How to Legally Collect & Store Customer Data in India

Introduction

Over the last few years, Indian businesses, especially those in retail, tech, and services, have come to depend heavily on customer data. It’s no longer just a by-product of operations. It’s central to how businesses reach users, personalise offerings, and optimise revenue. But with that shift, legal obligations around data have become stricter. And in 2025, companies can’t afford to be lethargic about how to legally collect & store customer data in India.

The introduction of the Digital Personal Data Protection Act, 2023 (“DPDP Act”) brought in a structured framework, consent-based, purpose-limited, and compliance-heavy. It had reshaped what companies are allowed to do, and more importantly, what they’re required to do when it comes to data collection, processing, and storage.

This article is meant to serve as a practical guide for companies trying to align with the law. Here’s what is covered:

• Definitions and scope of “personal data” in India.
• What makes data collection lawful under DPDP.
• Drafting notices and obtaining valid consent.
• Best practices under customer data storage laws India.
• Creating a sound data retention policy under DPDP Act.
• Meeting consent requirements under Indian data protection law.

Understanding Personal Data in the Indian Legal Context

Any discussion on ‘how to legally collect & store customer data in India’ must begin with a clear grasp of what exactly qualifies as “personal data” under Indian law. The Digital Personal Data Protection Act, 2023 (“DPDP Act”) has provided a statutory definition, but how it plays out in practical business settings often depends on context, intent of use, and the risk profile of the data collected.

The DPDP Act defines “personal data” in very broad terms. It covers any data about an individual who can be identified either from that data alone or in combination with other available information. That sounds like basic name–email–phone number territory. But in reality, what qualifies goes much further. If the system tracks a customer’s IP address, device ID, purchase history, or browsing pattern, it likely would be processing personal data, even if name would never be entered.

Now, this classification is not academic. Businesses that fail to correctly assess what they would be collecting may inadvertently skip consent obligations or breach storage norms. And under the DPDP regime, that would be classified as a compliance violation.

Definitions in Law, Implications in Practice

The statutory language (Section 2(t) of the DPDP Act) is deceptively simple:

“Personal data” means any data about an individual who is identifiable by or in relation to such data.

But in real operations, legal teams are constantly being pulled into debates over what actually is defined under personal data.

Here’s a quick list of what typically qualifies:

• Basic identifiers: Full name, mobile number, email address.
• Government IDs: Aadhaar, PAN, passport number.
• Digital touchpoints: IP addresses, device fingerprints, digital IDs.
• Transactional history: Orders, browsing patterns, payment trails.
• Biometric and health-linked inputs.
• Location data, especially if real-time and user-specific.

If the data can trace back, even probabilistically, to an individual, it would be classified as personal data under the DPDP Act.

Implicit Hierarchies, Sensitive Data and Regulatory Risk

Interestingly, the DPDP Act no longer carves out a separate category called “sensitive personal data” the way earlier drafts or the GDPR do. But that doesn’t mean Indian law treats all personal data the same.

Sectoral regulators such as RBI, SEBI, IRDAI, and MeitY have, over the years, issued circulars or internal advisories requiring enhanced security standards for what may be informally referred to as high-risk data.

What usually falls into this high-risk bucket?

• Bank details, UPI credentials, CVV codes;
• Medical records, mental health data;
• Biometric scans, facial recognition samples;
• Gender identity, caste, or religious affiliation; and
• Data belonging to minors or disabled individuals.

Even if the DPDP Act avoids the label “sensitive”, businesses are expected to know when additional safeguards must kick in. Ignoring that distinction might not get flagged by the text of the Act, but it can still land in regulatory trouble.

Sector-Specific Interpretations

Below is a table capturing how different sectors typically encounter personal data and what classification they are expected to apply in practice:

Sector	Sample Data Points	Classification	Compliance Implication
FinTech	Aadhaar, account number, UPI ID	High Risk/Personal	RBI encryption norms apply
EdTech	Student records, parent contacts, quiz history	Personal/Sensitive	Child-specific safeguards
E-commerce	Name, phone, delivery address, past orders	Personal	Profiling risk under consent
HealthTech	Blood reports, prescriptions, doctor notes	Sensitive	Likely requires DPO, DPIA
CRM SaaS	Lead tags, chat transcripts, behavioral logs	Personal	Must issue granular privacy notices

Legal Risk of Misclassification

Excluding personal data from core legal workflows—whether in privacy notices, data retention policies, or cross-border transfer assessments—creates immediate compliance risk. This is not a hypothetical concern. For instance, even if a company claims to store only hashed identifiers, those identifiers may still be considered personal data under the law if they can later be linked to an individual profile.

