Digital Personal Data Protection Act, 2023
The Gazette of India Extraordinary
Published by Authority
Uploaded by the Manager, Government of India Press, Minto Road, New Delhi-110002
Published by the Controller of Publications, Delhi-110054
An Act to provide for the processing of digital personal data in a manner that recognises both the right of individuals to protect their personal data and the need to process such personal data for lawful purposes and for matters connected therewith or incidental thereto.
BE it enacted by Parliament in the Seventy-fourth Year of the Republic of India as follows:
This document is an official publication as per the Gazette of India.
Chapter 1: Preliminary
Article 1
Section (1): This Act may be called the Digital Personal Data Protection Act, 2023.
Section (2): It shall come into force on such date as the Central Government may, by notification in the Official Gazette, appoint and different dates may be appointed for different provisions of this Act and any reference in any such provision to the commencement of this Act shall be construed as a reference to the coming into force of that provision.
Article 2: Definitions
In this Act, unless the context otherwise requires,—
- Section (a): "Appellate Tribunal" means the Telecom Disputes Settlement and Appellate Tribunal established under article 14 of the Telecom Regulatory Authority of India Act, 1997;
- Section (b): "automated" means any digital process capable of operating automatically in response to instructions given or otherwise for the purpose of processing data;
- Section (c): "Board" means the Data Protection Board of India established by the Central Government under article 18;
- Section (d): "certain legitimate uses" means the uses referred to in article 7;
- Section (e): "Chairperson" means the Chairperson of the Board;
- Section (f): "child" means an individual who has not completed the age of eighteen years;
- Section (g): "Consent Manager" means a person registered with the Board, who acts as a single point of contact to enable a Data Principal to give, manage, review and withdraw her consent through an accessible, transparent and interoperable platform;
- Section (h): "data" means a representation of information, facts, concepts, opinions or instructions in a manner suitable for communication, interpretation or processing by human beings or by automated means;
- Section (i): "Data Fiduciary" means any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data;
- Section (j): "Data Principal" means the individual to whom the personal data relates and where such individual is—
Section (i): a child, includes the parents or lawful guardian of such a child;
Section (ii): a person with disability, includes her lawful guardian, acting on her behalf;
- Section (k): "Data Processor" means any person who processes personal data on behalf of a Data Fiduciary;
- Additional definitions omitted for brevity...
Article 3
Subject to the provisions of this Act, it shall—
- Section (a): apply to the processing of digital personal data within the territory of India where the personal data is collected—
Section (i): in digital form; or
Section (ii): in non-digital form and digitised subsequently;
- Section (b): also apply to processing of digital personal data outside the territory of India, if such processing is in connection with any activity related to offering of goods or services to Data Principals within the territory of India;
- Section (c): not apply to—
Section (i): personal data processed by an individual for any personal or domestic purpose; and
Section (ii): personal data that is made or caused to be made publicly available by—
Section (A): the Data Principal to whom such personal data relates; or
Section (B): any other person who is under an obligation under any law for the time being in force in India to make such personal data publicly available.
Illustration: X, an individual, while blogging her views, has publicly made available her personal data on social media. In such case, the provisions of this Act shall not apply.
Chapter 2: Obligations of Data Fiduciary
Article 4
Section (1): A person may process the personal data of a Data Principal only in accordance with the provisions of this Act and for a lawful purpose,—
- Section (a): for which the Data Principal has given her consent; or
- Section (b): for certain legitimate uses.
Section (2): For the purposes of this article, the expression "lawful purpose" means any purpose which is not expressly forbidden by law.
Article 5
Section (1): Every request made to a Data Principal under article 6 for consent shall be accompanied or preceded by a notice given by the Data Fiduciary to the Data Principal, informing her,—
- Section (i): the personal data and the purpose for which the same is proposed to be processed;
- Section (ii): the manner in which she may exercise her rights under sub-section (4) of article 6 and article 13; and
- Section (iii): the manner in which the Data Principal may make a complaint to the Board, in such manner and as may be prescribed.
Illustration: X, an individual, opens a bank account using the mobile app or website of Y, a bank. To complete the Know-Your-Customer requirements under law for opening of bank account, X opts for processing of her personal data by Y in a live, video-based customer identification process. Y shall accompany or precede the request for the personal data with notice to X, describing the personal data and the purpose of its processing.
Additional sub-sections and illustrations omitted for brevity...
Article 6
Section (1): The consent given by the Data Principal shall be free, specific, informed, unconditional and unambiguous with a clear affirmative action, and shall signify an agreement to the processing of her personal data for the specified purpose and be limited to such personal data as is necessary for such specified purpose.
