Almost every obligation in India's Digital Personal Data Protection Act 2023 turns on a single phrase: personal data. If something is personal data, the law applies — you need a lawful basis, a notice, security safeguards, and a way to honour the individual's rights. If it is not, the Act largely leaves it alone.
So getting this definition right is not a legal nicety. It decides which of your spreadsheets, databases, CCTV feeds, and CRM records fall under the law, and which do not. This guide explains what personal data means under the DPDP Act, gives plain examples of what counts and what does not, clears up the widespread myth about "sensitive personal data", and maps the three roles every business needs to understand: the Data Principal, the Data Fiduciary, and the Data Processor.
What Is Personal Data Under the DPDP Act?
Personal data is any data about an individual who can be identified by or in relation to that data. That is the definition in Section 2 of the DPDP Act 2023, and the key word is identifiable. If a piece of information can be tied back to a specific living person — directly, or by combining it with other information you hold — it is personal data.
Two parts make up the test:
- It is "data" — a representation of information, facts, opinions, or instructions, in a form suitable for processing (digital or otherwise).
- It relates to an identifiable individual — a natural person who can be singled out from that data, alone or in combination with other data.
If both are true, you are holding personal data, and the DPDP Act applies to how you collect, store, use, and share it.
Key Takeaway
The line is "identifiable individual." A phone number on its own identifies a person, so it is personal data. Aggregate, anonymised statistics that can never be traced back to anyone are not. Most of the grey area in practice is about whether data can be re-linked to a person.
Examples of Personal Data (and What Is Not)
The definition is abstract, so here is the practical version. The table below shows common examples Indian businesses handle every day.
| Usually personal data | Not personal data on its own |
|---|---|
| Full name, with any other detail | Fully anonymised, aggregated statistics |
| Mobile number, email address | A city's total population figure |
| Aadhaar, PAN, passport, voter ID | A product's price or stock count |
| Home or billing address | Weather data for a region |
| Photographs and CCTV footage of a person | Truly de-identified survey totals |
| Location data and device identifiers | A company's registered office address* |
| Bank account, UPI ID, card details | Generic, non-personal log entries |
| Health records, biometric data | Anonymous website visit counts |
| Employee ID linked to a person | — |
| Online identifiers (cookies, IP) that single out a user | — |
*Company information is generally not personal data — the Act protects individuals, not organisations. But the moment a detail identifies a specific person (a proprietor's name, a director's personal mobile, a sole trader's home address), it becomes personal data again.
A useful rule of thumb: if you could use the data, on its own or with other records you keep, to send a message to one particular human being or pull up their file, it is almost certainly personal data.
"Digital" Personal Data: Why That Word Matters
The Act's full name is the Digital Personal Data Protection Act, and that word sets its scope. The law applies to personal data that is:
- collected in digital form, or
- collected on paper and later digitised (for example, a paper consent form you scan and store).
Purely offline, never-digitised records — a handwritten visitor register that stays in a drawer — fall outside the Act. In reality, almost every business digitises its records, so for practical purposes most personal data you handle is in scope.
Do not treat "we mostly use paper" as an exemption. The instant that paper is scanned, photographed, or typed into a system, it becomes digital personal data and the full weight of the Act applies.
Is There "Sensitive Personal Data" Under the DPDP Act?
This is the single biggest misconception, so it is worth stating plainly.
The DPDP Act 2023 does not create a separate legal category called "sensitive personal data." The older SPDI Rules (2011) under the IT Act did, and the EU's GDPR has its own "special category" data. People assume the DPDP Act copied that structure. It did not.
Under the DPDP Act, there is one definition of personal data, and it covers everything from your name to your health and biometric records under the same core rules. The Act adds extra protection in specific situations rather than by data type:
- Children's data (under 18) requires verifiable parental consent, and behavioural tracking or targeted advertising to children is prohibited.
- Persons with disability under lawful guardianship get equivalent protection through their guardian.
- Significant Data Fiduciaries — larger or higher-risk organisations the government may notify — carry heavier obligations such as a Data Protection Officer and Data Protection Impact Assessments.
Key Takeaway
Stop sorting your data into "sensitive" and "ordinary" buckets for DPDP purposes. The Act treats it as one category. The heightened duties attach to who the person is (a child, a person with disability) or who you are (a Significant Data Fiduciary), not to a special tier of data.
For a side-by-side view of how this differs from Europe, see our DPDP Act vs GDPR comparison.
Who's Who: Data Principal, Data Fiduciary, Data Processor
Once you know what personal data is, the next question is who does what with it. The DPDP Act defines three roles, and a real-world data flow usually involves all three. This is exactly the language regulators, contracts, and auditors will use, so it pays to get it right.
Data Principal (the individual): The person the data is about, such as your customer, employee, or user. For a child, it is their parent or lawful guardian.
