# THE DIGITAL PERSONAL DATA PROTECTION ACT, 2023
## (NO. 22 OF 2023)

**Date of Assent:** 11th August, 2023  
**Source:** Ministry of Law and Justice (Legislative Department), Gazette of India, Extraordinary, Part II — Section 1  
**Official PDF:** https://www.meity.gov.in/static/uploads/2024/06/2bf1f0e9f04e6fb4f8fef35e82c42aa5.pdf

---

An Act to provide for the processing of digital personal data in a manner that recognises both the right of individuals to protect their personal data and the need to process such personal data for lawful purposes and for matters connected therewith or incidental thereto.

BE it enacted by Parliament in the Seventy-fourth Year of the Republic of India as follows:—

---

## CHAPTER I — PRELIMINARY

### Section 1. Short title and commencement.
(1) This Act may be called the Digital Personal Data Protection Act, 2023.

(2) It shall come into force on such date as the Central Government may, by notification in the Official Gazette, appoint and different dates may be appointed for different provisions of this Act and any reference in any such provision to the commencement of this Act shall be construed as a reference to the coming into force of that provision.

### Section 2. Definitions.
In this Act, unless the context otherwise requires,—

(a) **"Appellate Tribunal"** means the Telecom Disputes Settlement and Appellate Tribunal established under section 14 of the Telecom Regulatory Authority of India Act, 1997;

(b) **"automated"** means any digital process capable of operating automatically in response to instructions given or otherwise for the purpose of processing data;

(c) **"Board"** means the Data Protection Board of India established by the Central Government under section 18;

(d) **"certain legitimate uses"** means the uses referred to in section 7;

(e) **"Chairperson"** means the Chairperson of the Board;

(f) **"child"** means an individual who has not completed the age of eighteen years;

(g) **"Consent Manager"** means a person registered with the Board, who acts as a single point of contact to enable a Data Principal to give, manage, review and withdraw her consent through an accessible, transparent and interoperable platform;

(h) **"data"** means a representation of information, facts, concepts, opinions or instructions in a manner suitable for communication, interpretation or processing by human beings or by automated means;

(i) **"Data Fiduciary"** means any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data;

(j) **"Data Principal"** means the individual to whom the personal data relates and where such individual is—
  - (i) a child, includes the parents or lawful guardian of such a child;
  - (ii) a person with disability, includes her lawful guardian, acting on her behalf;

(k) **"Data Processor"** means any person who processes personal data on behalf of a Data Fiduciary;

(l) **"Data Protection Officer"** means an individual appointed by the Significant Data Fiduciary under clause (a) of sub-section (2) of section 10;

(m) **"digital office"** means an office that adopts an online mechanism wherein the proceedings, from receipt of intimation or complaint or reference or directions or appeal, as the case may be, to the disposal thereof, are conducted in online or digital mode;

(n) **"digital personal data"** means personal data in digital form;

(o) **"gain"** means—
  - (i) a gain in property or supply of services, whether temporary or permanent; or
  - (ii) an opportunity to earn remuneration or greater remuneration or to gain a financial advantage otherwise than by way of legitimate remuneration;

(p) **"loss"** means—
  - (i) a loss in property or interruption in supply of services, whether temporary or permanent; or
  - (ii) a loss of opportunity to earn remuneration or greater remuneration or to gain a financial advantage otherwise than by way of legitimate remuneration;

(q) **"Member"** means a Member of the Board and includes the Chairperson;

(r) **"notification"** means a notification published in the Official Gazette;

(s) **"person"** includes—
  - (i) an individual;
  - (ii) a Hindu undivided family;
  - (iii) a company;
  - (iv) a firm;
  - (v) an association of persons or a body of individuals, whether incorporated or not;
  - (vi) the State; and
  - (vii) every artificial juristic person;

(t) **"personal data"** means any data about an individual who is identifiable by or in relation to such data;

(u) **"personal data breach"** means any unauthorised processing of personal data or accidental disclosure, acquisition, sharing, use, alteration, destruction or loss of access to personal data, that compromises the confidentiality, integrity or availability of personal data;

(v) **"prescribed"** means prescribed by rules made under this Act;

