India's DPDP Act 2023

India's Digital Personal Data Protection Act 2023 — defines Data Principal + Data Fiduciary roles, mandates consent, enforces from May 14, 2027.

The basics — what DPDP regulates

DPDP applies to processing of digital personal data within India, AND to processing outside India that involves offering goods or services to Data Principals in India. Functionally: if you're an Indian company processing personal data of anyone, or a foreign company processing personal data of Indians, you're in scope.

Personal data is defined broadly — any data identifying a person, directly or indirectly. Excludes data anonymised beyond re-identification.

Two key roles. Data Fiduciary: the person/company deciding the purpose + means of processing (= what GDPR calls Data Controller). Data Processor: the person/company processing on behalf of a Data Fiduciary (= GDPR's Data Processor).

The Section 6 consent rules

Consent must be: free, specific, informed, unconditional, unambiguous, and given by a clear affirmative action. Pre-checked boxes don't count. Consent bundled with other terms doesn't count.

Notice must be in clear plain language and inform the Data Principal about: the personal data being processed, the purposes, the way to exercise rights, and how to withdraw consent. Notice must be available in English and at least one of the 22 official Indian languages on Data Principal request.

Consent can be withdrawn at any time. Withdrawal can't be made harder than giving consent — and the Data Fiduciary must stop processing within a reasonable time after withdrawal.

Children's data (under 18): consent of a parent or guardian is required; tracking, behavioural monitoring and targeted advertising directed at children are not permitted.

Data Principal rights (Sections 11–14)

Right to access — Data Principals can request a summary of all personal data being processed about them, the identities of Data Fiduciaries with whom data is shared, and any other prescribed information.

Right to correction and erasure — request correction of inaccurate data, request erasure of data no longer needed for the purpose for which it was collected.

Right of grievance redressal — every Data Fiduciary must designate a Data Protection Officer (DPO) or Grievance Officer who responds within a prescribed period.

Right of nomination — Data Principal can nominate another person to exercise rights on their behalf in case of death or incapacity.

Operationally, this means SaaS products serving Indian users must build: a self-service data export, a self-service erasure flow, a grievance contact path, and a published DPO/grievance officer identity.

Grievance Officer + Data Protection Board

Every Data Fiduciary must publish a Grievance Officer's contact info. Functionally — name, email, postal address, and the process for complaints.

If the Grievance Officer doesn't resolve a complaint within the prescribed time, the Data Principal can escalate to the Data Protection Board of India — a new body created by the Act with quasi-judicial powers including ability to impose financial penalties.

Penalties scale aggressively: up to ₹250 crore per breach for failure to take reasonable security safeguards. ₹200 crore for breach of children's data obligations. ₹50 crore for consent / notice / cross-border violations. These are the upper bounds; actual penalties are graded by Board discretion considering nature, gravity, duration, etc.

Cross-border transfer (Section 16)

Section 16 permits transfer of personal data outside India to countries NOT specifically restricted by the central government. The default is permission; restrictions are by negative list.

As of late 2025, no countries have been explicitly restricted. The expectation is that the negative list will be small (China, possibly a few others) rather than the EU GDPR's positive-list adequacy-decision model.

For Indian SaaS using cloud providers in Singapore / Frankfurt / Virginia: the Section 16 default permits this. Document the cross-border flow in your Privacy Policy and you've satisfied the disclosure obligation.

The November 2025 rules + May 2027 enforcement timeline

The DPDP Act passed in August 2023. The substantive provisions don't enforce automatically — they require Rules notified by the central government to define operational details (notice format, breach notification timeline, technical safeguards, etc.).

DPDP Rules 2025 were notified November 13, 2025. They include: 18-month phase-in for Section 24 (security safeguards), specific breach reporting timeline (72 hours), DPO appointment thresholds (Significant Data Fiduciaries by class — to be designated), and consent management standards.

Section 24 substantive enforcement begins May 14, 2027 — the 18-month phase-in from November 2025 notification. Indian SaaS should be DPDP-aligned by that date or face penalty exposure.

Many Indian SaaS are building toward DPDP NOW rather than waiting — adopting the consent model, building the rights-management flows, publishing the Grievance Officer details. The 18-month phase-in is intended for implementation, not procrastination.

How LGTM aligns with DPDP for Indian teams

Grievance officer named · 72h breach SLA · India-jurisdiction governing law


FAQs

Is DPDP the same as GDPR?

Similar shape, different details. Both define controller/processor roles, both require consent + purpose limitation, both give individuals access/correction/erasure rights. DPDP is closer to GDPR than to CCPA. Key differences: DPDP doesn't have a 'legitimate interest' lawful basis (consent is the primary mechanism), DPDP's cross-border model is permission-by-default with a negative list, DPDP has a single regulator (Data Protection Board) vs GDPR's per-Member-State DPAs.

Does DPDP apply if I'm a US company serving Indian users?

Yes. DPDP's extraterritorial reach (Section 3(b)) covers any processing of Indian Data Principals' personal data, regardless of where the Data Fiduciary is located, if you're offering goods/services to Indians. The mechanics for enforcement against foreign companies are still being worked out — but the legal obligation exists.

What counts as 'reasonable security safeguards' under Section 24?

The Act doesn't enumerate them. Industry expectation is GDPR-equivalent — encryption at rest + in transit, access controls, audit logging, breach notification within 72 hours, regular security testing. The November 2025 Rules elaborate some specifics. India's CERT-In guidelines are also being treated as the closest thing to a checklist for what 'reasonable' means in practice.

Do I need to appoint a DPO?

Only if you're designated a 'Significant Data Fiduciary' by the central government — based on volume of processing, sensitivity of data, potential impact on Data Principals. The criteria for designation are still being finalised. Small SaaS startups are unlikely to be Significant Data Fiduciaries. But every Data Fiduciary, big or small, must designate a Grievance Officer (lighter role).

What happens if I don't comply by May 14, 2027?

Penalty exposure begins. Data Principals can complain to the Data Protection Board, the Board can investigate, the Board can impose fines up to ₹250 crore. The Indian regulatory pattern is to start with notices + warnings before financial penalties — but the penalty cap is enforceable from day one.

Where does India's DPDP fit vs the IT Act + IT Rules 2021?

DPDP supersedes the older Section 43A 'reasonable security practices' and SPDI Rules (2011) for personal data. The IT Act 2000 still covers intermediary liability (Section 79), cyber crime offences, electronic signatures. IT Rules 2021 still cover specific intermediary obligations (grievance officer for IT-intermediary purposes, content takedowns). Most Indian SaaS need both DPDP-compliance work AND IT Rules 2021 compliance work — they overlap but aren't identical.
