Digital Personal Data Protection Act, 2023 – India’s GDPR Law

What is the Digital Personal Data Protection Act, 2023?

Also known as the DPD Act or DPDA 2023 or India’s GDPR Act or sometimes even the IDPR or Indian Data Protection Act, the Digital Personal Data Protection Act, 2023 is a statute that was passed by the Indian Parliament in 2023. It deals with the processing of digital personal data in a manner that recognises both the right of individuals to protect their personal data and the need to process such personal data for lawful purposes and for matters connected therewith or incidental thereto

Whom is the Digital Personal Data Protection Act, 2023 applicable to?

The Digital Personal Data Protection Act, 2023 protects the “digital personal data” of an “individual” who is identifiable by such data or identifiable in relation to such data within the territory of India or in connection with any activity related to offering of goods or services to individuals within the territory of India.

Section 3 of the Act says that:

  1. Subject to the provisions of this Act, it shall—
    (a) apply to the processing of digital personal data within the territory of India
    where the personal data is collected––

    (i) in digital form; or
    (ii) in non-digital form and digitised subsequently;
    (b) also apply to processing of digital personal data outside the territory of
    India,
    if such processing is in connection with any activity related to offering of
    goods or services to Data Principals within the territory of India;
    (c) not apply to—
    (i) personal data processed by an individual for any personal or domestic purpose; and
    (ii) personal data that is made or caused to be made publicly available by—
    (A) the Data Principal to whom such personal data relates; or
    (B) any other person who is under an obligation under any law for the time being in force in India to make such personal data publicly available.

    Illustration
    X, an individual, while blogging her views, has publicly made available her personal data on social media. In such case, the provisions of this Act shall not apply.

Is it applicable to foreign entities outside India? What is the Jurisdiction of the Digital Personal Data Protection Act, 2023?

Yes, the Digital Personal Data Protection Act, 2023 is applicable to Foreign entities or companies which maybe physically located outside India but are offering goods or services to customers within the territory of India, irrespective of where the Data Fiduciary is located.

This means that the act also has extra-territorial jurisdiction.

What does a Data Principal not include?

(j) “Data Principal” means the individual to whom the personal data relates and where such individual is—
(i) a child, includes the parents or lawful guardian of such a child;
(ii) a person with disability, includes her lawful guardian, acting on her
behalf

This means that the Data Principal must be an “individual” and not a group or organization or company. This basically means that the “individual” has to be a natural person and it does not include an artificial or juristic person.

Every example / illustration in the Act also talks about only “individuals” i.e. natural persons.

From when will the Digital Personal Data Protection Act, 2023 take effect?

The Digital Personal Data Protection Act, 2023 has come into force on 11th August 2023.

Does the Digital Personal Data Protection Act, 2023 cover data that was collected in physical form or hard copies?

If the data in physical form was later converted to soft form or was digitied by any means, then the digitized data is covered by the Digital Personal Data Protection Act, 2023.

This means that if a company has collected information through a physical form and then later scanned or photographed such form or supporting documents, the Digital Personal Data Protection Act, 2023 will apply to that information and company.

Which are the various entities and authorities under the Digital Personal Data Protection Act, 2023?

  • Data Principal
  • Data Fiduciary
    • Significant Data Fiduciary
  • Data Processor
  • Consent Manager
  • Data Protection Officer
  • Data Protection Board of India
    • Chairperson
    • Member of the Board
  • Appellate Tribunal
  • the State

Who is a Data Principal?

A Data Principal can only be a natural person or real person i.e. a human being which has some “personal data”. A child, a disabled person and even a senior citizen are all considered Data Principals.

A Data Principal cannot be an artificial or juristic person like a company, HUF, association of persons, cooperative society etc. as these artificial entities cannot possess any “personal data”.

Who is a Data Fiduciary?

Digital Personal Data Protection Act, 2023 Bare Act

Digital-Personal-Data-Protection-Act-2023

Digital Personal Data Protection Act, 2023 draft Rules 2025

Draft-Rules-2025-259889

How is the Digital Personal Data Protection Act, 2023 comparable to the GDPR?

Leave a Comment


error: The content on this website is (C) Lawgic.info. Ask for permission at info@lawgic.info !!