(w) **"processing"** in relation to personal data, means a wholly or partly automated operation or set of operations performed on digital personal data, and includes operations such as collection, recording, organisation, structuring, storage, adaptation, retrieval, use, alignment or combination, indexing, sharing, disclosure by transmission, dissemination or otherwise making available, restriction, erasure or destruction;

(x) **"she"** in relation to an individual includes the reference to such individual irrespective of gender;

(y) **"Significant Data Fiduciary"** means any Data Fiduciary or class of Data Fiduciaries as may be notified by the Central Government under section 10;

(z) **"specified purpose"** means the purpose mentioned in the notice given by the Data Fiduciary to the Data Principal in accordance with the provisions of this Act and the rules made thereunder; and

(za) **"State"** means the State as defined under article 12 of the Constitution.

### Section 3. Application of Act.
Subject to the provisions of this Act, it shall—

(a) apply to the processing of digital personal data within the territory of India where the personal data is collected—
  - (i) in digital form; or
  - (ii) in non-digital form and digitised subsequently;

(b) also apply to processing of digital personal data outside the territory of India, if such processing is in connection with any activity related to offering of goods or services to Data Principals within the territory of India;

(c) not apply to—
  - (i) personal data processed by an individual for any personal or domestic purpose; and
  - (ii) personal data that is made or caused to be made publicly available by the Data Principal or any other person who is under an obligation under any law to make such personal data publicly available.

---

## CHAPTER II — OBLIGATIONS OF DATA FIDUCIARY

### Section 4. Grounds for processing personal data.
(1) A person may process the personal data of a Data Principal only in accordance with the provisions of this Act and for a lawful purpose—
  - (a) for which the Data Principal has given her consent; or
  - (b) for certain legitimate uses.

(2) For the purposes of this section, the expression "lawful purpose" means any purpose which is not expressly forbidden by law.

### Section 5. Notice.
(1) Every request made to a Data Principal under section 6 for consent shall be accompanied or preceded by a notice given by the Data Fiduciary to the Data Principal, informing her—
  - (i) the personal data and the purpose for which the same is proposed to be processed;
  - (ii) the manner in which she may exercise her rights under sub-section (4) of section 6 and section 13; and
  - (iii) the manner in which the Data Principal may make a complaint to the Board.

(2) Where a Data Principal has given her consent for the processing of her personal data before the date of commencement of this Act—
  - (a) the Data Fiduciary shall, as soon as it is reasonably practicable, give to the Data Principal a notice informing her about the processing and her rights; and
  - (b) the Data Fiduciary may continue to process the personal data until and unless the Data Principal withdraws her consent.

(3) The Data Fiduciary shall give the Data Principal the option to access the contents of the notice in English or any language specified in the Eighth Schedule to the Constitution.

### Section 6. Consent.
(1) The consent given by the Data Principal shall be free, specific, informed, unconditional and unambiguous with a clear affirmative action, and shall signify an agreement to the processing of her personal data for the specified purpose and be limited to such personal data as is necessary for such specified purpose.

(2) Any part of consent which constitutes an infringement of the provisions of this Act or any other law shall be invalid to the extent of such infringement.

(3) Every request for consent shall be presented in a clear and plain language, giving the Data Principal the option to access such request in English or any language specified in the Eighth Schedule to the Constitution.

(4) Where consent given by the Data Principal is the basis of processing, such Data Principal shall have the right to withdraw her consent at any time, with the ease of doing so being comparable to the ease with which such consent was given.

(5) The consequences of the withdrawal shall be borne by the Data Principal, and such withdrawal shall not affect the legality of processing based on consent before its withdrawal.

(6) If a Data Principal withdraws her consent, the Data Fiduciary shall, within a reasonable time, cease and cause its Data Processors to cease processing the personal data of such Data Principal unless processing without her consent is required or authorised under this Act or any other law.

(7) The Data Principal may give, manage, review or withdraw her consent to the Data Fiduciary through a Consent Manager.

(8) The Consent Manager shall be accountable to the Data Principal and shall act on her behalf in such manner and subject to such obligations as may be prescribed.

(9) Every Consent Manager shall be registered with the Board in such manner and subject to such technical, operational, financial and other conditions as may be prescribed.

(10) Where consent is the basis of processing and a question arises in a proceeding, the Data Fiduciary shall be obliged to prove that a notice was given and consent was given in accordance with the provisions of this Act.

