AMLEGALSDPDPAVibe Data Privacy
Reference

Data Privacy Glossary

Authoritative definitions of key terms under the Digital Personal Data Protection Act, 2023. Each definition includes statutory references for direct verification.

A

Automated

Core Definitions

Any digital process capable of operating automatically in response to instructions given or otherwise for the purpose of processing data. This definition encompasses AI systems, machine learning algorithms, and any software that processes personal data without human intervention at each step.

DPDPA Section 2(b)

Audit

Compliance Requirements

Independent assessment of a Significant Data Fiduciary's compliance with the Act, conducted annually by a Data Auditor registered with the Board. Audit reports must be submitted to the Board and form part of regulatory record.

DPDPA Section 10(2)(c)

Appellate Tribunal

Regulatory Bodies

The Telecom Disputes Settlement and Appellate Tribunal designated to hear appeals against orders of the Data Protection Board. Appeals must be filed within sixty days of the order, with possible extension of thirty days for sufficient cause.

DPDPA Section 42

C

Consent

Consent Framework

Free, specific, informed, unconditional and unambiguous indication of the Data Principal's wishes by which they, by a clear affirmative action, signify agreement to the processing of their personal data for a specified purpose. Pre-ticked boxes and bundled consent do not satisfy this standard.

DPDPA Section 6

Consent Manager

Consent Framework

A person registered with the Data Protection Board who acts as a single point of contact to enable a Data Principal to give, manage, review, and withdraw their consent through an accessible, transparent, and interoperable platform.

DPDPA Section 26

Child

Special Categories

An individual who has not completed the age of eighteen years. Processing of children's data requires verifiable parental consent and is subject to prohibitions on tracking, behavioural monitoring, and targeted advertising.

DPDPA Section 2(f)

Cross-Border Transfer

International

Transfer of personal data to any country or territory outside India. Transfers are permitted unless the Central Government restricts transfer to a notified country or territory. Sectoral localisation requirements may impose additional restrictions.

DPDPA Section 17

D

Data

Core Definitions

A representation of information, facts, concepts, opinions or instructions in a manner suitable for communication, interpretation or processing by human beings or by automated means.

DPDPA Section 2(h)

Data Fiduciary

Key Actors

Any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data. The Data Fiduciary bears primary responsibility for lawful, fair, and transparent processing and is accountable for ensuring compliance with all DPDPA obligations.

DPDPA Section 2(i)

Data Principal

Key Actors

The individual to whom the personal data relates. Where the individual is a child, the parent or lawful guardian acts as Data Principal. Where the individual is a person with disability, their lawful guardian acts as Data Principal.

DPDPA Section 2(j)

Data Processor

Key Actors

Any person who processes personal data on behalf of a Data Fiduciary. The Data Processor acts solely on the instructions of the Data Fiduciary and does not determine the purpose or means of processing. The Data Fiduciary remains accountable for Processor actions.

DPDPA Section 2(k)

Data Protection Board

Regulatory Bodies

The Data Protection Board of India established under Section 19, which adjudicates complaints, imposes penalties, and ensures compliance with the Act. The Board operates as an independent regulatory authority with powers to conduct inquiries and issue directions.

DPDPA Section 19

Data Protection Impact Assessment

Compliance Requirements

A systematic assessment of the potential impact of processing operations on the rights of Data Principals, required for Significant Data Fiduciaries before undertaking processing that poses significant risk. The DPIA must evaluate necessity, proportionality, and safeguards.

DPDPA Section 10(2)(b)

Data Protection Officer

Key Actors

An individual appointed by a Significant Data Fiduciary who is based in India, responsible for ensuring compliance, acting as the point of contact for Data Principals, and representing the SDF before the Data Protection Board.

DPDPA Section 10(2)

Digital Personal Data

Core Definitions

Personal data in digital form. This includes data that originates in digital form and data that is digitised from non-digital sources (such as paper forms that are subsequently scanned or entered into digital systems).

DPDPA Section 2(n)

E

Exemption

Exemptions

Release from the application of certain provisions of the Act for specified purposes including: national security, public order, research/statistics, legal proceedings, prevention of offences, and enforcement of legal rights.

