India’s DPDP framework is reshaping privacy compliance, introducing legal requirements on consent, fiduciary accountability and cross-border transfers for businesses to adapt global data protection programmes
The notification of the Digital Personal Data Protection Act, 2023, and the Digital Personal Data Protection Rules, 2025 (together, the DPDP framework), presents a significant milestone in Indian privacy law. Enforcement is planned in a phased manner, although there are reports that the government is considering advancing enforcement dates for certain provisions. The DPDP framework is a principles-based data protection regime with certain unique requirements, even as other elements are aligned with regimes such as the EU’s General Data Protection Regulation (GDPR).
Businesses are now prioritising DPDP framework compliance, while maintaining ongoing compliance with the Sensitive Personal Data or Information Rules. For entities that operate cross-border, the ability to implement standardised, global data protection programmes with minimal changes would shorten the roadmap towards compliance. This article highlights some nuances and unique elements under the DPDP framework that must be accounted for when implementing global programmes in India.
When does India’s DPDP framework apply?

Senior Partner
Poovayya & Co
Email: siddhartha@poovayya.com
The DPDP framework applies to the processing of digital personal data in India, and outside India, if related to the offering of goods or services to data principals within India. It does not apply to personal data made publicly available by the data principal, or a person required under law to do so, a significant variation from other data protection jurisdictions. This will have implications for data principal rights and their exercise through data principal access or deletion requests.
India DPDP compliance: Notice and consent requirements
The default basis for processing personal data under the DPDP framework is consent. Such consent should be specific, informed, purpose-linked, unambiguous, and given by a clear, affirmative action.
A request for consent requires a notice informing data principals of the processing of personal data, linked to the purposes for processing. Disclosure requirements for such notice are relatively detailed. Layered privacy notices with just-in-time notices to seek consent for personal data processing would be effective in this context, striking a balance between providing the necessary information and avoiding consent fatigue.
The DPDP framework links notice obligations primarily to consent requests, rather than mandating a general privacy notice in all cases. Other bases (apart from consent) exist for processing personal data, treated as “legitimate uses”, and include the voluntary provision of data (similar to implied consent) by data principals, processing for the purposes of employment, compliance with law, medical emergency and public health needs, etc.
Data fiduciaries v processors under India’s DPDP framework

Partner
Poovayya & Co
Email: harini@poovayya.com
The DPDP framework places accountability for compliance on data fiduciaries. Given the significance of the term “fiduciary” in law, although not expressly mandated under the DPDP framework, it could be argued that data fiduciaries will be expected to act at higher levels of trust and transparency, with greater deference to data principal rights. Judicial interpretation and regulatory enforcement may shed further light on this.
The data fiduciary also remains responsible for compliance in respect of personal data processing undertaken through data processors. While the DPDP framework requires the execution of a “valid contract” for the engagement of a processor by a data fiduciary, it does not, like the GDPR, set out specific requirements for such a contract. This is left to negotiation between the parties.
Categorising the role of the parties and negotiating respective obligations will be critical. For smaller entities or startups, this will introduce additional considerations and steps before they can either engage third-party service providers or vendors, or perform such roles themselves.
Significant data fiduciaries under India’s DPDP framework
Significant data fiduciaries (SDFs) are a special class of data fiduciaries to be notified under the DPDP framework, facing heightened obligations. The sensitivity and volume of personal data processed by data fiduciaries are factors that contribute to classification as SDFs. Among the additional obligations that SDFs face are annual data protection impact assessments and audits, and reporting key findings from such audits to the Data Protection Board of India.
Data principal rights under India’s DPDP framework
The term “data principal” has been defined to include parents and guardians where the data principal is a child or person with disabilities. This will allow parents and lawful guardians to exercise data principal rights as if they were the data principal themselves. This must be factored in by businesses that process personal data of children and persons with disabilities.
Another aspect worth noting in relation to data principals is their right to nominate another person to exercise their rights on their death or incapacitation.
Cross-border data transfers under India’s DPDP framework
The DPDP framework permits international transfers of personal data, except to restricted countries. Further, the government may in the future impose certain requirements if such personal data may be made available to any foreign state (including an agency of such state). Localisation requirements may also be imposed on SDFs.
Implementing global privacy programmes under India’s DPDP framework
In a vast, connected, populous country with high digital penetration, a comprehensive data protection law that clarifies data principals’ rights and data fiduciaries’ obligations was long overdue. The DPDP framework has brought with it a fundamental shift in what businesses must do when processing personal data in India.
This article has addressed some of the particularities and nuances in the DPDP framework, as compared to other regimes. These bear out that, with adjustments, a global privacy programme may be aligned to achieve compliance with the DPDP framework. For domestic entities, or those without overarching data protection or governance programmes, however, initiating and maintaining compliance specifically with the framework will need to be prioritised.
Disclaimer: The information provided in this document is solely for general interest and information, and is not intended to constitute legal advice and therefore should not be relied on in any manner. The sending/sharing of this document does not create an attorney-client relationship between Poovayya & Co and the recipient. For more specific comprehensive and up-to-date information, or for legal advice and assistance, you should seek the opinion of legal counsel. Reproduction, distribution and/or republication of this document or the content of this document is prohibited unless you have obtained prior written permission from Poovayya & Co.
Poovayya & Co
Level Four, The Estate, 121,
Dickenson Road, Bengaluru – 560 042.
Tel: +91 80 4656 3000
























