Key Definitions under DPDPA

To understand the framework of the Digital Personal Data Protection Act (DPDPA), 2023, it is essential to become familiar with its core definitions. These terms are consistently used throughout the Act and the Draft Rules of 2025, and they form the foundation for interpreting rights, duties, and obligations.

Data Principal

A Data Principal is the individual to whom the personal data relates, and this includes both children and persons with disabilities who are represented by lawful guardians.

Data Fiduciary

A Data Fiduciary is the entity that determines the purpose and means of processing personal data, and it bears primary responsibility for ensuring that data is collected and processed lawfully and fairly.

Data Processor

A Data Processor is any entity that processes personal data on behalf of a Data Fiduciary, and it is bound by contractual obligations and the security safeguards imposed by the Act.

Significant Data Fiduciary (SDF)

A Significant Data Fiduciary (SDF) belongs to a category of Data Fiduciaries notified by the Central Government based on the volume and sensitivity of data processed, the risk posed to the rights of individuals, or the potential impact on national interest. These entities must comply with additional obligations such as audits, Data Protection Impact Assessments, and the appointment of a Data Protection Officer.

Consent Manager

A Consent Manager is an independent, registered entity that enables individuals to manage, grant, and withdraw consent in an accessible, transparent, and secure manner, and it is accountable to the Data Protection Board.

Data Protection Board of India

The Data Protection Board of India is the regulatory authority established under the Act to monitor compliance, investigate breaches, resolve grievances, and impose penalties.

Personal Data Breach

A Personal Data Breach is defined as any unauthorized processing of personal data or accidental disclosure, alteration, loss, or destruction of such data that compromises confidentiality, integrity, or availability.

Processing

Processing refers to the full range of operations performed on personal data, including collection, storage, use, sharing, disclosure, or erasure, whether carried out by automated means or otherwise.

Personal Data

Personal Data refers to any data about an individual who is identifiable by or in relation to such data, whether directly or indirectly, through digital means.

Anonymized Data

Anonymized Data is information that cannot identify an individual once it has been processed in a manner that irreversibly prevents identification, and such data is excluded from the scope of the Act.


By defining these roles and terms, the DPDPA creates clarity in accountability, ensuring that:

  • Individuals understand their rights
  • Organizations recognize their duties
  • Regulators can enforce compliance effectively