Data Prinicipals-Data Subject

Data Fiduciaries-Data controller

It is applicable only to personal data and to only digitized format not digitized format

Digital personal data applies to outside the country if it applies in exchange of goods and services

If data given according to user consent

EXEMPTION

IF DATA IS PRESENT BY DATA PRINICPAL OR FOR LEGAL RIGHTS-IF COURT HAS SAID THEN THERE NOT
APPLOED

RESEARCH PROCESS -STATISITCAL PROCESS- THEN IT IS EXEMPTED

PROCESSING OUTSIDE INDIA -ACT WILL NOT APPLIED

IF TRACKING BEHAVIORAL AND APPLY SIDES

Key Features of the DPDP Act:

1. Scope and Applicability:

o The DPDP Act applies to the processing of personal data in India, by both Indian and
foreign entities.

o It applies to entities involved in the processing of personal data in relation to Indian

citizens or residents, regardless of where the entity is located.

o The law applies to both government and private sector organizations.

2. Personal Data:

o The Act defines personal data as any data that relates to an identified or identifiable
individual, including sensitive personal data such as health data, financial
information, biometric data, etc.

3. Data Fiduciaries:

o Entities that collect, process, and store personal data are termed Data Fiduciaries.
These organizations are accountable for ensuring compliance with the Act, including
taking steps to protect personal data.

o Data Fiduciaries are responsible for ensuring transparency about data collection,
processing purposes, and the rights of individuals.

4. Consent-Based Processing:

o The DPDP Act emphasizes informed consent from individuals before collecting their
personal data.

o Organizations must seek explicit consent from individuals for processing their
personal data, specifying the purpose, duration, and nature of the processing.
 o The opt-in model must be followed, where consent cannot be assumed or coerced.

o Minors must give consent, or their guardians must provide consent for data
processing.

5. Rights of Data Principals (Individuals): The Act provides several rights to individuals
(referred to as Data Principals) to control their personal data:

o Right to Access: Individuals have the right to access their personal data held by
organizations.

o Right to Correction: Individuals can request the correction of inaccurate or

incomplete personal data.

o Right to Erasure: Individuals can request the deletion of their personal data, subject
to certain conditions.

o Right to Data Portability: Individuals have the right to transfer their personal data
from one service provider to another.

o Right to Object to Processing: Individuals can object to the processing of their data
in certain situations, especially when the processing is based on legitimate interests.

o Right to Information: Individuals have the right to be informed about the processing
of their data, including the purpose, types of data processed, and retention periods.

6. Data Protection Officer (DPO):

o Certain organizations that process large volumes of personal data will need to
appoint a Data Protection Officer (DPO). The DPO is responsible for ensuring the
organization’s compliance with the DPDP Act and managing data protection risks.

7. Data Processing Obligations:

o Purpose Limitation: Personal data should only be collected for specified, legitimate
purposes and should not be further processed in ways that are incompatible with
those purposes.

o Data Minimization: Organizations must collect only the data necessary for the
intended purpose and must not retain data longer than necessary.

o Security Measures: Data Fiduciaries must implement appropriate security

safeguards to protect personal data from unauthorized access, disclosure, alteration,
or destruction.

o Transparency: Organizations must provide individuals with clear information about

their data processing practices, including a privacy policy outlining data handling
processes.

8. Sensitive Personal Data (SPD):

o Sensitive personal data includes financial data, biometric data, health data, genetic
data, and more.

o The processing of sensitive data requires additional safeguards, such as explicit

consent from the individual.
 o The Act mandates that special conditions are applied to sensitive data processing,
including a requirement for data localization for certain types of sensitive data.

9. Data Localization:

o The DPDP Act introduces data localization provisions, requiring certain types of
personal data (e.g., sensitive personal data) to be stored within India.

o The Act allows for the transfer of personal data outside India under strict conditions,
such as ensuring that the recipient country has adequate data protection laws, or
through contractual mechanisms like Standard Contractual Clauses (SCCs).