Operationally, such misjudgments often surface in subtle but critical ways:

• Behavioral logs are retained to refine user experience—were users informed, and did they consent?
• Support tickets are “anonymized” by the development team—were they truly anonymized, or merely masked?
• A cloud vendor holds system logs beyond your retention window—are you still responsible? The answer is yes.

Each of these reflects a broader issue: misunderstanding what qualifies as “personal data” under the DPDP Act can lead to systemic non-compliance. Beyond retention concerns, it may trigger mandatory breach reporting, regulatory scrutiny, and erosion of user trust.

Legal Basis for Data Collection Under DPDP Act, 2023

Most businesses collecting personal data in India are quick to focus on technology, where it’s stored, what APIs are used, or how it’s encrypted. But the law doesn’t begin with tech. It begins with justification. The very act of collecting personal data, be it as simple as an email or as indirect as an IP address, must have a lawful basis. Otherwise, the collection itself is illegal, no matter how good your security team is.

Recognised Legal Grounds (and Common Misuse)

The DPDP Act outlines six lawful grounds under which data can be collected. These are:

• Consent (voluntary, informed);
• Fulfilment of a contract;
• Legal obligation (statutory compliance, court orders);
• Employment functions (but only proportionate use);
• Welfare delivery by the State; and
• Emergencies (e.g. pandemics, disasters).

Purpose Limitation:

The principle of purpose limitation under the Digital Personal Data Protection Act, 2023 (DPDP Act) is a core obligation placed on data fiduciaries. It mandates that personal data must be collected only for a specific, lawful purpose that is clearly stated to the data principal (i.e., the individual to whom the data relates) at the time of collection. As per Section 4(1)(a) of the DPDP Act, a data fiduciary may process personal data only for purposes that are lawful, specific, and explicitly informed to the individual. This ensures that individuals have a clear understanding of how their data will be used and allows them to give informed consent.

Moreover, data fiduciaries are prohibited from using the collected personal data for any new or unrelated purpose unless fresh consent is obtained or such use is permitted under specific legal grounds outlined in the Act. The purpose limitation principle is closely linked to the requirement of notice and consent and is designed to prevent the misuse or repurposing of personal data beyond what was originally agreed.

Data Retention:

Under the Digital Personal Data Protection Act, 2023 (DPDP Act), data retention is governed by the principle that personal data should not be retained for longer than is necessary to fulfill the purpose for which it was collected. As per Section 8(7) of the Act, data fiduciaries are obligated to erase personal data once it is reasonably clear that the purpose for which the data was collected is no longer being served, and retention is no longer necessary for any legal or business purpose. This requirement ensures that organizations do not hold on to personal data indefinitely, thereby reducing the risk of misuse, breaches, or non-compliance.

Accordingly, businesses are expected to implement data retention policies that define the duration for which different categories of personal data are stored, the legal or operational justifications for such retention, and the process for periodic data reviews and secure deletion. These policies must align with the purpose limitation and data minimization principles under the Act. Failing to implement or enforce a clear data retention policy not only increases compliance risk but may also trigger enforcement action by the Data Protection Board.

Privacy Notices:

The privacy notices play a central role in ensuring transparency and informed consent. As per Section 5(1) of the Act, a data fiduciary must provide a notice to the data principal before or at the time of seeking consent. This notice must clearly describe the personal data being collected, the specific purposes for which it is being processed, the manner in which individuals can exercise their rights under the Act, and details of the grievance redressal mechanism. The goal is to enable individuals to make informed decisions about sharing their data, ensuring consent is freely given and based on a clear understanding of the implications.

To comply with the DPDP Act, privacy notices must be written in clear and plain language, and where applicable, made available in multiple languages to ensure accessibility. Importantly, businesses must update their privacy notices when there is a change in processing activities or legal requirements, and they should retain documented proof of consent obtained after such notice has been provided. Inadequate or ambiguous notices can lead to invalid consent, which in turn may expose businesses to penalties or enforcement actions from the Data Protection Board.

