Digital Personal Data Protection Act and Rules

India has entered a new phase of its digital journey, with rapid digitisation making personal data a key part of everyday life. Recognising this, India enacted the Digital Personal Data Protection Act (DPDPA) to safeguard personal data and privacy. The Act formally recognises privacy as a protected right.

To operationalise it, the Ministry of Electronics and Information Technology (MeitY), Government of India, notified the DPDP Rules on November 13, 2025. These rules translate the law into actionable obligations for organisations and enforceable rights for citizens, enabling phased implementation of India’s first data governance legislation.

What Does DPDPA Mean for Citizens?

Privacy is no longer a distant legal concept. It shows up in everyday moments, often without us noticing. It affects:

  • WHAT information is being requested from us?
  • WHY is it being collected?
  • HOW securely is it being stored?
  • CAN we question, access, or stop its misuse?

Every click, form, app download, and consent screen involves personal data.

The DPDPA applies whenever personal data is collected, stored, used, or shared in digital form, including offline data that is later digitised. It even applies to entities not established in India but offering goods and services to Indian citizens.

What Does This Change Mean for Citizens?

  • Your personal data cannot be collected without a lawful reason.
  • You have the right to know, decide, and question.
  • Organisations must be transparent and accountable.
  • There are clear remedies if something goes wrong.

Privacy is no longer something that depends on goodwill. It is your right.

What is Personal Data?

Personal data is any information that can identify a person, directly or indirectly. This may seem obvious, but in daily life, personal data often hides in plain sight.

Common examples of personal data include:

  • Name, phone number, email ID
  • Aadhaar, PAN, voter ID, passport
  • Photos, videos, voice recordings
  • Location data, IP address, device IDs
  • Bank details, transaction records, health records

What is Sensitive Data?

Did you know that some personal data is sensitive in nature? You should be extra cautious while sharing such data, as any misuse, abuse, leak, or breach of it may cause you serious harm.

Some examples of sensitive personal data are:

1. Health records: Medical history, prescriptions, diagnostic reports, mental health information, vaccination details.
2. Financial details: Bank account numbers, credit/debit card details, UPI IDs, transaction history, income information.
3. Biometrics: Fingerprints, facial recognition data, iris scans, voice samples.
4. Identity documents: Aadhaar number, PAN, passport, voter ID, driving licence.

Where Do People Share Data Without Realising?

1. Online & Mobile Use

  • Filling online forms (registrations, surveys, feedback)
  • Using free apps, games, or trial services
  • Signing in using social media or email accounts
  • Granting app permissions without review
  • Auto-syncing contacts, photos, or location data

2. Everyday Digital Transactions

  • Online shopping and food delivery platforms
  • Digital payments, wallets, and UPI apps
  • Loyalty programs, memberships, and subscriptions
  • Booking travel, events, or appointments

3. Social Media & Communication

  • Posting photos, videos, or location tags
  • Participating in online contests, polls, or giveaways
  • Clicking on links shared over email, SMS, or messaging apps
  • Joining groups, forums, or community platforms

4. Work, Education & Health

  • Using workplace tools, attendance apps, or HR portals
  • School and college admissions and learning platforms
  • Telemedicine apps and online health records
  • Fitness trackers and wellness apps

What Does Giving Consent Mean?

Consent means you knowingly and freely allow an entity to collect and use your data for a stated purpose, based on the notice you receive. Every time you download an app, sign up for a service, or tick an “I Agree” box, you are giving consent. But consent is not meant to be automatic or forced.

Under the DPDP Act, consent must be meaningful: given with understanding, choice, and control.

Note: Sharing your location with a cab app for a ride is reasonable. Allowing it to track you all day is not.

Valid Consent Must Be:

  • Clear and specific
  • Given freely
  • Based on proper information
  • Limited to a defined purpose
  • Easy to withdraw
  • Recorded properly

Checklist for Citizens

  • Does it explain what data is being collected and for what purpose?
  • Can I say no without losing service?
  • Is withdrawal as easy as giving consent?
  • Is consent obtained separately for each purpose?

Understanding Your Data Rights

1. Right to Give or Refuse Consent

You have the right to allow or deny the use of your personal data for a specific purpose based on the notice provided before data collection. The notice must be in clear and understandable language.

2. Right to Know How Data is Used

You can ask organisations what personal data they collect, why it is collected, and how it is used. This information must be provided in a simple and clear format.

3. Right to Access Personal Data Information

You can access details about your personal data, including a summary of how it is processed, with whom it is shared, and what information has been shared.

4. Right to Correct Personal Data

You can request correction of inaccurate or incomplete personal data.

5. Right to Update Personal Data

You may ask organisations to update your personal information when details change, such as your address or contact number.

6. Right to Erase Personal Data

You may request deletion of your personal data in certain circumstances, and the Data Fiduciary must consider and act on the request.

7. Right to Nominate Another Person

You can nominate someone to exercise your data rights on your behalf in case of death or incapacity.

8. Right to Be Informed of a Data Breach

If your personal data is breached, the Data Fiduciary must inform both you and the Data Protection Board in the prescribed manner.

9. Right to Grievance Redressal

You can raise complaints with the Data Fiduciary or Consent Manager, who must resolve them within the prescribed timeframe. If unresolved, you may approach the Data Protection Board.

10. Right to Secure Personal Data

The Data Fiduciary must ensure your personal data is protected, including when processed by third parties, by implementing reasonable security measures such as:

  • Encryption, masking, or tokenisation to protect data
  • Restricting access to authorised individuals only
  • Continuous system monitoring and logging to detect unauthorised access
  • Maintaining data backups to restore lost or compromised information
  • Retaining system logs for at least one year to investigate security incidents (unless other laws require otherwise)
  • Including security requirements in contracts with Data Processors
  • Implementing both technical and organisational safeguards to ensure effective data protection
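To make the first three measures on this list concrete, here is an added illustration in Python. It is not code from this page or from any official DPDP guidance; it shows what masking, tokenisation, access restriction and access logging look like in practice for one customer record. The record, the HMAC key, the role names and the actor names are all constructed for the example, and the role policy (`AUTHORISED_ROLES`) is an assumption, not something the Act or Rules prescribe.

```python
"""Masking, tokenisation and access logging of personal data (illustrative only)."""
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed sample record; the values are made up and identify no real person.
SAMPLE_RECORD = {
    "name": "Asha Verma",
    "phone": "9876543210",
    "email": "asha.verma@example.com",
    "pan": "ABCDE1234F",
}

# Hypothetical role policy: only these roles may recover an original value.
AUTHORISED_ROLES = {"fraud-analyst", "dpo"}


def mask_phone(phone: str) -> str:
    """Masking keeps what is useful (the last four digits) and hides the rest."""
    digits = "".join(ch for ch in phone if ch.isdigit())
    hidden = max(len(digits) - 4, 0)
    return "X" * hidden + digits[hidden:]


def mask_email(email: str) -> str:
    """Keep the first character of the local part and the domain only."""
    local, sep, domain = email.partition("@")
    if not sep or not local:
        return "***"
    return f"{local[0]}***@{domain}"


class TokenVault:
    """Tokenisation: the shared record carries only a token; the token->value
    map lives in this vault, assumed to be a separately access-controlled store."""

    def __init__(self, key: bytes) -> None:
        self._key = key
        self._store: dict[str, str] = {}
        self.audit_log: list[str] = []  # JSON lines, kept for later investigation

    def _log(self, actor: str, role: str, action: str, token: str, allowed: bool) -> None:
        entry = {
            "ts": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "actor": actor, "role": role, "action": action,
            "token": token, "allowed": allowed,
        }
        self.audit_log.append(json.dumps(entry, sort_keys=True))

    def tokenise(self, value: str) -> str:
        # Keyed HMAC: deterministic (same value -> same token, so joins still work)
        # but not recoverable without both the key and the vault contents.
        digest = hmac.new(self._key, value.encode("utf-8"), hashlib.sha256).hexdigest()
        token = "tok_" + digest[:16]
        self._store[token] = value
        return token

    def detokenise(self, token: str, actor: str, role: str) -> str:
        # Every attempt is logged, whether or not it is allowed.
        allowed = role in AUTHORISED_ROLES and token in self._store
        self._log(actor, role, "detokenise", token, allowed)
        if not allowed:
            raise PermissionError(f"{actor} ({role}) may not detokenise {token}")
        return self._store[token]

    def denied_count(self) -> int:
        """Number of refused attempts recorded in the audit log."""
        return sum(1 for line in self.audit_log if not json.loads(line)["allowed"])


def protect_record(record: dict, vault: TokenVault) -> dict:
    """The copy of the record that ordinary downstream systems are allowed to see."""
    return {
        "name": record["name"],
        "phone": mask_phone(record["phone"]),
        "email": mask_email(record["email"]),
        "pan": vault.tokenise(record["pan"]),
    }


if __name__ == "__main__":
    vault = TokenVault(key=b"demo-key-do-not-use-in-production")
    safe = protect_record(SAMPLE_RECORD, vault)
    print(json.dumps(safe, indent=2))
    try:
        vault.detokenise(safe["pan"], actor="marketing-bot", role="marketing")
    except PermissionError as exc:
        print("denied:", exc)
    print(vault.detokenise(safe["pan"], actor="priya", role="fraud-analyst"))
    print("\n".join(vault.audit_log))
```

The point of the split is that most systems and staff only ever handle the masked and tokenised copy, while the original PAN can be recovered by a small set of roles, and each recovery attempt, successful or refused, leaves an audit line that can be retained for the period the Rules require.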

Duties of Data Principal

While the law empowers you with rights, there are also duties to follow to protect your rights under the law.

Citizens should:

  • Follow all applicable laws while exercising rights under the Act
  • Do not impersonate someone else when providing personal data
  • Do not hide or give false information when sharing identity or address details
  • Do not raise false, misleading, or frivolous complaints or grievances
  • Provide only correct and verifiable information when requesting correction or deletion of personal data

Non-compliance with these duties may attract a penalty of up to Rs. 10,000, as prescribed under the DPDP Act.

Did You Know?

  • You can voluntarily share your personal data for a specific purpose, and it can be used only for that purpose. Governments may also use it to deliver services, benefits, licences, or permits.
  • Personal data may be processed to comply with Indian laws, court orders, or lawful government directions. Data may be used during investigations, legal proceedings, or for national security.
  • In emergencies, epidemics, disasters, or public order situations, data can be used to protect life and provide assistance.
  • Employers may process employee data for legitimate employment and legal purposes.

Special Protection for Children & Persons with Disabilities

Children and Persons with Disabilities (PwD) may not always fully understand how their personal data is collected, used, or shared. To protect them, India’s data protection law provides stronger safeguards to prevent misuse and ensure their safety and inclusion.

What Does The Law Require?

  • Entities must obtain verifiable consent from a parent or lawful guardian before processing a child’s data, or from a legal guardian for PwD where applicable.
  • A child’s personal data cannot be used for tracking, behavioural monitoring, or targeted advertising.
  • Data must not be processed in ways that could harm a child’s safety, mental health, or well-being.

What Does This Mean for Citizens & Families?

  • Parents and guardians play a key role in protecting children’s digital privacy.
  • PwDs are entitled to equal protection and accessible communication.
  • Any unsafe, misleading, or exploitative data practice should be questioned or reported.

Exceptions

Certain entities such as healthcare providers, educational institutions, crèches/day-care centres, and school transport providers may process children’s data without requiring verifiable parental consent for specific services.

Why Does This Matter?

Children and PwD are a vulnerable section of the population. Any violation of their rights may have long-lasting and unwarranted consequences.

If adults deserve control over their data, children deserve even stronger protection.

When Is the DPDP Act Not Applicable?

The Digital Personal Data Protection (DPDP) Act protects personal data but does not apply in certain situations. Knowing these exceptions can help you make safer choices online.

The DPDP Act may not apply when:

  • You share personal data publicly: For example, posting your phone number, email, photos, or personal details on public social media profiles, forums, or comment sections.
  • Data is made public as required by law: Such as names in voter lists, details of company directors on government portals, or names mentioned in court judgments.
  • Data is used for personal or domestic purposes: For example, saving contacts on your phone, sharing photos in a private family group, or maintaining a personal diary.

Always think carefully before sharing personal information publicly, as it may be accessed or used by others.

The Data Protection Board (DPB)

The Data Protection Board (DPB) is the authority established under the DPDP Act to protect citizens’ data rights. Individuals can approach the DPB if complaints about data misuse, breaches, or violations by a Data Fiduciary or Consent Manager are not resolved.

The Board investigates such cases and ensures compliance with the law. It operates as a digital-first body with powers to conduct inquiries, issue directions, and impose penalties for non-compliance. Its head office is in the National Capital Region.

Privacy is not only about laws and policies; it is shaped by daily choices and habits. Whether you are an individual citizen or an organisation, following these simple practices can significantly reduce risk and build trust.

DO’s

  • Understand why your data is being collected and how it will be used before sharing it.
  • Review app permissions regularly and allow access only to what is necessary (location, contacts, camera, etc.).
  • Report suspicious messages, calls, or misuse of your data immediately.
  • Remember that consent is your choice: give it carefully and withdraw it when needed.

DON’TS

  • Do not share sensitive information like your address, date of birth, ID numbers, or financial details unless absolutely necessary.
  • Do not skip consent screens without reading them, as you may unknowingly agree to data use.
  • Avoid clicking unknown links, pop-ups, or “free offers” without verifying their authenticity.
  • Don’t ignore app updates or privacy setting changes. Updates may reset permissions or introduce new data practices that require your review.