Data Privacy Glossary

Any digital process capable of operating automatically in response to instructions given or otherwise for the purpose of processing data. This definition encompasses AI systems, machine learning algorithms, and any software that processes personal data without human intervention at each step.

Independent assessment of a Significant Data Fiduciary's compliance with the Act, conducted annually by a Data Auditor registered with the Board. Audit reports must be submitted to the Board and form part of regulatory record.

The Telecom Disputes Settlement and Appellate Tribunal designated to hear appeals against orders of the Data Protection Board. Appeals must be filed within sixty days of the order, with possible extension of thirty days for sufficient cause.

Free, specific, informed, unconditional and unambiguous indication of the Data Principal's wishes by which they, by a clear affirmative action, signify agreement to the processing of their personal data for a specified purpose. Pre-ticked boxes and bundled consent do not satisfy this standard.

A person registered with the Data Protection Board who acts as a single point of contact to enable a Data Principal to give, manage, review, and withdraw their consent through an accessible, transparent, and interoperable platform.

An individual who has not completed the age of eighteen years. Processing of children's data requires verifiable parental consent and is subject to prohibitions on tracking, behavioural monitoring, and targeted advertising.

Transfer of personal data to any country or territory outside India. Transfers are permitted unless the Central Government restricts transfer to a notified country or territory. Sectoral localisation requirements may impose additional restrictions.

A representation of information, facts, concepts, opinions or instructions in a manner suitable for communication, interpretation or processing by human beings or by automated means.

Any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data. The Data Fiduciary bears primary responsibility for lawful, fair, and transparent processing and is accountable for ensuring compliance with all DPDPA obligations.

The individual to whom the personal data relates. Where the individual is a child, the parent or lawful guardian acts as Data Principal. Where the individual is a person with disability, their lawful guardian acts as Data Principal.

Any person who processes personal data on behalf of a Data Fiduciary. The Data Processor acts solely on the instructions of the Data Fiduciary and does not determine the purpose or means of processing. The Data Fiduciary remains accountable for Processor actions.

The Data Protection Board of India established under Section 19, which adjudicates complaints, imposes penalties, and ensures compliance with the Act. The Board operates as an independent regulatory authority with powers to conduct inquiries and issue directions.

A systematic assessment of the potential impact of processing operations on the rights of Data Principals, required for Significant Data Fiduciaries before undertaking processing that poses significant risk. The DPIA must evaluate necessity, proportionality, and safeguards.

An individual appointed by a Significant Data Fiduciary who is based in India, responsible for ensuring compliance, acting as the point of contact for Data Principals, and representing the SDF before the Data Protection Board.

Personal data in digital form. This includes data that originates in digital form and data that is digitised from non-digital sources (such as paper forms that are subsequently scanned or entered into digital systems).

Release from the application of certain provisions of the Act for specified purposes including: national security, public order, research/statistics, legal proceedings, prevention of offences, and enforcement of legal rights.

Processing activities permitted without consent under Section 7, including: voluntary provision for specified purposes, State functions under law, medical emergencies, employment relationships, disasters and breakdowns, and whistle-blowing.

An itemised statement in clear and plain language that a Data Fiduciary must provide before or at the time of seeking consent, containing: personal data to be collected, purpose of processing, manner of exercising rights, and grievance redressal mechanism.

Any data about an individual who is identifiable by or in relation to such data. This includes directly identifying data (name, ID number) and indirectly identifying data (combinations that enable identification).

Any unauthorised processing of personal data or accidental disclosure, acquisition, sharing, use, alteration, destruction, or loss of access to personal data that compromises the confidentiality, integrity, or availability of personal data.

A wholly or partly automated operation or set of operations performed on digital personal data, including: collection, recording, organisation, structuring, storage, adaptation, retrieval, use, alignment or combination, indexing, sharing, disclosure by transmission, dissemination, restriction, erasure, or destruction.

Financial sanction imposed by the Data Protection Board for contravention of Act provisions. The Schedule prescribes: failure to implement security safeguards (Section 8(5))—up to Rs. 250 Crore; failure to notify breach (Section 8(6))—up to Rs. 200 Crore; breach of children's data obligations (Section 9)—up to Rs. 200 Crore; breach of SDF obligations (Section 10)—up to Rs. 150 Crore; other contraventions—up to Rs. 50 Crore.

A proactive approach integrating privacy considerations into the design and development of systems, processes, and technologies from inception. Organisations should embed privacy safeguards into technical architecture rather than retrofitting compliance.

The right of a Data Principal to obtain from the Data Fiduciary: confirmation of whether personal data is being processed, a summary of personal data and processing activities, identities of other Data Fiduciaries and Processors with whom data has been shared, and other prescribed information.

The right of a Data Principal to have inaccurate or misleading personal data corrected, and to have personal data erased where it is no longer necessary for the purpose for which it was processed, or where consent has been withdrawn.

The right of a Data Principal to have complaints addressed by the Data Fiduciary through a designated grievance redressal mechanism. If unresolved within the prescribed period, the Data Principal may approach the Data Protection Board.

The right of a Data Principal to nominate any other individual who shall, in the event of death or incapacity of the Data Principal, exercise the rights of the Data Principal in the manner prescribed.

A Data Fiduciary notified by the Central Government based on: volume of personal data processed, sensitivity of personal data, risk to rights of Data Principals, potential impact on sovereignty and integrity of India, and other prescribed factors. SDFs face enhanced obligations.

Reasonable security practices and procedures to prevent personal data breach, including technical measures (encryption, access controls, monitoring) and organisational measures (policies, training, incident response). Safeguards must be proportionate to data sensitivity.

Consent from the parent or lawful guardian of a child that is obtained through a verification mechanism that reasonably establishes the identity and authority of the consenting parent. Simple checkbox declarations are insufficient.