Data Fiduciary (decides why and how): The business that determines the purpose and means of processing. It carries the legal obligations under the Act.
Data Processor (acts on instructions): A vendor that processes data on the Fiduciary's behalf under contract, for example a cloud, payroll, or email provider.
Here is the same picture as a quick reference:
| Role | Who they are | Plain-English job | Example |
|---|---|---|---|
| Data Principal | The individual the data is about | Owns the rights over their data | Your customer placing an order |
| Data Fiduciary | The business deciding why and how data is processed | Holds the legal obligations | Your company, running the store |
| Data Processor | A vendor processing data on the Fiduciary's behalf | Acts only on instructions, under contract | Your cloud host or payroll provider |
The point people most often miss: organisations that process data on behalf of a Data Fiduciary are called Data Processors, and engaging one does not transfer your accountability. As the Data Fiduciary, you remain responsible to the Data Principal even when a processor does the hands-on work. That is why a written contract with every processor matters.
A worked example
A customer (Data Principal) buys from your online store. Your company (Data Fiduciary) decides what data to collect and why. You store it on a cloud provider and send invoices through a billing tool (Data Processors). The customer's name, address, and payment details are the personal data flowing through all three.
To go deeper on the obligations each role carries, see our chapters on what a Data Fiduciary must do and the rights of the Data Principal.
Why Getting "Personal Data" Right Matters
Misjudging what counts as personal data is not a small slip — it cascades through your whole compliance posture:
- Notice and consent. You can only ask for the right consent if you have correctly identified the personal data you collect and why. Our guide on the privacy notice under the DPDP Act covers what that disclosure must say.
- Security safeguards. The Act requires "reasonable security safeguards" for personal data. You cannot protect what you have not recognised as in scope.
- Data Principal rights. People can ask what data you hold, correct it, or have it erased. If a category slipped past your radar, you cannot answer.
- Penalties. Breaches carry financial penalties of up to ₹250 crore per instance. Underestimating your data footprint directly increases that exposure — see our penalties explainer.
The first practical step is a data map: list every category of personal data you collect, where it lives, why you hold it, and who processes it. That single exercise answers most of the questions the Act will ever ask you.
The Bottom Line
Personal data under the DPDP Act is any data about an identifiable individual, in digital form or later digitised. There is no separate "sensitive personal data" tier — it is one category, with extra duties for children, persons with disability, and Significant Data Fiduciaries. Around that data sit three roles: the Data Principal who owns the rights, the Data Fiduciary who decides why and how (and stays accountable), and the Data Processor who acts on the Fiduciary's instructions.
Get the definition right, map your data, and the rest of DPDP compliance becomes a series of answerable questions rather than a guessing game. Not sure whether the Act even applies to your business yet? Start with our DPDP Applicability Checker.
Frequently Asked Questions
What is the definition of personal data under the DPDP Act 2023?
Personal data is any data about an individual who is identifiable by or in relation to that data. It has two parts: it must be "data" (a representation of information), and it must relate to an identifiable living person, either on its own or combined with other data you hold.
What are examples of personal data in India?
Common examples include a person's name, mobile number, email, home address, Aadhaar, PAN, passport details, photographs and CCTV footage, location and device identifiers, bank or UPI details, health records, and biometric data. Online identifiers like cookies or IP addresses that single out a user also count.
Is there sensitive personal data under the DPDP Act?
No. Unlike the older SPDI Rules or the EU's GDPR, the DPDP Act 2023 does not create a separate "sensitive personal data" category. It uses one definition of personal data, and adds extra protection for children, persons with disability, and Significant Data Fiduciaries rather than for a special tier of data.
What is the difference between a Data Principal, Data Fiduciary, and Data Processor?
The Data Principal is the individual the data is about. The Data Fiduciary is the business that decides why and how the data is processed and holds the legal obligations. The Data Processor is a vendor that processes data on the Fiduciary's behalf, under contract. The Fiduciary stays accountable even when a Processor does the work.
What are organisations that process data on behalf of a Data Fiduciary called?
They are called Data Processors. A Data Processor acts only on the Data Fiduciary's instructions, typically a cloud host, payroll service, or email provider. Engaging one does not transfer the Fiduciary's responsibility, which is why a written processing contract is required.
Does the DPDP Act apply to paper records?
The Act applies to personal data collected in digital form, or collected on paper and later digitised. Purely offline records that are never digitised fall outside it. Because nearly all businesses scan or enter records into systems, most personal data ends up in scope.
For the full section-by-section walkthrough of the law, see our DPDP Act 2023 complete guide.
Legal Disclaimer: This article is for informational purposes only and does not constitute legal advice. Laws and regulations may change; for advice specific to your organisation's situation, consult a qualified legal professional. While every effort has been made to ensure accuracy, Vratex makes no representations as to the completeness or currency of the information contained herein.