DPDP Act 2023 → enforcement live§8(6) + Rule 7(2): 72h breach reportMax penalty: ₹250 Cr22 scheduled languagesap-south-1 · MumbaiConsent Manager framework: pilotDPDP Rules: operationalisedDPDP Act 2023 → enforcement live§8(6) + Rule 7(2): 72h breach reportMax penalty: ₹250 Cr22 scheduled languagesap-south-1 · MumbaiConsent Manager framework: pilotDPDP Rules: operationalised
[01]Reference · The Act in full

The DPDP Act 2023, section by section.

All 44 sections of India's Digital Personal Data Protection Act, 2023 — what each one says in plain English, what it means for a product team, and (where relevant) how Crawlshark covers it. Use it as a working reference, not legal advice.

Sections
44
Chapters
7
Schedule
Penalties
Last updated
29 Jun 2026
[1–§3]Chapter I

Preliminary

What the Act is called, what its words mean, and where it applies.

3 sections · §1–§3
§1

Short title and commencement

What it says
Names the Act the 'Digital Personal Data Protection Act, 2023' and lets the Central Government appoint when each provision takes effect.
What it means for you
Different sections can switch on at different dates via gazette notification — plan rollouts around the Rules, not the Act passage date.
§2

Definitions

What it says
Defines the operative vocabulary: personal data, processing, Data Principal, Data Fiduciary, Data Processor, consent, Consent Manager, child, person with disability, gain/loss, digital office and more.
What it means for you
Almost every dispute under the Act turns on these definitions. If you process anything that can identify a natural person, you are a Data Fiduciary.
§3

Application of Act

What it says
Applies to digital personal data processed within India, and to processing outside India that offers goods or services to Data Principals in India.
What it means for you
Extra-territorial reach: a SaaS based anywhere that targets Indian users is in scope. Pure household / personal use is excluded.
How Crawlshark covers itCrawlshark is India-resident by default (ap-south-1) and supports cross-border tenants with §16 transfer controls.
[4–§10]Chapter II

Obligations of Data Fiduciaries

The substantive rules: lawful basis, notice, consent, security, children, and Significant Data Fiduciaries.

7 sections · §4–§10
§4

Grounds for processing personal data

What it says
Permits processing only on the basis of (a) consent, or (b) certain 'legitimate uses' listed in §7.
What it means for you
There is no 'legitimate interest' catch-all like GDPR Art. 6(1)(f). If you cannot map a purpose to consent or to one of the §7 grounds, you cannot process.
§5

Notice

What it says
Before or at the time of seeking consent, the Data Fiduciary must give an itemised notice describing the personal data, the purpose, how rights can be exercised and how to complain to the Board. Must be available in English and the 22 Eighth Schedule languages.
What it means for you
Bundled, vague privacy policies fail §5. Notices must be purpose-by-purpose and language-switchable.
How Crawlshark covers itCrawlshark renders signed, versioned §5 notices in all 22 scheduled languages from one source-of-truth.
§6

Consent

What it says
Consent must be free, specific, informed, unconditional, unambiguous, with a clear affirmative action, and limited to data necessary for the specified purpose. Withdrawal must be as easy as giving consent. Consent may be managed through registered Consent Managers.
What it means for you
Pre-ticked boxes, dark patterns, take-it-or-leave-it bundles and 'we will keep processing for related purposes' clauses are invalid.
How Crawlshark covers itConsent Ledger gives every grant a signed receipt, purpose binding and one-tap withdrawal that fan-outs to downstream systems in under 30 seconds.
§7

Certain legitimate uses

What it says
Lists narrowly defined uses that do not require fresh consent — voluntary disclosure by the Principal for a specified purpose, State functions in the public interest, compliance with court orders, medical emergencies, epidemics, disasters, and employment-related processing.
What it means for you
These are exhaustive and narrowly construed. Marketing, analytics and personalisation are not §7 grounds.
§8

General obligations of Data Fiduciary

What it says
Fiduciaries are accountable for processors, must ensure accuracy, implement reasonable security safeguards, notify the Board and affected Principals of breaches, erase data when purpose is met or consent withdrawn, and publish contact details of a Data Protection Officer or person able to answer queries.
What it means for you
The catch-all accountability section. §8(6) sets the 72-hour-class breach notification expectation operationally enforced by the Rules.
How Crawlshark covers itBreach War Room pre-stages roles, regulator templates and multilingual Data Principal notices to file inside the §8(6) window.
§9