10. Data Breach Notifications:

o Organizations must notify both the Data Principal and the Data Protection Authority
(DPA) in case of a data breach that could result in harm to individuals.

o The notification must occur within a specified time frame (typically 72 hours of the
breach becoming known).

11. Data Protection Authority (DPA):

o The Data Protection Authority (DPA) will be an independent body responsible for
overseeing compliance with the DPDP Act.

o The DPA will have powers to investigate complaints, conduct audits, impose
penalties, and take corrective actions.

o The DPA will also handle grievances from data principals and issue guidelines for the
effective implementation of the Act.

12. Penalties for Non-Compliance:

o The DPDP Act includes severe penalties for organizations that fail to comply with its
provisions.

o The penalties can include fines based on the nature of the violation, with penalties
for non-compliance reaching up to 5% of annual global turnover or INR 150 crore
(whichever is higher).

o Penalties for violations include failure to obtain consent, non-compliance with data
localization, or not taking appropriate security measures.

Data Fiduciary should provide privacy notice to take consent

Key Features of the DPDP Act:

1. Scope and Applicability:

o The DPDP Act applies to the processing of personal data in India, by both Indian and
foreign entities.

o It applies to entities involved in the processing of personal data in relation to Indian

citizens or residents, regardless of where the entity is located.

o The law applies to both government and private sector organizations.

2. Personal Data:

o The Act defines personal data as any data that relates to an identified or identifiable
individual, including sensitive personal data such as health data, financial
information, biometric data, etc.

3. Data Fiduciaries:

o Entities that collect, process, and store personal data are termed Data Fiduciaries.
These organizations are accountable for ensuring compliance with the Act, including
taking steps to protect personal data.

o Data Fiduciaries are responsible for ensuring transparency about data collection,
processing purposes, and the rights of individuals.

4. Consent-Based Processing:

o The DPDP Act emphasizes informed consent from individuals before collecting their
personal data.

o Organizations must seek explicit consent from individuals for processing their
personal data, specifying the purpose, duration, and nature of the processing.

o The opt-in model must be followed, where consent cannot be assumed or coerced.

o Minors must give consent, or their guardians must provide consent for data
processing.

5. Rights of Data Principals (Individuals): The Act provides several rights to individuals
(referred to as Data Principals) to control their personal data:

o Right to Access: Individuals have the right to access their personal data held by
organizations.

o Right to Correction: Individuals can request the correction of inaccurate or

incomplete personal data.

o Right to Erasure: Individuals can request the deletion of their personal data, subject
to certain conditions.

o Right to Data Portability: Individuals have the right to transfer their personal data
from one service provider to another.

o Right to Object to Processing: Individuals can object to the processing of their data
in certain situations, especially when the processing is based on legitimate interests.

o Right to Information: Individuals have the right to be informed about the processing
of their data, including the purpose, types of data processed, and retention periods.

6. Data Protection Officer (DPO):

o Certain organizations that process large volumes of personal data will need to
appoint a Data Protection Officer (DPO). The DPO is responsible for ensuring the
organization’s compliance with the DPDP Act and managing data protection risks.

7. Data Processing Obligations:

 o Purpose Limitation: Personal data should only be collected for specified, legitimate
purposes and should not be further processed in ways that are incompatible with
those purposes.

o Data Minimization: Organizations must collect only the data necessary for the
intended purpose and must not retain data longer than necessary.

o Security Measures: Data Fiduciaries must implement appropriate security

safeguards to protect personal data from unauthorized access, disclosure, alteration,
or destruction.

o Transparency: Organizations must provide individuals with clear information about

their data processing practices, including a privacy policy outlining data handling
processes.

8. Sensitive Personal Data (SPD):

o Sensitive personal data includes financial data, biometric data, health data, genetic
data, and more.

o The processing of sensitive data requires additional safeguards, such as explicit

consent from the individual.

o The Act mandates that special conditions are applied to sensitive data processing,
including a requirement for data localization for certain types of sensitive data.