Illustration: X, an individual, downloads Y, a telemedicine app. Y requests the consent of X for (i) the processing of her personal data for making available telemedicine services, and (ii) accessing her mobile phone contact list, and X signifies her consent to both. Since phone contact list is not necessary for making available telemedicine services, her consent shall be limited to the processing of her personal data for making available telemedicine services.
Additional sub-sections and illustrations omitted for brevity...
Article 7
A Data Fiduciary may process personal data of a Data Principal for any of following legitimate uses, namely:—
- Section (a): for the specified purpose for which the Data Principal has voluntarily provided her personal data to the Data Fiduciary, and in respect of which she has not indicated to the Data Fiduciary that she does not consent to the use of her personal data.
- Section (b): for the State and any of its instrumentalities to provide or issue to the Data Principal such subsidy, benefit, service, certificate, licence or permit as may be prescribed, where—
Section (i): she has previously consented to the processing of her personal data by the State or any of its instrumentalities for any subsidy, benefit, service, certificate, licence or permit; or
Section (ii): such personal data is available in digital form in, or in non-digital form and digitised subsequently from, any database, register, book or other document which is maintained by the State or any of its instrumentalities and is notified by the Central Government.
Illustration: X, a pregnant woman, enrols herself on an app or website to avail of government's maternity benefits programme, while consenting to provide her personal data for the purpose of availing of such benefits. Government may process the personal data of X processing to determine her eligibility to receive any other prescribed benefit from the government.
Additional clauses omitted for brevity...
Article 8
Section (1): A Data Fiduciary shall, irrespective of any agreement to the contrary or failure of a Data Principal to carry out the duties provided under this Act, be responsible for complying with the provisions of this Act and the rules made thereunder in respect of any processing undertaken by it or on its behalf by a Data Processor.
Additional sub-sections and illustrations omitted for brevity...
Article 9
Section (1): The Data Fiduciary shall, before processing any personal data of a child or a person with disability who has a lawful guardian obtain verifiable consent of the parent of such child or the lawful guardian, as the case may be, in such manner as may be prescribed.
Additional sub-sections omitted for brevity...
Article 10
Section (1): The Central Government may notify any Data Fiduciary or class of Data Fiduciaries as Significant Data Fiduciary, on the basis of an assessment of such relevant factors as it may determine, including—
- Section (a): the volume and sensitivity of personal data processed;
- Section (b): risk to the rights of Data Principal;
Additional factors and sub-sections omitted for brevity...
Chapter 3: Rights and Duties of Data Principal
Article 11
Section (1): The Data Principal shall have the right to obtain from the Data Fiduciary to whom she has previously given consent, including consent as referred to in Section (a) of article 7, for processing of personal data, upon making to it a request in such manner as may be prescribed,—
- Section (a): a summary of personal data which is being processed by such Data Fiduciary and the processing activities undertaken by that Data Fiduciary with respect to such personal data;
- Section (b): the identities of all other Data Fiduciaries and Data Processors with whom the personal data has been shared by such Data Fiduciary, along with a description of the personal data so shared; and
- Section (c): any other information related to the personal data of such Data Principal and its processing, as may be prescribed.
Article 12
Section (1): A Data Principal shall have the right to correction, completion, updating and erasure of her personal data for the processing of which she has previously given consent, including consent as referred to in Section (a) of article 7, in accordance with any requirement or procedure under any law for the time being in force.
Additional sub-sections omitted for brevity...
Article 13
Section (1): A Data Principal shall have the right to have readily available means of grievance redressal provided by a Data Fiduciary or Consent Manager in respect of any act or omission of such Data Fiduciary or Consent Manager regarding the performance of its obligations in relation to the personal data of such Data Principal or the exercise of her rights under the provisions of this Act and the rules made thereunder.
Additional sub-sections omitted for brevity...
Article 14
Section (1): A Data Principal shall have the right to nominate, in such manner as may be prescribed, any other individual, who shall, in the event of death or incapacity of the Data Principal, exercise the rights of the Data Principal in accordance with the provisions of this Act and the rules made thereunder.
Additional sub-sections omitted for brevity...
Article 15
A Data Principal shall perform the following duties, namely:—
- Section (a): comply with the provisions of all applicable laws for the time being in force while exercising rights under the provisions of this Act;
- Section (b): to ensure not to impersonate another person while providing her personal data for a specified purpose;
Additional duties omitted for brevity...
Chapter 4: Special Provisions
Article 16
Section (1): The Central Government may, by notification, restrict the transfer of personal data by a Data Fiduciary for processing to such country or territory outside India as may be so notified.