Processing of personal data of children

What it says
Requires verifiable parental consent before processing any child's data (under 18), bans behavioural tracking, targeted advertising and any processing likely to cause harm to children. Government may exempt classes of Fiduciaries for specified purposes.
What it means for you
If your product reaches a single child user without verifiable parental consent, you are non-compliant — age-gating alone is not enough.
How Crawlshark covers itCrawlshark ships age-gating, parental verification flows and a children's-data audit trail aligned to §9.
§10

Additional obligations of Significant Data Fiduciary

What it says
The Central Government can designate a class of Fiduciary as 'Significant' based on volume and sensitivity of data, risk to electoral democracy, security of the State, public order, and similar factors. SDFs must appoint a India-resident DPO, an independent data auditor, and conduct periodic DPIAs and audits.
What it means for you
Large consumer apps, fintechs and ad-tech platforms should plan as if they will be notified as SDFs.
How Crawlshark covers itSDF Checklist tracks DPIA evidence, auditor reports and DPO records for board-ready disclosure.
[11–§15]Chapter III

Rights & Duties of Data Principals

What individuals can ask for, how grievances are handled, who they may nominate, and what they must do in return.

5 sections · §11–§15
§11

Right to access information about personal data

What it says
A Data Principal who has consented may request a summary of personal data being processed, the processing activities, and the identities of other Fiduciaries / Processors with whom it has been shared.
What it means for you
You must be able to assemble a per-Principal view across every microservice, warehouse and processor.
How Crawlshark covers itDSR Automation joins consent + identity + warehouse data into a §11 access pack in minutes.
§12

Right to correction and erasure of personal data

What it says
Principals may request correction of inaccurate data, completion of incomplete data, updating, and erasure of data no longer necessary for the purpose (unless retention is required by law).
What it means for you
Erasure must propagate to processors and backups; retention must be defensible against a specific statutory clock.
§13

Right of grievance redressal

What it says
Principals have the right to a readily available means of grievance redressal provided by the Fiduciary or Consent Manager, with a response within a prescribed period. The Board is the appellate path.
What it means for you
You need a published Grievance Officer, an intake channel, an SLA and a closure log — not just a support email.
§14

Right to nominate

What it says
A Data Principal may nominate another individual to exercise their rights in the event of death or incapacity.
What it means for you
Estate planning meets data rights — your DSR portal must accept and verify a nominee's request.
§15

Duties of Data Principal

What it says
Principals must comply with applicable law, not impersonate, not suppress material information, not file false or frivolous complaints, and provide authentic information in correction requests. Breach of these duties is itself penalised under §33 read with the Schedule.
What it means for you
Fiduciaries can document and report bad-faith requests. Build verification and abuse-protection into your DSR intake.
[16–§17]Chapter IV

Special Provisions

Cross-border transfers and exemptions for research, archiving, startups and government use.

2 sections · §16–§17
§16

Transfer of personal data outside India

What it says
The Central Government may, by notification, restrict transfers of personal data to specified countries or territories.
What it means for you
Default is permissive (allow-all except listed), but designate India as the resident jurisdiction wherever feasible, and design for a future restricted-country list.
How Crawlshark covers itap-south-1 + ap-south-2 by default; cross-border routes are policy-gated per tenant.
§17

Exemptions

What it says
Carves out State processing for sovereignty / security, law-enforcement, prevention of offences, research / archiving / statistical purposes (subject to standards), and limited exemptions for startups notified by the Government. Provisions other than §8(1) and §8(5) may be deferred for some Fiduciaries.
What it means for you
Exemptions are narrow and conditional. Do not treat your product as exempt without a specific notification to rely on.
[18–§28]Chapter V

Data Protection Board of India

Establishment, composition, qualifications, disqualifications, officers, powers and proceedings of the Board.

