Complete Reference Guide

The DPDP Act 2023 & DPDP Rules 2025, Explained

Every section of the Digital Personal Data Protection Act (DPDPA) and every rule, explained in plain English without legal jargon. 14 chapters covering all 30 topics of the complete Act and Rules.

~45 min read44 Act sections + 23 RulesLast updated: June 2026

Disclaimer: This guide is for informational purposes only and does not constitute legal advice. It is a plain-English interpretation of the Digital Personal Data Protection Act, 2023 and the DPDP Rules, 2025. For advice specific to your situation, consult a qualified legal professional. While every effort has been made to ensure accuracy, the official gazette text is the only authoritative source.

Part 1

Foundation

What Is the DPDP Act 2023 and Who Does It Apply To?

The Digital Personal Data Protection Act, 2023 (DPDP Act, also written DPDPA) is India's first comprehensive data protection law. It governs how organisations collect, store, use, and share digital personal data. It applies across India and to foreign businesses serving Indian users, and it is enforced by the Data Protection Board of India.

  • What Is the DPDP Act 2023?
  • Who Does the DPDP Act Apply To?
  • How the DPDP Act Relates to Other Indian Laws
  • What Changed in Other Laws (IT Act, RTI Act)
Read chapter

Data Fiduciary, Data Principal, Data Processor: DPDP Act Definitions

A Data Fiduciary is any person or organisation that determines why and how personal data is processed under India's DPDP Act 2023 (also called the DPDPA). In simple terms, it is the entity that decides the purpose of using your personal data. The Data Principal is the individual the data is about, and a Data Processor handles data on a Data Fiduciary's instructions. This chapter explains all 28 definitions in the Act.

  • Key Definitions in Plain English
Read chapter

DPDP Rules 2025: The Complete Enforcement Timeline

The DPDP Rules 2025 (under the DPDP Act 2023, also called the DPDPA) were notified on 13 November 2025 and take effect in three phases. The Data Protection Board became operational immediately, penalties and Consent Manager registration begin on 13 November 2026, and full compliance with consent, notice, security, and data rights obligations is required by 13 May 2027.

  • When Does the DPDP Act Come Into Force?
Read chapter

Part 2

Consent & Obligations

Consent and Notice Under the DPDP Act

Under the DPDP Act 2023 (DPDPA), personal data can be processed on only two grounds: consent, or certain legitimate uses. Consent must be free, specific, informed, unconditional, and unambiguous, given after a clear notice, and as easy to withdraw as it was to give. This chapter covers notice and consent requirements end to end.

  • On What Basis Can You Process Personal Data?
  • What Notice Must You Give Before Collecting Data?
  • How Does Consent Work Under the DPDP Act?
Read chapter

What Is a Consent Manager Under the DPDP Act?

A Consent Manager is a platform registered with the Data Protection Board of India, under the DPDP Act 2023 (DPDPA), that lets individuals give, review, manage, and withdraw consent across services from a single interface. Registration under Rule 4 opens on 13 November 2026, with eligibility conditions covering net worth, governance, and interoperability.

  • What Is a Consent Manager?
Read chapter

Legitimate Uses Under the DPDP Act: When Is Consent Not Required?

Section 7 of the DPDP Act 2023 (DPDPA) lists the legitimate uses where personal data may be processed without consent, including voluntary sharing for a specified purpose, State functions, legal obligations, medical emergencies, and employment purposes. Each ground is narrow, and processing must still stay within its stated purpose.

  • When Is Consent NOT Required? (Legitimate Uses)
Read chapter

Data Fiduciary Obligations: Security, Retention, and Erasure

Section 8 of the DPDP Act 2023 (DPDPA) makes Data Fiduciaries responsible for lawful processing, data accuracy, security safeguards, breach notification, and timely erasure. Rule 6 prescribes minimum security measures such as encryption, access control, logging, and backups. These obligations apply regardless of any contract with a Data Processor.

  • What Are Your Obligations as a Data Fiduciary?
  • What Security Measures Are Required?
  • When Must You Delete Personal Data?
Read chapter

Data Breach Notification Under the DPDP Act and Rules 2025

Rule 7 of the DPDP Rules 2025 (under the DPDP Act 2023, or DPDPA) requires every Data Fiduciary to notify affected individuals and the Data Protection Board when a personal data breach occurs — without delay — and to file a detailed report to the Board within 72 hours. This duty sits alongside the separate CERT-In 6-hour incident reporting requirement.

  • What Must You Do After a Data Breach?
Read chapter

How the DPDP Act Protects Children's Data

The DPDP Act 2023 (DPDPA) treats anyone under 18 as a child. Processing a child's personal data requires verifiable consent from a parent or lawful guardian, and the Act bans tracking, behavioural monitoring, and targeted advertising directed at children. Limited exemptions exist for healthcare, education, and child safety under the DPDP Rules 2025.

  • How Is Children's Data Protected?
Read chapter

Significant Data Fiduciaries: Designation and Extra Obligations

A Significant Data Fiduciary (SDF) is a Data Fiduciary or class of Data Fiduciaries that the Central Government notifies under Section 10 of the DPDP Act 2023 (DPDPA), based on factors like data volume, sensitivity, and risk. SDFs must appoint a Data Protection Officer in India, conduct annual audits, and complete Data Protection Impact Assessments. If you are wondering whether your organisation qualifies as an SDF, this chapter explains how the designation works and what extra obligations it triggers.

