The DPDPA applies to any person processing digital personal data within India, and extraterritorially to any person processing personal data outside India in connection with offering goods or services to Indian residents. Both Indian and foreign organisations are subject to the Act. Exemptions exist for certain government entities, personal or household use, and research purposes.
The DPDP Rules 2025 were notified on 13 November 2025. Core compliance provisions — consent requirements, data principal rights, and data fiduciary obligations — come into force in approximately May 2027 (18 months from notification). Data Protection Board establishment provisions are already operative. Organisations should begin compliance programmes now.
A Data Fiduciary is any person who determines the purpose and means of processing personal data. Obligations include: providing a clear consent notice before data collection; obtaining free, specific, informed, and unambiguous consent; maintaining security safeguards; erasing data when the purpose is fulfilled or consent is withdrawn; responding to data principal rights requests; and establishing a grievance mechanism. Significant Data Fiduciaries carry additional obligations including impact assessments and audits.
Data Principals have the right to access information about their data being processed; the right to correction and erasure of inaccurate or incomplete data; the right to nominate a person to exercise their rights in the event of death or incapacity; and the right to raise grievances. Consent can be withdrawn at any time. Grievances must be addressed by the Data Fiduciary’s mechanism within prescribed timelines, and unresolved grievances can be escalated to the Data Protection Board.
The Central Government has the power to restrict cross-border transfers of personal data to specific countries. Transfers are permitted only to countries meeting conditions to be prescribed — the permitted country list has not yet been finalised. Organisations with data flows between India and the UAE, UK, or EU should structure their data processing arrangements to accommodate this restriction and monitor Central Government notifications.
The Data Protection Board can impose financial penalties for non-compliance. Penalties under Section 33 of the DPDPA can reach up to Rs 250 crore for specified breaches including obligations relating to children’s data processing and data breach notification. The penalty framework is tiered based on the nature and severity of the breach. The Board is also empowered to direct Data Fiduciaries to take remedial action.
This website provides general information only, may not reflect current law, and should not be acted upon without professional advice.