9. Data Localization:

o The DPDP Act introduces data localization provisions, requiring certain types of
personal data (e.g., sensitive personal data) to be stored within India.

o The Act allows for the transfer of personal data outside India under strict conditions,
such as ensuring that the recipient country has adequate data protection laws, or
through contractual mechanisms like Standard Contractual Clauses (SCCs).

10. Data Breach Notifications:

o Organizations must notify both the Data Principal and the Data Protection Authority
(DPA) in case of a data breach that could result in harm to individuals.

o The notification must occur within a specified time frame (typically 72 hours of the
breach becoming known).

11. Data Protection Authority (DPA):

o The Data Protection Authority (DPA) will be an independent body responsible for
overseeing compliance with the DPDP Act.

o The DPA will have powers to investigate complaints, conduct audits, impose
penalties, and take corrective actions.

o The DPA will also handle grievances from data principals and issue guidelines for the
effective implementation of the Act.

12. Penalties for Non-Compliance:

 o The DPDP Act includes severe penalties for organizations that fail to comply with its
provisions.

o The penalties can include fines based on the nature of the violation, with penalties
for non-compliance reaching up to 5% of annual global turnover or INR 150 crore
(whichever is higher).

o Penalties for violations include failure to obtain consent, non-compliance with data
localization, or not taking appropriate security measures.

Key Provisions for Cross-Border Transfers in DPDP

1. Permissible Transfers to Notified Countries:

o Personal data can only be transferred to countries or territories that the Indian
government notifies as "trusted."

o These countries are determined based on factors like the adequacy of their data
protection frameworks and alignment with India’s national security and public
interest.

2. Government Control and Flexibility:

o The government retains the authority to notify or delist countries depending on

evolving diplomatic or policy considerations.

3. Legal and Contractual Safeguards:

o Organizations engaging in cross-border data transfers must ensure that recipients

handle the data responsibly, complying with India’s data protection standards.

4. Applicability of Data Principal Rights:

o Indian data principals (individuals) retain their rights over personal data, regardless
of where it is processed. This includes rights like withdrawal of consent, data access,
and grievance redressal.

5. Sensitive Data Handling:

o Although the DPDP does not explicitly define sensitive personal data as the GDPR
does, cross-border transfers imply stringent measures for data handling, especially if
individuals’ fundamental privacy rights are at stake.
Severe breaches -250 crore

1. Failure to Implement Security Safeguards

 Penalty: Up to ₹250 crore.

 Reason: Breach of data protection obligations, such as failure to secure personal data against
unauthorized access or loss.

2. Non-Compliance with Data Principal Rights

 Penalty: Up to ₹200 crore.

 Reason: Failure to provide data principals (individuals) with rights such as data access,
correction, or erasure within the stipulated timeline.

3. Breach of Purpose Limitation

 Penalty: Up to ₹200 crore.

 Reason: Processing personal data beyond the purpose for which it was collected without
obtaining consent.

4. Failure to Notify Data Breaches

 Penalty: Up to ₹150 crore.

 Reason: Not informing the Data Protection Board or affected data principals about a data
breach promptly.

5. Failure to Comply with Obligations of Consent

 Penalty: Up to ₹50 crore.

 Reason: Processing personal data without valid consent or violating conditions for
withdrawal of consent.
6. Non-Compliance by Significant Data Fiduciaries

 Penalty: As per the severity (up to ₹250 crore).

 Reason: Failing to adhere to additional obligations such as conducting Data Protection

Impact Assessments (DPIAs) or appointing a Data Protection Officer (DPO).

7. Failure to Prevent Harm

 Penalty: Variable fines, depending on the harm caused to the individual.

 Reason: Allowing personal data misuse leading to financial, emotional, or reputational harm
to individuals.

Data protection board-investigation, potential violation,breach can conduct enquiries huge e

Appealed tdsat still not hc or sc

 GDPR
Aspect DPDP (India)
(EU)

-
Protects
personal
data of
individua
ls in the
EU,
irrespecti
ve of
where
the
processi
ng
occurs. - Protects personal data of individuals within India.
Scope
- - Focuses primarily on data processed in India.
Applicabl
e to
business
es
offering
goods/se
rvices to
EU
residents
or
monitori
ng their
behavior.

