
DPDPA

The Digital Personal Data Protection Act, 2023 (DPDPA) was enacted in India to safeguard individuals' privacy rights amidst growing concerns over data misuse and breaches. It establishes a framework for data governance, outlining the rights of data principals, obligations of data fiduciaries, and the role of the Data Protection Board of India. The Act applies to digital personal data processed in India and includes provisions for consent management, penalties for violations, and special considerations for children's data.

Uploaded by

rajesh.justice

Digital Personal Data Protection Act 2023 (DPDPA)
By: Salot and Shah Associates
www.salotandshah.com [email protected]
Overview
Introduction
Key Definitions
Applicability and Scope
Core Principles of DPDPA
Rights of Data Principal
Obligations of Data Fiduciary
Consent Framework
Data Protection Board of India
Miscellaneous
Penalties
Introduction
In an increasingly digitized world, the volume and sensitivity of personal data being processed have grown exponentially. India,
as one of the largest digital economies, faced growing demands for a dedicated data protection law to safeguard individuals’
privacy rights. The Digital Personal Data Protection Act, 2023 was introduced to address these concerns and lay the foundation
for responsible data governance.
Background:
- Earlier laws like the IT Act, 2000 offered limited data protection.
- Puttaswamy (2017) case declared privacy a fundamental right.
- The Srikrishna Committee (2018) proposed a draft law.
- Led to the enactment of the DPDP Act, 2023.

Why DPDP enacted?
- To address increasing concerns over data misuse, breaches, and surveillance.
- To provide a structured framework for processing digital personal data with adequate safeguards.
- To support India’s growing digital economy and facilitate cross-border trust in data practices.

Objective:
- To protect individuals’ digital personal data while ensuring legitimate data use.
- To establish the rights and remedies available to Data Principals.
- To define the obligations of Data Fiduciaries and enable enforcement through the Data Protection Board of India.
Key Definitions
Consent Manager: A person registered with the Board, who acts as a single point of
contact to enable a Data Principal to give, manage, review and withdraw her consent
through an accessible, transparent and interoperable platform.
Data Fiduciary: Any person who alone or in conjunction with other persons determines
the purpose and means of processing of personal data.
Data Principal: The individual to whom the personal data relates and where such
individual is— (i) a child, includes the parents or lawful guardian of such a child; (ii) a
person with disability, includes her lawful guardian, acting on her behalf.
Data Protection Officer (DPO): Significant Data Fiduciaries must appoint a DPO based in
India to ensure compliance with the DPDP Act. The DPO serves as the point of contact for
authorities.
Personal Data: Any data about an individual who is identifiable by or in relation to such
data.
Significant Data Fiduciary: Any Data Fiduciary or class of Data Fiduciaries as may be
notified by the Central Government.
Applicability and Scope
01 Applies to digital personal data processed in India, whether collected digitally or digitized after being collected offline.
Example: A hospital in Delhi digitizes handwritten patient records — the Act applies.
02 Applies to data processing outside India if it involves offering goods or services to individuals in India.
Example: A U.S.-based e-commerce website collects delivery details from Indian customers — the Act applies.
03 Does not apply to personal/domestic use of personal data by an individual.
Example: A person storing family contacts or managing a personal photo album — the Act does not apply.
04 Does not apply to publicly available personal data, made available by the Data Principal or under a legal obligation.
Example: A person shares their phone number on social media, or a government agency publishes public records — the Act does not apply.
CORE PRINCIPLES
- Lawful and Transparent use
- Free and informed consent
- Data Collection
- Data Minimization
- Storage limitation
RIGHTS OF DATA PRINCIPAL
The Digital Personal Data Protection (DPDP) Act, 2023, grants several rights to
data principals, empowering them to control their personal data.
- Right to access information about personal data
- Right to correction
- Right to erasure of personal data
- Right of grievance redressal
- Right to nominate
OBLIGATIONS OF DATA FIDUCIARY
Data Fiduciaries are obligated to handle personal data lawfully, fairly, and responsibly, ensuring transparency, accuracy, and security of the data. They must also obtain valid consent from Data Principals, respect their rights, and implement safeguards to prevent misuse, unauthorized access, or data breaches.

