Introduction to the DPDP Act, 2023
The Digital Personal Data Protection Act, 2023 (DPDP Act) was brought in after years of debate on privacy and data security in India. Until now, companies and government departments have relied on a patchwork of IT rules and scattered court decisions. That often created confusion: businesses were never sure what counted as lawful processing, and individuals had no simple way of asserting their privacy rights.
The DPDP Act tries to fill that gap. It gives a legal framework that tells organisations how they may collect and use personal data, for how long it can be retained, and under what circumstances it must be erased. At the same time, it recognises the rights of individuals to access, correct or delete their information. This shift makes privacy a concrete right, not just an abstract principle.
This note forms part of the Bare Act by Corrida Legal series. Alongside the official DPDP bare act PDF file, which you can download and read in full, we have prepared this executive summary so that business owners, compliance officers and students of law can grasp the essence of the law before going through the entire statute.
Purpose and Objectives of the DPDP Bare Act
The reason the Digital Personal Data Protection Act, 2023 was introduced lies in the growing gap between how fast India's digital economy was expanding and how slow the law had been to catch up. Until this Act came into force, companies relied mainly on the IT Act, 2000 and some rules framed under it. Those provisions were drafted in an era when e-commerce was barely known in India, let alone social media platforms, fintech apps, or large-scale data analytics. In practice, this meant there was no clear guidance on how organisations could handle personal data, and individuals had little recourse when their privacy was compromised.
The DPDP bare act is an attempt to fix that. Its main objective is to put in place a framework that balances two competing needs: on one side, the individual’s right to privacy and control over personal information; on the other, the legitimate needs of businesses, government bodies and start-ups that must process data to deliver services. The Act sets down principles for consent, storage, and use of personal data, but also recognises that there are situations, like medical emergencies, state functions or compliance with law, where data must be processed even without explicit consent.
As part of the Bare Act by Corrida Legal series, this summary explains those objectives in simple terms. The official DPDP Act PDF file is also available for download, but the value of this note is in highlighting why the law was brought in and what balance it tries to achieve between individual rights and lawful data use.
Scope and Applicability of the DPDP Act
The Digital Personal Data Protection Act, 2023 sets out clearly where it applies and where it does not. This is one of the most important parts of the law because businesses often ask whether they fall under its reach. Unlike older IT rules that left many grey areas, the DPDP bare act provides a straightforward answer.
In simple terms, the Act covers the processing of digital personal data. That means any personal information collected online, or even collected offline but later digitised, is within its scope. It applies not only to companies and government departments operating inside India but also to entities outside India if they are offering goods or services to people located in India. This extra-territorial reach is significant because it brings foreign platforms and apps dealing with Indian users into the compliance net.
At the same time, the Act recognises that not every situation requires regulation. Certain uses of data are kept outside its scope.
The DPDP Act applies to:
- Processing of personal data collected online.
- Offline personal data that is later digitised.
- Businesses, start-ups, and government agencies in India.
- Foreign companies or platforms if they offer goods or services to individuals in India.
The DPDP Act does not apply to:
- Personal or household use of data (for example, a person storing contacts in a phone book).
- Data that has been voluntarily made public by the individual.
- Certain exemptions given for state functions, law enforcement, and national security.
For professionals and compliance teams, this means the Act is wide enough to cover most business activity but still carves out space for everyday personal use.
Key Definitions in the DPDP Bare Act
When you read any legislation, the first thing to watch for is how it defines its terms. The Digital Personal Data Protection Act, 2023 makes this very clear, because earlier IT rules never really spelt out what counted as "personal data" or what "consent" actually meant. That lack of clarity caused most of the disputes. The new DPDP bare act starts by laying down a vocabulary that everyone (companies, regulators, even ordinary users) has to follow.
For example, the Act uses the word Data Principal for the individual whose data is in question. If the person is a child (anyone under eighteen), the parents or lawful guardian step into that role. If the person has a disability, the lawful guardian acts on their behalf. The term Data Fiduciary is given to the entity that determines the purpose and means of processing, whether that is a government ministry, a big tech platform or a small start-up. Then there is the Data Processor, which is usually a third party carrying out the nuts and bolts of processing on the fiduciary's behalf; think of a cloud provider storing information for someone else.