Decentra
lized:
Each EU
member
Regulato
state has
ry Centralized: A single Data Protection Board of India (DPBI) oversees
its own
Authorit enforcement.
Data
y
Protectio
n
Authorit
y (DPA).

Consent Requires Consent is a primary requirement but simplified as deemed consent for certain
Require explicit scenarios like performance of contracts or public services.
ments consent
for most
processi
 GDPR
Aspect DPDP (India)
(EU)

ng
activities
.
Legitimat
e
interests
and
contract
ual
obligatio
ns are
also legal
bases for
processi
ng.

Allowed
to
countries
offering
adequat
e
Cross- protectio
Border n or
Allowed only to countries notified as trusted by the Indian government.
Data under
Transfers safeguar
ds like
standard
contract
ual
clauses
(SCCs).

Data Extensiv Limited to basic rights like access, correction, erasure, and grievance redressal.
Principal e rights, Portability and restriction rights are not explicitly defined.
Rights including
right to
be
forgotte
n, data
portabili
ty,
access,
rectifica
tion, and
restrictio
 GDPR
Aspect DPDP (India)
(EU)

n of
processi
ng.

Special
categorie
s like
health,
race,
religion,
Sensitive
and
Personal The concept exists but is not explicitly categorized in the law.
political
Data
views
require
addition
al
safeguar
ds.

- Fines
up to
€20
million
or 4% of
Penalties global - Fines are capped at ₹250 crore for severe violations.
turnover
,
whichev
er is
higher.

Mandato
Data
ry within
Breach Must notify the Data Protection Board within a reasonable timeframe, but no
72 hours
Notificati fixed deadline is mentioned.
to the
ons
DPA.

Account Both Accountability primarily lies with data fiduciaries (controllers). Processors are
ability of data indirectly accountable.
Processo controlle
rs rs and
processo
rs are
directly
accounta
ble
 GDPR
Aspect DPDP (India)
(EU)

under
GDPR.

Requires
parental
consent
for
processi
ng data
of
Children' Requires consent for processing data of children under 18 years. Stricter focus on
children
s Data child privacy.
under 16
years
(can be
lowered
to 13 by
member
states).

Encourag
es codes
of
conduct
and
Code of certificati
Certification mechanisms or codes of conduct are not emphasized yet.
Conduct on
mechani
sms at
the
industry
level.

Legal Includes Primarily based on consent and limited cases of deemed consent.
Basis for multiple
Processi legal
ng bases:
consent,
legitimat
e
interests
,
contract
ual
necessity
, legal
obligatio
 GDPR
Aspect DPDP (India)
(EU)

n, public
interest,
and vital
interests
.

Applicab GDPR DPDP is expected to provide simpler compliance measures for startups and
ility to applies smaller entities, though not explicitly outlined.
SMEs uniforml
y to all
organiza
tions,
but small
business
es can
have
reduced
obligatio
ns under
certain
conditio
ns.
 GDPR
Aspect DPDP (India)
(EU)

The Digital Personal Data Protection Act (DPDPA) of 2023, commonly referred to
as the DPDP Act is the data privacy legislation of India. The law is a meticulous
blend of recognition of the rights of individuals and the need for processing of
data.

Ever since the famous Puttaswamy judgment recognized the right to privacy as a
fundamental right, digital privacy has been a hot topic in the country. Now that
the DPDP Act has received the assent of the President, India is ready to enter its
digital privacy era.

Effective date: Subject to Government notification

Official text: Digital Personal Data Protection Act, 2023

What is the Digital Personal Data Protection Act?

The Digital Personal Data Protection Act was passed in early August of 2023. The
act is expected to come into force in 2024 through a government notification.
The law enumerates the rights and duties of data principals, and obligations
of data fiduciaries, imposes penalties for data breaches, and also creates a
special category of data fiduciaries called the significant data fiduciaries. DPDP
Act recognizes verifiable consent for children and persons with disability.