DPDPA Section 18

L

Legitimate Uses

Lawful Bases

Processing activities permitted without consent under Section 7, including: voluntary provision for specified purposes, State functions under law, medical emergencies, employment relationships, disasters and breakdowns, and whistle-blowing.

DPDPA Section 7

N

Notice

Consent Framework

An itemised statement in clear and plain language that a Data Fiduciary must provide before or at the time of seeking consent, containing: personal data to be collected, purpose of processing, manner of exercising rights, and grievance redressal mechanism.

DPDPA Section 5

P

Personal Data

Core Definitions

Any data about an individual who is identifiable by or in relation to such data. This includes directly identifying data (name, ID number) and indirectly identifying data (combinations that enable identification).

DPDPA Section 2(t)

Personal Data Breach

Security & Breach

Any unauthorised processing of personal data or accidental disclosure, acquisition, sharing, use, alteration, destruction, or loss of access to personal data that compromises the confidentiality, integrity, or availability of personal data.

DPDPA Section 8(6)

Processing

Core Definitions

A wholly or partly automated operation or set of operations performed on digital personal data, including: collection, recording, organisation, structuring, storage, adaptation, retrieval, use, alignment or combination, indexing, sharing, disclosure by transmission, dissemination, restriction, erasure, or destruction.

DPDPA Section 2(x)

Penalty

Enforcement

Financial sanction imposed by the Data Protection Board for contravention of Act provisions. The Schedule prescribes: failure to implement security safeguards (Section 8(5))—up to Rs. 250 Crore; failure to notify breach (Section 8(6))—up to Rs. 200 Crore; breach of children's data obligations (Section 9)—up to Rs. 200 Crore; breach of SDF obligations (Section 10)—up to Rs. 150 Crore; other contraventions—up to Rs. 50 Crore.

DPDPA Schedule

Privacy by Design

Best Practices

A proactive approach integrating privacy considerations into the design and development of systems, processes, and technologies from inception. Organisations should embed privacy safeguards into technical architecture rather than retrofitting compliance.

Industry Standard

R

Right of Access

Data Principal Rights

The right of a Data Principal to obtain from the Data Fiduciary: confirmation of whether personal data is being processed, a summary of personal data and processing activities, identities of other Data Fiduciaries and Processors with whom data has been shared, and other prescribed information.

DPDPA Section 11

Right to Correction and Erasure

Data Principal Rights

The right of a Data Principal to have inaccurate or misleading personal data corrected, and to have personal data erased where it is no longer necessary for the purpose for which it was processed, or where consent has been withdrawn.

DPDPA Section 12

Right to Grievance Redressal

Data Principal Rights

The right of a Data Principal to have complaints addressed by the Data Fiduciary through a designated grievance redressal mechanism. If unresolved within the prescribed period, the Data Principal may approach the Data Protection Board.

DPDPA Section 13

Right to Nominate

Data Principal Rights

The right of a Data Principal to nominate any other individual who shall, in the event of death or incapacity of the Data Principal, exercise the rights of the Data Principal in the manner prescribed.

DPDPA Section 14

S

Significant Data Fiduciary

Key Actors

A Data Fiduciary notified by the Central Government based on: volume of personal data processed, sensitivity of personal data, risk to rights of Data Principals, potential impact on sovereignty and integrity of India, and other prescribed factors. SDFs face enhanced obligations.

DPDPA Section 10(1)

Security Safeguards

Security & Breach

Reasonable security practices and procedures to prevent personal data breach, including technical measures (encryption, access controls, monitoring) and organisational measures (policies, training, incident response). Safeguards must be proportionate to data sensitivity.

DPDPA Section 8(4)

V

Verifiable Parental Consent

Special Categories

Consent from the parent or lawful guardian of a child that is obtained through a verification mechanism that reasonably establishes the identity and authority of the consenting parent. Simple checkbox declarations are insufficient.

DPDPA Section 9(1)

Select a term to view details

30

Defined Terms

13

Categories

2025

Rules Referenced