Another new idea is the Consent Manager. This is meant to be a neutral platform, registered with the Data Protection Board, that makes it easier for individuals to say yes, say no, or later change their mind about how their information is used. Finally, the Act defines Personal Data Breach broadly: any unauthorised processing, or any accidental disclosure, acquisition, sharing, use, alteration, destruction or loss of access, that compromises the confidentiality, integrity or availability of personal data. Note that this is wider than a leak; a ransomware incident that only locks data, or an unauthorised edit, is also a breach.
Why do these definitions matter? Because the obligations in the law are tied to them. The moment a company falls into the box of “Data Fiduciary”, it carries duties about consent, storage and erasure. Without these clear terms, compliance would collapse into guesswork.
Grounds for Processing Digital Personal Data
The DPDP Act is built around one principle: you cannot handle personal data unless there is a lawful ground for it. Most of the time, that ground will be consent, and consent here is not a token tick-box at the end of a page; the Act requires it to be real. A person should know what they are agreeing to and the purpose for which their information is being taken, and they must be free to change their mind later.
In the Act's own terms, consent has to be free, specific, informed, unconditional and unambiguous, given by a clear affirmative action, limited to the data necessary for the stated purpose, and capable of being withdrawn as easily as it was given. In practice, this is where many businesses will run into trouble. Those endless, unreadable privacy policies will not be enough, and if a company makes it difficult for someone to withdraw consent, it will be in breach.
At the same time, the Act recognises that not every situation allows for prior consent. It would be absurd to expect a hospital to chase paperwork during an emergency, or a government office to issue subsidies only after written approvals from each beneficiary. That is why the Act creates a second ground, legitimate use. These are special cases where data can be processed without consent. Some of the common ones are:
- when the individual has voluntarily provided the data for a specified purpose and has not objected to its use for that purpose,
- when the government carries out official functions, including functions under any law and those relating to national security,
- in a medical emergency, an epidemic or other threat to public health,
- in disaster response or a breakdown of public order,
- when compliance with a law, judgment, decree or court order makes it necessary,
- for employment-related purposes, such as protecting the employer from loss or liability,
- or when the State provides subsidies, benefits, services, certificates, licences or permits.
The idea is to strike a balance. On one hand, individuals should have a real say over their personal data. On the other, institutions need the room to function when consent is impractical or impossible.
For organisations, this becomes the first test before any processing begins: either get valid consent, or show that the use falls under one of the listed legitimate grounds. If neither is true, the processing itself is unlawful.
Rights and Duties of Data Principals
The DPDP Act does not stop at defining how companies and government departments should handle data. It also gives rights to the individual, called the Data Principal in the Act, and attaches some duties to them as well. This was missing earlier under Indian law, where the burden was mostly on organisations.
The rights are designed to give people actual control over their personal data:
- Right to access information – a person can ask a company or authority how their data is being used, for what purpose, and whether it has been shared further.
- Right to correction and erasure – if the information is wrong, incomplete or no longer needed, the individual has a right to have it corrected or even erased.
- Right to grievance redressal – if someone feels their rights under the Act have been ignored, they can raise a complaint first with the Data Fiduciary (the company/authority), and if that fails, with the Data Protection Board.
- Right to nominate – individuals may nominate another person to exercise their rights if they pass away or are unable to act.
But the law also recognises that rights come with responsibilities. A Data Principal cannot misuse these provisions. The DPDP bare act clearly says individuals must:
- provide information that is accurate and not misleading, and not suppress any material information,
- furnish only verifiably authentic information when asking for correction or erasure,
- not impersonate another person,
- not file false or frivolous grievances with the Data Fiduciary or the Board.
In practice, this means the law expects both sides to act responsibly. Companies must be transparent and respectful of personal data, and individuals must not game the system with fake requests or inaccurate information.
Obligations of Data Fiduciaries
When an organisation qualifies as a Data Fiduciary under the DPDP bare act, it takes on clear legal responsibilities. The Act places the burden on the entity that decides why and how data will be used. This is true whether the body is a government department, a social media platform, or a small company collecting employee records.
The obligations can be grouped under a few broad heads:
- Transparency – the Data Fiduciary must tell the individual what data is being collected, for what purpose, and how it will be used, and must remain responsible for that data even when a Data Processor handles it on its behalf.
- Accuracy – if the data is used to take a decision affecting the individual, or is disclosed to another Data Fiduciary, it must be kept complete, accurate and consistent.
- Security – the organisation has to take reasonable security safeguards to prevent a personal data breach, covering both its own systems and processing carried out by its processors.
