🇮🇳

Digital Personal Data Protection Act 2023 (India)

India's comprehensive data-protection regulation, enacted August 2023. Applies to the processing of digital personal data within India and to cross-border processing of personal data of data principals in India. Penalty up to ₹250 crore per violation. The dominant privacy regulation for the world's most populous market.

2 critical, 12 high, 5 medium, 1 low

DPDP-1 | DPDP-001 | high

Lawful Processing of Personal Data

Personal data may be processed only for lawful purposes consented to by the data principal or for legitimate uses.

DPDP-2 | DPDP-002 | high

Notice to Data Principals

Data fiduciary must provide notice in clear and plain language at or before processing.

DPDP-3 | DPDP-003 | high

Consent Management

Consent must be free, specific, informed, unconditional, unambiguous, and revocable.

DPDP-4 | DPDP-004 | medium

Data Accuracy

Data fiduciary must take reasonable steps to ensure data is accurate, complete, and consistent.

DPDP-5 | DPDP-005 | medium

Data Retention Limitation

Personal data must not be retained beyond its purpose or the contractual period, and must be deleted when consent is withdrawn.

DPDP-6 | DPDP-006 | critical

Security Safeguards

Data fiduciary must implement reasonable security safeguards to protect personal data.

DPDP-7 | DPDP-007 | critical

Breach Notification

Data fiduciary must notify the Data Protection Board and affected data principals of a personal data breach.

DPDP-8 | DPDP-008 | high

Data Principal Rights

Data principals have rights to access, correction, erasure, and grievance redressal.

DPDP-9 | DPDP-009 | high

Cross-Border Transfer

Cross-border transfers are permitted only to countries notified by the Central Government.

DPDP-10 | DPDP-010 | high

Children's Data Protection

Verifiable parental consent required before processing data of children (under 18 in India per DPDP).

DPDP-11 | DPDP-011 | high

Significant Data Fiduciary Obligations

Companies designated as Significant Data Fiduciaries have additional obligations: DPIA, audits, DPO.

DPDP-12 | DPDP-012 | medium

Grievance Officer

Data fiduciary must designate a grievance officer and publish contact information.

DPDP-13 | DPDP-013 | medium

Data Protection Board Cooperation

Data fiduciaries must cooperate with DPB investigations and provide requested information.

DPDP-14 | DPDP-014 | high

Reasonable Security Safeguards Documentation

Document the security safeguards deployed; this documentation serves as a defense before the DPB in breach investigations.

DPDP-15 | DPDP-015 | medium

Employee Data Lawful Use

Employee personal data may be processed only for legitimate employment purposes.

DPDP-16 | DPDP-016 | high

Data Retention Compliance

Data must be retained only as long as necessary; deleted promptly when no longer required.

DPDP-17 | DPDP-017 | high

Easy Consent Withdrawal

Withdrawal of consent must be as easy as giving it.

DPDP-18 | DPDP-018 | low

Penalty Awareness

Awareness of DPDP penalty structure: up to ₹250 crore per violation.

DPDP-19 | DPDP-019 | high

Verifiable Consent Records

Consent records must be verifiable: timestamp, scope, mechanism, withdrawal log.

DPDP-20 | DPDP-020 | high

Cross-Border Transfer Restrictions

Maintain the ability to suspend transfers per Central Government notification.