
A DPDPA policy is a promise you must be able to keep.
Under DPDPA, your privacy notice and policies are not marketing copy — they are statutory representations the Data Protection Board can hold you to. AMLEGALS drafts your policy suite from your real processing inventory, so each document is accurate, defensible and operable, aligned to the Digital Personal Data Protection Act, 2023 and the DPDP Rules, 2025.
Your Policy Is Evidence — For or Against You
A privacy notice that describes processing you do not perform, or omits processing you do, is not a harmless formality — it is a documented inconsistency the Data Protection Board can use against you. The fastest way to fail a DPDPA inquiry is to be contradicted by your own policy.
That is why we never relabel a template. We draft from your actual data inventory and lawful-basis map, so the policy you publish matches the processing you perform. A DPDPA policy is only protective when it is true.
The cheapest policy is the one copied from someone else. It is also the one most likely to be used against you. Accuracy is the only economy that matters here.
The DPDPA Policy Suite
Privacy Notice
The public-facing notice given before or at the time of collection — itemised personal data, specified purpose, rights and withdrawal mechanism, and the route to complain to the Board, in plain language and the required languages.
- Itemised data and purpose
- Rights and withdrawal mechanism
- Board complaint route
- Multi-language readiness
Data Protection Policy
The internal governance policy that allocates accountability, defines roles, sets the rules for collection, use, sharing and security, and binds employees and processors to DPDPA-aligned conduct.
- Roles and accountability
- Processing rules
- Security obligations
- Employee and processor binding
Retention & Erasure Policy
A policy that defines how long each category of data is kept and the triggers for lawful erasure once the purpose is served or consent is withdrawn, supporting the purpose-limitation duty.
- Category-wise retention
- Erasure triggers
- Purpose-limitation logic
- Audit trail of deletion
Breach Response Policy
The policy governing detection, escalation, and notification of a personal data breach to the Data Protection Board and affected Data Principals in the prescribed form and manner.
- Detection and escalation
- Board notification
- Data Principal notification
- Post-incident review
Children’s Data Policy
A policy for verifiable parental consent, age assurance, and the prohibition on tracking, behavioural monitoring and targeted advertising directed at children, subject to Rule 12 exemptions.
- Verifiable parental consent
- Age-assurance approach
- No behavioural tracking
- Rule 12 exemptions
Rights & Grievance Policy
The procedure enabling access, correction, completion, updating, erasure and nomination, and a readily available grievance redressal mechanism with defined response timelines.
- Access and correction handling
- Erasure and nomination
- Grievance mechanism
- Response timelines
Request DPDPA Policy Drafting
Tell us about your processing. A senior practitioner will respond within one working day with a scoped drafting proposal.
What practitioners and boards are asking
What policies are required for DPDPA compliance?
A complete DPDPA policy suite includes a privacy notice satisfying the itemised disclosures of Section 5; a consent policy governing how free, specific, informed and revocable consent is captured and withdrawn; a data retention and erasure policy reflecting the storage-limitation principle of Section 8(7); a data breach response policy aligned to Section 8(6) and Rule 7; a Data Principal rights policy operationalising Sections 11 to 14; and, for Significant Data Fiduciaries, a DPIA and audit policy under Section 10 and Rule 12. Children’s data handling under Section 9 and Rule 10 should be addressed in a dedicated policy or section.
What must a DPDPA-compliant privacy notice contain?
Under Section 5, the notice must, in clear and plain language, itemise the personal data being collected and the specific purpose of processing; describe how the Data Principal may exercise rights and withdraw consent; explain how to lodge a complaint with the Data Protection Board; and be made available in English and the languages in the Eighth Schedule to the Constitution. The 2025 Rules reinforce that the notice must be standalone, understandable and not bundled with unrelated terms.
How often should DPDPA policies be reviewed?
Policies should be reviewed at least annually and on every material trigger — a change in processing purposes, a new processor or cross-border flow, a breach, a regulatory update, or a corporate transaction. Significant Data Fiduciaries should align the review cadence with their annual DPIA and audit obligations under Rule 12 so that policy, practice and evidence remain consistent.
Are template privacy policies sufficient for DPDPA compliance?
No. A generic or GDPR-derived template will not satisfy the DPDPA, which has its own notice content, consent standard, breach timeline and children’s-data rules. Policies must map to the organisation’s actual data flows and be backed by working processes and evidence; a document that does not reflect real practice offers no defence before the Board.