- Breach notification – if a breach does occur, the Data Fiduciary must inform the Data Protection Board and each affected individual, in the form and within the time the rules prescribe.
- Retention – data cannot be stored forever; once the purpose is over or consent is withdrawn, it has to be erased, and the fiduciary must make its processors erase it too, unless a law requires it to be kept.
- Grievance handling – a proper system must be in place to handle complaints, and the contact details of the person who answers them must be published. This cannot be a dead email address or an unanswered phone line.
On top of these general duties, the Act singles out two sensitive areas.
Children’s Data
Any processing of a child's personal data (a child being anyone under eighteen) requires verifiable consent of a parent or lawful guardian. More importantly, the Act bans tracking, behavioural monitoring and targeted advertising directed at children, and prohibits any processing likely to harm a child's well-being. Platforms that have built their business models around such practices will have to redesign them, and will also need a workable age-verification mechanism.
Significant Data Fiduciaries (SDFs)
Some entities, because of the volume and sensitivity of the data they handle or the risk their processing poses, will be notified by the Central Government as "Significant". They face stricter requirements:
- appointment of a Data Protection Officer based in India, who reports to the board of directors or similar governing body,
- appointment of an independent data auditor and regular audits, and
- periodic Data Protection Impact Assessments, including before starting high-risk processing.
The underlying message is simple: the bigger the risk to individuals, the higher the compliance bar.
For companies, this is not a matter of copy-pasting a privacy policy anymore. It calls for investment in systems, people and processes. For individuals, it means there is finally a statutory framework making someone answerable when personal data is collected and used.
Role of the Data Protection Board of India
The DPDP Act doesn’t just state rights and obligations and leave them floating. It creates a body, the Data Protection Board of India, to make sure those words are backed by enforcement. It’s not a huge bureaucracy; the design is for a specialised authority that looks at data protection issues alone.
What the Board is expected to do is fairly direct:
- take up complaints when an individual (the Data Principal) says their rights have been ignored,
- check whether companies or government bodies have handled a personal data breach properly, that is, reported it to the Board, remedied it, and informed the affected individuals,
- direct organisations to fall in line when they skip key duties like giving proper notice or erasing data on request,
- and, when necessary, impose penalties after holding an inquiry.
The Board has powers that give it weight. It can call for information, summon parties, conduct hearings, and its directions are binding.
Think of practical scenarios. Suppose a fintech app loses user data to a breach and quietly buries the incident. Under the DPDP bare act, the Board can open an inquiry, demand answers, and levy fines. Or imagine an employee who keeps asking for outdated HR records to be deleted. If the company keeps dodging the request, the individual can approach the Board, which has the power to order deletion.
The larger point is that India finally has a forum for data protection disputes. Before this law, there was no single place to complain about misuse of personal data. With the Board in place, there is at least a structured process, companies know they can be called up, and individuals know their grievance has a home.
Penalties and Non-Compliance under the DPDP Act
The DPDP bare act would carry little weight if it did not also create consequences for ignoring it. That is why the law sets up a framework of penalties that can be imposed by the Data Protection Board of India. These are not symbolic fines; the amounts can be significant enough to push even large companies to take compliance seriously.
Fines and Sanctions
The Act provides for hefty financial penalties, set out in its Schedule, depending on the nature of the violation. For instance:
- Failure to take reasonable security safeguards against a personal data breach can invite a penalty of up to ₹250 crore, the highest tier in the Act.
- Not notifying the Board or the affected individuals about a breach can trigger a separate penalty of up to ₹200 crore.
- Breaching obligations regarding children's data, such as failing to obtain verifiable parental consent, is treated as a serious contravention, again with a ceiling of ₹200 crore.
- Failing to meet the additional obligations of a Significant Data Fiduciary can cost up to ₹150 crore, and any other contravention up to ₹50 crore.
These are maximum amounts; the Board must weigh factors such as the nature and gravity of the breach, its duration, the type of data affected and the steps taken to mitigate it before fixing the actual sum. The scale of fines is nevertheless designed to ensure that non-compliance is more expensive than compliance.
Corporate and Individual Liability
Although penalties are mainly imposed on organisations (the Data Fiduciaries), the law does not completely shield individuals. Directors, officers and managers responsible for decision-making may also find themselves accountable if violations happen under their watch, and the Schedule separately penalises a Data Principal who breaches their own duties, with a fine of up to ₹10,000. In practice, this means compliance cannot be left only to the IT team; boards and senior management must pay attention.