Consent Requirements for Data Collection

Consent remains the most discussed and misunderstood requirement under Indian data protection law. While most businesses are aware that some kind of “consent” is needed, very few implement it in a way that would stand up to legal scrutiny. Under the DPDP Act, vague checkboxes or implied approvals are not enough.

To be legally valid, consent must be freely given, informed, specific, and unambiguous. And for businesses aiming for DPDP Act 2023 compliances, that standard must be met not only on the front-end interface but also in back-end storage, logs, and dispute workflows.

Key Ingredients of Valid Consent

As per Sections 6 and 7 of the DPDP Act, valid consent must satisfy all the following:

• Must be obtained before collection, unless a legal exemption applies;
• Must clearly explain what data is being collected and why;
• Should not be bundled with other services or made conditional;
• Consent for children or disabled persons must be given by guardians; and
• Withdrawal of consent must be made as easy as giving it.

A pre-checked box or silence does not equal consent. The user must actively confirm, in a clear manner, that they agree to the collection and processing of specific data.

Opt-In vs. Opt-Out Mechanisms

While the law does not explicitly prohibit opt-out models, courts and regulators globally have leaned toward opt-in as the ethical standard, especially for anything beyond service-level functionality.

Here’s a quick comparison:

Mode	Legal Status under DPDP	Risk Level	Example Use Case
Opt-In	Compliant	Low	Newsletter signup, third-party sharing
Opt-Out	Risky (not ideal)	Medium to High	Data used for ads unless unchecked
Implied	Not permitted	High	Passive cookie collection

Where consent is the basis, it must be explicit, meaning checkboxes should be unchecked by default, and language must not be misleading. Hidden preconditions, long sentences, or mixing privacy statements with unrelated T&Cs may render consent invalid.

Special Provisions for Minors and Disabled Persons

The DPDP Act requires that in case of minors (below 18 years) or persons with disabilities who are not legally competent to contract, consent must be provided by a parent or lawful guardian.

This means platforms serving users below 18, such as EdTech startups or gamified learning apps, must implement age-gating, parental approval flows, and have a record of the guardian’s identity. Failing to do so would not just a breach the consent requirements under DPDP Act, it can also trigger potential violations under child protection laws in India.

Drafting Consent Forms and Privacy Policies the Right Way

Drafting legally compliant consent forms is no longer a one-time exercise. Every new use case, especially involving AI, profiling, or analytics, requires a review. Some key drafting pointers:

• Use plain language and short sentences;
• Avoid ambiguous terms like “may”, “could”, “from time to time”;
• List purposes distinctly, avoid catch-all language;
• Translate into vernacular languages where applicable;
• Store timestamped logs of consent given; and
• Use layered notices where space is limited (e.g. app flows).

Additionally, your privacy policy must reflect actual practices. If it is mentioned that data is deleted after 6 months, the logs must prove that. Any mismatch can turn into a Section 34 violation, especially if users file grievances or demand proof.

Data Collection Compliance Workflow for Businesses

For most companies, the actual collection of customer data begins with a form, an API, or a third-party plugin. But from a legal standpoint, collection begins with consent and ends with proof. Between these two ends lie a number of operational steps, most of which are often overlooked or misaligned. A legally defensible workflow isn’t just about having a privacy policy, it’s about connecting the data journey with what the law actually requires.

This section offers a practical lens on how to build a data compliance flow.

Mapping The Data Flow

Before jumping to templates or checklists, businesses need to ask: what data are they collecting, and how is it moving?

Start by documenting:

• Each form, pop-up, or API where personal data enters;
• The purpose behind collecting each data point;
• Whether the user is made aware at the point of entry;
• How the data is being stored, processed, or transferred; and
• Whether any third parties are involved (cloud storage, CRM, analytics tools).

Step-by-Step Legal Workflow

Here’s how a legally compliant data collection process is expected to function under DPDP Act:

Step	Activity	Legal Hook (DPDP Act)	Notes
1	Data Mapping	Internal control	Identify what qualifies as “personal data” first
2	Notice Issuance	Sec. 5	Must precede collection. Not just policy uploads
3	Consent Capture	Sec. 6	Consent must be explicit, granular, revocable
4	Purpose-Use Binding	Sec. 4 & 7	No post-collection repurposing without new consent
5	Storage Allocation	Sec. 8(3)	Secure systems, define retention period upfront
6	Rights Enablement (Access, Erasure)	Sec. 11, 12	Ensure internal teams can act on user requests
7	Audit Trails / Logs	Implicit under Sec. 9	Maintain records to prove compliance, especially for consent

Templates That Aren’t Just Formalities

Most consent templates or privacy notices online are either copy-paste jobs from Western frameworks or so generic that they’re legally meaningless. Under the current law, templates must be:

• Contextual: written for the actual services;
• Informed: explaining purposes, not hiding behind jargon;
• Stored: maintain logs (email confirmation, checkbox flags, timestamps); and
• Withdrawable: with a button, an email ID, or a portal (not just silence).

