Step 03 - Draft or Update Privacy Notices

The DPDPA requires every organization (Data Fiduciary) to provide individuals with a clear, standalone privacy notice before processing their personal data.

A compliant privacy notice must:

  • Explain what personal data is being collected.
  • State why the data is being collected (the purpose).
  • Provide details of whom to contact for questions or complaints (Grievance Officer or DPO).
  • Explain how individuals can exercise their rights (access, correction, erasure, withdrawal of consent).
  • Be written in clear and simple language, available in English and local languages.

Example

An insurance company updating its claim portal must add a notice that explains:

“We are collecting your Aadhaar and medical records to process your claim. For questions, please contact our Grievance Officer at grievance@abcinsurance.com.”

Critical Point

The privacy notice cannot be hidden in lengthy terms and conditions. It must be standalone, simple, and multilingual so that every Data Principal can understand it.