← All articles · 24 April 2026 · compliance.hjlabs.in

DPDPA Section-by-Section Guide: All 44 Sections Explained

The DPDPA is a relatively short statute — 44 sections across 9 chapters — but each section has operational implications. This guide walks through them in order with the practical "what does this mean for my business" lens.

Chapter I — Preliminary (Sections 1-3)

Section 1 — Short title and commencement. The Act extends to India and to processing outside India of personal data of Data Principals in India.

Section 2 — Definitions. Key terms: Data Principal (the user), Data Fiduciary (you, the business), Data Processor (your vendors), Personal Data, Digital Personal Data, Processing.

Section 3 — Application. Applies to digital personal data only. Excludes domestic/personal use and publicly available data.

Chapter II — Obligations of Data Fiduciary (Sections 4-10)

Section 4 — Lawful processing. Processing must be for a lawful purpose with consent or under legitimate uses.

Section 5Notice. The famous notice section. Plain-language notice with categories of data, purposes, rights mechanism, and grievance contact. Use our generator to produce this.

Section 6Consent. Free, specific, informed, unconditional, unambiguous, clear affirmative action. Withdrawable as easily as given.

Section 7Legitimate uses. Closed list: voluntary disclosure, employment, public emergency, medical emergency, court order, public interest. There is no open balancing test.

Section 8General obligations. The longest section. Subsections cover: accuracy, security safeguards, breach notification, retention/erasure, contracts with processors. Pay close attention to 8(5) and 8(6).

Section 9Children. Verifiable parental consent. No tracking or targeted advertising to children. Penalty up to ₹200 crore.

Section 10Significant Data Fiduciary. Government can notify SDFs. Additional obligations: DPO in India, DPIA, audits.

Chapter III — Rights and Duties of Data Principal (Sections 11-15)

Section 11 — Right to information about processing.

Section 12 — Right to correction and erasure.

Section 13 — Right to grievance redressal — first to the Data Fiduciary, then to the Board.

Section 14 — Right to nominate.

Section 15 — Duties of the Data Principal — not file false complaints, comply with applicable laws.

Chapter IV — Special Provisions (Sections 16-17)

Section 16Cross-border transfer. Default allowed; Government can restrict to specific countries. See checklist item 12.

Section 17 — Exemptions. Government can exempt instrumentalities of the State and certain processing.

Chapter V — Data Protection Board of India (Sections 18-26)

Sections 18-26 establish the Board, its composition, terms, and powers. The Board is a digital-by-design adjudicatory body — most proceedings will be online.

Chapter VI — Appeal and ADR (Sections 27-31)

Section 27 — Appeals from Board orders go to TDSAT. Section 31 — Voluntary undertakings can settle proceedings.

Chapter VII — Penalties and Adjudication (Sections 32-34)

Section 32 — Penalties as per the Schedule. Section 33 — Factors for determining penalty. Section 34 — Crediting penalty to Consolidated Fund of India.

Chapter VIII — Miscellaneous (Sections 35-44)

Includes power of Central Government to make rules, the override provision, and the savings clause.

The Schedule — Penalty matrix

Quick reference: ₹250 crore (security), ₹200 crore (breach notify, children), ₹150 crore (SDF), ₹50 crore (other obligations), up to ₹10,000 on Data Principals.

How to use this reference

Print this guide. When you write your privacy policy, you will cite Section 5, 6, 8, 9, 11-14. When you draft a vendor DPA, you will cite Section 8(2). When you respond to a regulator, you will quote the precise sub-section. The text of the Act is freely available on MeitY's website.

Need a policy that already cites these sections? Use our DPDPA generator.

Generate your DPDPA privacy policy

Free. Two minutes. Section-by-section references. English & Hindi.

Open the generator →

More from the blog