DPDP Act 2023 FAQ: What Every Business and Startup Must Know About Compliance
By Akanksha Vatsa & Adv. Manvee (Technology & Data Protection Lawyer)
Introduction
India’s data protection framework underwent a structural transformation with the enactment of the Digital Personal Data Protection Act, 2023 (“DPDP Act 2023”). For the first time, India adopted a comprehensive, horizontal data protection statute governing the processing of digital personal data across sectors, technologies, and organisational forms. Unlike the earlier framework under the Information Technology Act, 2000, and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (“SPDI Rules”), which applied narrowly and unevenly, the DPDP Act 2023 establishes a unified, principle-based regime anchored in consent, accountability, and individual autonomy.
The constitutional basis of the DPDP Act 2023 lies in the Supreme Court’s landmark decision in Justice K.S. Puttaswamy (Retd.) v. Union of India, where the right to privacy was recognised as a fundamental right under Article 21 of the Constitution.[1] The Court emphasised that informational privacy requires a statutory framework that balances individual dignity with legitimate state and commercial interests. The DPDP Act 2023 operationalises this mandate by placing the individual (hereinafter “Data Principal”) at the centre of data governance, while assigning clear responsibilities to entities that collect and process personal data (hereinafter termed as “Data Fiduciaries”).
For businesses and start-ups, the DPDP Act 2023 is not merely a compliance statute. It reshapes how digital products are designed, how consent is sought, how data is retained, and how accountability is demonstrated. This article presents an integrated, FAQ-based guide to the DPDP Act 2023, moving from foundational concepts to consent mechanisms, children’s data, business obligations, and enforcement, with a specific focus on practical compliance for organisations with no prior data protection expertise.
Key Concepts Under the Digital Personal Data Protection Act, 2023
1. What is “data” and “personal data” under the DPDP Act 2023?
The DPDP Act 2023 defines “data” as a structured representation of information, facts, concepts, opinions, or instructions that is suitable for communication, interpretation, or processing, whether manually or through automated means.[2] This technology-neutral definition ensures that the law remains adaptable to evolving digital systems.
“Personal data” means any data about an individual who is identifiable by or in relation to such data.[3] Identifiability is the governing test, not the form of the data. Names, phone numbers, IP addresses, customer identifiers, or combinations of information that can identify an individual all fall within this definition.
While personal data may exist in physical or digital form, the DPDP Act 2023 applies only to digital personal data.[4] Accordingly, data collected in physical form becomes subject to the Act once it is digitised, such as when information from paper forms is entered into a database.
2. What does “processing” of personal data mean?
“Processing” under the DPDP Act 2023 is defined broadly to include any operation performed on personal data, whether automated or manual. This includes collection, recording, organisation, storage, adaptation, retrieval, use, sharing, disclosure, restriction, erasure, or destruction.[5]
In practice, nearly every interaction an organisation has with personal data constitutes processing. From maintaining employee records to analysing customer behaviour or deleting inactive user accounts, the entire lifecycle of data is regulated under the Act.
3. Who are Data Principals, Data Fiduciaries, and Data Processors?
A Data Principal is the individual to whom the personal data relates. In certain contexts, this also includes parents or lawful guardians of children, guardians of persons with disabilities, and nominees acting on behalf of deceased or incapacitated individuals.[6]
A Data Fiduciary is the person or entity that determines the purpose and means of processing personal data.[7] This role is comparable to a “data controller” under other global data protection laws and carries primary responsibility and liability under the DPDP Act 2023.
A Data Processor processes personal data on behalf of a Data Fiduciary and strictly in accordance with its instructions.[8] While processors have obligations, accountability ultimately rests with the Data Fiduciary.
4. What is the territorial scope of the DPDP Act 2023?
The DPDP Act 2023 applies to the processing of digital personal data within India.[9] It also applies extraterritorially to processing outside India where such processing is connected with offering goods or services to individuals located in India.[10] As a result, foreign entities targeting Indian users may be subject to the Act even without a physical presence in India.
DPDP Act 2023: Phased Implementation and Transition from SPDI Rules
5. When do the provisions of the DPDP Act 2023 come into force?
The DPDP Act 2023 is being enforced in a phased manner to allow organisations time to transition to the new compliance framework.[11]
The first phase came into effect upon notification of the DPDP Rules in November 2025 and relates primarily to institutional provisions, including the establishment, composition, and functioning of the Data Protection Board of India, along with rule-making powers.[12]
The second phase, concerning Consent Managers, will come into force one year after notification, i.e., on November 13, 2026.[13] This phase enables the consent management ecosystem to be operational before substantive obligations apply.
The third and final phase, which includes the core compliance obligations such as consent requirements, notice obligations, rights of Data Principals, duties of Data Fiduciaries, breach notification, and penalties, will come into force eighteen months after notification, i.e., on May 13, 2027.[14] From this date, full compliance with the DPDP Act 2023 becomes mandatory.
6. Until when do the SPDI Rules continue to apply?
Until the final phase of the DPDP Act 2023 comes into force, the SPDI Rules continue to remain applicable.[15] Accordingly, organisations handling sensitive personal data must comply with the SPDI Rules until May 13, 2027, after which Section 43A of the Information Technology Act, 2000, and the SPDI Rules will stand repealed.[16] Other provisions of the IT Act, however, will continue to apply.
7. What should organisations do during the transition period?
The transition period is intended to facilitate progressive compliance, not regulatory inertia. Organisations should use this time to:
- assess applicability,
- map personal data flows, i.e., prepare a personal data inventory,
- identify lawful processing bases,
- redesign consent mechanisms,
- update contracts and contractual clauses with their processors and vendors,
- implement security safeguards,
- establish grievance redressal and breach response systems,[17]
- train personnel, and
- conduct a harmonised assessment of DPDP obligations alongside sector-specific regulations, particularly in regulated industries (such as finance and healthcare).
8. How does the transition affect existing consents?
Where personal data was collected on the basis of consent prior to the enforcement of DPDP Act 2023’s consent requirements, organisations are not required to recollect consent immediately. However, after May 13, 2027, they must issue a fresh notice informing Data Principals of the purpose of processing, their rights, and grievance mechanisms.[18] Processing may continue unless consent is withdrawn.
Consent Requirements Under the Digital Personal Data Protection Act, 2023
9. Why does the DPDP Act 2023 place consent at the centre of data processing?
The DPDP Act 2023 is fundamentally consent-centric. Consent is treated not as a procedural checkbox but as a substantive expression of individual autonomy over personal data. This approach reflects the constitutional emphasis on informational self-determination articulated by the Supreme Court in the Puttaswamy judgment.[19] Under the Act, consent is the default legal basis for processing personal data, and any deviation from this rule must fall squarely within statutorily defined exceptions.
For businesses, this means that the legitimacy of most data processing activities, ranging from onboarding users to analytics and marketing, depends on whether consent has been obtained in the manner prescribed by law.
Practical Illustration
A food delivery application, “Panda Eats,” collects a user’s phone number to create an account and deliver orders. If Panda Eats later starts using that phone number for promotional SMS campaigns without obtaining specific consent for marketing, such processing would be unlawful. Even though the number was collected legitimately for service delivery, its use for advertising requires separate, purpose-specific consent.
Quick Compliance Tip for Businesses
- Identify all processing activities currently relying on implied or bundled consent.
- Separate service-essential processing from marketing or analytics.
- Avoid “all-in-one” acceptance models.
- Document which purpose each consent corresponds to.
- Maintain a consent register mapping purpose → data category → retention period.
10. What constitutes valid consent under the DPDP Act 2023?
Consent under the DPDP Act 2023 must be free, specific, informed, unconditional, and unambiguous, and must be signified through a clear affirmative action by the Data Principal.[20] This formulation deliberately rejects older practices where consent was inferred from silence, inactivity, or continued use of a service.
Consent is also purpose-bound. A Data Fiduciary may process personal data only for the specific purpose disclosed at the time consent is sought, and only to the extent necessary to achieve that purpose. Any change in purpose, expansion of use, or additional data collection requires fresh consent.[21]
Crucially, the burden of proof lies entirely on the Data Fiduciary. In the event of a complaint or regulatory inquiry, the organisation must be able to demonstrate that consent was obtained in compliance with the Act.[22]
Practical Illustration
A fitness app “FitBit” displays a consent screen stating: “We will use your health data to provide personalised workout recommendations. Do you agree?”
FitBit users must actively click “I Agree” before it collects heart rate or step data.
If FitBit automatically enables tracking by default, or hides the consent inside long terms and conditions, such consent would not be considered valid under the DPDP Act 2023.
Quick Compliance Tip for Businesses
- Use clear “Accept” or “I Agree” buttons (no pre-ticked boxes).
- Avoid vague phrases like “improving services” without explanation.
- Provide purpose-specific consent (no bundled marketing + service consent).
- Maintain verifiable logs of consent capture (timestamp, version control).
- Remember: The burden of proof lies entirely on the Data Fiduciary.
11. How must consent be requested and recorded?
Consent must be preceded by a clear and intelligible notice. The notice must describe the categories of personal data being collected, the purpose of processing, the goods or services enabled by such processing, and the rights available to the Data Principal, including the right to withdraw consent and seek grievance redressal.[23]
The DPDP Act 2023 requires that the notice be presented in plain language, independent of other contractual terms, and accessible in English or any language specified in the Eighth Schedule to the Constitution.[24] This requirement is particularly significant in India’s linguistically diverse digital ecosystem and underscores the Act’s emphasis on meaningful choice.
While the DPDP Act 2023 does not prescribe a fixed format, consent mechanisms such as click-wrap agreements may be valid provided they meet the statutory thresholds. Pre-ticked boxes, bundled permissions, or consent buried in lengthy terms of service are unlikely to pass legal scrutiny.
Practical Illustration
An e-commerce platform “Ziggy” asks users for consent in the following manner:
- Separate consent for: (a) Account creation; (b) Order fulfilment; (c) Marketing emails
- Notice displayed in English and Hindi
- Each consent obtained through a separate toggle
Ziggy also stores:
- Timestamp of consent
- IP address
- Version of the notice shown to the user
This creates an audit trail to demonstrate compliance if questioned by the regulator.
Quick Compliance Tip for Businesses
- Keep notice and consent flow separate from general terms & conditions.
- Use plain, non-technical language.
- Provide access in English and relevant regional languages.
- Maintain an internal audit trail of consent.
- Conduct UI/UX audits to eliminate dark patterns.
12. Is implied or deemed consent recognised?
No. The DPDP Act 2023 does not recognise implied consent.[25] Continued use of a platform, browsing activity, or failure to opt out cannot be treated as consent. This marks a clear departure from earlier digital practices and requires businesses to redesign user interfaces to ensure affirmative consent.
Where consent cannot be obtained in the prescribed manner, processing must either cease or be justified under one of the alternative lawful bases expressly permitted by the Act.
Practical Illustration
A news website, “BhartiNews,” places a banner that says: “By continuing to browse this website, you consent to all data processing.” The user is not given a choice or an “Accept” button. Under the DPDP Act, this would not constitute valid consent, because:
- There is no clear affirmative action.
- Consent is assumed from continued use.
BhartiNews must instead provide an explicit “Accept” option.
Quick Compliance Tip for Businesses
- Review cookie banners relying on “continued browsing.”
- Eliminate opt-out-only consent structures.
- Remove consent buried in scroll-wrap terms.
- Ensure clear affirmative action before data collection.
13. Can consent be withdrawn, and what are the legal consequences?
Yes. A Data Principal has the right to withdraw consent at any time, and the mechanism for withdrawal must be as easy as the mechanism used to give consent.[26] Any design that makes withdrawal cumbersome or opaque would be inconsistent with the Act.
Upon withdrawal, the Data Fiduciary must, within a reasonable time, cease processing the personal data and ensure that any Data Processor acting on its behalf also stops such processing.[27] Processing carried out prior to withdrawal remains lawful.
The DPDP Act 2023 clarifies that the consequences of withdrawal are borne by the Data Principal. This may include loss of access to a service where processing of personal data is integral to service delivery, provided such consequences are proportionate and clearly disclosed.[28]
Practical Illustration
A user signs up for a music streaming platform, “Zync,” and consents to receive promotional emails. After three months, the user clicks “Unsubscribe”.
Legal effect:
- Zync must stop sending marketing emails.
- Zync must also ensure that any third-party marketing vendors stop processing the user’s email.
- The user may still continue to use the core music streaming service of Zync, unless marketing emails were essential to the service (which is unlikely).
Quick Compliance Tip for Businesses
- Make withdrawal as simple as the consent mechanism.
- Keep it visible and accessible in user dashboards.
- Trigger automated cessation of downstream processing.
- Update suppression lists to avoid re-contacting users.
- Establish internal SOPs for withdrawal handling.
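The consent record described in the Ziggy illustration (timestamp, IP address, notice version, one consent per purpose) and the withdrawal handling described in the Zync illustration (cessation, downstream vendors told to stop, suppression list) can be modelled with one small append-only register. The code below is an added example written for this article; it is not code from the authors or from any named platform, and the purpose names, vendor names and IP address are constructed placeholders.

```python
"""
Purpose-bound consent register with an audit trail and withdrawal handling.
Added illustration for the DPDP consent discussion; names are hypothetical.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set


@dataclass
class ConsentEvent:
    principal_id: str
    purpose: str            # exactly one purpose per record, never bundled
    granted: bool           # True = consent given, False = consent withdrawn
    notice_version: str     # version of the notice shown when consent was captured
    source_ip: str
    timestamp: datetime


@dataclass
class ConsentRegister:
    # Append-only log of every grant and withdrawal: this is the audit trail
    # an organisation would produce if questioned by the regulator.
    events: List[ConsentEvent] = field(default_factory=list)
    # Processors that handle a given purpose and must be told to stop on withdrawal.
    downstream: Dict[str, List[str]] = field(default_factory=dict)
    # Suppression list per purpose, so withdrawn principals are not re-contacted.
    suppression: Dict[str, Set[str]] = field(default_factory=dict)

    def record_consent(self, principal_id: str, purpose: str, notice_version: str,
                       source_ip: str, now: Optional[datetime] = None) -> ConsentEvent:
        now = now or datetime.now(timezone.utc)
        ev = ConsentEvent(principal_id, purpose, True, notice_version, source_ip, now)
        self.events.append(ev)
        # A fresh grant lifts any earlier suppression for that purpose.
        self.suppression.get(purpose, set()).discard(principal_id)
        return ev

    def latest(self, principal_id: str, purpose: str) -> Optional[ConsentEvent]:
        # Most recent event for this principal and purpose decides the current state.
        for ev in reversed(self.events):
            if ev.principal_id == principal_id and ev.purpose == purpose:
                return ev
        return None

    def may_process(self, principal_id: str, purpose: str) -> bool:
        # Processing is permitted only for a purpose with a live, specific consent;
        # an unknown or new purpose always needs fresh consent.
        ev = self.latest(principal_id, purpose)
        return ev is not None and ev.granted

    def withdraw(self, principal_id: str, purpose: str, source_ip: str = "withdrawal-ui",
                 now: Optional[datetime] = None) -> List[str]:
        now = now or datetime.now(timezone.utc)
        prior = self.latest(principal_id, purpose)
        version = prior.notice_version if prior else "n/a"
        self.events.append(ConsentEvent(principal_id, purpose, False, version, source_ip, now))
        self.suppression.setdefault(purpose, set()).add(principal_id)
        # Fan out a stop instruction to every processor handling this purpose.
        return list(self.downstream.get(purpose, []))

    def audit_trail(self, principal_id: str) -> List[ConsentEvent]:
        return [ev for ev in self.events if ev.principal_id == principal_id]


def demo() -> dict:
    """Constructed walk-through: grant two purposes, then withdraw marketing."""
    reg = ConsentRegister()
    reg.downstream["marketing_emails"] = ["mailvendor-a", "mailvendor-b"]  # hypothetical vendors
    t0 = datetime(2027, 5, 13, 9, 0, tzinfo=timezone.utc)
    reg.record_consent("user-42", "account_creation", "notice-v3-en", "203.0.113.7", t0)
    reg.record_consent("user-42", "marketing_emails", "notice-v3-en", "203.0.113.7", t0)
    stopped = reg.withdraw("user-42", "marketing_emails", now=t0.replace(month=8))
    return {
        "can_fulfil": reg.may_process("user-42", "account_creation"),
        "can_market": reg.may_process("user-42", "marketing_emails"),
        "can_analyse": reg.may_process("user-42", "analytics"),  # never consented
        "stopped": stopped,
        "suppressed": "user-42" in reg.suppression["marketing_emails"],
        "trail_len": len(reg.audit_trail("user-42")),
    }


if __name__ == "__main__":
    print(demo())
```

The register never overwrites a record: withdrawal is a new event, so the trail shows both the original grant (with the notice version the user actually saw) and the later withdrawal, and the service-essential purpose continues to be permitted while the marketing purpose is blocked and suppressed.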
14. Is consent required for processing employee data?
Consent is not always required for processing employee data. The DPDP Act 2023 permits processing without consent where it is necessary for employment-related purposes or for safeguarding the employer from loss or liability.[29] This includes payroll administration, attendance systems, internal investigations, prevention of corporate espionage, and protection of confidential information.
However, this exemption is not unlimited. Processing must remain necessary and proportionate, and excessive monitoring or unrelated data use may still attract regulatory scrutiny.
Practical Illustration
An employer installs an attendance system using employee biometric data for office entry. This processing may be lawful without consent because: (A) it is necessary for employment purposes; and (B) it ensures workplace security and attendance management. However, if the employer later uses the same biometric data for employee performance analytics, or shares it with a third-party marketing partner, such use may fall outside the employment exemption and could require consent.
Quick Compliance Tip for Businesses
- Document why processing is necessary for employment purposes.
- Avoid excessive surveillance or disproportionate monitoring.
- Restrict access on a need-to-know basis.
- Update HR data policies for DPDP compliance.
- Conduct proportionality assessments before new monitoring tools.
15. When can personal data be processed without consent?
The DPDP Act 2023 recognises specific “legitimate uses” where consent is not required. These include processing necessary for compliance with law, court orders, medical emergencies, disaster response, public health measures, and certain State functions.[30] These exceptions are narrowly framed and do not create blanket exemptions from the Act.
For businesses, reliance on legitimate use must be carefully assessed and documented, as misuse of these grounds may expose organisations to penalties.
Practical Illustration
(1) Legal Compliance: A bank shares customer transaction data with the Income Tax Department in response to a statutory notice. This processing does not require consent because it is mandated by law.
(2) Medical Emergency: An unconscious accident victim is admitted to a hospital.
Doctors access the patient’s digital health records without consent to administer urgent treatment. This is permitted as a legitimate use under the DPDP Act.
Quick Compliance Tip for Businesses
- Maintain written justification for “legitimate use.”
- Limit processing strictly to the statutory purpose.
- Avoid secondary commercial use.
- Periodically reassess whether consent is required.
- Treat legitimate use as a narrow exception.

Processing Children’s Data and Data of Persons with Disabilities Under the Digital Personal Data Protection Act, 2023
16. Who is considered a child under the DPDP Act 2023?
A child is defined as any individual who has not completed eighteen years of age.[31] This definition adopts a uniform age threshold and does not recognise graded capacity based on maturity or understanding.
Practical Illustration
A 17-year-old user downloads a music streaming app, “Zync,” and creates an account using their email and phone number. Even though the user may be technologically literate and capable of using the app independently, Zync must treat them as a “child” under the DPDP Act 2023 and obtain verifiable parental consent before processing their personal data.
17. How does the DPDP Act 2023 regulate processing of children’s personal data?
The DPDP Act 2023 adopts a protective and paternalistic approach towards children’s personal data. As a general rule, personal data of a child may be processed only after obtaining verifiable consent from the child’s parent or lawful guardian.[32] Consent given directly by the child is not sufficient, regardless of the context.
In addition, the Act imposes a categorical prohibition on behavioural tracking and targeted advertising directed at children.[33] This restriction applies even where parental consent has been obtained and has significant implications for digital platforms, ed-tech services, gaming applications, and social media companies.
Practical Illustration
An ed-tech platform offers online coding classes for school students.
Before collecting a child’s name, school details, or performance data, the platform must:
- Obtain verifiable parental consent.
- Avoid tracking the child’s behaviour for advertising purposes.
- Refrain from showing targeted ads based on the child’s activity.
Even if a parent consents, the platform cannot use the child’s data for targeted advertising.
18. What is “verifiable consent” in the context of children?
Verifiable consent refers to additional due diligence undertaken by a Data Fiduciary to confirm that the person providing consent is indeed the child’s parent or lawful guardian.[34] The DPDP Rules allow flexibility in how this verification is achieved.
Organisations may rely on identity and age details already available with them, self-declarations by the parent or guardian, or verified digital identity tools such as virtual tokens issued by authorised entities or digital locker service providers. The law deliberately avoids mandating a single technological solution.
Practical Illustration
A gaming app designed for users aged 10–16 requires parental consent at sign-up.
The app:
- Asks the child to enter the parent’s email.
- Sends a consent link to the parent.
- Requires the parent to confirm identity using a one-time password or digital ID.
Only after this verification does the app activate the child’s account.
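The sign-up flow in the gaming-app illustration (consent link sent to the parent, identity confirmed with a one-time password, account activated only afterwards) is shown below as an added example. It is not the article's code or any vendor's implementation; the link format, the 24-hour link validity, the 10-minute OTP validity, the attempt limit and the e-mail addresses are all assumptions made for the demonstration.

```python
"""
Verifiable parental consent: link plus one-time password before a child's
account is activated. Added illustration; all parameters are assumptions.
"""
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Set, Tuple

LINK_TTL = timedelta(hours=24)    # assumption: consent link valid for one day
OTP_TTL = timedelta(minutes=10)   # assumption: OTP valid for ten minutes
MAX_ATTEMPTS = 5                  # assumption: lock the token after five wrong codes


class ParentalConsentFlow:
    def __init__(self, server_secret: bytes):
        self._secret = server_secret
        self._pending: Dict[str, dict] = {}
        self.activated: Set[str] = set()
        self.consent_log: List[dict] = []
        # Constructed stand-in for an outbound mail queue: (recipient, body).
        self.sent_mail: List[Tuple[str, str]] = []

    def _mac(self, data: str) -> str:
        return hmac.new(self._secret, data.encode(), hashlib.sha256).hexdigest()

    def start(self, child_id: str, parent_email: str, now: datetime) -> str:
        """Child enters the parent's e-mail; a link bound to child and parent is mailed."""
        token_id = secrets.token_urlsafe(16)
        link_token = f"{token_id}.{self._mac(f'{token_id}|{parent_email}|{child_id}')}"
        self._pending[token_id] = {
            "child_id": child_id, "parent_email": parent_email,
            "expires": now + LINK_TTL, "otp_hash": None, "otp_expires": None, "attempts": 0,
        }
        self.sent_mail.append((parent_email, f"https://example.invalid/consent/{link_token}"))
        return link_token

    def open_link(self, link_token: str, now: datetime) -> bool:
        """Parent opens the link: verify integrity and expiry, then issue an OTP."""
        token_id, _, mac = link_token.partition(".")
        rec = self._pending.get(token_id)
        if rec is None or now > rec["expires"]:
            return False
        expected = self._mac(f"{token_id}|{rec['parent_email']}|{rec['child_id']}")
        if not hmac.compare_digest(mac, expected):
            return False
        otp = f"{secrets.randbelow(10**6):06d}"
        rec["otp_hash"] = self._mac(otp)          # store only a keyed hash of the code
        rec["otp_expires"] = now + OTP_TTL
        self.sent_mail.append((rec["parent_email"], f"Your confirmation code: {otp}"))
        return True

    def confirm(self, link_token: str, otp: str, now: datetime) -> bool:
        """Parent submits the OTP; on success the token is consumed and the child activated."""
        token_id, _, _ = link_token.partition(".")
        rec = self._pending.get(token_id)
        if rec is None or rec["otp_hash"] is None or now > rec["otp_expires"]:
            return False
        rec["attempts"] += 1
        if rec["attempts"] > MAX_ATTEMPTS:
            self._pending.pop(token_id)            # too many guesses: discard the token
            return False
        if not hmac.compare_digest(rec["otp_hash"], self._mac(otp)):
            return False
        self._pending.pop(token_id)                # single use: no replay after success
        self.activated.add(rec["child_id"])
        self.consent_log.append({"child_id": rec["child_id"], "parent_email": rec["parent_email"],
                                 "verified_at": now.isoformat(), "method": "email-link+otp"})
        return True


def demo() -> dict:
    """Constructed scenario exercising tampering, a wrong code, success, replay and expiry."""
    flow = ParentalConsentFlow(b"constructed-demo-secret")
    t0 = datetime(2027, 6, 1, 10, 0, tzinfo=timezone.utc)
    link = flow.start("child-7", "parent@example.invalid", t0)
    tampered = flow.open_link(link[:-1] + ("a" if link[-1] != "a" else "b"), t0)
    opened = flow.open_link(link, t0 + timedelta(minutes=5))
    otp = flow.sent_mail[-1][1].rsplit(": ", 1)[1]  # the parent reads the code from the mail
    wrong_code = "000000" if otp != "000000" else "111111"
    wrong = flow.confirm(link, wrong_code, t0 + timedelta(minutes=6))
    ok = flow.confirm(link, otp, t0 + timedelta(minutes=7))
    replay = flow.confirm(link, otp, t0 + timedelta(minutes=8))
    link2 = flow.start("child-8", "other-parent@example.invalid", t0)
    expired = flow.open_link(link2, t0 + LINK_TTL + timedelta(seconds=1))
    return {"tampered": tampered, "opened": opened, "wrong": wrong, "ok": ok,
            "replay": replay, "expired": expired, "active": sorted(flow.activated)}


if __name__ == "__main__":
    print(demo())
```

The link carries a keyed MAC over the token, the parent's address and the child's identifier, so it cannot be re-pointed at another account; the OTP is stored only as a keyed hash, compared in constant time, and the token is consumed on success so the same link cannot activate a second account or be replayed. The consent log entry records which verification method was used, which is the kind of evidence a Data Fiduciary would need to show that consent was verifiable.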
19. Are there any exemptions from parental consent requirements?
Yes, but these exemptions are limited and purpose-specific. Certain entities such as healthcare professionals, clinical establishments, educational institutions, child daycare centres, and transportation providers engaged by schools may be exempt from obtaining verifiable parental consent where processing is strictly necessary for healthcare, education, safety, or child supervision functions.[35]
These exemptions do not permit commercial profiling, targeted advertising, or unrelated data processing.
Practical Illustration
A school uses a transport management app “SkoolSewa” to track the real-time location of school buses and notify parents. SkoolSewa collects the child’s name, class, and route details. Since the processing is: (A) strictly for child safety, and (B) conducted by a service provider engaged by the school, SkoolSewa may rely on the statutory exemption and may not need separate parental consent, provided the data is not used for marketing or profiling.
20. What standard of care applies to children’s personal data?
Data Fiduciaries must ensure that children’s personal data is not processed in a manner detrimental to the well-being of the child.[36] While the Act does not exhaustively define this phrase, it signals a higher duty of care requiring organisations to avoid manipulative design practices, excessive data collection, and unnecessary retention of children’s data.
Practical Illustration
A social media app designed for teenagers:
- Automatically makes profiles private.
- Disables targeted ads.
- Limits location sharing.
- Deletes inactive accounts after a defined period.
These features demonstrate that the platform is processing children’s data in a manner not detrimental to their well-being.
21. How does the DPDP Act 2023 apply to persons with disabilities?
The DPDP Act 2023 extends similar protective safeguards to persons with disabilities who are unable to take legally binding decisions. Processing of their personal data requires verifiable consent from a lawful guardian.[37]
Data Fiduciaries must verify guardianship through court orders or designated authorities under applicable disability and guardianship laws. This ensures that consent is not obtained from unauthorised or informal caregivers.
Practical Illustration
A digital healthcare platform, “FitBit,” provides services to an adult patient with a cognitive disability who has a court-appointed guardian.
Before collecting and processing the patient’s health and contact data, FitBit:
- Verifies the guardian’s authority using official documentation.
- Obtains consent from the guardian.
- Processes the data only for treatment and billing purposes.
Consent from the patient alone would not be legally sufficient.
22. Why are these enhanced safeguards important for businesses?
Non-compliance with obligations relating to children’s data and data of persons with disabilities attracts significantly higher penalties, which may extend up to INR 200 crore depending on the nature of the breach.[38] Beyond financial penalties, violations in this area are likely to attract heightened regulatory scrutiny and reputational harm.
For businesses, these provisions underscore the need for age-appropriate design, robust consent verification mechanisms, and conservative data practices when dealing with vulnerable groups.
Rights, Data Breach Notification, and Penalties Under the Digital Personal Data Protection Act, 2023
23. What rights does the DPDP Act 2023 confer on Data Principals?
The DPDP Act 2023 recognises Data Principals as rights-bearing subjects rather than passive data sources. While the Act does not replicate the expansive catalogue of rights found under the EU GDPR, it nevertheless confers a core set of enforceable rights designed to ensure transparency, accountability, and remedial access.
First, a Data Principal has the right to access information about the personal data being processed by a Data Fiduciary, including a summary of such data and the identities of other Data Fiduciaries or Data Processors with whom the data has been shared.[39] This right is intended to prevent opaque data ecosystems where individuals remain unaware of how their data circulates across multiple entities.
Second, Data Principals have the right to correction, completion, updating, and erasure of their personal data.[40] Where personal data is inaccurate, incomplete, or misleading, the Data Fiduciary is under a statutory obligation to rectify it upon request. Importantly, the right to erasure is triggered not only upon request but also when consent is withdrawn or when it is reasonable to assume that the purpose of processing has been fulfilled.
Third, Data Principals have the right to grievance redressal.[41] Every Data Fiduciary must establish an effective internal grievance mechanism and respond to grievances within a reasonable period not exceeding ninety days. This internal redressal mechanism is a mandatory precondition to approaching the Data Protection Board.
Finally, the Act recognises the right to nominate another individual to exercise these rights on behalf of the Data Principal in the event of death or incapacity.[42] This provision ensures continuity of data protection rights beyond the lifetime or physical ability of the individual.
24. Are there any notable rights that are absent under the DPDP Act 2023?
Yes. The DPDP Act 2023 consciously omits certain rights that are present in other global data protection regimes. Most notably, it does not recognise a right to data portability or an explicit right to object to automated decision-making.
This omission reflects a legislative choice to prioritise regulatory simplicity and business feasibility over maximal rights expansion. However, elements of these protections may still be indirectly exercised through the right to withdraw consent or seek erasure, particularly where automated systems rely on consent-based processing.
25. What are the general obligations of Data Fiduciaries in relation to these rights?
Data Fiduciaries bear the primary responsibility for ensuring that Data Principals can effectively exercise their rights. This includes prominently publishing grievance contact details, ensuring accessibility of rights mechanisms, verifying the identity of requesting Data Principals, and maintaining internal processes for timely compliance.[43]
Where personal data is disclosed to another Data Fiduciary or Data Processor, the original Data Fiduciary must ensure that the shared data remains accurate, complete, and consistent, particularly where such data may be used to make decisions affecting the Data Principal.[44]
26. What constitutes a “personal data breach” under the DPDP Act 2023?
A personal data breach is defined broadly as any unauthorised processing, accidental disclosure, acquisition, sharing, use, alteration, destruction, or loss of access to personal data that compromises its confidentiality, integrity, or availability.[45]
This definition deliberately extends beyond cyber-attacks and hacking incidents. Misconfigured databases, accidental emails, unauthorised employee access, or failure to implement adequate access controls may all qualify as personal data breaches under the Act.
27. What are the breach notification obligations of Data Fiduciaries?
The DPDP Act 2023 imposes strict and immediate breach notification obligations. Upon becoming aware of a personal data breach, the Data Fiduciary must notify both the Data Protection Board of India and each affected Data Principal without delay.[46]
The DPDP Rules further elaborate a three-stage notification framework.
- First, an initial notification must be sent to the Board as soon as practicable, outlining the nature and scope of the breach.
- Second, affected Data Principals must be informed in clear and plain language, including details of the breach, potential consequences, mitigation steps taken, and recommended safety measures.
- Third, a detailed breach report must be submitted to the Board within seventy-two hours, including root cause analysis and remedial actions.[47]
Unlike the GDPR, which applies a risk-based threshold for notifying data subjects, the DPDP Act 2023 mandates notification for all personal data breaches, regardless of severity. This reflects a strong transparency-oriented approach but also significantly increases compliance burdens for organisations.
28. What powers does the Data Protection Board of India possess?
The Data Protection Board of India is established as a specialised quasi-judicial authority responsible for enforcement of the DPDP Act 2023.[48] It is empowered to conduct inquiries, summon individuals, call for documents, receive evidence on affidavit, and impose monetary penalties.
The Board may also accept voluntary undertakings from Data Fiduciaries to remedy non-compliance, suspend proceedings, or direct corrective measures.[49] In appropriate cases, the Board may refer parties to mediation.
However, the Board does not possess powers of search and seizure where such actions would disrupt ordinary business operations, reflecting a calibrated enforcement approach.
29. What penalties can be imposed for non-compliance?
The DPDP Act 2023 prescribes significant monetary penalties, underscoring its deterrent intent. The maximum penalties include:
- Up to INR 250 crore – failure to implement reasonable security safeguards leading to a data breach;[50]
- Up to INR 200 crore – failure to notify the Board or affected Data Principals of a breach;[51]
- Up to INR 200 crore – violations relating to processing of children’s personal data;[52]
- Up to INR 150 crore – failure by Significant Data Fiduciaries to comply with additional obligations.[53]
For residual breaches not specifically enumerated, penalties may extend up to INR 50 crore. Data Principals may also be fined up to INR 10,000 for breach of their statutory duties, though this is expected to be applied sparingly.[54]
In determining penalties, the Board must consider factors such as the nature and gravity of the breach, duration, type of personal data affected, mitigation efforts, and whether the breach was intentional or negligent.[55]
30. Can decisions of the Board be challenged?
Yes. Any person aggrieved by an order of the Data Protection Board may appeal to the Telecom Disputes Settlement and Appellate Tribunal (TDSAT) within sixty days.[56] Civil courts are expressly barred from entertaining matters falling within the jurisdiction of the Board, reinforcing the specialised nature of data protection adjudication under the Act.
Conclusion
Taken together, the rights framework, breach notification regime, and penalty structure under the DPDP Act 2023 represent a decisive shift in India’s approach to data governance. The Act prioritises transparency, individual control, and institutional accountability while consciously avoiding over-regulation that could stifle innovation.
For businesses, the message is clear: compliance cannot be retrofitted after a breach or complaint. It must be embedded into organisational design, decision-making, and culture. For Data Principals, the DPDP Act 2023 offers enforceable mechanisms to reclaim control over personal data in an increasingly digital society. A practical starting checklist for an organisation with no prior data protection programme:
- Map all personal data collected, stored, and shared across the organisation, including data held by processors and vendors.
- Identify the lawful basis (consent or a legitimate use) for each processing activity.
- Redesign consent notices to meet DPDP Act requirements, stating the data, purpose and withdrawal route in clear language.
- Implement consent withdrawal that is as easy as giving consent, and stop processing once consent is withdrawn.
- Update contracts with data processors and vendors so that processing happens only under a valid contract and safeguards flow down.
- Adopt reasonable technical and organisational security safeguards (encryption or masking, access control, logging and monitoring to detect unauthorised access, and backups) and keep the records that show they operated.
- Establish an internal grievance redressal mechanism with a published contact and response timeline.
- Create a data breach response and notification protocol that can notify affected Data Principals and the Board within the timelines the Rules prescribe.
- Implement age-verification and verifiable parental consent mechanisms where required.
- Train employees on data protection responsibilities.
- Prepare for Data Principal rights requests (access, correction, erasure) with identity verification and tracked turnaround.
- Conduct periodic data protection assessments and audits, and retain evidence for the Board.
REFERENCES:
- Digital Personal Data Protection Act, 2023, No. 22 of 2023, Acts of Parliament, 2023 (India).
- Digital Personal Data Protection Rules, 2025, G.S.R. 843(E) (India).
- Information Technology Act, 2000, No. 21 of 2000 (India).
- Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, G.S.R. 313(E) (India).
- Justice K.S. Puttaswamy (Retd.) v. Union of India, (2017) 10 SCC 1 (Supreme Court of India).
- General Clauses Act, 1897, No. 10 of 1897 (India).
[1] Justice K.S. Puttaswamy (Retd.) v. Union of India, (2017) 10 SCC 1
[2] Digital Personal Data Protection Act, 2023, Section 2(h).
[3] Id. Section 2(t).
[4] Id. Section 3(a).
[5] Id. Section 2(x).
[6] Id. Section 2(j).
[7] Id. Section 2(i).
[8] Id. Section 8(1).
[9] Id. Section 3(a).
[10] Id. Section 3(b).
[11] Id. Section 1(2).
[12] Digital Personal Data Protection Rules, 2025, Rule 1–2.
[13] Id. Rule 4 & First Schedule.
[14] Digital Personal Data Protection Act, 2023, Section 1(2) read with Notification G.S.R. 843(E) (Nov. 13, 2025).
[15] Id. Section 44(2).
[16] Information Technology Act, 2000, § 43A (India); Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.
[17] Digital Personal Data Protection Rules, 2025, Rules 5–8.
[18] Digital Personal Data Protection Act, 2023, Section 5(2).
[19] Puttaswamy, supra note 1.
[20] Digital Personal Data Protection Act, 2023, Section 6(1).
[21] Id. Section 6(4).
[22] Id. Section 6(1) proviso.
[23] Id. Section 5(1).
[24] Id. Section 5(3).
[25] Id. Section 6(1).
[26] Id. Section 6(4).
[27] Id. Section 6(6).
[28] Id. Section 6(5).
[29] Id. Section 7(b).
[30] Id. Section 7(a)–(f).
[31] Id. Section 2(f).
[32] Id. Section 9(1).
[33] Id. Section 9(1) proviso.
[34] Digital Personal Data Protection Rules, 2025, Rule 10.
[35] Id. Fourth Schedule.
[36] Digital Personal Data Protection Act, 2023, Section 9(3).
[37] Digital Personal Data Protection Rules, 2025, Rule 11.
[38] Digital Personal Data Protection Act, 2023, Section 33(1) read with the Schedule, entry 3.
[39] Digital Personal Data Protection Act, 2023, Section 11.
[40] Id. Section 12.
[41] Id. Section 13.
[42] Id. Section 14.
[43] Id. Section 8(1).
[44] Id. Section 8(3).
[45] Id. Section 2(z).
[46] Id. Section 8(6).
[47] Digital Personal Data Protection Rules, 2025, Rule 7.
[48] Digital Personal Data Protection Act, 2023, Section 18.
[49] Id. Sections 31 (mediation) and 32 (voluntary undertaking).
[50] Id. Section 33(1) read with the Schedule, entry 1 (breach of Section 8(5)).
[51] Id. Section 33(1) read with the Schedule, entry 2 (breach of Section 8(6)).
[52] Id. Section 33(1) read with the Schedule, entry 3 (breach of Section 9).
[53] Id. Section 33(1) read with the Schedule, entry 4 (breach of Section 10).
[54] Id. Schedule, entries 5 (breach of Section 15 duties) and 7 (any other breach).
[55] Id. Section 33(2).
[56] Id. Section 29(2) (appeal to the Appellate Tribunal) and Section 39 (bar on civil courts).