ATB LEGAL
Dispute Resolution Employment Corporate & Commercial Personal Status Intellectual Property Regulatory & Compliance International Trade Insights People About Contact Us

Data Protection & Privacy in India

Data Protection & Privacy in India

India’s Digital Personal Data Protection Act 2023 (DPDPA), with its implementing Rules notified in November 2025, marks a fundamental shift in how businesses must handle personal data in India. Every organisation that processes personal data of individuals in India — whether Indian or foreign, and whether the processing takes place in India or abroad in connection with offering goods or services to those individuals, is subject to the Act’s requirements. ATB Legal advises on DPDPA compliance, consent framework design, data principal rights implementation, cross-border transfer restrictions, and Data Protection Board proceedings.

India’s data protection law is not a future obligation — compliance timelines are running. Organisations that begin now will be positioned to meet the compliance timeline before enforcement begins within 18 months from November, 2025. Early preparation reduces the work required as the deadline approaches.

OUR DATA PROTECTION & PRIVACY SERVICES

Data Protection & Privacy in India: DPDPA 2023

The Digital Personal Data Protection Act 2023 and the DPDP Rules 2025 — notified by MeitY on 13 November 2025 — establish India’s first comprehensive data protection regime. The Act applies to any processing of digital personal data within India, and extraterritorially to processing outside India where it is connected to offering goods or services to individuals in India. Core compliance provisions come into force 18 months from the notification date — approximately May 2027. The Data Protection Board of India is being constituted now. Organisations that process personal data of Indian residents should begin their compliance programmes immediately.

Consent Framework and Data Fiduciary Obligations

The DPDPA replaces the Information Technology (SPDI) Rules 2011 as the primary data protection instrument — though the SPDI Rules remain operative during the phased transition. The Act establishes a consent-first framework: personal data may generally be processed only with the free, specific, informed, and unambiguous consent of the Data Principal. Every Data Fiduciary must provide a clear and plain language notice describing the personal data to be collected and the purposes for processing — before or at the time of seeking consent. Consent can be withdrawn at any time, and the withdrawal mechanism must be as easy as the consent mechanism itself. ATB Legal advises on consent architecture, notice design, and the contractual and technical arrangements required to make consent management operationally viable across a business.

Data Principal Rights and Grievance Redressal

Data Principals have defined rights under the DPDPA: the right to access information about their personal data being processed; the right to correction and erasure of inaccurate  

or incomplete data; the right to nominate a person to exercise their rights in the event of death or incapacity; and the right to raise grievances. Every Data Fiduciary must establish a grievance redressal mechanism within the ambits of DPDP Act, 2023. Consent can be withdrawn at any time. ATB Legal assists organisations in designing and implementing data principal rights frameworks — covering the processes, timelines, and documentation required to respond to rights requests and grievances within the Act’s prescribed timeframes.

Cross-Border Data Transfer Restrictions

The transfer of personal data outside India is restricted under the DPDPA. The Central Government has the power to restrict transfers to specific countries, and to permit transfers only to countries or entities meeting prescribed conditions. The permitted country list has not yet been finalised. For organisations with data flows between India and the UAE, India and the UK, or India and the EU, this restriction is a significant structuring consideration. ATB Legal advises on cross-border data transfer arrangements, the contractual frameworks required for compliant transfers, and the interaction between the DPDPA’s transfer restrictions and the existing requirements under the Information Technology Act 2000 and SPDI Rules.

Data Protection Board, Penalties, and Significant Data Fiduciaries

The Data Protection Board of India is an independent adjudicatory body empowered to receive complaints, conduct inquiries, and impose penalties. Penalties under the Act can reach up to Rs 250 crore for specified breaches including obligations relating to children’s data processing and data breach notification. MeitY may designate certain organisations as Significant Data Fiduciaries — carrying additional obligations including periodic Data Protection Impact Assessments, data audits, and the appointment of a Data Protection Officer and independent data auditor. ATB Legal advises on Data Protection Board obligations, assists with Data Protection Impact Assessments, and provides representation in Board proceedings.

Frequently Asked Questions- Data Protection & Privacy

Does the DPDPA apply to my organisation?

The DPDPA applies to any person processing digital personal data within India, and extraterritorially to any person processing personal data outside India in connection with offering goods or services to Indian residents. Both Indian and foreign organisations are subject to the Act. Exemptions exist for certain government entities, personal or household use, and research purposes.

When do DPDPA compliance obligations come into force?

The DPDP Rules 2025 were notified on 13 November 2025. Core compliance provisions — consent requirements, data principal rights, and data fiduciary obligations — come into force approximately May 2027 (18 months from notification). Data Protection Board establishment provisions are already operative. Organisations should begin compliance programmes now.

What is a Data Fiduciary and what are its obligations?

A Data Fiduciary is any person who determines the purpose and means of processing personal data. Obligations include: providing a clear consent notice before data collection; obtaining free, specific, informed, and unambiguous consent; maintaining security safeguards; erasing data when the purpose is fulfilled or consent is withdrawn; responding to data principal rights requests; and establishing a grievance mechanism. Significant Data Fiduciaries carry additional obligations including impact assessments and audits.

Read More

Our Team of
Lawyers and Experts

View All

Representative Experience

Technology Company — DPDPA Compliance Readiness Assessment
Advised an Indian technology company processing personal data across India, the UAE, and the UK on its DPDPA compliance readiness. The mandate covered a data mapping exercise, gap assessment against DPDPA Data Fiduciary obligations, consent notice and mechanism design, data principal rights response framework, cross-border transfer analysis for UAE and UK data flows, and a phased implementation roadmap aligned with the Act’s 18-month compliance timeline.

GCC Company — Cross-Border Data Transfer Structuring
Advised a GCC-based company offering digital services to Indian consumers on the applicability of the DPDPA to its India operations. The mandate covered extraterritorial jurisdiction analysis, data processing agreement review, consent architecture design for the India user base, and advisory on the interim arrangements required pending finalisation of the permitted country transfer list.

Manufacturing Group — Employee Data Compliance Framework
Advised an Indian manufacturing group on the implications of the DPDPA for employee personal data — covering consent requirements for employment-related data collection, employee data principal rights, HR system data retention and erasure obligations, the interaction between the DPDPA framework and existing employment contracts, and recommended updates to the group’s HR policies and data handling procedures.