  • What Is a Significant Data Fiduciary?
Read chapter

Part 3

Rights & Duties

Data Principal Rights: Access, Correction, Erasure, and Grievance

The DPDP Act 2023 (DPDPA) gives every Data Principal four rights: to access information about how their data is processed, to correct and erase it, to grievance redressal, and to nominate another person to exercise rights on their behalf. It also imposes duties on Data Principals, a feature unique to Indian data protection law.

  • Right to Know What Data Is Being Processed
  • Right to Correct or Delete Your Data
  • Right to File a Grievance
  • Right to Nominate Someone to Act on Your Behalf
  • Duties of the Data Principal (Unique to DPDP)
Read chapter

Cross-Border Data Transfers and Exemptions Under the DPDP Act

The DPDP Act 2023 (DPDPA) allows personal data to be transferred outside India by default, using a negative list model: transfers are permitted to every country unless the Central Government restricts that destination by notification. This chapter also covers the Section 17 exemptions, including research, startups, and State functions.

  • Transferring Personal Data Outside India
  • Who Is Exempt from the DPDP Act?
Read chapter

Part 4

Enforcement & Penalties

The Data Protection Board of India: Complaints, Inquiries, Appeals

The Data Protection Board of India is the regulator created by the DPDP Act 2023 (the DPDPA). It functions as a digital office, hears complaints, conducts inquiries, accepts voluntary undertakings, and imposes penalties. Appeals against Board orders go to the TDSAT. This chapter explains how complaints, inquiries, and appeals work.

  • The Data Protection Board of India
  • How Complaints and Inquiries Work
  • How to Appeal a Board Decision
  • Voluntary Undertakings (Compliance Agreements)
Read chapter

Penalties Under the DPDP Act: The Complete Breakdown

Penalties under the DPDP Act 2023 (DPDPA) range from Rs 10,000 to Rs 250 crore per violation. The maximum penalty under the DPDP Act — up to Rs 250 crore — applies to a failure to implement reasonable security safeguards, while failure to notify a breach and violations of children's data obligations each attract up to Rs 200 crore. The Schedule sets out the full penalty table.

  • Penalties Under the DPDP Act
  • When Can Your Services Be Blocked?
Read chapter

Frequently Asked Questions

What does DPDPA stand for?

DPDPA stands for the Digital Personal Data Protection Act, 2023 — India's first comprehensive data protection law (Act No. 22 of 2023). The same law is also written as the DPDP Act; both abbreviations refer to the identical statute.

Is DPDPA the same as the DPDP Act?

Yes. DPDPA and DPDP Act are interchangeable abbreviations for the Digital Personal Data Protection Act, 2023. There is no difference between them — both refer to the same Indian law governing digital personal data.

What is the DPDP Act 2023?

The Digital Personal Data Protection Act, 2023 (Act No. 22 of 2023), commonly abbreviated as the DPDP Act or DPDPA, is India's first comprehensive law governing how organisations collect, store, use, and share personal data in digital form. It received Presidential assent on 11 August 2023.

When does the DPDP Act come into force?

The DPDP Act comes into force in three phases: Phase 1 (13 November 2025): Board established, definitions in force. Phase 2 (13 November 2026): enforcement powers, penalties framework, Consent Manager registration. Phase 3 (13 May 2027): full compliance required including consent, notice, obligations, and all rights.

What are the penalties under the DPDP Act?

Penalties range from ₹10,000 (for Data Principal duty breaches) to ₹250 crore (for failure to take reasonable security safeguards). The penalty for failing to notify a breach is up to ₹200 crore. Breaching children's data obligations carries a penalty of up to ₹200 crore.

Does the DPDP Act apply to companies outside India?

Yes. The DPDP Act applies to processing of digital personal data outside India if the processing is in connection with offering goods or services to individuals (Data Principals) within India.

What is a Data Fiduciary under the DPDP Act?

A Data Fiduciary is any person or organisation that alone or in conjunction with others determines the purpose and means of processing personal data. In simple terms, it is the entity that decides why and how personal data is collected and used.

What is the difference between a Data Fiduciary and a Data Processor?

A Data Fiduciary decides why and how personal data is processed. A Data Processor processes personal data on behalf of a Data Fiduciary, for example a cloud hosting provider or payroll outsourcing firm acting on the Data Fiduciary's instructions.

What is a Significant Data Fiduciary?

A Significant Data Fiduciary (SDF) is a Data Fiduciary that the Central Government designates based on factors like data volume, sensitivity, and risk to rights. SDFs face additional obligations including appointing a DPO, conducting annual audits and impact assessments, and potential data localisation requirements.

Can personal data be transferred outside India under the DPDP Act?

Yes, by default. The DPDP Act uses a negative list model: personal data can be transferred to any country unless the Central Government specifically restricts transfers to that country by notification. This is different from GDPR's adequacy model.

Not sure where your organisation stands?

Take the free DPDP Readiness Assessment to get an instant compliance score and a detailed gap analysis report.

Take the Free Assessment

Legal Disclaimer

This guide has been prepared by Vratex for general informational purposes only. It does not constitute legal advice and should not be relied upon as such. The content is based on the Digital Personal Data Protection Act, 2023 (Act No. 22 of 2023) and the Digital Personal Data Protection Rules, 2025 (G.S.R. 846(E), dated 14 November 2025) as published in the Official Gazette of India.

While every reasonable effort has been made to ensure the accuracy and completeness of this guide, the official gazette text remains the only authoritative source of law. Laws, rules, and their interpretation may change. Readers should verify all information against the official text and consult qualified legal counsel before making compliance decisions.

Vratex, its founders, employees, and agents disclaim all liability for any loss or damage arising from reliance on this guide or any errors or omissions herein.

Last updated: June 2026 · Based on the Act as enacted and Rules as notified · Ministry of Electronics & IT