Complete DPDP Act 2023 guide — citizen + business reference 2026

The Digital Personal Data Protection Act, 2023 is India's first comprehensive personal-data protection law. It binds every “data fiduciary” — public + private + non-profit — that processes personal data of Indian citizens digitally. It creates citizen rights (access, correction, erasure, grievance) and an enforcement body (the Data Protection Board) with ₹250 crore penalties.

• Covered (data fiduciaries): companies, public authorities, government departments, NGOs, hospitals, schools, banks, telcos, social-media platforms, employers, e-commerce sites, AI service providers — anyone processing personal data of Indian citizens digitally.
• Significant Data Fiduciaries (SDFs): a sub-set notified by the Central Government based on volume + sensitivity + risk + sovereignty impact. SDFs have extra obligations (in-India DPO, audits, Data Protection Impact Assessment).
• Excluded: purely personal / domestic processing by individuals (your phone contacts), anonymised data (cannot identify a person), publicly available data (subject to clarifications). Journalism is partially exempt under §17(2)(b).
• Not covered: data of foreign nationals processed in India for foreign principals (subject to Section 17(1) carve-outs).

1. Access — confirm whether your data is being processed; what categories; with whom shared.
2. Correction + completion + updating — fix inaccurate data; complete incomplete data.
3. Erasure — when the processing purpose is exhausted, demand deletion.
4. Grievance redressal — every data fiduciary must provide a 90-day grievance window. Escalation to Data Protection Board (DPB).
5. Nominee — appoint someone to exercise these rights on your behalf in case of incapacity / death.

• Notice (§5) — concise, clear, accessible — with an itemised list of data categories + purposes + retention.
• Consent (§6) — free, specific, informed, unambiguous, capable of being withdrawn.
• Legitimate uses (§7) — narrow grounds where consent is not needed (e.g., medical emergency, employment).
• Accuracy + completeness (§8(3)) — keep data accurate.
• Security safeguards (§8(5)) — reasonable, technical and organisational. Failure → ₹250 crore penalty.
• Breach reporting (§8(6)) — to DPB and affected data principals within 72 hours.
• Retention limit (§8(7)) — delete after purpose is exhausted (with statutory exceptions).
• Children's data (§9) — additional safeguards; verifiable parental consent.
• Persons with disability — guardian consent.

• Data Protection Officer (DPO) — based in India, accountable to the board, contact details published.
• Periodic Data Protection Impact Assessment (DPIA) — for new high-risk processing.
• Periodic audit by independent auditor.
• Other measures — to be notified by Government in DPDP Rules.

This is the most important DPDP-RTI overlap.

Before 14 November 2025:

§8(1)(j) RTI Act — “*information which relates to personal information the disclosure of which has no relationship to any public activity or interest, or which would cause unwarranted invasion of the privacy of the individual unless the Central Public Information Officer or the State Public Information Officer or the appellate authority, as the case may be, is satisfied that the larger public interest justifies the disclosure of such information:* Provided that *the information, which cannot be denied to the Parliament or a State Legislature shall not be denied to any person.*”

After 14 November 2025 (post §44(3) DPDP): The proviso is DELETED. The substantive test for “personal information” remains. The public-interest balance now sits entirely in §8(2) of the RTI Act — which is unchanged (“Notwithstanding anything in the Official Secrets Act, 1923 nor any of the exemptions permissible under sub-section (1), a public authority may allow access to information, if the public interest in disclosure outweighs the harm to the protected interests”).

What this means in practice:

1. Citation of *Girish Deshpande* (2013) 1 SCC 212 + *CPIO SC v. Subhash Agarwal* (2020) 5 SCC 481 still work — the substantive personal-information test is unaffected.
2. Citation of the old §8(1)(j) proviso (“cannot be denied to Parliament”) NO LONGER WORKS in your RTI appeals. Use §8(2) public-interest balance instead.
3. The proviso change has been criticised as a regression by RTI activists; multiple petitions are pending in the Supreme Court.

Penalties are imposed by the Data Protection Board after notice + hearing. Appeal lies to the Telecom Disputes Settlement and Appellate Tribunal (TDSAT) — note: TDSAT was designated for DPDP appeals (not a separate body).

• Established under §18.
• Online by design — proceedings are digital-first.
• Powers — adjudication, penalty, direction to cease processing, undertakings.
• Composition — Chairperson + members; appointed by Central Government.
• Procedure — DPDP Rules 2025 chapter VIII; appeals to TDSAT under §29.

