As technology advances rapidly and Artificial Intelligence becomes more prevalent across different sectors, it becomes imperative for countries to update their laws to tackle modern technological challenges. For a developing nation like India, which is striving for technological progress in every sphere, processing of digital personal data is paramount. This involves recognizing individuals’ rights to safeguard their personal data and ensuring it is not misused by those who control it.
With this in mind, the Central Government of India introduced the Digital Personal Data Protection Act, 2023 (“DPDP Act”). This Act, which received the Presidential assent on August 11, 2023, will come into force upon notification in the Official Gazette. In furtherance of this Act, the Ministry of Electronics and Information Technology (MeitY) released the Draft Digital Personal Data Protection Rules, 2025 (“DPDP Rules”) for public consultation, which concluded on March 5, 2025. These DPDP Rules will play a crucial role in shaping the regulatory framework for implementing the DPDP Act, placing additional obligations on Data Fiduciaries.
This article aims to help stakeholders, i.e. Data Fiduciaries, understand the changes and amendments required to align their existing internal policies, agreements and manuals with the DPDP Act.
Before we go further, let us understand a few important terms. A ‘Data Principal’ refers to the individual to whom the personal data relates and where such individual is (i) a child, includes the parents or lawful guardians of the child; (ii) a person with disability, includes her lawful guardian, acting on her behalf. The other important term is ‘personal data’, which includes any data about an individual who is identifiable by or in relation to, such data.
Applicability:
The DPDP Act applies to the processing of digital personal data within Indian territory, whether collected in digital form or converted from non-digital to digital. It also extends its jurisdiction to the processing of digital personal data outside India if it relates to the offering of goods or services to Data Principals within Indian territory.
Obligations of Data Fiduciary:
Some of the important obligations of a Data Fiduciary are as follows:
- Lawful Purpose: Data Fiduciary must process personal data for lawful purposes with the consent of the Data Principal, or for legitimate reasons.
- Consent: Section 6 provides that:
  - Consent from the Data Principal must be freely given, specific, informed, unconditional, and clear. It should involve a clear affirmative action and be limited to the necessary personal data for the specified purpose.
  - Requests for consent should be in simple language, with the option to access them in English or any language specified under the Eighth Schedule to the Constitution of India.
  - The Data Principal should be provided with contact details of a Data Protection Officer or such authorized personnel for exercising their rights under the DPDP Act.
  - Data Principals have the right to withdraw consent at any time, although this does not affect the legality of data processing done prior to withdrawal.
- Notice: Section 5 provides that the Data Fiduciary must inform the Data Principal about any requests for consent through a notice. This notice should inform the Data Principal about the personal data collected, its purpose, how to exercise their rights and how to file a complaint with the Board.
General Obligations of Data Fiduciary:
- Compliance: The Data Fiduciary is responsible for complying with the DPDP Act and its rules regarding any data processing, whether done directly or through a Data Processor.
- Data Protection: The Data Fiduciary must safeguard personal data in its possession to prevent breaches. In case of a breach, the Data Fiduciary must notify the Board and the affected Data Principals.
- Data Retention: Personal data should be erased upon withdrawal of consent or when the specified purpose is no longer relevant, unless retention is required by law.
Processing of Personal Data Outside India:
- Section 16 provides that the Central Government may restrict the transfer of personal data for processing to certain countries or territories outside India.
In light of these requirements under the DPDP Act, all Data Fiduciaries are advised to review and revise their existing rules and policies to ensure compliance once the DPDP Act comes into effect.