### Section 7. Certain legitimate uses.
A Data Fiduciary may process personal data of a Data Principal for any of the following uses:—

(a) for the specified purpose for which the Data Principal has voluntarily provided her personal data, and in respect of which she has not indicated that she does not consent;

(b) for the State and any of its instrumentalities to provide or issue subsidy, benefit, service, certificate, licence or permit as may be prescribed;

(c) for the performance by the State or any of its instrumentalities of any function under any law or in the interest of sovereignty and integrity of India or security of the State;

(d) for fulfilling any obligation under any law to disclose any information to the State or any of its instrumentalities;

(e) for compliance with any judgment or decree or order issued under any law;

(f) for responding to a medical emergency involving a threat to the life or immediate threat to the health of the Data Principal or any other individual;

(g) for taking measures to provide medical treatment or health services during an epidemic, outbreak of disease, or any other threat to public health;

(h) for taking measures to ensure safety of, or provide assistance or services to, any individual during any disaster or any breakdown of public order; or

(i) for the purposes of employment or those related to safeguarding the employer from loss or liability.

### Section 8. General obligations of Data Fiduciary.
(1) A Data Fiduciary shall be responsible for complying with the provisions of this Act and the rules made thereunder in respect of any processing undertaken by it or on its behalf by a Data Processor.

(2) A Data Fiduciary may engage a Data Processor to process personal data on its behalf for any activity related to offering of goods or services only under a valid contract.

(3) Where personal data processed by a Data Fiduciary is likely to be used to make a decision that affects the Data Principal, or disclosed to another Data Fiduciary, the Data Fiduciary shall ensure its completeness, accuracy and consistency.

(4) A Data Fiduciary shall implement appropriate technical and organisational measures to ensure effective observance of the provisions of this Act.

(5) A Data Fiduciary shall protect personal data in its possession or under its control by taking reasonable security safeguards to prevent personal data breach.

(6) In the event of a personal data breach, the Data Fiduciary shall give the Board and each affected Data Principal, intimation of such breach in such form and manner as may be prescribed.

(7) A Data Fiduciary shall, unless retention is necessary for compliance with any law—
  - (a) erase personal data, upon the Data Principal withdrawing her consent or as soon as it is reasonable to assume that the specified purpose is no longer being served, whichever is earlier; and
  - (b) cause its Data Processor to erase any personal data that was made available for processing.

(8) The purpose shall be deemed to no longer be served, if the Data Principal does not approach the Data Fiduciary for the performance of the specified purpose, and does not exercise any of her rights in relation to such processing, for such time period as may be prescribed.

(9) A Data Fiduciary shall publish the business contact information of a Data Protection Officer, if applicable, or a person who is able to answer questions raised by the Data Principal.

(10) A Data Fiduciary shall establish an effective mechanism to redress the grievances of Data Principals.

### Section 9. Processing of personal data of children.
(1) The Data Fiduciary shall, before processing any personal data of a child or a person with disability who has a lawful guardian, obtain verifiable consent of the parent or the lawful guardian, as the case may be.

(2) A Data Fiduciary shall not undertake processing of personal data that is likely to cause any detrimental effect on the well-being of a child.

(3) A Data Fiduciary shall not undertake tracking or behavioural monitoring of children or targeted advertising directed at children.

(4) The provisions of sub-sections (1) and (3) shall not be applicable to processing of personal data of a child by such classes of Data Fiduciaries or for such purposes, and subject to such conditions, as may be prescribed.

(5) The Central Government may notify for certain Data Fiduciaries the age above which they shall be exempt from the obligations under sub-sections (1) and (3).

### Section 10. Additional obligations of Significant Data Fiduciary.
(1) The Central Government may notify any Data Fiduciary or class of Data Fiduciaries as Significant Data Fiduciary, based on an assessment of factors including—
  - (a) the volume and sensitivity of personal data processed;
  - (b) risk to the rights of Data Principal;
  - (c) potential impact on the sovereignty and integrity of India;
  - (d) risk to electoral democracy;
  - (e) security of the State; and
  - (f) public order.