For companies, the real risk is reputational as much as financial. A large fine imposed by the Board will not only impact the bottom line but also damage public trust. For individuals, the risk lies in losing control over their personal data unless organisations treat compliance as part of governance rather than an afterthought.
Exemptions and Special Provisions
Like most laws, the DPDP bare act does not apply in every situation. The drafters knew there are cases where strict application of the Act would either slow down essential functions or make research and global business impossible. So the Act includes certain exemptions and special provisions.
Government Processing
Some government functions are carved out from the usual consent and notice rules. For example, processing data for the purpose of national security, law enforcement, or carrying out official duties may not require prior consent. This does not mean there is no accountability, but it recognises that the State cannot be paralysed by procedural requirements in sensitive areas.
Research and Statistical Uses
The Act also permits personal data to be processed for research, archiving, or statistical purposes, provided the data is not used to take any decision specific to an individual and the processing follows the standards prescribed under the Act. Universities, think tanks, and even companies conducting surveys often need data that cannot practically be collected with consent from every individual. By allowing this, the law encourages innovation and policy research while still requiring safeguards against misuse.
Cross-Border Data Transfers
One of the most debated aspects was whether data should be locked inside India. The DPDP Act makes it clear that cross-border transfer of personal data is allowed, but subject to restrictions notified by the Central Government. In other words, companies can transfer data outside India unless the destination country or territory has been specifically barred by notification. This gives businesses flexibility, especially those using global cloud services, while giving the government power to block transfers to jurisdictions considered risky. One caveat for compliance teams: the Act expressly preserves any other Indian law that imposes a higher degree of protection or a stricter restriction on transfer, so sector-specific localisation requirements (for example, those imposed by financial regulators on payment data) continue to apply on top of the DPDP regime.
In practice, these exemptions are limited but significant. They strike a balance: the State can carry on core functions, researchers can keep working, and businesses can still operate across borders. At the same time, the Act ensures that individual rights are not casually brushed aside.
Conclusion – Simplifying the DPDP Act with Corrida Legal
The DPDP bare act is India’s first real attempt to bring order to how personal data is handled. It sets down rules for consent, gives people rights to access and erase their data, and creates duties for companies and government bodies that use it. It also sets up the Data Protection Board, which means enforcement is no longer an open question.
For businesses, the message is straightforward: compliance is no longer optional. Data Fiduciaries must adopt safeguards, deal with grievances, and be ready for penalties if they slip. For individuals, the law finally gives privacy some teeth: rights can be enforced, and there is a forum to hear complaints.
As part of the Bare Act by Corrida Legal series, this summary has tried to capture the main takeaways in plain terms. The details, of course, sit in the statute itself.
About Us
Corrida Legal is a boutique corporate & employment law firm serving as a strategic partner to businesses by helping them navigate transactions, fundraising-investor readiness, operational contracts, workforce management, data privacy, and disputes. The firm provides specialized and end-to-end corporate & employment law solutions, thereby eliminating the need for multiple law firm engagements. We are actively working on transactional drafting & advisory, operational & employment-related contracts, POSH, HR & data privacy-related compliances and audits, India-entry strategy & incorporation, statutory and labour law-related licenses, and registrations, and we defend our clients before all Indian courts to ensure seamless operations.
We keep our clients future-ready by ensuring compliance with the upcoming Indian Labour Codes on Wages, Industrial Relations, Social Security, and Occupational Safety, Health and Working Conditions, and with the Digital Personal Data Protection Act, 2023. With offices across India including Gurgaon, Mumbai and Delhi, coupled with global partnerships with international law firms in Dubai, Singapore, the United Kingdom, and the USA, we are the preferred law firm for India entry and international business setups. Reach out to us on LinkedIn or contact us at contact@corridalegal.com/+91-9211410147 in case you require any legal assistance. Visit our publications page for detailed articles on contemporary legal issues and updates.
Legal Consultation
In addition to our core corporate and employment law services, Corrida Legal also offers comprehensive legal consultation to individuals, startups, and established businesses. Our consultations are designed to provide practical, solution-oriented advice on complex legal issues, whether related to contracts, compliance, workforce matters, or disputes.
Through our Legal Consultation Services, clients can book dedicated sessions with our lawyers to address their specific concerns. We provide flexible consultation options, including virtual meetings, to ensure ease of access for businesses across India and abroad. This helps our clients make informed decisions, mitigate risks, and remain compliant with ever-evolving regulatory requirements.