Additional sub-sections omitted for brevity...
Article 17
Section (1): The provisions of Chapter 2, except sub-sections (1) and (5) of article 8, and those of Chapter 3 and article 16 shall not apply where—
- Section (a): the processing of personal data is necessary for enforcing any legal right or claim;
- Section (b): the processing of personal data by any court or tribunal or any other body in India which is entrusted by law with the performance of any judicial or quasi-judicial or regulatory or supervisory function, where such processing is necessary for the performance of such function;
Illustration: X, an individual, takes a loan from Y, a bank. X defaults in paying her monthly loan repayment instalment on the date on which it falls due. Y may process the personal data of X for ascertaining her financial information and assets and liabilities.
Additional clauses and sub-sections omitted for brevity...
Chapter 5: Data Protection Board of India
Article 18
Section (1): With effect from such date as the Central Government may, by notification, appoint, there shall be established, for the purposes of this Act, a Board to be called the Data Protection Board of India.
Additional sub-sections omitted for brevity...
Article 19
Section (1): The Board shall consist of a Chairperson and such number of other Members as the Central Government may notify.
Additional sub-sections omitted for brevity...
Article 20
Section (1): The salary, allowances and other terms and conditions of service of the Chairperson and other Members shall be such as may be prescribed, and shall not be varied to their disadvantage after their appointment.
Additional sub-sections omitted for brevity...
Article 21
Section (1): A person shall be disqualified for being appointed and continued as the Chairperson or a Member, if she—
- Section (a): has been adjudged as an insolvent;
- Section (b): has been convicted of an offence, which in the opinion of the Central Government, involves moral turpitude;
Additional clauses and sub-sections omitted for brevity...
Article 22
Section (1): The Chairperson or any other Member may give notice in writing to the Central Government of resigning from her office, and such resignation shall be effective from the date on which the Central Government permits her to relinquish office, or upon expiry of a period of three months from the date of receipt of such notice, or upon a duly appointed successor entering upon her office, or upon the expiry of the term of her office, whichever is earliest.
Additional sub-sections omitted for brevity...
Article 23
Section (1): The Board shall observe such procedure in regard to the holding of and transaction of business at its meetings, including by digital means, and authenticate its orders, directions and instruments in such manner as may be prescribed.
Additional sub-sections omitted for brevity...
Article 24
The Board may, with previous approval of the Central Government, appoint such officers and employees as it may deem necessary for the efficient discharge of its functions under the provisions of this Act, on such terms and conditions of appointment and service as may be prescribed.
Article 25
The Chairperson, Members, officers and employees of the Board shall be deemed, when acting or purporting to act in pursuance of provisions of this Act, to be public servants within the meaning of Section 21 of the Indian Penal Code.
Chapter 6: Powers, Functions, and Procedure
Article 26
The Chairperson shall exercise the following powers, namely:—
- Section (a): general superintendence and giving direction in respect of all administrative matters of the Board;
- Section (b): authorise any officer of the Board to scrutinise any intimation, complaint, reference or correspondence addressed to the Board; and
Additional clauses omitted for brevity...
Article 27
Section (1): The Board shall exercise and perform the following powers and functions, namely:—
- Section (a): on receipt of an intimation of personal data breach under sub-section (6) of article 8, to direct any urgent remedial or mitigation measures in the event of a personal data breach, and to inquire into such personal data breach and impose penalty as provided in this Act;
Additional clauses and sub-sections omitted for brevity...
Article 28
Section (1): The Board shall function as an independent body and shall, as far as practicable, function as a digital office, with the receipt of complaints and the allocation, hearing and pronouncement of decisions in respect of the same being digital by design, and adopt such techno-legal measures as may be prescribed.
Additional sub-sections omitted for brevity...
Chapter 7: Appeal and Alternate Dispute Resolution
Article 29
Section (1): Any person aggrieved by an order or direction made by the Board under this Act may prefer an appeal before the Appellate Tribunal.
Additional sub-sections omitted for brevity...
Article 30
Section (1): An order passed by the Appellate Tribunal under this Act shall be executable by it as a decree of civil court, and for this purpose, the Appellate Tribunal shall have all the powers of a civil court.
Additional sub-sections omitted for brevity...
Article 31
If the Board is of the opinion that any complaint may be resolved by mediation, it may direct the parties concerned to attempt resolution of the dispute through such mediation by such mediator as the parties may mutually agree upon, or as provided for under any law for the time being in force in India.
