India's Data Protection Framework

Digital Personal Data Protection Act, 2023

A comprehensive statutory framework governing the processing of digital personal data in India, establishing rights of data principals and obligations of data fiduciaries with penalties up to ₹250 Crore.

Sections: 44
Rules: 15
Max Penalty: ₹250 Cr
Effective: 2025

Legislative Framework

Statutory Architecture

The DPDPA 2023 represents India's first comprehensive data protection legislation, replacing the Information Technology Act provisions on data protection. Combined with the DPDP Rules 2025, it establishes a complete regulatory framework.

Act passed: 11 August 2023
Rules published: 13 November 2025
Full enforcement: 13 May 2027

Key Definitions

Data Fiduciary

Entity that determines the purpose and means of processing personal data.

Data Principal

Individual to whom the personal data relates.

Data Processor

Entity processing data on behalf of a Data Fiduciary.

Consent Manager

Registered entity enabling consent management for data principals.

Significant Data Fiduciary

High-risk fiduciaries notified based on volume/sensitivity criteria.

Act Structure

Chapter-wise Provisions

Sections 1-3

Preliminary

Definitions & Applicability

Establishes territorial scope covering digital personal data processed within India or for offering goods/services to Indian data principals.

DPDP Rules 2025

Operational Compliance Framework

Rule 3: Notice to Data Principal (Critical)
Rule 4: Consent Manager Registration (High)
Rule 6: Security Safeguards (Critical)
Rule 7: Breach Notification (Critical)
Rule 8: Data Retention Periods (High)
Rule 10: Children's Verifiable Consent (Critical)
Rule 13: SDF Additional Obligations (Critical)
Rule 14: Data Principal Rights (High)

Enforcement

Penalty Schedule

Violation: Maximum Penalty
Failure to implement security safeguards (Section 8(5)): ₹250 Crore
Failure to notify breach (Section 8(6)): ₹200 Crore
Breach of children's data obligations (Section 9): ₹200 Crore
Breach of SDF obligations (Section 10): ₹150 Crore
Other contraventions: ₹50 Crore

Penalties may be applied per instance of violation and can be cumulative.

Navigate DPDPA Compliance

Our team provides strategic advisory on DPDPA implementation, SDF audits, and cross-border data transfer frameworks.