(2) The Significant Data Fiduciary shall—
  - (a) appoint a Data Protection Officer who shall represent the Significant Data Fiduciary, be based in India, be responsible to the Board of Directors, and be the point of contact for grievance redressal;
  - (b) appoint an independent data auditor to carry out data audit; and
  - (c) undertake periodic Data Protection Impact Assessment, periodic audit, and such other measures as may be prescribed.

---

## CHAPTER III — RIGHTS AND DUTIES OF DATA PRINCIPAL

### Section 11. Right to access information about personal data.
(1) The Data Principal shall have the right to obtain from the Data Fiduciary, upon making a request—
  - (a) a summary of personal data being processed and the processing activities;
  - (b) the identities of all other Data Fiduciaries and Data Processors with whom the personal data has been shared; and
  - (c) any other information related to the personal data and its processing, as may be prescribed.

### Section 12. Right to correction and erasure of personal data.
(1) A Data Principal shall have the right to correction, completion, updating and erasure of her personal data.

(2) A Data Fiduciary shall, upon receiving a request for correction—
  - (a) correct the inaccurate or misleading personal data;
  - (b) complete the incomplete personal data; and
  - (c) update the personal data.

(3) A Data Principal may request the Data Fiduciary for erasure of her personal data, and the Data Fiduciary shall erase unless retention is necessary for the specified purpose or compliance with any law.

### Section 13. Right of grievance redressal.
(1) A Data Principal shall have the right to have readily available means of grievance redressal provided by a Data Fiduciary or Consent Manager.

(2) The Data Fiduciary or Consent Manager shall respond to any grievances within such period as may be prescribed.

(3) The Data Principal shall exhaust the opportunity of redressing her grievance before approaching the Board.

### Section 14. Right to nominate.
(1) A Data Principal shall have the right to nominate any other individual, who shall, in the event of death or incapacity of the Data Principal, exercise the rights of the Data Principal.

### Section 15. Duties of Data Principal.
A Data Principal shall perform the following duties:—
- (a) comply with the provisions of all applicable laws while exercising rights;
- (b) not impersonate another person while providing personal data;
- (c) not suppress any material information while providing personal data for any document, unique identifier, proof of identity or proof of address;
- (d) not register a false or frivolous grievance or complaint; and
- (e) furnish only such information as is verifiably authentic while exercising the right to correction or erasure.

---

## CHAPTER IV — SPECIAL PROVISIONS

### Section 16. Processing of personal data outside India.
(1) The Central Government may, by notification, restrict the transfer of personal data by a Data Fiduciary for processing to such country or territory outside India as may be so notified.

### Section 17. Exemptions.
(1) The provisions of Chapter II (except sub-sections (1) and (5) of section 8) and Chapter III and section 16 shall not apply where—
  - (a) processing is necessary for enforcing any legal right or claim;
  - (b) processing by any court or tribunal;
  - (c) personal data processed for prevention, detection, investigation or prosecution of any offence;
  - (d) personal data of Data Principals not within India processed pursuant to any contract;
  - (e) processing necessary for a scheme of compromise, arrangement or merger; or
  - (f) processing for ascertaining financial information of a person who has defaulted on a loan.

(2) The provisions of this Act shall not apply to processing of personal data—
  - (a) by such instrumentality of the State as the Central Government may notify, in the interests of sovereignty and integrity of India, security of the State, etc.; and
  - (b) necessary for research, archiving or statistical purposes.

(3) The Central Government may notify certain Data Fiduciaries or class of Data Fiduciaries, including startups, to whom certain provisions shall not apply.

---

## CHAPTER V — DATA PROTECTION BOARD OF INDIA

### Section 18. Establishment of Board.
(1) There shall be established a Board to be called the Data Protection Board of India.

(2) The Board shall be a body corporate having perpetual succession and a common seal.

(3) The headquarters of the Board shall be at such place as the Central Government may notify.

### Section 19. Composition and qualifications.
(1) The Board shall consist of a Chairperson and such number of other Members as the Central Government may notify.

(2) The Chairperson and other Members shall be appointed by the Central Government.

(3) They shall be persons of ability, integrity and standing who possess special knowledge or practical experience in data governance, law, ICT, digital economy, or related fields.

### Section 20. Salary, allowances and term of office.
(1) The salary, allowances and other terms and conditions of service of the Chairperson and other Members shall be such as may be prescribed.

