What Data is Protected by the India Digital Personal Data Protection Act 2023? A Comprehensive Guide to the India Data Privacy Law
Delve into the comprehensive guide to the India Digital Personal Data Protection Act 2023, exploring the breadth of protected data types and the implications of India's data privacy law.
In an increasingly data-driven world, personal information has become a valuable commodity. As individuals entrust more and more of their personal details to online platforms and digital services, the need for robust data protection measures has grown more crucial than ever. The India Digital Personal Data Protection Act (DPDPA), enacted in 2023, aims to establish a comprehensive framework for the protection of personal data in India. This article delves into the scope of protection under the DPDPA, providing a clear understanding of the types of data safeguarded by this landmark legislation.
What is the India Digital Personal Data Protection Act (DPDPA) 2023?
The India Digital Personal Data Protection Act 2023 (DPDPA) is a landmark piece of legislation that aims to safeguard the privacy of individuals in the digital age. The Act came into effect on September 1, 2023, and it applies to all organizations that process the personal data of individuals in India.
What is personal data?
Personal data is defined under the DPDPA as "any data that relates to a natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, or an online identifier." This broad definition encompasses a wide range of information, including but not limited to:
- Name, address, and contact information
- Date of birth and gender
- Financial information, such as bank account numbers and credit card details
- Online browsing history and search queries
- Social media posts and messages
- Location data, such as GPS coordinates
What data is protected by the DPDPA?
The DPDPA protects personal data that is processed in India, regardless of whether the data was originally collected in India or elsewhere. The Act also applies to the processing of personal data of Indian citizens, even if the data is processed outside of India.
The DPDPA does not apply to personal data that is:
- Processed for law enforcement or national security purposes
- Processed for the purpose of journalism or artistic expression
- Processed for personal or family purposes
India DPDP Phase 2 is expected to clarify how this scope interacts with data localization and cross‑border transfer restrictions.
Key principles of the DPDPA
The DPDPA is based on six key principles:
- Lawfulness: Personal data must be processed lawfully, fairly, and transparently.
- Purpose Limitation: Personal data must be collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
- Data Minimization: Personal data must be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed.
- Accuracy: Personal data must be accurate and, where necessary, kept up to date.
- Storage Limitation: Personal data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
- Integrity and Confidentiality: Personal data must be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organizational measures.
These principles will be further operationalized in India DPDP Phase 2, especially for significant data fiduciaries.
Rights of data principals
The DPDPA grants individuals several rights with respect to their personal data, including:
- The right to access their personal data
- The right to rectification of inaccurate personal data
- The right to erasure of their personal data
- The right to restrict the processing of their personal data
- The right to data portability
- The right to object to the processing of their personal data
Enforcement of the DPDPA
The DPDPA is enforced by the Data Protection Authority of India (DPA), which is an independent body responsible for overseeing the implementation of the Act. The DPA has the power to investigate complaints, issue fines, and order organizations to comply with the Act.
Final thoughts
The DPDPA is a significant piece of legislation that will have a profound impact on the way that organizations collect, use, and share personal data in India. The Act provides individuals with greater control over their personal data and imposes stricter obligations on organizations that process personal data. Organizations that are subject to the DPDPA should take steps to ensure that they are in compliance with the Act.