Unlike GDPR and other US privacy laws, India’s privacy law does not expressly
define sensitive data. However, the central Government in the future may classify
personal data into different categories.

The Data Protection Board (DPB) is the enforcement authority under the DPDP
Act. The act also designates the Telecom Disputes Settlement and Appellate
Tribunal as the appellate authority.

Jump to

Tips for DPDPA Compliance

Who are the important parties to DPDPA?

Data principal: A data principal is a person to whom the personal data relates.
For children, their parents or legal guardians are the data principals and for
persons with disability, it is the legal guardian. The act does not specifically
define a person with a disability. However, it is assumed to be the same as the
definition under the People with Disability Act of 1995.

Data fiduciary: A data fiduciary is a person who controls the purpose and means
 GDPR
Aspect DPDP (India)
(EU)

of handling personal data. It can be a small business, a startup, or even a bank.

Data processor: A data processor is a person who handles/processes data for the
data fiduciary.

Significant data fiduciary: A data fiduciary may be designated as a significant

data fiduciary (SDF) by the Central government based on several factors like the
volume and sensitivity of the data processed or risk to national security and
electoral democracy etc. A Significant Data Fiduciary has a few additional
obligations like appointing a Data Protection Officer (DPO) and a data auditor,
conducting regular impact assessments and data audits, etc.

Who does the DPDP Act apply to?

The law applies to any person who processes digital personal data other than for
personal or domestic context if:

 The processing of digital personal data takes place within Indian territory.

 The processing of digital personal data takes place overseas but offers its
goods and services to those in India.

The law applies to personal data that were either collected in digital or non-
digital form and were digitized thereafter but does not apply to public
information or data processed in household/personal context.

A person under the DPDP Act is not just an individual or a business. Here is the
list of the entities that are included under this category.

 Any individual

 Hindu Joint Family

 Company

 Firm

 An association of persons regardless of whether they are registered or

not.

 The state as defined under Article 12 of the Indian constitution.

 Other legal persons not specified above.

What is personal data under the DPDP Act?

Any data of an individual that can be potentially used to identify that individual is
called personal data. Public information does not come under the category of
personal data.

The act defines personal data as ” any data about an individual who is identifiable by or in relatio
 GDPR
Aspect DPDP (India)
(EU)

Sub-clause (t) of section 2

Information published by the data principal herself or authorized government

agencies is termed public information. It is personal data if it was published to a
specified audience and not publicly.

What are the duties of data fiduciaries under the DPDP Act?

Data minimization

Only collect data that is required for the specific purpose. Delete the data that is
no longer necessary or if the data principal withdraws consent. Take steps to get
the personal data deleted by the processor as well.

Purpose limitation

Data controllers should limit the use of personal data to the specific purpose for
which the consent was obtained. They can however process the personal data
without express consent if the data principal volutarily gave the personal data
and did not indicate non-consent to its processing.

Data fiduciaries are allowed to use personal data for various purposes, including
complying with the law and court orders, processing by the state or its agencies
to provide benefits, subsidies, certificates, licenses, or permits, provided that the
data principal has previously consented or if that personal data is already in their
database.

They can also use personal data for the performance of governmental functions,
protecting the sovereignty, integrity, and security of India, maintaining public
order, medical emergencies, and treatments, taking measures for epidemics, and
safeguarding employers from losses.

Privacy notice

Privacy notices (commonly known as privacy policy) and requests for consent
must be accessible in English as well as in all languages provided in the 8th
schedule of the Indian Constitution. They should be given in a clear and
accessible manner. The privacy notice should be specific and easy to understand.

Further reads

Privacy notice vs Privacy policy

Privacy policy vs terms and conditions

Under the DPDP Act, data fiduciaries must provide a privacy notice along with
the request for consent. The notice and the request should include details
regarding the:
 GDPR
Aspect DPDP (India)
(EU)

 categories of personal data collected

 specific purposes for which personal data is collected

 the process of exercising consumer rights

 the procedure to revoke consent

 The procedure to file complaints with the data protection board.