The rules supplement the Act. Key chapters:

1. Chapter I-II — Definitions, notice format
2. Chapter III — Consent + consent-manager
3. Chapter IV — Security safeguards (technical + organisational)
4. Chapter V — Breach notification process
5. Chapter VI — Children + persons with disability
6. Chapter VII — SDF + DPO + audits + DPIA
7. Chapter VIII — DPB procedure
8. Chapter IX — Cross-border transfer (negative-list approach)
9. Chapter X — Miscellaneous

• Default rule: cross-border transfer of personal data is permitted.
• Negative list: the Central Government may notify a list of countries to which transfer is prohibited. As of May 2026, no country is on the negative list.
• Sector-specific overrides: RBI, IRDAI, SEBI may have stricter rules for their sectors (e.g., banking-data localisation).

• For public authorities: file a §6(1) RTI for your own records + parallel DPDP grievance if the public authority is a data fiduciary handling your data badly.
• For private companies: file a DPDP grievance at the data fiduciary; escalate to DPB. RTI is unavailable (private companies are not public authorities).
• For third-party records of someone else: §11 third-party consultation under RTI + post-DPDP §8(1)(j) personal-information test (without the old proviso).

1. Aadhaar / PAN / Voter ID held wrong — file DPDP correction request to the relevant authority + parallel RTI for the file noting.
2. Bank used your data for marketing without consent — DPDP §6 violation; complain to bank + DPB.
3. Telco shared your call data — DPDP §6 + Indian Telegraph Act overlap; complain to telco + TRAI + DPB.
4. Hospital lost your health records — DPDP §8(5)/§8(6) violation; report breach to DPB + parallel medical-council complaint.
5. Employer disclosed your health data — DPDP + §8(1)(j) RTI (if employer is public authority) overlap; file both.

1. §44(3) RTI amendment — multiple PILs pending in the Supreme Court arguing the deletion of the old proviso unduly restricts RTI. Hearing list updated quarterly.
2. Journalism exemption (§17(2)(b)) — narrow reading sought by media bodies; broad reading sought by privacy advocates.
3. Government exemptions (§17(1)-(3)) — challenged for being too wide.
4. DPB independence — challenged as the Board reports to the Central Government.

1. Step 1 — Identify the data fiduciary (the company / public authority handling your data).
2. Step 2 — File a written grievance with the data fiduciary's DPO / grievance officer (every data fiduciary must publish DPO contact). Statutory window: 90 days.
3. Step 3 — If unsatisfied, file with the Data Protection Board at the (notified) DPB portal. The DPB Rules 2025 chapter VIII govern the procedure.
4. Step 4 — DPB issues notice + hearing + order. Appeal lies to TDSAT under §29.
5. Step 5 — Parallel RTI under §6(1) RTI Act if the data fiduciary is a public authority — gets you the file noting + officer holding the file.

• Digital Personal Data Protection Act, 2023 (Act 22 of 2023). IndiaCode.
• Digital Personal Data Protection Rules, 2025 — Gazette of India, 14 November 2025.
• Right to Information Act, 2005 — §8(1)(j), §8(2), §11. Full text.
• Justice K S Puttaswamy v. Union of India (2017) 10 SCC 1 — Constitution Bench, privacy as fundamental right under Article 21.
• Girish Ramchandra Deshpande v. CIC (2013) 1 SCC 212 — personal-information test.
• CPIO Supreme Court v. Subhash Chandra Agarwal (2020) 5 SCC 481 — Constitution Bench, public-interest balance.
• Government of India, PRS Legislative Research summary of DPDP Bill (2023).
• Internet Freedom Foundation + NCPRI RTI activist analyses of §44(3) impact.

• Puttaswamy v. UoI — privacy as fundamental right
• CPIO SC v. Subhash Agarwal — Constitution Bench
• Girish Deshpande — §8(1)(j) test
• RTI Act section-by-section explainer
• Case-law database (300+)
• AI RTI Drafter
• First Appeal Builder

Last reviewed: 4 May 2026 by RTI Wiki editorial team. DPDP Act + Rules + DPB procedure cross-checked against Gazette of India notifications. §44(3) RTI impact verified against MeitY clarifications + RTI activist analyses.