11 sections · §18–§28
§18

Establishment of Board

What it says
Establishes the Data Protection Board of India as a body corporate with perpetual succession, common seal and the power to sue and be sued.
What it means for you
There is now one statutory regulator for personal data in India — replacing the Adjudicating Officer regime under IT Act §43A.
§19

Composition and qualifications of Board

What it says
The Board has a Chairperson and other Members appointed by the Central Government, with prescribed qualifications in data governance, law, technology, regulation, dispute resolution or related fields.
What it means for you
Expect a technocratic regulator rather than a purely judicial one — proceedings are digital-first.
§20

Terms and conditions of appointment and service of Chairperson and Members

What it says
Sets tenure, eligibility, removal grounds and post-tenure restrictions on Board members.
What it means for you
Independence is structured but not absolute; rules and notifications will refine these conditions.
§21

Disqualifications for appointment as Chairperson or Member

What it says
Sets out grounds on which a person is disqualified from appointment — insolvency, conviction for an offence involving moral turpitude, unsoundness of mind, and similar bars.
What it means for you
Board appointments are filtered for integrity at the front door, which matters when you challenge an order or seek recusal.
§22

Resignation by Chairperson or Member

What it says
Allows a Chairperson or Member to resign by written notice to the Central Government and prescribes how the vacancy is treated until filled.
What it means for you
Continuity of Board proceedings is preserved across resignations — your matter does not lapse because a member exits.
§23

Salary, allowances and other terms of officers and employees

What it says
Empowers the Central Government to prescribe salaries, allowances and conditions of service for officers and employees of the Board.
What it means for you
Operational capacity of the Board scales by executive notification rather than fresh legislation.
§24

Officers and other employees of the Board

What it says
Authorises the Board to appoint officers and employees needed to discharge its functions, with terms and conditions as prescribed.
What it means for you
Expect the Board to staff up specialist investigators and forensic capability over time — not just generalist civil servants.
§25

Members and officers of Board to be public servants

What it says
Members, officers and employees of the Board are deemed public servants under §21 of the Indian Penal Code (now BNS).
What it means for you
Misleading or bribing Board personnel is a criminal exposure on top of any DPDP penalty.
§26

Powers of Chairperson

What it says
Vests general superintendence, direction and management of Board affairs in the Chairperson, including constitution of benches and allocation of business.
What it means for you
Procedural decisions on which bench hears your matter are administrative — expect speed.
§27

Powers, functions and procedure of Board

What it says
Powers include directing remedial or mitigation measures on breach, inquiring into complaints, summoning persons, examining records and imposing penalties; the Board may also regulate its own procedure.
What it means for you
The Board can investigate suo moto. Audit trails and incident logs need to be exportable on demand.
§28

Proceedings before Board

What it says
Proceedings are digital by default. The Board has the powers of a civil court for summoning, examining on oath, requiring documents and receiving evidence on affidavit.
What it means for you
You will be served digitally, file digitally, and be examined digitally. Compliance ops needs to mirror that workflow.
[29–§34]Chapter VI

Penalties & Adjudication

Appeal to the Appellate Tribunal, alternate dispute resolution, voluntary undertakings, financial penalties and crediting of sums.

6 sections · §29–§34
§29

Appeal to Appellate Tribunal

What it says
Any person aggrieved by an order of the Board may appeal to the Telecom Disputes Settlement and Appellate Tribunal (TDSAT) within the prescribed period.
What it means for you
TDSAT is the appellate authority — not a civil court. Engage telecom / data counsel familiar with it.
§30

Orders passed by Appellate Tribunal

What it says
Tribunal orders are executable as decrees of a civil court and the Tribunal may regulate its own procedure.
What it means for you
An adverse appellate order is directly enforceable; settle or appeal further to the Supreme Court timely.
§31

Alternate dispute resolution

What it says
The Board may direct that a complaint be resolved by mediation or other ADR process.
What it means for you
Build a defensible record so that mediation starts from your evidence, not the complainant's.
§32

Voluntary undertaking

What it says
The Board may accept a voluntary undertaking from a Fiduciary in lieu of proceedings, which once accepted bars further proceedings on the same facts but is enforceable on breach.
What it means for you
Self-reporting with a remediation plan is a real option — but only if you can show evidence the plan is working.
§33

