DPDPA Insights
Authoritative Analysis of India's Digital Personal Data Protection Act 2023
Deep-dive analyses of critical DPDPA provisions from the Vibe Data Privacy practice. These insights address operational challenges, implementation considerations, and strategic compliance approaches for organisations navigating India's data protection framework.
Core DPDPA Topics
Consent Management Under DPDPA
Navigating the Architecture of Lawful Processing
Consent under DPDPA is not merely a checkbox exercise. It is an ongoing relationship between Data Fiduciary and Data Principal that demands architectural precision.
"Personal data may be processed by a Data Fiduciary only in accordance with the provisions of this Act and for a lawful purpose for which the Data Principal has given her consent."
— DPDPA Section 4(1)
Data Principal Rights Under DPDPA
Operationalising Individual Control Over Personal Data
Data Principal rights are not passive entitlements. They impose affirmative obligations on Data Fiduciaries to establish intake mechanisms, response workflows, and tracking systems.
"The Data Principal shall have the right to obtain from the Data Fiduciary confirmation whether personal data of such Data Principal is being or has been processed."
— DPDPA Section 11(1)
Data Breach Notification Under DPDPA
Compliance Protocols for Incident Response
Breach notification is not merely a compliance checkbox. It is a moment of institutional accountability where preparation, speed, and transparency determine regulatory and reputational outcomes.
"In the event of a personal data breach, the Data Fiduciary shall give the Board and each affected Data Principal intimation of such breach."
— DPDPA Section 8(6)
Cross-Border Data Transfers Under DPDPA
Regulatory Framework for International Data Flows
Cross-border data transfers under DPDPA operate on a negative list model. Freedom to transfer exists unless the destination is notified as restricted. This architectural choice prioritises operational flexibility while reserving sovereign control.
"The Central Government may, by notification, restrict the transfer of personal data by a Data Fiduciary to such country or territory outside India as may be so notified."
— DPDPA Section 16(1)
Significant Data Fiduciary Obligations Under DPDPA
Enhanced Compliance for Designated Entities
Significant Data Fiduciary status transforms compliance from operational to strategic. The designation triggers enhanced obligations that require board-level engagement and dedicated resources.
"The Central Government may notify any Data Fiduciary or class of Data Fiduciaries as Significant Data Fiduciary having regard to the factors referred to in sub-section (2)."
— DPDPA Section 10(1)
VIBE Data Privacy Framework
Each analysis applies our proprietary Verification, Implementation, Benchmarking, and Enforcement methodology.
Verification
Audit existing mechanisms against statutory requirements
Implementation
Deploy compliant infrastructure and processes
Benchmarking
Measure compliance metrics and performance
Enforcement
Establish controls and automated compliance checks
Compliance Assessment
These insights represent general analysis. Your organisation's compliance posture requires assessment against specific processing activities and risk profile.