The Digital Personal Data Protection Act (DPDP Act), enacted in India in August 2023, represents a significant advancement in the country’s approach to data privacy and protection. This legislation aims to create a comprehensive framework for the processing of personal data, aligning closely with principles found in the European Union’s General Data Protection Regulation (GDPR). The Act marks a significant shift in how personal data is handled and imposes obligations and rights that organizations operating both within and outside India must adhere to. The DPDP Act is designed to protect individuals’ personal data while balancing the needs of data processing by businesses and government entities. It establishes clear definitions, rights, and obligations concerning personal data.
Key Definitions
- Personal Data: Defined as any data that relates to an identifiable individual.
- Data Fiduciaries: Entities that determine the purpose and means of processing personal data.
- Data Principals: Individuals whose personal data is being processed.
- Significant Data Fiduciaries (SDFs): A subset of data fiduciaries that handle large volumes of sensitive personal data or pose significant risks to individuals’ rights.
Who Does DPDP Act Apply To?
The DPDP Act, enacted in India in August 2023, establishes a comprehensive legal framework for the processing of personal data. It applies to all entities processing digital personal data within Indian territory, and to entities outside India that offer goods or services to individuals in India. The law does not cover personal data processed for domestic purposes or publicly available information.
Its applicability is crucial for understanding how businesses, both domestic and international, must navigate the landscape of data protection in India. This section delves into the specific clauses and provisions that define and elaborate on the applicability of the DPDP Act from the perspective of Indian businesses.
DPDP Act Rights and Obligations
The DPDP Act grants several rights to individuals, including:
- Right to Notice: Individuals must be informed about the collection and use of their personal data.
- Right to Access: Individuals can request access to their personal data held by data fiduciaries.
- Right to Erasure: Individuals can request deletion of their personal data when it is no longer necessary for the purpose for which it was collected.
- Right to Portability: Individuals can transfer their personal data from one service provider to another.
Obligations of Data Fiduciaries
Data fiduciaries must:
- Obtain verifiable consent from individuals before processing their personal data.
- Ensure that the processing is done for legitimate purposes and that the data is accurate and up-to-date.
- Implement security measures to protect personal data from breaches.
- Notify the Data Protection Board (DPB) and affected individuals in case of a data breach.
DPDP Act Consent Management
The DPDP Act introduces a mechanism for managing consent through “Consent Managers,” who act on behalf of individuals. This system aims to enhance transparency and control over personal data usage.
What is the Territorial Scope of the DPDP Act?
The DPDP Act applies to any processing of digital personal data that occurs within Indian territory. This includes data collected online or offline, as long as it is subsequently digitized. Therefore, businesses operating in India must comply with the Act regardless of their physical location if they are processing personal data. This broad territorial scope means that even foreign companies offering goods or services to individuals in India are subject to the same regulations as local entities. Consequently, it is crucial for businesses to assess their operations and ensure compliance with the DPDP Act when engaging with Indian consumers.
What about DPDP Act Extraterritorial Applicability?
In addition to its territorial scope, the DPDP Act has extraterritorial applicability, meaning it extends to entities outside India that process personal data related to individuals within India. If a foreign company collects or processes personal data from Indian residents while offering goods or services in India, it must adhere to the provisions of the DPDP Act. This requirement emphasizes the importance of understanding international compliance obligations and necessitates that businesses implement appropriate data protection measures when dealing with Indian customers or clients.
Non-Domestic Context
The law does not apply to personal data processed for purely domestic or household purposes. Therefore, activities such as personal email communications or family photo storage do not fall under its jurisdiction.
What is the Definition of Personal Data under DPDP Act?
The DPDP Act defines “personal data” as any information that relates to an identifiable individual. This definition encompasses a wide range of data types, including names, identification numbers, location data, online identifiers, and any other factors specific to an individual’s identity. Importantly, the Act applies not only to personal data collected in digital form but also to non-digital data that has been digitized. Businesses must ensure they have clear policies and procedures in place for handling all forms of personal data under this definition.
Types of Entities Covered under DPDP Act
The DPDP Act applies to a diverse range of entities involved in processing digital personal data. This includes:
- Individuals: Any person processing personal data as part of their professional activities.
- Companies: Corporations and organizations engaged in commercial activities involving personal data.
