The Digital Personal Data Protection Act, 2023 (DPDP Act) is India’s first comprehensive law that regulates how digital personal data is collected, processed, stored, and transferred. It applies to all entities—public or private—that handle personal data of individuals within India. The Act is designed to strengthen user privacy, establish data accountability, and modernize India’s digital governance framework.
Overview of the DPDP Act, 2023
The DPDP Act was introduced to address growing concerns about the misuse of personal data in the digital space. It provides individuals (referred to as Data Principals) with rights over their data and defines the responsibilities of those handling this data (known as Data Fiduciaries). The law also sets up an enforcement body, the Data Protection Board of India (DPBI), to ensure compliance and resolve disputes.
Key Features of the Digital Personal Data Protection Act
1. Consent-Based Data Processing
Organizations must:
- Obtain explicit and informed consent before collecting personal data.
- Ensure consent requests are clear, specific, and easy to understand.
- Allow individuals to withdraw consent at any time.
2. Obligations of Data Fiduciaries
Entities that collect and process personal data are required to:
- Implement technical and organizational safeguards to prevent unauthorized access.
- Notify the individual and the Data Protection Board in the event of a data breach.
- Appoint a Data Protection Officer (DPO) if classified as a Significant Data Fiduciary.
- Adhere to the principles of purpose limitation and data minimization.
3. Data Protection Board of India (DPBI)
The DPBI acts as an independent regulatory authority responsible for:
- Monitoring compliance with the DPDP Act.
- Investigating data breaches and user complaints.
- Issuing corrective directives and imposing penalties up to ₹250 crore per violation.
4. Cross-Border Data Transfers
- Personal data may be transferred outside India only to countries or territories approved by the Central Government.
- The law allows the government to restrict data transfers to jurisdictions deemed non-compliant or risky.
5. Rights of Data Principals (Individuals)
The Act empowers individuals with the following rights:
- Right to Access: Know what data is collected and how it is used.
- Right to Correction: Request updates to incorrect or outdated information.
- Right to Erasure: Ask for personal data to be deleted when no longer necessary.
- Right to Data Portability: Request a copy of data in a machine-readable format for transfer.
- Right to Grievance Redressal: Lodge complaints with the organization or escalate to the DPBI.
- Right to Nominate: Authorize another person to act on their behalf in case of death or incapacity.
Data Protection Board of India (DPBI)
Establishment
The DPBI was created under Section 18 of the DPDP Act to function as an adjudicatory body for privacy-related grievances. It operates independently under the supervision of the Ministry of Electronics and Information Technology (MeitY).
Structure
- Composed of a Chairperson and other members, appointed by the Central Government.
- Members serve a two-year term and may be reappointed.
Key Functions
1. Enforcement and Compliance Monitoring
- Verifies if organizations are fulfilling legal obligations under the Act.
- Ensures implementation of user-centric privacy practices.
2. Handling Complaints and Data Breaches
- Investigates violations or breaches reported by individuals or discovered independently.
- Collects evidence and issues findings.
3. Issuing Directives and Penalties
- Orders companies to rectify non-compliant data handling practices.
- Can impose financial penalties up to ₹250 crore.
- In severe cases, may recommend blocking access to digital services or platforms.
4. Cross-Border Data Oversight
- Evaluates whether personal data sent abroad is being handled securely and lawfully.
5. Child Data Protection
- Enforces stricter obligations on entities handling children’s data.
- Ensures that parental consent and age verification mechanisms are in place.
Frequently Asked Questions (FAQs)
What is the Digital Personal Data Protection Act, 2023?
The DPDP Act is a legal framework that governs how personal data is collected, stored, and processed in digital form. It aims to protect individuals' privacy and ensure responsible data practices by organizations.
Who enforces the DPDP Act?
The Data Protection Board of India (DPBI) is the regulatory body that monitors compliance, investigates breaches, and resolves disputes under the DPDP Act.
What rights do individuals have under the DPDP Act?
Individuals have rights such as access to their data, correction, erasure, data portability, grievance redressal, and the ability to nominate someone to manage their data if they are unable to do so.
Can companies send personal data outside India?
Yes, but only to countries approved by the Central Government. The DPBI monitors and enforces compliance for all such transfers.
Who appoints the DPBI?
Members of the DPBI, including the Chairperson, are appointed by the Central Government through a formal selection process led by MeitY.