gaming intermediary. Do I have additional obligations to retain personal data?
Yes, if the following criteria are met:
- Your organisation is:
  - an e-commerce entity having 2,00,00,000 (two crore) or more registered users in India;
  - an online gaming intermediary having not less than 50,00,000 (fifty lakh) registered users in India; or
  - a social media intermediary having not less than 2,00,00,000 (two crore) registered users in India; and
- The data principal neither approaches you for the performance of the specified purpose nor exercises her rights in relation to such processing once the specified purpose of the processing is no longer being served.
In such cases, your organisation is required to retain personal data for a period of 3 (three) years from the date on which the data principal last approached you for the performance of the specified purpose or to exercise her rights, or the commencement of the Rules, whichever is latest, or for such other longer period as required under any other law. Please note that the retention period of 1 (one) year elaborated in FAQ 6(i) applies in addition to and separately from this 3 (three) year retention requirement. You will, therefore, have to retain such personal data for a total period of 4 (four) years.
Does the obligation to retain personal data for the applicable periods continue after the data principal has chosen to delete their account?
Yes, the above retention requirements apply even after the data principal’s account has been deleted.
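As an added illustration of how the two retention windows above stack (this is not code from the FAQ or from any official source; the data model, the choice of trigger dates and the caller-supplied Rules commencement date are assumptions), the following calculator returns the date after which a fiduciary must cause the data and logs to be erased:

```python
"""
Retention-window calculator for the DPDP retention periods described in the FAQ.
Added example: not from the FAQ or any official source. Thresholds and periods
come from the FAQ text; the data model, the date arithmetic and the choice of
trigger dates are assumptions made for illustration.
"""
from dataclasses import dataclass
from datetime import date
from enum import Enum
from typing import Optional


class Platform(Enum):
    ECOMMERCE = "e-commerce entity"
    GAMING = "online gaming intermediary"
    SOCIAL_MEDIA = "social media intermediary"
    OTHER = "other data fiduciary"


# Registered-user thresholds from the FAQ (Indian grouping: 2,00,00,000 = 20 million).
TWO_CRORE = 2_00_00_000
FIFTY_LAKH = 50_00_000
EXTENDED_RETENTION_THRESHOLDS = {
    Platform.ECOMMERCE: TWO_CRORE,
    Platform.GAMING: FIFTY_LAKH,
    Platform.SOCIAL_MEDIA: TWO_CRORE,
}

LOG_RETENTION_YEARS = 1       # data, traffic data and processing logs after processing ends
EXTENDED_RETENTION_YEARS = 3  # large platforms: from last approach / Rules commencement


def add_years(d: date, years: int) -> date:
    """Calendar-year arithmetic; a 29 February start date lands on 28 February."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def extended_retention_applies(platform: Platform, registered_users_in_india: int) -> bool:
    """True when the fiduciary is one of the large platforms the FAQ lists."""
    threshold = EXTENDED_RETENTION_THRESHOLDS.get(platform)
    return threshold is not None and registered_users_in_india >= threshold


@dataclass(frozen=True)
class RetentionSchedule:
    extended: bool                # whether the 3-year large-platform window applies
    retain_until: Optional[date]  # end of that 3-year window (None when not applicable)
    erase_after: date             # date after which data and logs must be erased


def retention_schedule(
    platform: Platform,
    registered_users_in_india: int,
    purpose_ended_on: date,
    rules_commencement: date,
    last_approach_on: Optional[date] = None,
    other_law_requires_until: Optional[date] = None,
) -> RetentionSchedule:
    """
    purpose_ended_on: date consent was withdrawn or the specified purpose stopped
        being served (the FAQ's trigger for the 1-year retention of data and logs).
    rules_commencement: commencement date of the Rules, supplied by the caller
        (assumption: not hard-coded here).
    last_approach_on: date the data principal last approached the fiduciary or
        exercised a right (relevant only to the large-platform window).
    other_law_requires_until: longest retention date any other law imposes, if known.
    """
    # Base rule: keep data, traffic data and logs for 1 year after processing ends.
    erase_after = add_years(purpose_ended_on, LOG_RETENTION_YEARS)
    retain_until = None
    extended = extended_retention_applies(platform, registered_users_in_india)

    if extended:
        # 3 years from the latest of: last approach, Rules commencement.
        # Assumption: with no recorded approach, the window runs from commencement.
        start = rules_commencement
        if last_approach_on is not None and last_approach_on > start:
            start = last_approach_on
        retain_until = add_years(start, EXTENDED_RETENTION_YEARS)
        # The FAQ treats the 1-year period as additional to the 3 years (4 in total).
        erase_after = max(erase_after, add_years(retain_until, LOG_RETENTION_YEARS))

    # Any longer period required by another law overrides the erasure date.
    if other_law_requires_until is not None and other_law_requires_until > erase_after:
        erase_after = other_law_requires_until

    return RetentionSchedule(extended, retain_until, erase_after)


if __name__ == "__main__":
    # Constructed sample: a social media intermediary with 3 crore registered users.
    s = retention_schedule(Platform.SOCIAL_MEDIA, 3_00_00_000,
                           purpose_ended_on=date(2028, 6, 1),
                           rules_commencement=date(2027, 5, 13),
                           last_approach_on=date(2028, 3, 1))
    print(s)  # extended=True, retain_until=2031-03-01, erase_after=2032-03-01
```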
OBLIGATIONS OF SIGNIFICANT DATA FIDUCIARIES
How do I know if my organisation will be considered as a Significant Data Fiduciary under the DPDP Act?
Please refer to FAQ No. 3 (ii).
Are there differing obligations for me as a data fiduciary, as compared to a significant data fiduciary?
Unlike the SPDI Rules, which prescribe uniform requirements for all types of data fiduciaries, the DPDP Act imposes additional obligations on data fiduciaries notified as significant data fiduciaries. In addition to the obligations of a data fiduciary as captured in FAQ No. 5 (1), a significant data fiduciary has the following obligations:
- Undertaking additional measures: The significant data fiduciary must undertake an annual data protection impact assessment and audit that is submitted to the Board along with a report containing significant observations from the data protection impact assessment and audit. A data protection impact assessment covers: (i) a description of the manner in which the personal data is processed; (ii) the purpose of processing personal data; (iii) the harm in relation to the processing of personal data and the measures for managing the risk of such harm; and (iv) such other matters with respect to processing of personal data as may be prescribed by the Central Government. Your organisation will be required to undertake a data protection impact assessment only if your organisation is classified as a significant data fiduciary.
- Appointing a DPO: The significant data fiduciary must appoint a DPO to serve as the point of contact for the grievance redressal mechanism of the significant data fiduciary. The DPO must be based in India and be responsible to the board of directors or a similar governing body of the significant data fiduciary. The significant data fiduciary must provide the business contact details of such DPO, along with every request for consent made to the data principal.
- Appointing an auditor: The significant data fiduciary must appoint an independent data auditor to evaluate the compliance of the significant data fiduciary with provisions of the DPDP Act.
- Due diligence: The significant data fiduciary must observe due diligence to verify that technical measures, including algorithmic software, adopted by it for hosting, display, uploading, modification, publishing, transmission, storage, updating or sharing of personal data processed by it are not likely to pose a risk to the rights of data principals.
- Data localisation: The significant data fiduciary must take measures to ensure that specific types of personal data (identified by the Central Government) are kept and processed within the territory of India.
How do the obligations of Significant Data Fiduciaries compare with similar entities in different jurisdictions?
The concept of significant data fiduciary is unique to the DPDP Act. Other global data protection laws such as the EU / UK General Data Protection Regulation (“GDPR”), California Consumer Privacy Act and the California Privacy Rights Act (“collectively CCPA”) and the Personal Data Protection Act of Singapore (“PDPA”) prescribe additional measures based on the nature, scope and impact of processing done by an organisation without designating a separate class of data controllers.
Under the DPDP Act, it is mandatory only for significant data fiduciaries to appoint a DPO (refer to FAQ No. 7 (ii)). Under the EU / UK GDPR however, the requirement to appoint a DPO is triggered only when personal data is processed in certain circumstances. On the contrary, under the CCPA, appointment of a DPO is not mandatory for entities collecting any type of personal data. Under the PDPA, all organisations, regardless of their processing activities, must appoint a DPO.
The DPDP Act and the Rules mandate only a significant data fiduciary to conduct an annual data impact assessment and audit. Under the EU / UK GDPR, however, such an impact assessment requirement is triggered based on the type of processing that a particular organisation may undertake. This is similar to the framework under the California Consumer Privacy Regulations under the CCPA, which were recently amended in September 2023 (“CCPA Regulations”). The CCPA Regulations require entities to undertake an impact assessment on the processing activities that present a ‘significant risk’ to consumer privacy or security. By contrast, it is not mandatory (although it is encouraged) for any organisation to undertake a data impact assessment under the PDPA.
ON OBLIGATIONS IN RELATION TO PROCESSING PERSONAL DATA OF A CHILD
Who is a ‘child’ for the purposes of data processing?
A child for the purpose of data processing means an individual who has not completed 18 (eighteen) years of age.
Can my organisation process children’s personal data? If yes, what are the dos and don’ts applicable to it?
Yes, your organisation can process children’s personal data, subject to the following conditions:
- Your organisation obtains verifiable consent of the parents or lawful guardians of the child, before processing her personal data;
- Your organisation ensures that it does not process any personal data of a child in a manner which may be detrimental to the well-being of the child; and
- Your organisation ensures that it does not monitor the behaviour of any child or issue advertisements targeted at children.
What is the concept of verifiable consent?
Verifiable consent is an additional due diligence requirement to be undertaken by data fiduciaries processing children’s personal data to confirm that the individual claiming to be the parent or guardian of the child is an adult who is identifiable if required, in connection with compliance with any law.
What are the obligations of a data fiduciary in respect of processing of personal information of children?
As a data fiduciary, your organisation is required to adopt appropriate technical and organisational measures to ensure that verifiable consent of the parent / guardian is obtained before the processing of any personal data of a child. Your organisation must also undertake due diligence to confirm that the individual asserted to be the parent / guardian of the child is an adult who is identifiable on the basis of:
- reliable details of identity and age of the parent / guardian that your organisation already has; or
- details of their identity and age that are voluntarily provided by the parent / guardian; or
- details of their identity and age that are voluntarily provided through a virtual token issued by an authorised entity (that is entrusted by the Central or State government to perform this function, or another person appointed by the foregoing entity, and includes a notified digital locker service provider), which is mapped to such details.
In order to fulfil the above due diligence obligations where your organisation intends to process children’s personal data, your organisation may require the data principal to declare themselves as a child and to declare an individual as their parent / guardian and require the identified parent / guardian to provide the necessary documentation evidencing their identity and age.
ON OBLIGATIONS IN RELATION TO PROCESSING PERSONAL DATA OF A PERSON WITH DISABILITY
Who is a ‘person with disability’ for the purposes of data processing?
For the purposes of data processing, a ‘person with disability’ is an individual who:
- has a long-term physical, mental, intellectual or sensory impairment which, in interaction with barriers, hinders her full and effective participation in society equally with others, and who, despite being provided adequate and appropriate support, is unable to take legally binding decisions; or
- is suffering from any of the conditions relating to autism, cerebral palsy, mental retardation or a combination of any two or more of such conditions (including an individual suffering from severe multiple disabilities) and who, despite being provided adequate and appropriate support, is unable to take legally binding decisions.
Can my organisation process personal data of persons with disability?
Yes, your organisation can process personal data of persons with disability, provided your organisation obtains verifiable consent of the legal guardian of such person with disability before processing her personal data.
What is the concept of verifiable consent?
The concept of verifiable consent in the context of processing of personal data of persons with disability is similar to verifiable consent in the context of processing of children’s personal data - please see our answer to FAQ No. 8(iii) above.
What are the obligations of a data fiduciary in respect of processing the personal data of persons with disability?
As a data fiduciary, your organisation is required to undertake due diligence while obtaining verifiable consent from an individual identifying herself as the lawful guardian of a person with disability. This due diligence should be undertaken to confirm that such guardian is appointed by a court of law, a designated authority (designated under section 15 of the Rights of Persons with Disabilities Act, 2016), or a local level committee, under the law applicable to guardianship (i.e., the Rights of Persons with Disabilities Act, 2016 and the Welfare of Persons with Autism, Cerebral Palsy, Mental Retardation and Multiple Disabilities Act, 1999, as applicable).
In order to fulfil the above due diligence obligations where you intend to process personal data of persons with disability, you can require the data principal to declare themselves as a person with disability and to declare an individual as their lawful guardian, and require the identified guardian to provide the necessary documentation evidencing their position as the legally appointed guardian of the concerned person with disability.
ON THE RIGHTS OF DATA PRINCIPALS
Does a data principal have a right to access, update or request erasure of her data? What is my organisation’s obligation in this regard?
Yes, every data principal will have the right to access, correct, complete, update or request the erasure of the personal data you have processed. To this end, your organisation must prominently publish the details of how a data principal can make a request for exercise of the aforementioned rights and the particulars of the data principal required to identify her under your organisation’s terms of service. Your organisation must ensure that data principals are allowed to access, correct, complete, update and request the erasure of their personal data. When requested, your organisation must accordingly correct the inaccurate or misleading personal data, complete the incomplete personal data, or update the personal data. Upon receipt of a request to erase the personal data or as soon as it is reasonable to assume that the specified purpose is no longer being served (whichever is earlier), your organisation must erase such personal data unless retention of the same is necessary for compliance with any law.
If a data principal has already signified her consent to allow my organisation to share her personal data with another organisation, does my organisation have to specify the details of all other organisations with whom the personal data will be / has been shared?
There is no obligation on you to disclose upfront the details of recipients of personal data (i.e., organisations with whom you are sharing the personal data) to the data principals. However, under the DPDP Act, the data principal has a right to request the identities of such recipients, in which case you will be bound to provide such details to the data principal.
Can a data principal nominate someone on her behalf to exercise her rights?
Yes, a data principal does have the right to nominate one or more individuals for the purpose of exercising her rights on her behalf in case of her death or incapacity. The nominee will act on behalf of the data principal in the event of her death or if the data principal is unable to exercise her right due to unsoundness of mind or infirmity of body.
If a data principal has a grievance regarding our data processing processes, does she first approach my organisation or the Board?
The data principal must first file a grievance with your organisation before she can approach the Board.
What are my organisation’s obligations with respect to providing a grievance redressal mechanism for my users?
Your organisation must enable all data principals to contact it and file the grievances they may have with regard to acts or omissions by your organisation, or to exercise their rights under the provisions of the DPDP Act. The details of the contact person to whom grievances may be communicated must be prominently displayed on your organisation’s website / app. It must also be ensured that all grievances are responded to within a reasonable period of time not exceeding 90 (ninety) days. Your organisation may designate a grievance officer to ensure compliance with the grievance redressal related requirements under the DPDP Act and the Rules.
Can a data principal ask for her/his data to be ported under the DPDP Act?
No, data principals do not have the right to data portability under the DPDP Act. That said, this may be undertaken in certain circumstances, i.e. in case of processing that is necessary for a court-approved scheme of compromise / arrangement / merger / amalgamation / demerger / restructuring a company, or division of one or more companies.
CONSENT MANAGER
Who is a consent manager? What role do they play in the collection and processing of personal data?
A consent manager is an entity that acts on behalf of the data principal. The consent manager is a single point of contact that enables a data principal to give, manage, review and withdraw her consent through an accessible, transparent and interoperable platform. A consent manager has to be registered with the Board and must adhere to the technical, operational, financial, and other conditions as have been prescribed by the Central Government under the Rules.
How can an entity register itself as a consent manager under the DPDP Act and Rules?
An entity desirous of operating as a consent manager under the DPDP Act must first fulfil the conditions for registration as set out in Part A of the First Schedule of the Rules. Such conditions inter alia include being a company incorporated in India, having a net worth of at least INR 2,00,00,000 (Indian Rupees Two Crores), and having sufficient capacity to fulfil its obligations as a consent manager as prescribed under the Rules. While applying to the Board for registration, the applicant entity must furnish any particulars, information and documents as required by the Board and accordingly published on the Board’s website. As part of the application process, the Board may make an inquiry to satisfy itself that the applicant entity fulfils the prescribed conditions – based on which the Board may either register the applicant as a consent manager by notifying the applicant and publishing the details on its website or may reject the application by communicating the relevant reasons to the applicant.
How does my organisation, as a data fiduciary engage with a consent manager for the purpose of managing a data principal’s consent(s)?
Under the Rules, the way in which the operation of a consent manager is envisaged is that the consent manager will onboard data fiduciaries onto its platform for the purpose of managing the consent(s) of those data principals whose personal data is processed by such data fiduciaries. In doing so, the consent manager must also ensure that it remains free from conflicts of interest with data fiduciaries. Specifically, it is required to implement measures to ensure that no conflict arises on account of its directors, key managerial personnel, or senior management holding any directorship, financial interest, employment, or beneficial ownership in a data fiduciary, or having a material pecuniary relationship with them.
From a practical standpoint, the operationalisation of this relationship can draw from the Master Direction - Non-Banking Financial Company - Account Aggregator (Reserve Bank) Directions, 2016 (“AA Master Directions”). Under the AA Master Directions, consent managers (analogous to account aggregators) onboard financial information providers and financial information users (both analogous to data fiduciaries) by entering into separate agreements that set out rights, obligations, and technical interoperability standards. While the Rules do not expressly mandate the execution of an agreement between a consent manager and a data fiduciary, market practice will evolve in this regard, and the AA ecosystem provides a clear point of reference. Having an agreement would also help formalise the arrangement, allocate responsibilities, and ensure that the consent manager can effectively discharge its obligations in respect of data fiduciaries.
How do I, as a data principal, use or engage with a consent manager for managing my consents?
A consent manager is required to provide a platform (through its developed website or mobile application) through which a data principal can manage her consents. As a data principal, you would use this platform to give consent to the processing of your personal data by any data fiduciary that has been onboarded onto the consent manager’s system. Once the relevant data fiduciary is available on the platform, you can review the consent request and provide or withdraw your consent for the processing of your personal data directly through the consent manager’s interface.
What technical and security standards must consent managers comply with under the DPDP Act and Rules?
The consent manager must ensure that its platform is interoperable and is consistent with the data protection standards and assurance framework that the Board may publish on its website from time to time, and that appropriate technical and organisational measures are in place to ensure compliance with such standards. Importantly, the consent manager itself is data-blind and must ensure that it is unable to read the contents of any of the personal data it shares. The consent manager must also take reasonable security safeguards to prevent a personal data breach. Such technical and organisational controls, systems, procedures and safeguards must be evaluated and audited periodically by the consent manager and reported to the Board.
What obligations does a consent manager have?
A consent manager has several substantive obligations under the Rules, spanning facilitation of consent, record keeping, transparency, governance and maintaining oversight. At its core, a consent manager must enable a data principal to use its website / app to give consent for the processing of personal data by any data fiduciary onboarded onto its platform, either directly or through another onboarded data fiduciary. While facilitating sharing of personal data, the consent manager must ensure that the personal data is not readable by it.
It must maintain records of: (a) consents given, denied, or withdrawn; (b) notices accompanying consent requests; and (c) any sharing of personal data with a transferee fiduciary. These records must be accessible to the data principal, provided in machine-readable form on request, and retained for at least 7 (seven) years.
The consent manager must act in a fiduciary capacity to the data principal, maintain and operate a website / app as the primary access point for its services, and publish details of its promoters, directors, senior management and shareholders holding more than 2% (two percent), as well as any other information directed by the Board in the interest of transparency. It must also have effective audit mechanisms to monitor its technical and organisational safeguards, continued compliance with registration conditions, and adherence to its obligations under the DPDP Act and Rules, and report audit outcomes to the Board as required.
What is the liability of a consent manager under the DPDP Act and the Rules?
A consent manager is responsible and accountable to the data principal and owes a fiduciary duty to the data principal, not to the data fiduciary. If a consent manager breaches its obligations under the DPDP Act or Rules, the data principal has the right to seek grievance redressal against it. The Board may take cognizance of (a) a complaint filed by a data principal alleging a breach of obligations by the consent manager; and (b) any breach of the conditions of registration by the consent manager. Based on its findings, the Board may impose penalties as provided under the DPDP Act.
If the Board believes that the consent manager is not adhering to its conditions or obligations, it may, after giving an opportunity of being heard, inform the consent manager of such non-adherence and direct it to take corrective measures. Further, wherever necessary in the interest of data principals, the Board may suspend or cancel the consent manager’s registration and issue any further directions it considers appropriate to protect data principals’ interests.
ON PROCESSING OF PERSONAL DATA OUTSIDE INDIA
Can my organisation transfer personal data outside of India?
Yes, subject to certain conditions. The DPDP Act allows the Central Government to restrict the transfer of personal data outside India to certain countries or territories which it may notify in due course. However, this will not dilute the applicability of any law in India which prescribes a higher degree of protection or restriction on a data fiduciary while transferring personal data outside India. Hence, depending on the nature of the business undertaken by your organisation, restrictions or conditions may be placed by sectoral laws and regulations, which may be applicable to your organisation. Additionally, the DPDP Rules clarify that the transfer of personal data outside India may be subject to restrictions and requirements that will be issued from time to time by the Central Government, given through general or special orders, in relation to cross-border data transfers to a foreign state government or any entity or person under control of any agency of the foreign state government.
Has the Indian Government notified any countries / territories to which transfer of personal data from India is restricted?
No, as of date, the Central Government is yet to notify any countries / territories to which transfer of personal data from India is restricted under the DPDP Act.
ON EXEMPTIONS UNDER THE DPDP ACT
My organisation is an MSME, will my organisation have to comply with all the obligations under the DPDP Act?
All obligations imposed on data fiduciaries will apply to your organisation if it processes personal data, even if it is an MSME.
My organisation is a startup. Will my organisation have to comply with all the obligations under the DPDP Act?
All obligations imposed on data fiduciaries will apply to your organisation, even if you are a startup. However, the Central Government has the power to notify data fiduciaries which are private limited companies or partnership firms or limited liability partnerships incorporated in India as ‘startups’ based on certain prescribed criteria and processes. These recognised startups may be exempt from certain provisions of the DPDP Act depending on the volume and nature of personal data processed.
My organisation is an IT/ITeS entity and processes data of foreign residents. Do I have to comply with the DPDP Act in respect of personal data of such foreign residents?
The DPDP Act is applicable to all data fiduciaries that process personal data within the territory of India, and only in some instances, to data fiduciaries that process personal data outside India (more particularly described in FAQ No. 3(vii)). However, processing of personal data by a person within India, of data principals not within the territory of India in furtherance of a contract with a person outside India, has been exempted from complying with Chapter II (Obligations of Data Fiduciary) and Chapter III (Rights And Duties of Data Principal) of the DPDP Act, with the exception of implementing reasonable security safeguards to protect the personal data in their possession. Any restrictions on cross-border transfer of personal data imposed under the DPDP Act would also not be applicable on such a data fiduciary in India.
An example of such a data fiduciary whose processing activities are eligible for the above exemptions is a company in India providing backend outsourced services, under a contract with an entity outside India, that involve processing the personal data of residents outside India.
If my organisation is sharing personal data with the Government or any law enforcement authorities under applicable laws, will it be required to comply with the DPDP Act?
Organisations may share personal data with Government actors to comply with their obligations under applicable laws. In such a case, the organisation does not need to take consent of, or provide notice to, the data principals. However, the general obligations imposed on data fiduciaries which are not linked to consent and notice will continue to apply to your organisation.
Organisations may also share personal data with the Government or law enforcement authorities either proactively if necessary for enforcing any legal right / claim, or when sought for in the interest of prevention, detection, investigation or prosecution of any offence or contravention of any law. In such a case, the processing of personal data is exempt from the obligations under Chapter II (Obligations of Data Fiduciary), Chapter III (Rights And Duties of Data Principal) of the DPDP Act, with the exception of implementing reasonable security safeguards to protect the personal data in their possession, and the restrictions on cross-border transfer of personal data imposed under the DPDP Act.
ON DATA BREACH AND POWERS OF THE DATA PROTECTION BOARD
In case of a personal data breach, what should my organisation do?
In the event of a personal data breach, your organisation must, without any delay, notify the Board and each of the affected data principals of the breach, and the nature of the leaked personal data. In addition to this, the Rules prescribe that upon discovering a personal data breach, your organisation must immediately take 2 (two) key actions:
- Notify the data principal: Your organisation must, without delay and in a concise, clear, and plain manner, inform each affected data principal via their registered contact method or user account. This intimation must cover: (a) the breach’s description (nature, extent, and timing); (b) the likely consequences for the data principal; (c) measures implemented by the data fiduciary to mitigate risk arising out of such breach; (d) safety measures the data principal can take; and (e) contact information of the data fiduciary for any queries.
- Report to the Board: This notification to the Board is to be undertaken (a) without delay, with a description of the breach (nature, extent, timing, location, and likely impact); and (b) within 72 (seventy-two) hours, with an updated and detailed account of breach information, the facts / reasons leading to the breach, measures implemented / proposed to mitigate risk, findings on the person who caused the breach, remedial steps to prevent recurrence, and a report on intimations given to data principals.
What are the penalties that can be levied by the Board under the DPDP Act?
The penalties that may be imposed vary depending on the nature of the non-compliance, as follows:
| Sl. No. | Breach of provisions of the DPDP Act | Penalty |
| --- | --- | --- |
| 1 | Breach in observing the obligation of a data fiduciary to take reasonable security safeguards to prevent personal data breach | Up to INR 250,00,00,000 (Indian Rupees Two Hundred and Fifty Crores) |
| 2 | Breach in observing the obligation to give the Board or affected data principal notice of a personal data breach | Up to INR 200,00,00,000 (Indian Rupees Two Hundred Crores) |
| 3 | Breach in observance of additional obligations in relation to children | Up to INR 200,00,00,000 (Indian Rupees Two Hundred Crores) |
| 4 | Breach in observance of additional obligations of ‘significant data fiduciary’ | Up to INR 150,00,00,000 (Indian Rupees One Hundred and Fifty Crores) |
| 5 | Breach of any terms of the voluntary undertaking made by a person and accepted by the Board | Up to the extent applicable for the breach in respect of which the proceedings were initiated under the DPDP Act. |
| 6 | Breach of any other provision of the DPDP Act or the rules made thereunder | Up to INR 50,00,00,000 (Indian Rupees Fifty Crores) |
| 7 | Breach by a data principal in observance of the data principals’ duties | Up to INR 10,000 (Indian Rupees Ten Thousand) |
What actions can the Board take if there is an inquiry into my organisation?
The Board may initiate an inquiry into your organisation on receipt of intimation of certain violations of the DPDP Act, either through a complaint or through a reference from the Central Government. During or after an inquiry, apart from imposing penalties, the Board is empowered to direct the implementation of any remedial or mitigation measures and to inquire into a personal data breach that has been reported. The Board is also empowered to refer your organisation and the affected data principals to a mediation process. Further, the Board may accept an undertaking from your organisation to take, or refrain from taking, certain actions in exchange for not continuing proceedings before the Board.
In addition to the above, the DPDP Act has prescribed some powers of a civil court that may be exercised by the Board, that include the power to:
- Summon and enforce attendance of persons for examination under oath;
- Receive evidence on affidavit and compel the discovery and production of documents;
- Inspect any data, books, documents, registers, or accounts; and
- Such other matters as may be prescribed.
Upon the advice of the Board, and where the Central Government thinks it necessary in the interests of the general public, the Central Government may also issue a blocking order to an intermediary, after giving the data fiduciary an opportunity to be heard.
However, the Board is not allowed to block access to any premises or seize equipment or items if doing so would disrupt the organisation’s daily operations.
What rights do the data principals have against my organisation in the event of a data breach?
In the event of a personal data breach, the data principal is required to exhaust her opportunity of redressing her grievance with the data fiduciary and can only subsequently intimate the Board of the breach if the issue remains unresolved, which could lead to an inquiry into your organisation.
Can one appeal against any decision taken by the Board?
Yes, any person aggrieved by an order or direction of the Board, may prefer an appeal before the Telecom Disputes Settlement and Appellate Tribunal within 60 (sixty) days of issuance of an order by the Board, in the form of a digital application along with a fee as prescribed in the Rules.
Can a data principal directly approach the Board for any grievances?
No, a data principal cannot directly approach the Board for a grievance. The DPDP Act mandates the data principal to exhaust the opportunity of redressing her grievance through the means provided by the data fiduciary before approaching the Board.
Rather than approaching the Board, can a data principal approach the court for damages against my organisation for its handling of her personal data?
No. Civil courts do not have jurisdiction over matters that fall within the purview of the Board. A data principal who is aggrieved by an order of the Board may, however, appeal to the Telecom Disputes Settlement and Appellate Tribunal within 60 (sixty) days of receipt of that order.
ON GOVERNMENT ACCESS
Do the obligations of data fiduciaries under the DPDP Act also apply to the government and its agencies?
Yes, in a limited manner. Where personal data is processed by a court, tribunal or other body performing a judicial, quasi-judicial, regulatory or supervisory function, and the processing is necessary for that function, the body is exempt from Chapter II (Obligations of Data Fiduciary), Chapter III (Rights and Duties of Data Principal) and the restriction on cross-border transfer of personal data under the DPDP Act. The exemption does not extend to the overarching obligation to comply with the DPDP Act and the Rules, or to the obligation to implement reasonable security safeguards to protect the personal data in its possession.
Government actors (instrumentalities of the State) notified by the Central Government are also exempt from the provisions of the DPDP Act where the processing of personal data is in the interests of the sovereignty and integrity of India, security of the State, friendly relations with foreign States, maintenance of public order or prevention of incitement to any cognizable offence relating to any of these.
Additionally, the obligation to erase personal data does not apply to personal data processed by Government actors. Where a Government actor processes personal data in a manner that does not involve making a decision that affects the data principal, it is also not obligated to honour the data principal's right to have her personal data corrected, completed or updated.
Does the Central Government have access to the personal data collected by my organisation and can my organisation refuse to disclose said personal data?
Yes. The Central Government may require the Board or any data fiduciary (including your organisation) to furnish such information as it may call for, and your organisation will have to comply with such a request.
The Central Government may also call for information from an intermediary (whether or not it is a data fiduciary), including in the interests of the sovereignty and integrity of India or security of the State, for the performance of a function under law, or to assess whether an entity should be classified as a significant data fiduciary.
CYBERSECURITY COMPLIANCES
Does my organisation need to report any cyber security incident to the Board?
Your organisation has to report to the Board, and notify each affected data principal of, any cyber security incident that constitutes a personal data breach; cyber security incidents that do not involve personal data are not reportable under the DPDP Act. Please refer to FAQ No. 14 for details on reporting personal data breaches to the Board and notifying affected data principals.
Does my organisation need to separately notify a personal data breach to the Board and the data principal if I have notified the breach to CERT-In?
Yes. The obligation to notify a personal data breach to the Board and to the affected data principals is separate from, and independent of, the incident-reporting obligations owed to CERT-In; a report to CERT-In does not discharge the DPDP Act obligation, and vice versa.
ALIGNING WITH GLOBAL DATA PROTECTION COMPLIANCES
My organisation is already EU GDPR and UK GDPR compliant. What additional obligations or adjustments will we need to make to comply with the DPDP Act and Rules?
Entities that comply with the GDPR or other global data protection laws already have a foundational framework that covers many aspects of the DPDP Act. There are, however, certain distinct compliance requirements to keep in mind. Some of them are:
- Unlike the EU GDPR, the UK GDPR and other global data protection laws, the DPDP Act does not prescribe differential or enhanced compliances for particular categories of personal data (such as special categories of personal data). The obligations under the DPDP Act and the Rules apply uniformly to the processing of all personal data.
- The legal bases for processing personal data under the EU GDPR, the UK GDPR and other global data protection laws do not map one-to-one onto the grounds for processing under the DPDP Act (consent and the enumerated "legitimate uses"). A separate data mapping exercise may therefore be required.
- Revisit privacy policies / privacy notices to identify the need for DPDP Act specific modifications or addendums.
- Personal data, the associated traffic data and other logs of processing must be retained for a minimum period of 1 (one) year from the date of such processing. For certain entities (e-commerce, online gaming and social media platforms) meeting the thresholds specified in the Rules, an additional period of 3 (three) years from the date of processing applies to the personal data processed by them.
- Provide data principals the option (through the user interface of your platform, app, website, etc.) to nominate a registered consent manager, as the concept of a consent manager does not exist under the GDPR and other global data protection laws.
- Put in place procedures for notifying every personal data breach to the Board and to each affected data principal (please refer to FAQ No. 14 for a detailed answer).
Additionally, please note that if a GDPR compliant entity is designated as a significant data fiduciary, it must implement additional measures as required under the DPDP Act, Rules and as may be prescribed by the Central Government (Please refer to FAQ No. 8 for a detailed answer).
The aforementioned obligations are in addition to the compliance requirements prescribed under the GDPR. Conversely, the GDPR imposes certain requirements that have no counterpart under the DPDP Act, so a GDPR-compliant entity will already exceed what the DPDP Act requires in these respects. They include, inter alia, the following:
- The DPDP Act does not apply to personal data that has been made publicly available by the data principal herself, or by another person under a legal obligation to do so. Such data remains within the ambit of the GDPR;
- Data subjects under the GDPR have the right to data portability. No such right is available under the DPDP Act;
- Data subjects under the GDPR have the right not to be subject to decisions based solely on automated processing of their personal data. No such specific right exists under the DPDP Act, and the closest equivalent must be read under the broader umbrella of the right to withdraw consent.
INDUSTRY IMPACT
Does the DPDP Act apply to the personal data of my organisation’s employees?
Yes. Your organisation would be subject to all obligations imposed on data fiduciaries under the DPDP Act and the Rules in respect of employee personal data. Note, however, that consent is not required where personal data is processed for the purposes of employment, or for purposes related to safeguarding the employer from loss or liability, such as prevention of corporate espionage, maintenance of confidentiality of trade secrets, intellectual property or classified information, or provision of any service or benefit sought by an employee.
My organisation is in the B2B sector and does not interface with individuals nor collect their personal data. Are there any additional requirements under the DPDP Act that apply specifically to my organisation?
The DPDP Act and the Rules apply to all personal data including any personal data processed as part of a B2B relationship. For instance, this may include the name, email address, contact information or other personal details of an authorised representative or the employees of an organisation (such as a vendor or enterprise customer). All obligations imposed on data fiduciaries will apply to your organisation processing such personal data in the B2B sector too.
My organisation is in the fintech / financial services sector. Are there any additional requirements under the DPDP Act that apply specifically to my organisation?
The DPDP Act has done away with the separate classification of sensitive categories of data (which, under the SPDI Rules, previously included financial information). Entities in the financial services sector must therefore comply with the obligations that apply to all personal data, financial information included, subject to any applicable exemptions.
For organisations operating in the fintech or wider financial services sector, the DPDP Act applies in addition to sector-specific regulations issued by financial regulators such as the Reserve Bank of India (“RBI”), the Securities and Exchange Board of India (“SEBI”) and the Insurance Regulatory and Development Authority of India (“IRDAI”). In case of any conflict, the provisions of the DPDP Act would prevail to the extent of such conflict, except in case of cross border transfer of personal data. Where there is any overlap relevant to personal data transfers outside of India, your organisation must comply with the stricter requirement. This means that if RBI, SEBI or IRDAI impose more stringent obligations than those under the DPDP Act, those sectoral requirements will prevail and must be followed. For instance, data localisation mandates issued by SEBI for intermediaries (such as stockbrokers), or by the RBI for payment system operators, continue to apply even if the DPDP Act itself does not prescribe data localisation.
Regulated entities will also need to comply with reporting obligations that run in parallel with those under the DPDP Act. In addition to the breach notification obligations under the DPDP Act, financial sector regulators impose their own incident reporting obligations, and the incident reporting obligations under the CERT-In Directions continue to apply.
The DPDP Act also exempts organisations from certain compliance obligations (the general data fiduciary obligations, other than the overarching obligation to comply with the DPDP Act and the obligation to protect personal data by implementing security safeguards) for specific processing activities, including processing for ascertaining the financial information, assets and liabilities of a person who has defaulted on the repayment of a loan from a financial institution. Lenders (banks and non-banking financial companies) will be able to benefit from this.
My organisation is in the telecom sector. Are there any additional requirements under the DPDP Act that apply specifically to my organisation?
As an organisation in the telecom sector, your organisation is already subject to obligations set forth by the Telecom Regulatory Authority of India (“TRAI”) and the Department of Telecommunications (“DoT”), including obligations relating to data storage, lawful interception, etc. The DPDP Act will operate alongside these existing obligations. To the extent there is any conflict, the provisions of the DPDP Act would prevail to the extent of such conflict, except in case of cross border transfer of personal data. Where there is any overlap relevant to personal data transfers outside of India, your organisation must comply with the stricter requirement. This means that if TRAI or DoT impose more stringent obligations than those under the DPDP Act, those sectoral requirements will prevail and must be followed.
At the same time, Government actors in the telecom sector may rely on the "legitimate use" grounds for processing personal data instead of consent, which provides a limited relaxation for specific functions carried out in the public interest. Private telecom operators, by contrast, face more stringent consent requirements under the DPDP Act: in particular, consent must be obtained before personal data is used for upselling or cross-selling, or is sold or shared with third parties for marketing purposes.
My organisation is an e-commerce platform. Are there any additional requirements under the DPDP Act that apply specifically to my organisation?
The Rules require data fiduciaries to respond to the grievances of data principals relating to the processing of their personal data within a period of 90 (ninety) days. However, in order to comply with the Consumer Protection (E-Commerce) Rules, 2020, you will in any case need to ensure that your grievance officer acknowledges the receipt of consumer complaints (including in relation to personal data of the consumer) within 48 (forty-eight) hours and redresses the complaint within 1 (one) month from the date of receipt of the complaint.
Further, if you have 2,00,00,000 (two crore) or more registered users in India, you will be required to comply with the additional data retention requirements as detailed in FAQ 6(ii) above.
My organisation is an intermediary platform. Are there any additional requirements under the DPDP Act that apply specifically to my organisation?
The Rules require data fiduciaries to respond to the grievances of data principals relating to the processing of their personal data within a period of 90 (ninety) days. However, under the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, your appointed grievance officer must in any case acknowledge every complaint raised by a user or a victim regarding a violation of your due diligence obligations, or any other matter pertaining to the computer resources made available by you, within 24 (twenty-four) hours, and resolve it within 15 (fifteen) days of receipt. If the complaint is in the nature of a content takedown request, it must be acted upon as expeditiously as possible and resolved within 72 (seventy-two) hours. Such complaints may also concern an individual's personal data.
Further, as detailed in FAQ 6(ii) above, if you are an online gaming intermediary or a social media intermediary having more registered users in India than the prescribed thresholds, you will be required to comply with the applicable additional data retention requirements.
Separately, as an intermediary, you may be required by the Central Government to furnish any information sought from you within the specified time period. Where disclosure of such a request is likely to prejudicially affect the sovereignty and integrity of India or the security of the State, the Central Government may also require you not to disclose the fact of the request, or the information furnished, to the affected data principal or any other person, except with the prior written permission of the designated authorised person. These information requests must be complied with regardless of whether you, as an intermediary, are a data fiduciary.
My organisation is in the marketing sector. Are there any additional requirements under the DPDP Act that apply specifically to my organisation?
Where personal data is processed on the basis of consent, the DPDP Act and the Rules prescribe specific notice and consent requirements that data fiduciaries must meet (please refer to FAQ No. 5(i)(c) for the notice requirements). Consent must be obtained separately for (a) marketing your own goods or services; and/or (b) sharing personal data with third parties for marketing purposes (whether the recipient acts as a data processor or as another data fiduciary).
If you are a data fiduciary disclosing personal data to another data fiduciary for marketing purposes, you are required to comply with the DPDP Act and the Rules in terms of:
- the notice and consent requirements, both when obtaining the personal data and when sharing it with the other data fiduciary; and
- ensuring that the personal data shared with the other party is complete, accurate and consistent.
The obligation to ensure the completeness, accuracy and consistency of personal data is also triggered where the data fiduciary's processing of the personal data is likely to be used to make a decision that affects the data principal.
It is important to note that the DPDP Act categorically bars tracking or behavioural monitoring of children and targeted advertising directed at children (please refer to FAQ No. 8(ii)).
Additionally, the Central Government may exempt a data fiduciary from all or some of the standard obligations regarding the processing of children's personal data if it is satisfied that the data fiduciary has ensured that such processing is verifiably safe. In that case the Central Government will notify, for that data fiduciary, an age above which the aforementioned obligations do not apply.
My organisation provides IT/ITeS outsourcing services for global clients. Are there any additional requirements under the DPDP Act that apply specifically to my organisation?
If your organisation provides IT/ITeS outsourcing services under a contract to clients outside India, and the personal data processed relates to data principals who are not within India, your organisation may be exempt from many of the compliances under the DPDP Act, as detailed under FAQ No. 13(iii).
My organisation uses Artificial Intelligence (“AI”). Are there any additional requirements under the DPDP Act that apply specifically to my organisation?
The DPDP Act does not specifically address AI; organisations using AI must nonetheless comply with the DPDP Act to the extent their activities involve the processing of personal data. That said, the DPDP Act will not apply to your use of AI where the model is trained only on personal data made publicly available by the data principals themselves, or where the processing is exclusively for research, archiving or statistical purposes, adheres to the prescribed standards, and is not used to take any decision specific to a data principal. Using AI models poses practical challenges for the data principals' rights of access, correction and erasure, each of which requires identifying the data set in which the personal data is held. Once personal data has been used to train a model, erasure becomes practically infeasible, because trained model parameters do not hold the data in a form from which a single individual's records can be selectively removed. It may likewise be difficult to ensure completeness, accuracy and consistency where AI is used to make decisions about data principals. Your organisation may therefore consider training on anonymised data to the extent possible. Separately, significant data fiduciaries are also required to observe due diligence when adopting algorithmic software (refer to FAQ 7(ii)).
This alert is for information purposes only. Nothing contained herein is, purports to be, or is intended as legal advice and you should seek legal advice before you act on any information or view expressed herein. Although we have endeavored to accurately reflect the subject matter of this alert, we make no representation or warranty, express or implied, in any manner whatsoever in connection with the contents of this alert. No recipient of this alert should construe this alert as an attempt to solicit business in any manner whatsoever.