DPDPA
Under the DPDPA, Data Privacy refers to an individual’s right to have their personal data collected, processed, stored, and shared only for lawful purposes, with explicit consent, and with adequate safeguards. Organisations must ensure transparency, purpose limitation, and protective measures while handling personal data.
The DPDP framework requires organisations to follow lawful processing, gain valid consent, manage data lifecycle securely, implement breach reporting, and honour data principals’ rights like access, correction, and grievance redressal.
The DPDP Rules define the operational details such as consent formats, breach reporting timelines, handling of children’s data, data retention norms, and cross-border transfer requirements. These Rules determine how organisations must implement the Act in practice.
The Digital Personal Data Protection (DPDP) Act is India’s comprehensive data protection law that governs how personal data of individuals is processed. It imposes strict responsibilities on Data Fiduciaries, including obtaining consent, ensuring security safeguards, enabling user rights, and preventing the misuse of personal data.
Businesses must:
- Obtain valid consent
- Provide notice of data use
- Ensure data accuracy
- Implement strong security safeguards
- Allow user rights (access, correction, deletion)
- Delete data after the purpose is fulfilled
- Report breaches to the Data Protection Board
Data fiduciaries must provide at least 48 hours’ notice to data principals before erasing personal data due to inactivity or the end of a retention period. This gives data principals an opportunity to engage with the service or exercise their rights to avoid erasure, unless retention or erasure is otherwise required by law.
Erasure is required upon consent withdrawal, when the specified purpose ends, or, for the classes of fiduciaries and purposes listed in the Third Schedule, if the data principal does not engage within the prescribed retention period. Legal mandates may override these obligations.
The DPDPA replaces fragmented IT Act rules with a unified, rights-based Data Privacy Act focused on user rights, consent-driven processing, purpose limitation, children’s protection, and stringent penalties of up to ₹250 crore for violations.