DPDPA Section-by-Section Guide: All 44 Sections Explained
The DPDPA is a relatively short statute — 44 sections across 9 chapters — but each section has operational implications. This guide walks through them in order with the practical "what does this mean for my business" lens.
Chapter I — Preliminary (Sections 1-3)
Section 1 — Short title and commencement. The Act extends to India and to processing outside India of personal data of Data Principals in India.
Section 2 — Definitions. Key terms: Data Principal (the user), Data Fiduciary (you, the business), Data Processor (your vendors), Personal Data, Digital Personal Data, Processing.
Section 3 — Application. Applies to digital personal data only. Excludes domestic/personal use and publicly available data.
Chapter II — Obligations of Data Fiduciary (Sections 4-10)
Section 4 — Lawful processing. Processing must be for a lawful purpose with consent or under legitimate uses.
Section 5 — Notice. The famous notice section. Plain-language notice with categories of data, purposes, rights mechanism, and grievance contact. Use our generator to produce this.
Section 6 — Consent. Free, specific, informed, unconditional, unambiguous, clear affirmative action. Withdrawable as easily as given.
Section 7 — Legitimate uses. Closed list: voluntary disclosure, employment, public emergency, medical emergency, court order, public interest. There is no open balancing test.
Section 8 — General obligations. The longest section. Subsections cover: accuracy, security safeguards, breach notification, retention/erasure, contracts with processors. Pay close attention to 8(5) and 8(6).
Section 9 — Children. Verifiable parental consent. No tracking or targeted advertising to children. Penalty up to ₹200 crore.
Section 10 — Significant Data Fiduciary. Government can notify SDFs. Additional obligations: DPO in India, DPIA, audits.
Chapter III — Rights and Duties of Data Principal (Sections 11-15)
Section 11 — Right to information about processing.
Section 12 — Right to correction and erasure.
Section 13 — Right to grievance redressal — first to the Data Fiduciary, then to the Board.
Section 14 — Right to nominate.
Section 15 — Duties of the Data Principal — not file false complaints, comply with applicable laws.
Chapter IV — Special Provisions (Sections 16-17)
Section 16 — Cross-border transfer. Default allowed; Government can restrict to specific countries. See checklist item 12.
Section 17 — Exemptions. Government can exempt instrumentalities of the State and certain processing.
Chapter V — Data Protection Board of India (Sections 18-26)
Sections 18-26 establish the Board, its composition, terms, and powers. The Board is a digital-by-design adjudicatory body — most proceedings will be online.
Chapter VI — Appeal and ADR (Sections 27-31)
Section 27 — Appeals from Board orders go to TDSAT. Section 31 — Voluntary undertakings can settle proceedings.
Chapter VII — Penalties and Adjudication (Sections 32-34)
Section 32 — Penalties as per the Schedule. Section 33 — Factors for determining penalty. Section 34 — Crediting penalty to Consolidated Fund of India.
Chapter VIII — Miscellaneous (Sections 35-44)
Includes power of Central Government to make rules, the override provision, and the savings clause.
The Schedule — Penalty matrix
Quick reference: ₹250 crore (security), ₹200 crore (breach notify, children), ₹150 crore (SDF), ₹50 crore (other obligations), up to ₹10,000 on Data Principals.
How to use this reference
Print this guide. When you write your privacy policy, you will cite Section 5, 6, 8, 9, 11-14. When you draft a vendor DPA, you will cite Section 8(2). When you respond to a regulator, you will quote the precise sub-section. The text of the Act is freely available on MeitY's website.
Need a policy that already cites these sections? Use our DPDPA generator.
Generate your DPDPA privacy policy
Free. Two minutes. Section-by-section references. English & Hindi.
Open the generator →