Internal Checklist for Compliance Teams

Before rolling out a feature or launching a product that involves personal data collection, the internal team should check the following:

• Have they created a field-level data inventory?
• Are all form fields tagged with purpose and legal basis?
• Is consent being captured in a way that is stored and verifiable?
• Is the storage tied to a defined data retention policy under DPDP Act?
• Can users withdraw consent or request deletion easily?
• Are all third-party vendors under appropriate data processing agreements?
• Is the policy updated to reflect this flow?

How to Store Customer Data Legally in India

The second half of compliance begins once the data is in the actual hands. Collection is one part, storage is where most breaches, audit failures, and fines arise. A business that stores personal data must not only know where the data resides, but also who has access, how long it’s kept, and under what security layers.

As more companies adopt cloud-first models or outsource storage to third-party providers, the issue isn’t just infrastructure. It’s legal accountability.

Location of Servers and the Data Localisation Question

The DPDP Act does not impose an express data localisation requirement. However, this does not mean that businesses are free to store personal data anywhere without restriction.

The key considerations are:

• Is the country where the data is stored “notified” by the Indian Government as per Section 16 of the DPDP Act?
• Is the data capable of being accessed from India in real time?
• Do contractual safeguards (Standard Contractual Clauses or SCCs) exist between the business and the foreign storage provider?

For sensitive use-cases (financial, health, children’s data), localisation or mirrored servers within India may still be advisable, even if not mandatory.

Secure Storage Practices ,  Not Just IT, But Law

The law expects businesses to implement “reasonable security safeguards” under Section 8(5) of the Act. But what’s considered “reasonable” will vary by industry.

At a minimum, businesses are expected to implement:

• Encryption at rest and in transit;
• Role-based access controls (RBAC);
• Secure backup protocols;
• Anonymisation or pseudonymisation, where relevant; and
• Logs of who accessed data, when, and for what purpose.

Data Retention & Deletion Under Indian Law

For many companies, especially those with aggressive expansion or customer acquisition models, personal data tends to accumulate across business units, often with little thought given to how long it should be retained. Over time, this creates a silent compliance risk. And in the post-DPDP Act world, keeping user data “just in case” is no longer a legally safe posture.

The law, as it stands today, is quite clear in principle: once the reason for which you collected the data is served, you are no longer entitled to keep it, unless there’s a very specific legal or regulatory reason to do so. That’s where retention becomes not just a policy question, but a statutory obligation. Companies asking “how to legally collect & store customer data in India” must now factor in how they’re going to stop storing it, too.

When Does Data Retention Become Illegal?

Let’s say a fintech app collects Aadhaar, PAN, and contact details for KYC. The user then deletes their account, and the company continues to retain the data indefinitely, without legal basis. That’s a clear violation of Section 8(7) of the DPDP Act.

In simpler terms, data that no longer serves a lawful or declared purpose must be deleted or irreversibly anonymised. That doesn’t mean deletion whenever convenient, it means deletion as a rule, with exceptions made only when another law permits holding the data longer.

To remain compliant, companies should ask themselves:

• Does the company know the retention period for each type of personal data we collect?
• Is that period mentioned in the privacy policy or user notice?
• Does the backend systems actually delete the data after that period?

If the answer to any of the above is unclear or negative, the organisation likely lacks a lawful data retention policy under thecompliance framework.

