Scope & Applicability of DPDPA
The Digital Personal Data Protection Act (DPDPA), 2023, along with its Draft Rules of 2025, establishes a framework that applies broadly across entities and sectors in India. Its scope is deliberately wide to ensure that any processing of personal data affecting individuals within India is governed by uniform standards of accountability, transparency, and security.
- The Act applies to all processing of digital personal data that takes place within the territory of India, regardless of whether the processing entity is located in India or abroad.
- The Act applies to entities outside India when they process personal data in connection with offering goods or services to individuals located within India.
- The Act applies equally to government departments, public authorities, and private organizations, thereby creating a uniform regulatory environment across both public and private sectors.
- The Act specifically recognizes certain entities as Significant Data Fiduciaries, based on factors such as the volume and sensitivity of data processed, the potential impact on national interests, or the risks posed to individuals. These entities are subject to additional responsibilities such as data protection audits, impact assessments, and the appointment of a Data Protection Officer.
- The Act applies to Consent Managers, independent intermediaries registered with the Data Protection Board who are required to enable individuals to manage, review, and withdraw consent with transparency and ease.
- The Act does not apply to the processing of data that is rendered anonymous in such a way that individuals cannot be identified, since anonymized data falls outside the scope of personal data.
- The Act permits exemptions for processing carried out for certain legitimate state functions, such as providing benefits, licenses, or services, provided that such processing complies with prescribed safeguards.
- The Act provides further exemptions for processing carried out solely for research, statistical, or archival purposes, subject to conditions that ensure data is not misused.
The DPDPA applies immediately once the Rules come into force, and organizations must prepare proactively. This means reviewing existing data practices, updating consent mechanisms, implementing secure data management systems, and establishing processes for breach notifications and grievance redressal. Any delay in readiness can expose organizations to regulatory penalties, reputational damage, and restrictions on their ability to operate in India’s digital ecosystem.