1. §11 — Right to information about processing (similar to GDPR Art. 15)
2. §12 — Right to correction + erasure (similar to Art. 16-17, but with limits)
3. §13 — Right to grievance redressal — file with Fiduciary first; escalate to DPB
4. §14 — Right to nominate — appoint another individual to exercise rights upon death/incapacity

Notably absent: data portability, right to object to processing (compared to GDPR).

Every Fiduciary must:

1. Process for lawful purpose only
2. Implement reasonable security safeguards
3. Notify the DPB + affected data principals of breaches
4. Erase data when purpose is fulfilled (and inform Processors)
5. Publish business contact for grievance officer

SDFs (notified by Government):

1. Appoint Data Protection Officer (DPO) based in India
2. Conduct Data Protection Impact Assessment (DPIA) for high-risk processing
3. Conduct periodic audits by independent Data Auditors

Likely SDFs: large e-commerce, healthcare aggregators, banking, telco.

1. Verifiable parental consent required for processing children's data (<18)
2. Cannot do tracking, behavioural monitoring, targeted advertising at children
3. Cannot cause harm to children
4. DPB can exempt platforms that demonstrate verifiable safe processing

Default: data can flow to any country EXCEPT those notified as restricted by Central Government.

This is more permissive than GDPR's adequacy decisions. The restricted list (when notified) becomes the bottleneck.

Quiz available from your course dashboard.

• ← Course overview
• Next: Final exam — DPDP Act 2023 + Rules 2026 Crash Course

Last reviewed: 24 April 2026.