Article 32
Section (1): The Board may accept a voluntary undertaking in respect of any matter related to observance of the provisions of this Act from any person at any stage of a proceeding under article 28.
Additional sub-sections omitted for brevity...
Chapter 8: Penalties and Adjudication
Article 33
Section (1): If the Board determines on conclusion of an inquiry that breach of the provisions of this Act or the rules made thereunder by a person is significant, it may, after giving the person an opportunity of being heard, impose such monetary penalty specified in the Schedule.
Additional sub-sections omitted for brevity...
Article 34
All sums realised by way of penalties imposed by the Board under this Act, shall be credited to the Consolidated Fund of India.
Chapter 9: Miscellaneous
Article 35
No suit, prosecution or other legal proceedings shall lie against the Central Government, the Board, its Chairperson and any Member, officer or employee thereof for anything which is done or intended to be done in good faith under the provisions of this Act or the rules made thereunder.
Article 36
The Central Government may, for the purposes of this Act, require the Board and any Data Fiduciary or intermediary to furnish such information as it may call for.
Article 37
Section (1): The Central Government or any of its officers specially authorised by it in this behalf may, upon receipt of a reference in writing from the Board that—
- Section (a): intimates the imposition of monetary penalty by the Board on a Data Fiduciary in two or more instances; and
- Section (b): advises, in the interests of the general public, the blocking for access by the public to any information generated, transmitted, received, stored or hosted, in any computer resource that enables such Data Fiduciary to carry on any activity relating to offering of goods or services to Data Principals within the territory of India.
Additional sub-sections omitted for brevity...
Article 38
Section (1): The provisions of this Act shall be in addition to and not in derogation of any other law for the time being in force.
Additional sub-sections omitted for brevity...
Article 39
No civil court shall have the jurisdiction to entertain any suit or proceeding in respect of any matter for which the Board is empowered under the provisions of this Act and no injunction shall be granted by any court or other authority in respect of any action taken or to be taken in pursuance of any power under the provisions of this Act.
Article 40
Section (1): The Central Government may, by notification, and subject to the condition of previous publication, make rules not inconsistent with the provisions of this Act, to carry out the purposes of this Act.
Additional sub-sections omitted for brevity...
Article 41
Every rule made and every notification issued under article 16 and article 42 of this Act shall be laid, as soon as may be after it is made, before each House of Parliament...
Additional details omitted for brevity...
Article 42
Section (1): The Central Government may, by notification, amend the Schedule, subject to the restriction that no such notification shall have the effect of increasing any penalty specified therein to more than twice of what was specified in it when this Act was originally enacted.
Additional sub-sections omitted for brevity...
Article 43
Section (1): If any difficulty arises in giving effect to the provisions of this Act, the Central Government may, by order published in the Official Gazette, make such provisions not inconsistent with the provisions of this Act as may appear to it to be necessary or expedient for removing the difficulty.
Additional sub-sections omitted for brevity...
Article 44
Section (1): In article 14 of the Telecom Regulatory Authority of India Act, 1997, in clause (c), for sub-clauses (i) and (ii), the following sub-clauses shall be substituted, namely:—
- Section (i): the Appellate Tribunal under the Information Technology Act, 2000;
- Section (ii): the Appellate Tribunal under the Airports Economic Regulatory Authority of India Act, 2008; and
- Section (iii): the Appellate Tribunal under the Digital Personal Data Protection Act, 2023.
Additional amendments omitted for brevity...
Schedule: Penalties
| Sl. No. | Breach of provisions of this Act or rules made thereunder | Penalty |
|---|---|---|
| 1. | Breach in observing the obligation of Data Fiduciary to take reasonable security safeguards to prevent personal data breach under sub-section (5) of article 8. | May extend to two hundred and fifty crore rupees. |
| 2. | Breach in observing the obligation to give the Board or affected Data Principal notice of a personal data breach under sub-section (6) of article 8. | May extend to two hundred crore rupees. |
| 3. | Breach in observance of additional obligations in relation to children under article 9. | May extend to two hundred crore rupees. |
| 4. | Breach in observance of additional obligations of Significant Data Fiduciary under article 10. | May extend to one hundred and fifty crore rupees. |
| 5. | Breach in observance of the duties under article 15. | May extend to ten thousand rupees. |
| 6. | Breach of any term of voluntary undertaking accepted by the Board under article 32. | Up to the extent applicable for the breach in respect of which the proceedings under article 28 were instituted. |
| 7. | Breach of any other provision of this Act or the rules made thereunder. | May extend to fifty crore rupees. |
DR. REETA VASISHTA
Secretary to the Govt. of India