Indian Privacy Laws — DPDP Act 2023 Access Request Requirements
Indian data protection requirements under the Digital Personal Data Protection Act 2023. Data Principal rights, consent framework, and compliance obligations.
Last updated: 2026-05-10
India's Digital Personal Data Protection Act 2023 (DPDP Act) was enacted on 11 August 2023, marking the country's first comprehensive data protection legislation. The Act establishes a consent-based framework for the processing of digital personal data and creates a set of enforceable rights for individuals (called Data Principals). However, the detailed rules required to operationalize many of the Act's provisions are still being finalized.
The DPDP Act applies to the processing of digital personal data within India, whether the data was collected in digital form or collected in non-digital form and later digitised, and to processing outside India that is connected with offering goods or services to individuals in India. Personal data processed by an individual for personal or domestic purposes, and personal data that the Data Principal has made publicly available (or that is public under a legal obligation), fall outside the Act. There is no revenue threshold or company-size exemption in the Act itself: applicability turns on the nature of the processing activity, not the size of the organisation.
Disclaimer: This content is for informational purposes only and does not constitute legal advice. Consult a qualified attorney or data protection professional for guidance specific to your organization.
Enforcement rules pending: As of early 2026, the Indian government has not yet finalized and published all of the rules required to fully implement the DPDP Act. The Data Protection Board of India (DPB) is not yet fully operational. Specific requirements — including timelines for responding to access requests, the designation criteria for Significant Data Fiduciaries, and the detailed obligations of Consent Managers — may change once the rules are issued. The information on this page reflects the Act as enacted and should be treated as subject to revision.
Key Concepts
The DPDP Act introduces terminology that differs from the GDPR and other privacy frameworks:
- Data Principal: The individual whose personal data is being processed (equivalent to "data subject" under the GDPR)
- Data Fiduciary: The entity that determines the purpose and means of processing personal data (equivalent to "data controller")
- Consent Manager: A registered intermediary that helps Data Principals manage their consent preferences across multiple Data Fiduciaries
- Significant Data Fiduciary: A Data Fiduciary, or class of Data Fiduciaries, that the Central Government notifies as such and that is subject to additional obligations. The Act lists the factors the government weighs in making the designation, including the volume and sensitivity of the personal data processed, the risk to the rights of Data Principals, and the potential impact on the sovereignty and integrity of India, electoral democracy, security of the State and public order
Enforcement
The Data Protection Board of India (DPB) is established under the DPDP Act as the enforcement body. The DPB will adjudicate complaints, conduct inquiries, and impose penalties. However, as of early 2026, the Board has not yet been fully constituted or made operational.
Penalties under the DPDP Act can be substantial. The Schedule to the Act sets a ceiling for each category of contravention, and the highest ceiling is INR 250 crore (roughly USD 30 million at recent exchange rates) per instance. For example, failure to implement reasonable security safeguards to prevent a personal data breach carries a maximum penalty of INR 250 crore, and failure to notify the Board and affected Data Principals of a breach carries a maximum of INR 200 crore. The Board fixes the actual amount after considering factors such as the nature, gravity and duration of the contravention, the type of personal data affected, whether the contravention was repeated, and the mitigation the Data Fiduciary undertook.
Data Principal Rights
The DPDP Act grants Data Principals the following rights:
- Right to access: Data Principals can request a summary of the personal data being processed about them, a summary of the processing activities being carried out, and the identities of all other Data Fiduciaries and Data Processors with whom the data has been shared, together with a description of the data shared. Under the Act this right attaches to data processed on the basis of consent, including data the Data Principal voluntarily provided for a specified purpose
- Right to correction and erasure: Data Principals can request correction of inaccurate or misleading data, completion of incomplete data, updating of outdated data, and erasure of data that is no longer necessary for the stated purpose
- Right to grievance redressal: Data Principals can raise grievances with the Data Fiduciary, and if unsatisfied, escalate to the Data Protection Board
- Right to nominate: Data Principals can nominate another individual to exercise their rights in the event of death or incapacity
Consent-Based Framework
The DPDP Act uses notice and consent as the primary lawful basis for processing personal data. Before collecting data, a Data Fiduciary must give a clear notice in plain language that describes the personal data to be collected and the purpose of processing, explains how the Data Principal can exercise their rights, and explains how to complain to the Data Protection Board. Consent must be free, specific, informed, unconditional and unambiguous, signified by a clear affirmative action, and limited to the personal data necessary for the specified purpose. Data Principals can withdraw consent at any time, and withdrawing must be as easy as giving it; processing must stop within a reasonable time after withdrawal unless another lawful basis applies.
The Act also recognizes certain legitimate uses — processing without explicit consent for purposes such as compliance with court orders, medical emergencies, and employment-related processing — but consent remains the default basis.
Significant Data Fiduciary Obligations
Data Fiduciaries notified as Significant Data Fiduciaries face additional requirements: appointing a Data Protection Officer who is based in India, represents the Fiduciary under the Act and serves as the point of contact for grievance redressal; appointing an independent data auditor to evaluate compliance; and carrying out periodic Data Protection Impact Assessments and periodic audits. The Act lists the factors that inform the designation; the designation procedure and any further obligations are left to the forthcoming rules.
Guides
- DPDP Act Access Request Requirements — full compliance breakdown including Data Principal rights, response obligations, and penalties
Related Resources
- How to Respond to a DSAR — step-by-step response process
- DSAR Response Deadlines — deadline comparison across jurisdictions