Digital Personal Data Protection Act, 2023 (DPDPA)
Complete guide to India's DPDPA 2023 — data principal rights, consent rules, data fiduciary obligations, penalties, children's data, cross-border transfer rules, and compliance requirements.
🏛️ Background
The Digital Personal Data Protection Act, 2023 (DPDPA) received Presidential assent on 11 August 2023. It is India's first comprehensive data privacy law, replacing the IT Act's Section 43A framework. The Act applies to digital personal data processed within India and outside India if related to offering goods/services to persons in India. Enforcement is by the Data Protection Board of India (DPBI). Rules for implementation are being notified in phases.
🛡️ Your Rights as a Data Principal
📋 Right to Information
Know what personal data is being collected, purpose, and with whom it's shared. Summary of data processing activities must be provided.
✏️ Right to Correction & Erasure
Request correction of inaccurate/incomplete data or erasure of data no longer needed for the purpose collected.
🚫 Right to Withdraw Consent
Withdraw consent at any time with same ease as giving it. Withdrawal doesn't affect past processing but stops future processing.
⚖️ Right to Grievance Redressal
Data fiduciary must respond within prescribed time. If unsatisfied, file complaint with Data Protection Board of India.
👤 Right to Nominate
Nominate any person to exercise your data rights in case of death or incapacity.
💰 Penalties
| Violation | Maximum Penalty |
|---|---|
| Non-fulfilment of obligations for children's data | ₹200 crore |
| Failure to take security safeguards (data breach) | ₹250 crore |
| Non-compliance with DPBI directions | ₹150 crore |
| Failure to notify data breach to Board & data principal | ₹200 crore |
| Breach by data principal (false complaint etc.) | ₹10,000 |
👶 Children's Data (Special Provisions)
- 🔒 Verifiable parental consent required before processing data of children (under 18).
- ❌ No tracking, behavioural monitoring, or targeted advertising directed at children.
- ❌ No processing that is likely to cause detrimental effect on well-being of child.
- ⚠️ Government may exempt certain data fiduciaries (e.g., educational institutions) if processing is in best interest of child.
⚠️ Disclaimer
This page is for educational and informational purposes only and does not constitute legal, tax, or financial advice. While we strive for 100% accuracy, laws and regulations change frequently. Always refer to the official gazette notifications, consult a qualified Chartered Accountant (CA), Company Secretary (CS), or legal professional before making any financial or legal decisions. Tenhash is not responsible for any actions taken based on this information. Last reviewed: March 2026.