Data Minimization: Collect the minimum amount of personal data necessary for the specific purpose.
Purpose Limitation: Personal data should only be used for the purpose for which it was collected.
Data Accuracy and Quality: Data fiduciaries must ensure that the personal data they hold is accurate, complete, and up-to-date.
Security Safeguards: Implement appropriate measures to protect personal data from unauthorized access, disclosure, alteration, or destruction.
Transparency & Accountability: Should be transparent about their data processing practices.
Data Breach Notification: Notify both the relevant authorities and the affected data principals, in case of data breach.
Fair & Reasonable Processing: Process personal data in a way that is fair, reasonable, and respectful of individuals' privacy rights.
Consent Management: Obtain valid, informed, and freely given consent.
Consent Framework
Valid Consent:
- Consent must be free, specific, informed, unconditional, and unambiguous, given through a clear affirmative action.
- It must relate to a specified purpose and allow the Data Principal to withdraw consent at any time.
Example: A user ticking a checkbox to allow a fintech app to access their KYC details for account verification.

Consent Manager:
- A Consent Manager is an authorized, independent, and accountable platform that enables Data Principals to manage, review, and withdraw their consent.
- Must be registered with the Data Protection Board of India.
Example: A government-approved portal where users can see and revoke consents given to various digital service providers.

Deemed Consent for legitimate use:
- Voluntary data sharing
- Government Subsidies & Benefits
- National Security & State Functions
- Legal Obligations
- Judicial or Legal Compliance
- Medical Emergencies
- Public health response such as pandemic
- Disaster & Public order response
Example: A hospital collecting patient data during a medical emergency without explicit consent.
Data Protection Board of India
The Board shall be a body corporate under the aforesaid name, having perpetual succession and a common seal. It shall
have the power, subject to the provisions of this Act, to acquire, hold, and dispose of both movable and immovable property,
and to enter into contracts. The Board shall also have the capacity, in its said name, to sue and be sued.
Constitution:
- The Board consists of a Chairperson and such other Members as may be notified by the Central Government.
- All appointments are made by the Central Government as per prescribed procedure.
- Members must be individuals of ability, integrity, and standing, with expertise in fields like data governance, law, ICT, dispute resolution, or digital economy; at least one must be a legal expert.

Powers & Functions:
- Enforces compliance with the DPDP Act and related rules.
- Directs remedial or mitigation measures in case of breaches.
- Can issue orders to Data Fiduciaries, Significant Data Fiduciaries, and Consent Managers.
- Has the power to investigate, summon evidence, and conduct inquiries.
- Can impose penalties for violations of the Act.

Adjudication:
- The Board conducts digital-by-default proceedings, ensuring efficiency and accessibility.
- Adopts a summary inquiry process before issuing any directions or penalties.
- Offers Data Principals and Fiduciaries a chance to be heard.
- Appeals against Board decisions lie with the Telecom Disputes Settlement and Appellate Tribunal (TDSAT).
Miscellaneous
01 Personal Data of Children and Persons with Disabilities: Obtain verifiable parental or guardian consent before processing the personal data of children or persons with disabilities. The government may exempt certain fiduciaries or purposes if the processing is verifiably safe and meets prescribed conditions.
02 Cross-Border data transfer: Central Government may, by notification, restrict the transfer of personal data by a Data Fiduciary to any country or territory outside India, as specified in such notification.
03 Exemptions: Data Fiduciaries are exempted to process the personal data under the following exemptions:
- Legal, Judicial, and Regulatory Processing
- Contractual, Corporate, and Financial Processing
- State and Research-Related Exemptions
- Startups and Time-Bound Relaxations
PENALTIES
₹250 crore: Maximum penalty for breaches of obligations related to personal data and failure to take reasonable security safeguards to prevent data breach.
₹150 crore: For non-compliance by Significant Data Fiduciaries (SDF) with their extra duties.
₹10,000: For breach of duties of the Data Principal.
₹200 crore: Failure to give notice upon breach of personal data.
₹200 crore: For failing to protect children's data or for violating children-specific provisions.
₹50 crore: For breach of any other obligations.
THANK YOU!
Salot and Shah Associates
9328669060
www.salotandshah.com
503, 5th Floor, Phoenix Complex,
Opp New Girish Cold Drinks, Vijay X Roads,
to, Commerce Six Road, Navrangpura,
Ahmedabad, Gujarat 380009.
[email protected]