Digital Personal Data Protection Act (DPDPA)
Internal Compliance Reference Documentation v2.0 (2026 Update)
Act Overview
The DPDPA governs the processing of digital personal data in India. It aims to balance the right of individuals to protect their personal data with the need to process such data for lawful purposes.
- Applicability: Digital personal data, whether collected online or collected offline and later digitised.
- Territory: Processing within India, and processing outside India where it involves offering goods or services to, or profiling, individuals in India.
Key Definitions
| Term | Definition |
|---|---|
| Data Principal | The individual to whom the personal data relates. |
| Data Fiduciary | The entity that determines the purpose and means of processing. |
| Data Processor | Any person/entity who processes data on behalf of a Fiduciary. |
| Consent Manager | A registered entity that manages consent on behalf of the Principal. |
Rights of Data Principals
Every individual (Data Principal) has the following four core rights:
- Right to Access: A summary of the personal data being processed and the identities of the parties with which it has been shared.
- Right to Correction/Erasure: Rectification of inaccurate data, or deletion of data that is no longer needed for the stated purpose.
- Right to Grievance Redressal: Access to a mechanism to resolve complaints.
- Right to Nominate: Appointing someone to exercise rights in case of death/incapacity.
Obligations of Data Fiduciaries
Entities must ensure the following compliance measures are in place:
- Notice: Provide a clear notice describing the personal data collected and the purpose of processing.
- Accuracy: Ensure personal data is accurate and complete where it affects the Principal.
- Security: Implement reasonable security safeguards to prevent personal data breaches.
- Breach Notification: Inform the Data Protection Board and the affected Principal in the event of a personal data breach.
Financial Penalties
Failure to comply can result in significant fines as per the Schedule of the Act:
| Violation | Maximum Penalty |
|---|---|
| Failure to prevent data breach | Up to ₹250 Crore |
| Failure to notify breach | Up to ₹200 Crore |
| General non-compliance | Up to ₹50 Crore |