What Sectoral Regulators Expect

The DPDP Act establishes the foundational principle regarding data retention, but the practical obligations often take shape through sector-specific regulations. Here’s how regulators expect companies to behave with respect to stored data:

Sector	Regulator	Minimum Retention Period (Guideline)
Banking & NBFCs	RBI	5 years post closure of account (KYC norms)
Insurance	IRDAI	7 years for claims and policy-related data
Securities & Brokers	SEBI	Typically 5–7 years, based on investor category
Health Sector	State/Clinical Norms	3–5 years; can vary by state regulation
E-commerce	–	Notified voluntarily; advisable to adopt 2–3 year policy

What the User Can Demand

One of the most powerful rights granted under the DPDP Act is the right to erasure. Once a customer’s data is no longer required, or if they withdraw consent, they can ask the business to erase their data. That puts the onus on businesses to ensure they can:

• Identify what data belongs to the user;
• Confirm if any retention is legally required;
• Initiate deletion or anonymisation without delay;
• Communicate clearly once the request has been fulfilled; and
• Keep internal logs that deletion occurred, with a basic timestamp trail.

Failure to respond to user deletion requests could be treated as a breach, not just a service issue. That’s particularly true if the data retained relates to minors, health records, or government-issued identifiers.

Penalties for Non-Compliance with DPDP Act

Under the Digital Personal Data Protection Act, 2023, compliance is no longer limited to preventing data breaches, it extends to the integrity and design of data handling systems. Many businesses, particularly those outside traditionally regulated sectors, have historically viewed penalties as event-driven, triggered only by actual misuse or unauthorized disclosure. The DPDP Act shifts this perspective significantly by treating procedural lapses, such as delays in responding to data principal requests, inadequate consent mechanisms, or failure to implement proper deletion protocols as standalone violations.

This represents a structural change in how enforcement is approached. The law focuses not just on harmful outcomes but on systemic preparedness. Mishandling data, whether through retention beyond lawful purpose, lack of opt-out functionality, or administrative omissions, can attract regulatory scrutiny even in the absence of any external incident. In essence, compliance is now proactive, not reactive. Businesses must demonstrate operational accountability at every stage of the data lifecycle, regardless of whether any actual harm has occurred.

 Sections 33 and 34 of the Digital Personal Data Protection Act, 2023 outline the framework for financial penalties. While the fines are subject to statutory caps, the real significance lies in how these penalties are exercised. The language of the statute grants the Data Protection Board considerable discretion, allowing for context-sensitive enforcement. This is intentional and reflects a broader regulatory philosophy that considers both conduct and consequence.

Penalties vary depending on the nature of the violation: breaches affecting personal data rights can attract fines up to ₹200 crore; serious security failures without demonstrable remediation efforts may warrant even steeper penalties. Failure to delete personal data upon a user’s request can lead to a ₹50 crore penalty, and procedural lapses such as not responding to data access requests or omitting required privacy notices are still punishable, albeit at lower thresholds. Importantly, enforcement decisions will account not only for the incident itself but also for the preventive and corrective measures taken. Compliance under the DPDP Act now demands operational readiness. Businesses must be prepared for regulatory scrutiny, not in theory, but as a practical possibility.

Under Section 8(6), the Act places a clear duty on companies to notify both the Data Protection Board and affected individuals in the event of a personal data breach that is likely to cause harm.

The DPDP Act does not specify a fixed timeline (e.g., 72 hours) for notification, unlike some global regimes. Instead, it provides regulatory flexibility, and detailed notification requirements are expected to be prescribed through future rules or regulations. However, the underlying principle is clear that delay or failure to notify may be viewed as non-compliance, especially if it results in harm to individuals. Businesses are therefore expected to have in place clear breach detection, escalation, and communication protocols. Regulatory scrutiny is not limited to the breach itself but extends to how it was managed.

Best Practices for Legal Compliance

By now it’s clear that merely publishing a privacy policy doesn’t equate to compliance. The DPDP Act has introduced layered obligations, some explicit, others inferred, and businesses that don’t operationalise these will find themselves exposed.

Below are key best practices that go beyond box-checking. These are functional components that enable a business to prove, the compliances under DPDP Act 2023.

Draft a Real (Not Template-Based) Internal Data Protection Policy

An internal policy should include:

• Map every category of personal data under DPDP Act 2023 handled by the company;
• Define legal basis for each type of processing;
• Set deletion timelines, even if provisional;
• Designate internal data custodians by department;
• Include a response plan for access, correction, and erasure requests; and
• Outline when data can be sent to vendors, and under what contracts.

Such internal policy  should be revised at least once a year. More often if new products, jurisdictions, or integrations are added.

Appoint a Data Protection Officer

While only Significant Data Fiduciaries are required to appoint a data protection officer under the DPDP Act, most businesses, especially those handling user-facing personal data, should assign one . Even a partial DPO function, if documented, shows governance.