- Partnerships and Firms: Legal entities that process personal data as part of their operations.
- Associations: Groups or associations—registered or unregistered—that handle personal data.
- Government Bodies: The state and its instrumentalities are also included under this definition.
Understanding which entities fall under the purview of the DPDP Act is critical for compliance efforts, as all these parties have specific responsibilities regarding personal data processing.
Exclusions from DPDP Act Applicability
Certain types of data processing are explicitly excluded from the DPDP Act’s applicability. Notably:
- Household Data Processing: Personal data processed for purely domestic purposes does not fall under the regulation of this law. For example, casual sharing of photos among family members would not be subject to the DPDP Act.
- Publicly Available Information: Data that is publicly available and not subject to restrictions on access is also exempt from regulation under this Act. Businesses should be aware that just because information is public does not mean they can use it without considering other legal implications.
DPDP Act Consent Requirements
One of the cornerstone principles of the DPDP Act is the requirement for obtaining consent before processing personal data. Businesses must ensure that they obtain verifiable consent from individuals prior to collecting or using their personal information. This consent must be informed, specific, and freely given without coercion. Organizations should develop clear consent mechanisms that allow individuals to understand what they are consenting to and provide options for them to withdraw consent at any time.
DPDP Act Obligations for Data Fiduciaries
Entities classified as data fiduciaries under the DPDP Act face several obligations designed to protect individual rights and ensure responsible handling of personal data:
- Data Security Measures: Data fiduciaries must implement reasonable security safeguards to protect personal data against breaches and unauthorized access.
- Accountability: Organizations are required to maintain records of their processing activities and demonstrate compliance with the DPDP Act upon request by regulatory authorities.
- Breach Notification: In case of a breach involving personal data, organizations must notify both affected individuals and the Data Protection Board (DPB) promptly.
These obligations highlight the importance of establishing robust internal policies and practices for managing personal data effectively.
Rights Granted to Data Principals
The DPDP Act grants several rights to individuals whose personal data is being processed:
- Right to Access: Individuals can request access to their personal data held by a data fiduciary.
- Right to Correction and Erasure: Individuals have the right to seek correction of inaccurate personal information and request deletion when it is no longer necessary for its intended purpose.
- Right to Portability: Individuals can obtain their personal data in a structured format and transfer it to another service provider if desired.
Businesses must be prepared to facilitate these rights efficiently while ensuring compliance with legal requirements surrounding them.
Significant Data Fiduciaries (SDFs)
The DPDP Act introduces a category known as significant data fiduciaries (SDFs), which are organizations that handle large volumes of sensitive personal data or pose significant risks to individuals’ rights. SDFs face additional obligations compared to regular data fiduciaries:
- They must appoint a Data Protection Officer (DPO) based in India who will oversee compliance efforts.
- SDFs are required to conduct regular Data Protection Impact Assessments (DPIAs) and audits.
- They may also need to register with relevant authorities in India.
This categorization emphasizes the need for businesses handling substantial amounts of sensitive information to adopt more stringent compliance measures.
Regulatory Framework
The establishment of a regulatory body under the DPDP Act marks a significant step toward enforcing compliance:
The Data Protection Board (DPB) will oversee adherence to the provisions laid out in the DPDP Act. It will adjudicate complaints from individuals regarding violations of their rights and impose penalties on non-compliant organizations.
Businesses must stay informed about developments within this regulatory framework and be prepared for potential audits or inquiries from regulatory authorities regarding their compliance status.
What are the Penalties for DPDP Act Non-compliance?
Non-compliance with the provisions outlined in the DPDP Act can result in significant penalties:
- Fines can reach up to INR 250 crores (approximately $30 million), depending on various factors such as severity and frequency of violations.
- Specific penalties may apply for failing to secure consent or adequately protect personal data against breaches.
Organizations should establish internal mechanisms for continuously monitoring compliance and addressing potential issues before they escalate into violations that attract penalties.
What are the DPDP Act Implications for Indian Businesses?
From an Indian business perspective, compliance with the DPDP Act necessitates several strategic adjustments:
- Businesses should conduct thorough assessments of their current practices regarding personal data handling.
- Developing comprehensive privacy policies that align with legal requirements will be essential.
- Organizations may need to appoint dedicated personnel responsible for overseeing compliance efforts—often referred to as Data Protection Officers (DPOs).