Generate a custom privacy policy

for your website

Create a free privacy policy

Generate instantlyNo signup required

Consent

Data fiduciaries cannot process personal data without the consent of the data
principal unless it is for legitimate use or is exempted by the act. Data principals
can withdraw their consent at any time. Make the process of revocation of
consent easy and convenient.

Obtain verifiable consent from the parents/legal guardians of children or legal

guardians in the case of persons with disability. A child is an individual under the
age of 18 years. We will discuss the consent requirements more elaboratively in
the following section.

Read in detail: Consent requirements under DPDPA

Data affecting data principals

The data fiduciary should ensure the accuracy, completeness, and consistency of
the personal data processed in a way that is likely to be used to make a decision
affecting the data principal or if it is going to be shared with another data
fiduciary.

Implement security measures

Data fiduciaries must implement necessary safety measures to prevent any data
breaches. Also, incorporate technical and organizational measures to comply
with the obligations and other provisions of this privacy law.

Redressal mechanisms

Data fiduciaries must implement effective and convenient redressal mechanisms.

Provide the procedures for exercising consumer rights in the privacy notice and
appoint a person to oversee grievances. Always respond to consumer requests
within a reasonable time. Publish details of the Data Protection Officer or anyone
 GDPR
Aspect DPDP (India)
(EU)

else authorized to answer requests or concerns on the data fiduciary’s behalf.

Prohibitions concerning children

Tracking, behavioral monitoring, and targeted advertising of children are not

allowed unless the central government permits them. A child is an individual
under the age of 18 years. The law imposes a duty upon the data fiduciaries to
not process the data of children if it is likely to cause any detrimental effects.

Report of breaches

Data fiduciaries must report all data breaches to the Data Protection Board as
well as to the affected person. The intimation must be made within a reasonable
time.

Other obligations

If the Government of India has issued any notification restricting the transfer of
data to any country, businesses must abide by it. Have a contractual relationship
with your data processors and other third parties if any. Determine the rights of
the parties involved and also make sure that they comply with the DPDP Act.
Deliver the consumer requests within a reasonable time.

What are the rights of data principals under the DPDP Act?

Chapter III of the DPDP Act enumerates the rights of the data principals.

Right to access

A data principal can obtain the summary of their personal data processed,
activities of the data fiduciaries, or any other information regarding the
processing of such data. They can also request the details of all data fiduciaries
and data processors with whom their personal data is shared.

Right to correction

A data principal can request the data fiduciaries to do the following to their
personal data collected by them:

 Correct any inaccuracies

 Update their personal data

 Complete their personal data

A data fiduciary who gets such a request must fulfill the request within a
reasonable time.

Right to erasure

A data principal has the right to get their personal data deleted. However, a
business/data fiduciary is not obliged to erase such personal data if it is
necessary for fulfilling the specific purpose for which it was collected or for legal
 GDPR
Aspect DPDP (India)
(EU)

compliance.

Right to grievance redressal

Data principals are entitled to an accessible grievance redressal mechanism to

resolve any issues regarding an act or omission of data fiduciaries’ obligations or
the enforcement of the data principal’s rights. Unless the data principal fails to
get their grievance redressed through this mechanism, they cannot approach the
Data Protection Board.

Right to nominate

Data principals can nominate an individual to exercise their rights under this act
in the event of their death, unsoundness of mind or infirmity of body.

Right to revoke consent

A data principal can revoke the consent at any time. However, the data principal
should bear any consequences arising from such revocation. The data fiduciaries
are bound to stop and also cause the data processors to stop processing the
personal data of the data principal in the event of revocation of consent.

Consent requirements under the DPDP Act

The DPDPA requires data fiduciaries to request consent from the data principals
before processing their personal data. However, consent is not required for
certain legitimate uses. The request for consent must be accompanied by a
privacy notice that contains the categories and purpose of personal data
processed, the grievance redressal mechanism, and the method to enforce the
rights of data principals.

