DPDP Act 2025 Knowledge Base

Search official rules, penalties, and compliance guidelines for India's Digital Personal Data Protection law.

Latest Updates

Is the consent notice required to give contact details?

Yes. The notice must include the contact details of a Data Protection Officer or another person who can answer...
Read More

What makes consent valid under Section 6 of the DPDP Act?

Consent must be free, specific, informed, unconditional and unambiguous, given through a clear affirmative act...
Read More

Must a Data Fiduciary maintain data accuracy?

Yes. Where data is used to make a decision affecting the Data Principal or is shared, it must be complete, acc...
Read More

What is the right to correction and erasure?

A Data Principal can request correction, completion, updating and erasure of their personal data held by a Dat...
Read More

How are DPDP penalties determined by the Board?

Based on the nature, gravity and duration of the breach, the type and sensitivity of data, repetitive nature, ...
Read More

What is data minimisation under the DPDP framework?

Collecting and processing only the personal data necessary for the specified purpose....
Read More

Can the Government exempt certain agencies from the DPDP Act?

Yes. The Government may exempt certain instrumentalities of the State for reasons such as national security, s...
Read More

Can a Data Principal find out with whom their data was shared?

Yes. They can request the identities of the Data Fiduciaries and processors with whom their personal data has ...
Read More

What is a personal data breach under the DPDP framework?

Any unauthorised processing, disclosure, acquisition, sharing, loss or alteration of personal data that compro...
Read More

Are startups given any relaxation under the DPDP Act?

The Government may notify certain Data Fiduciaries, including startups, for lighter obligations on notice and ...
Read More

When must personal data be erased under the DPDP Act?

When the purpose is no longer being served and retention is not required by law, the data and references enabl...
Read More

What is the purpose limitation principle?

Personal data may be processed only for the specific lawful purpose for which consent was given or the legitim...
Read More

Can a Data Fiduciary engage a Data Processor freely?

Only under a valid contract. The Data Fiduciary remains accountable for compliance....
Read More

Who is a Data Fiduciary under the DPDP Act?

Any person who, alone or together with others, determines the purpose and means of processing personal data....
Read More

What is a Data Protection Impact Assessment (DPIA)?

A structured assessment of the rights of Data Principals and the risks posed by processing, required annually ...
Read More

What user-count threshold triggers the 3-year retention rule for online gaming?

Fifty lakh (5 million) registered users in India....
Read More

Is verifiable parental consent mandatory for children's data?

Yes. A Data Fiduciary must obtain verifiable consent of a parent or lawful guardian before processing a child'...
Read More

What does Schedule I of the DPDP Rules cover?

The registration conditions and duties of Consent Managers, including net worth and audit-trail requirements....
Read More

Does the Data Protection Board operate as a digital office?

Yes. The Board functions digitally; complaints can be filed and tracked online via a portal and mobile app....
Read More