(2) The Chairperson and other Members shall hold office for a term of two years and shall be eligible for re-appointment.

### Sections 21-26. [Board governance, disqualifications, resignation, proceedings, officers, powers of Chairperson]

---

## CHAPTER VI — POWERS, FUNCTIONS AND PROCEDURE OF BOARD

### Section 27. Powers and functions of Board.
(1) The Board shall exercise the following powers:—
  - (a) on receipt of an intimation of personal data breach, direct urgent remedial or mitigation measures and inquire into such breach;
  - (b) on a complaint by a Data Principal in respect of a personal data breach or breach of obligations, inquire and impose penalty;
  - (c) on a complaint regarding a Consent Manager's obligations, inquire and impose penalty;
  - (d) on receipt of intimation of breach of conditions of registration of a Consent Manager; and
  - (e) on a reference regarding breach of intermediary obligations.

### Section 28. Procedure to be followed by Board.
(1) The Board shall function as an independent body and shall, as far as practicable, function as a digital office.

(2) The Board may take action on receipt of intimation, complaint, reference or directions.

(3) The Board shall determine whether there are sufficient grounds to proceed with an inquiry.

(7) For the purposes of discharging its functions, the Board shall have the same powers as a civil court in respect of summoning persons, receiving evidence, inspecting documents, etc.

---

## CHAPTER VII — APPEAL AND ALTERNATE DISPUTE RESOLUTION

### Section 29. Appeal to Appellate Tribunal.
(1) Any person aggrieved by an order or direction of the Board may prefer an appeal before the Appellate Tribunal.

(2) Every appeal shall be filed within a period of sixty days from the date of receipt of the order.

(6) The appeal shall be dealt with as expeditiously as possible and endeavour shall be made to dispose of it within six months.

### Section 31. Alternate dispute resolution.
If the Board is of the opinion that any complaint may be resolved by mediation, it may direct the parties to attempt resolution through mediation.

### Section 32. Voluntary undertaking.
(1) The Board may accept a voluntary undertaking in respect of any matter related to observance of the provisions of this Act from any person at any stage of a proceeding.

---

## CHAPTER VIII — PENALTIES AND ADJUDICATION

### Section 33. Penalties.
(1) If the Board determines that breach of the provisions of this Act by a person is significant, it may impose such monetary penalty as specified in the Schedule.

(2) While determining the amount, the Board shall have regard to the nature, gravity and duration of the breach; the type and nature of personal data affected; the repetitive nature of the breach; whether the person realised a gain or avoided any loss; action taken to mitigate; proportionality; and likely impact.

---

## CHAPTER IX — MISCELLANEOUS

### Section 36. Power to call for information.
The Central Government may require the Board and any Data Fiduciary or intermediary to furnish such information as it may call for.

### Section 38. Consistency with other laws.
(1) The provisions of this Act shall be in addition to and not in derogation of any other law.

(2) In the event of any conflict, the provision of this Act shall prevail.

### Section 40. Power to make rules.
(1) The Central Government may, by notification, make rules to carry out the purposes of this Act.

---

## THE SCHEDULE — PENALTIES
[See section 33(1)]

| Sl. No. | Breach | Penalty |
|---------|--------|---------|
| 1. | Breach in observing the obligation of Data Fiduciary to take reasonable security safeguards to prevent personal data breach under sub-section (5) of section 8. | May extend to **₹250 crore** |
| 2. | Breach in observing the obligation to give the Board or affected Data Principal notice of a personal data breach under sub-section (6) of section 8. | May extend to **₹200 crore** |
| 3. | Breach in observance of additional obligations in relation to children under section 9. | May extend to **₹200 crore** |
| 4. | Breach in observance of additional obligations of Significant Data Fiduciary under section 10. | May extend to **₹150 crore** |
| 5. | Breach in observance of the duties under section 15. | May extend to **₹10,000** |
| 6. | Breach of any term of voluntary undertaking accepted by the Board under section 32. | Up to the extent applicable for the breach in respect of which the proceedings were instituted. |
| 7. | Breach of any other provision of this Act or the rules made thereunder. | May extend to **₹50 crore** |

---

*DR. REETA VASISHTA, Secretary to the Govt. of India.*