The definition of consent is broad and almost similar to the GDPR’s definition
except for the word unconditional.

For consent to be valid, the following conditions should be satisfied:

 Consent should be free, specific, informed, and unconditional.

 There should be a clear indication of consenting to such action.

 Agrees to the processing of personal data for the specified purposes.

Data fiduciaries need not get consent if the data principal voluntarily gives any
personal data without indicating non-consent. For example, imagine an online
platform for recruitment. On the website, there is a form where users can add
their resume along with relevant information. If they voluntarily fill out the form,
the platform can use it to assist them with the job-hunting process.

If consent was given before the enforcement of the act, give notice to such data
principal containing the details of the data collected, the purpose of collection,
rights under the act, and the grievance redressal mechanism. Data fiduciaries
 GDPR
Aspect DPDP (India)
(EU)

can process the personal data until the consent is withdrawn.

The act also obligates the data fiduciaries to recognize consent managers and
thereby enable data principals to entrust such registered consent managers to
act on their behalf. Consent managers provide a transparent mechanism to give,
manage, review, or withdraw consent. It acts as a single point of contact for the
data principals to manage their consent.

Manage cookie consent

without any hassle

Add a cookie consent banner and manage cookie consent for privacy compliance

Try for free

14-day free trialCancel anytime

What is a personal data breach under the DPDP Act?

The DPDP Act defines a personal data breach as ” any unauthorized processing of
personal data or accidental disclosure, acquisition, sharing, use, alteration,
destruction or loss of access to personal data, that compromises the
confidentiality, integrity or availability of personal data”. All breaches need to be
reported whether or not damage was caused. Notify the breaches promptly to
the data principals as well as the Data Protection Board. The format of breach
notification is not prescribed yet.

What is the penalty for violating the DPDP Act?

The privacy law of India determines the penalty based on various factors like the
gravity of the breach and its duration, the category of personal data impacted by
the breach, its repetitive nature, the impact of monetary penalty on the violator,
etc. The penalties can reach up to a heavy sum of INR 250 crore (~ $30 million).

Unlike many other data privacy laws across the world, India’s privacy law does
not mention anything about a cure period. However, the violators will be allowed
to be heard which is a principle of natural justice.

Nature of violation/breach Penalty

Failure to implement security safeguards Up to INR 250 crores (~ $30.2

Failure to notify a breach to the board Up to INR 200 crores (~ $24.1

Non-compliance with the special provisions regarding children Up to INR 200 crores (~ $24.1
 GDPR
Aspect DPDP (India)
(EU)

Nature of violation/breach Penalty

Non-compliance with the obligations of SDF Up to INR 150 crores (~ $18.1

Non-compliance of obligations by the data principals Up to INR 10,000 (~ $120)

Violation of any voluntary undertaking if any Up to the extent applicable t

Violation of all other provisions than mentioned Up to INR 50 crore (~ $6 milli

Steps to DPDP Act compliance

 Obtain valid consent before processing personal data.

 Provide a clear privacy notice along with the request for consent.

 Make privacy notices and consent requests accessible in English and 22

other languages in the 8th schedule.

 Limit the collection of data to what is required for the specific purpose of
processing.

 Implement security safeguards.

 Obtain verifiable consent to process data of children and people with

disability.

 Delete data within a reasonable time if the data principal revokes

consent requests deletion, or when the specific purpose exhausts.

 Respond to data principals’ requests within a reasonable time.

 Avoid behavioral monitoring, target advertising, and tracking of children.

 Keep the personal data complete, accurate, and consistent.

 Conduct audits and impact assessments if you are categorized as a

Significant Data Fiduciary.

 Confirm that you do not sell personal data to countries in the negative
list as notified by the government.

 Have a contractual relationship with the data processors.

 Inform the DPB in case of any breach regardless of the volume of risk.

India DPDP Act vs EU GDPR [Infographic]

 GDPR
Aspect DPDP (India)
(EU)