Penalties

What it says
Penalties are prescribed in the Schedule and adjudicated by the Board having regard to the nature, gravity and duration of breach, type and sensitivity of data affected, repetitive nature, gains made or losses avoided, and mitigation taken.
What it means for you
Up to ₹250 Cr for failure to take reasonable security safeguards (§8(5)); ₹200 Cr each for breach-notification failures (§8(6)) and children's data violations (§9); ₹150 Cr for SDF additional obligations (§10); ₹50 Cr for any other Fiduciary breach; ₹10,000 for Data Principal duty breaches.
How Crawlshark covers itCrawlshark surfaces a live penalty-exposure ledger so executives can see risk in INR, by section.
§34

Crediting sums to Consolidated Fund of India

What it says
Penalties collected under the Act are credited to the Consolidated Fund of India.
What it means for you
Penalties are punitive, not restitutive — affected Principals have a separate civil path for damages.
[35–§44]Chapter VII

Miscellaneous

Good-faith protection, information-call powers, blocking directions, rule-making and consequential amendments.

10 sections · §35–§44
§35

Protection of action taken in good faith

What it says
No suit, prosecution or other legal proceeding lies against the Government, the Board, the Chairperson, Members, officers or employees for anything done in good faith under the Act.
What it means for you
Regulator personnel are statutorily protected — engagement strategy should focus on the institution, not individuals.
§36

Power to call for information

What it says
The Central Government may require the Board or any Fiduciary to furnish information for the purposes of the Act.
What it means for you
Government information requests have a statutory basis — treat them with the same rigour as a Board inquiry.
§37

Power of Central Government to issue directions to block access

What it says
On a reference from the Board or otherwise, the Government may direct intermediaries to block access in the interests of the general public, after Fiduciary has been afforded an opportunity of being heard.
What it means for you
Repeated material non-compliance can lead to blocking orders against your service — operational continuity risk, not just financial.
§38

Consistency with other laws

What it says
The Act is in addition to, and not in derogation of, any other law for the time being in force. In case of inconsistency, the DPDP Act prevails to the extent of the inconsistency.
What it means for you
Sectoral laws (RBI, SEBI, IRDAI, ABDM) continue to apply; where they conflict with DPDP, DPDP wins.
§39

Bar of jurisdiction of civil courts

What it says
No civil court has jurisdiction to entertain any suit or proceeding in respect of any matter the Board or Appellate Tribunal is empowered to determine.
What it means for you
Forum-shopping is closed off — the regulator is the first port of call.
§40

Power to make rules

What it says
The Central Government may make rules to carry out the provisions of the Act on a wide range of subjects — consent management, notice form, breach intimation, children's verification, DPO qualifications, transfer restrictions and more.
What it means for you
The Rules operationalise almost every obligation. Read the Act and the DPDP Rules 2025 together.
§41

Laying of rules and notifications

What it says
Rules and notifications must be laid before each House of Parliament for a specified period, and Parliament may modify or annul them.
What it means for you
Parliamentary scrutiny is built in — expect drafts and consultations before final rules.
§42

Power to amend Schedule

What it says
The Government may, by notification, amend the Schedule that contains the penalty matrix, subject to a statutory cap.
What it means for you
Penalty quanta can change without a fresh amendment to the Act — track gazette notifications closely.
§43

Amendments to specified enactments

What it says
Effects consequential amendments to other laws — notably the Information Technology Act, 2000 (omits §43A, amends §81) and the Right to Information Act, 2005 (narrows the §8(1)(j) personal-information exemption).
What it means for you
The IT Act §43A 'sensitive personal data or information' (SPDI) regime is sunset; DPDP is now the operative law for personal data, and RTI requests for personal information are read more strictly.
§44

Power to remove difficulties (and consequential provisions)

What it says
If any difficulty arises in giving effect to the Act, the Government may make such provisions, not inconsistent with the Act, as appear necessary, within three years of commencement; carries the residual and consequential provisions of the Act.
What it means for you
Expect transitional orders and clarifications during the first compliance cycle.
[08]Use this reference

Map every section to a control, in one sprint.

Crawlshark turns §5 notices, §6 consent, §8 security, §9 children's data, §11–§14 rights and §16 transfers into shipping product modules — with evidence ready for the Board.