The DPO (or a similar delegate) should:

• Be reachable via the contact listed in your privacy notice;
• Maintain logs of user requests under Section 11;
• Supervise breach notification processes;
• Escalate incidents to the Board and help with compliance audits; and
• Liaise with engineering on backend deletion and opt-out protocols.

Conduct DPIAs for High-Risk Use Cases

Data Protection Impact Assessments (DPIAs) aren’t expressly mandated for all businesses under the Act, but they are a best practice wherever high-risk processing is involved.

What to include in a DPIA:

• A plain-language summary of the processing;
• Purpose and legal basis under the Act;
• Risks to users (reidentification, harm, bias, misuse);
• Safeguards applied: encryption, access limitation, deletion timelines; and
• Residual risk and whether alternatives were considered.

Vendor Agreements and Data Audit Trails

Businesses should update vendor agreements to include clear data protection obligations and ensure subcontractors are contractually bound under the DPDP framework. Additionally, they must maintain verifiable data audit trails to demonstrate accountability and enable regulatory review if required. Minimum expectations includes:

• Processor must act only on written instructions;
• Sub-processing must require consent;
• Data must be returned or deleted on termination;
• Location of servers must be disclosed;
• Cross-border safeguards, if any, must be described; and
• Vendor must support data subject request handling.

DPDP vs. GDPR – Key Divergences Emerging

Many Indian businesses still think that if they’re GDPR-compliant, they’re covered under DPDP. That’s an oversimplification. For example:

Principle	GDPR	DPDP Act 2023
Age of consent	16 (can vary)	18 (strict, with no lower limit)
Sensitive data definition	Defined, includes health, race	No formal category, but implied
Breach notification window	72 hours	“Promptly” – undefined
DPO mandate	Based on scale & type	Mandatory for “Significant” only
Cross-border transfer rules	Adequacy-based, formalised	Government notified list pending

DPDP is lighter in some respects (no fines for processors, fewer definitions), but stricter in others, especially around children’s data and consent structure.

What to Watch in 2025–26

• The Government is expected to issue the first set of rules and notifications under Section 16. This will define which jurisdictions are safe for offshore storage and which are not. If your business relies on global SaaS tools, such rules and notifications would affect your business.
• Sectoral regulators such as RBI and SEBI may soon integrate DPDP-like requirements into their regular inspection checklist. This means businesses can’t assume DPDP is a standalone compliance project. It will blend with existing mandates.
• Also expected is a pilot grievance redressal system from the Board, likely starting with high-volume sectors (e-commerce, healthcare, education). Businesses must assign internal escalation points or risk procedural default.

Conclusion – How to Legally Collect & Store Customer Data in India

The DPDP Act, 2023 is not a procedural formality ,  it’s a material shift in how businesses interact with personal data. The businesses cannot afford to treat it as a legal checkbox. At its core, the Act demands that businesses understand the data they collect, justify why they need it, secure it, limit its use, and delete it when it’s no longer necessary.

The obligations don’t just apply to the internal compliances or legal teams,  they cascade to product, engineering, vendor management, and customer support as well. What matters now is demonstrable compliance including clear records, written policies, secure infrastructure, and grievance handling.

About Us

Corrida Legal is a boutique corporate & employment law firm serving as a strategic partner to businesses by helping them navigate transactions, fundraising-investor readiness, operational contracts, workforce management, data privacy, and disputes. The firm provides specialized and end-to-end corporate & employment law solutions, thereby eliminating the need for multiple law firm engagements. We are actively working on transactional drafting & advisory, operational & employment-related contracts, POSH, HR & data privacy-related compliances and audits, India-entry strategy & incorporation, statutory and labour law-related licenses, and registrations, and we defend our clients before all Indian courts to ensure seamless operations.

We keep our client’s future-ready by ensuring compliance with the upcoming Indian Labour codes on Wages, Industrial Relations, Social Security, Occupational Safety, Health, and Working Conditions – and the Digital Personal Data Protection Act, 2023. With offices across India including Gurgaon, Mumbai and Delhi coupled with global partnerships with international law firms in Dubai, Singapore, the United Kingdom, and the USA, we are the preferred law firm for India entry and international business setups. Reach out to us on LinkedIn or contact us at contact@corridalegal.com/+91-9211410147 in case you require any legal assistance. Visit our publications page for detailed articles on contemporary legal issues and updates.