DPDPA

The Digital Personal Data Protection Act, 2023 outlines the responsibilities of Data Fiduciaries regarding personal data processing, consent management, and data breach notifications. It establishes the Data Protection Board of India to oversee compliance and handle grievances, while also defining the rights of Data Principals. Key ambiguities include the lack of specified timelines for notifications and the handling of publicly available data.

THE DIGITAL PERSONAL DATA PROTECTION ACT, 2023
AMBIGUITIES

01 The Act has not specified a timeframe for Data Fiduciaries to respond to any Data Principal requests.

02 The Act has not specified a timeframe for the Data Fiduciary to send a notice to customers.

03 Publicly available data: the Act exempts any Personal Data that is made available publicly, but it does not clarify whether information made available to the public can be used for processing or only for view-only purposes.

04 Absence of a defined timeline for notifying a Personal Data breach to the Data Protection Board and the affected Data Principal.

05 The Digital Personal Data Protection Rules (DPDP Rules) have still not come into force.
Consent for Data Collected Before the Act
Section 5(2) of DPDPA, 2023

If personal data was collected before the Act came into force, the Data Fiduciary must send a notice to customers. This notice should inform the customers of:

a. The personal data that was collected.
b. The purpose for which it was collected.
c. How they can exercise their rights (e.g., withdraw consent, request erasure).
d. How they can file a complaint with the Data Protection Board of India.

The notice should be in English or any language in the Eighth Schedule of the Constitution.

Consent is deemed valid unless withdrawn: the organisation can continue using the data unless the customer explicitly withdraws consent.

The Act states that the notice should be given "as soon as it is reasonably practicable" after the Act comes into force.

The Draft DPDP Rules, 2025 mention that data must be deleted, after a notice period of 48 hours, if a person has not used a service for a prescribed duration.


Processing Data without consent

Voluntary Data Sharing: Customer provides a number for a digital receipt.
Government Services: Government uses existing data for additional benefits.
Legal Compliance: Banks report transactions for tax purposes.
Court Orders: Company retains employee data for a legal case.
Medical Emergency: Doctor accesses past medical records in an emergency.
Public Health: Government tracks vaccination data.
Disaster Response: Travel records used for evacuation during floods.
Employment & Security: such as prevention of corporate espionage, maintenance of confidentiality of trade secrets, intellectual property, classified information or provision of any service or benefit sought by a Data Principal who is an employee.
Data processing for employment purposes without consent
Section 7(i) of DPDPA, 2023

Employers do not need explicit consent for processing employee data if it is required for corporate security (e.g., preventing espionage), trade secret protection, or providing workplace benefits.

Statutory retention periods for employee records:
• Salary slips & tax filings: 6-8 years, under the Income Tax Act, 1961
• Provident Fund (EPFO) records: indefinitely, under the Employees' Provident Funds & Miscellaneous Provisions Act, 1952
• Gratuity records: 5 years, under the Payment of Gratuity Act, 1972
• ESI contributions: 5 years, under the Employees' State Insurance Act, 1948
• Offer letters & contracts: until disputes are resolved, for legal defence in case of claims

However, if the employer wants to use employee data for a non-mandatory purpose, they must obtain explicit consent.

According to Rule 8 of the Draft DPDP Rules, 2025, companies must delete an individual's data three years after it is no longer used on a platform, and the individual must be notified 48 hours in advance.
CONSENT AND CONSENT WITHDRAWALS
(Chapter II, Section 6)

Consent given should be free, specific, informed, unconditional and unambiguous with a clear affirmative action, and signify an agreement to the processing of personal data.
• Any part of consent referred to in this Act which constitutes an infringement of the provisions of this Act, or the rules made thereunder, or any other law for the time being in force shall be invalid to the extent of such an infringement.
• Request for consent to be presented in English or any language specified in the Eighth Schedule of the Constitution.
• Data principal shall have the right to withdraw the consent at any time.
• Upon withdrawal of consent, the data fiduciary shall cease processing the personal data of the data principal unless such processing without consent is required or authorised under the Act, the rules made thereunder or any other law in force.
Rights and duties of data principal (Chapter III)

Rights:
• Right to access information about personal data
• Right to correction, completion, updation and erasure of personal data
• Right of grievance redressal
• Right to nominate

Duties:
• Not to suppress any material information while providing personal data for any document, unique identifier, proof of identity or proof of address.
• Not to register a false or frivolous grievance or complaint.
• Furnish only information which is verifiably authentic.
• Comply with the provisions of all applicable laws for the time being in force.
• Not to impersonate another person while providing her personal data for a specified purpose.
Notice

The notice should contain details about the personal data which is to be collected, the purpose of processing, the rights of the data principal and the way in which those rights can be exercised.
A similar notice should also, as soon as "reasonably practicable", be provided to the data principal when consent was obtained before the commencement of the Act. The timeline of the lookback period has not been provided.
The option to access the contents of the notice should be in English or any language specified in the Eighth Schedule to the Constitution.
Consent managers

The data principal may give, manage, review or withdraw consent through a consent manager.
The consent manager shall be accountable to the data principal and shall act on their behalf. The consent manager shall be registered with the board.
Consent managers can also make complaints to the board on behalf of the data principal, and are subject to inquiry by the board in the event of breach of any of their registration conditions.
Certain legitimate uses

Grounds of processing personal data: for a lawful purpose after obtaining consent of the data principal, or for certain legitimate uses. These legitimate uses include:
1. Personal data voluntarily provided by the data principal.
2. Data principal has not indicated "does not consent" to use of the personal data.
3. By the State and any of its instrumentalities for any function under any law for the time being in force in India.
4. For matters concerning public interest, e.g., medical emergency, judicial use.
5. For the purposes of employment or those related to safeguarding the employer from loss or liability.
Significant Data Fiduciary (SDF) - Section 10, DPDPA

Definition: A Data Fiduciary classified as "Significant" by the Central Government based on certain risk factors.

Criteria for Classification:
1. Volume and sensitivity of personal data processed
2. Risk to the rights of Data Principals
3. Impact on sovereignty, integrity, security of India
4. Public order and electoral democracy risks

Additional Obligations:
1. Must appoint a Data Protection Officer (DPO) based in India
2. Must conduct Data Protection Impact Assessments (DPIA) and regular data audits
3. Must engage an Independent Data Auditor to evaluate compliance

Data Protection Board of India

Role: Independent regulatory body responsible for enforcement of the DPDPA

Functions:
1. Investigates non-compliance and imposes penalties
2. Handles grievances related to data protection violations
3. Issues directions and mediates disputes between Data Principals and Data Fiduciaries
4. Has powers similar to a civil court in enforcing compliance
5. Composition: Chairperson and members appointed by the Central Government
Dispute Resolution Mechanisms

Section 8(10), DPDPA: Requires Data Fiduciaries to establish an effective grievance redressal mechanism to address complaints from Data Principals.
Sections 13(1) and 14, DPDPA: Provide Data Principals with the right to grievance redressal, and the right to nominate a representative to exercise their rights.
Section 13(3), DPDPA: Mandates that Data Principals must first exhaust the grievance mechanism of the Data Fiduciary before escalating the complaint to the Data Protection Board of India.
Section 18, DPDPA: Establishes the Data Protection Board of India, which is responsible for resolving grievances, investigating non-compliance, and imposing penalties.