TRADE AND COMMERCE LEXICON
DPDP ACT 2023
Digital Personal Data Protection Act 2023 · India's Personal Data Protection Law · Also referred to as: DPDP Act, India PDPA, India Data Protection Law
DEFINITION
The Digital Personal Data Protection Act 2023 (DPDP Act) is India's comprehensive legislation governing the collection, processing, storage, and transfer of digital personal data. Enacted and assented to by the President of India on 11 August 2023, the DPDP Act establishes rights for data principals (individuals whose data is processed) and obligations for data fiduciaries (entities that determine the purpose and means of processing personal data). It is India's first comprehensive data protection law, replacing the patchwork of data protection provisions previously found in the Information Technology Act 2000 and its rules.
For trade facilitators, commission agents, and businesses engaged in India-EU cross-border trade, the DPDP Act is directly relevant because: (a) they collect and process personal data of individuals (business contacts, directors, employees of counterparties) in the course of their commercial operations; and (b) cross-border data transfers to EU entities must be handled in a manner consistent with both the DPDP Act and the EU GDPR — creating a bilateral data protection compliance landscape.
KEY DEFINITIONS
| Term | Definition |
|---|---|
| Personal Data | Any data about an individual who is identifiable by or in relation to such data. Includes: names, email addresses, phone numbers, photographs, identification documents (Aadhaar, PAN, passport), biometric data, financial data, and location data. Does NOT include data that has been anonymised in a manner prescribed by the Central Government. |
| Data Principal | The individual to whom the personal data relates — i.e. the data subject. In trade facilitation, data principals include: directors and employees of Principals and Introduced Parties; individual business contacts; visa applicants (for IT recruitment mandates). |
| Data Fiduciary | Any person who alone or in conjunction with other persons determines the purpose and means of processing personal data. In trade facilitation, the trade facilitator is a Data Fiduciary for the personal data of its business contacts and counterparty personnel. |
| Significant Data Fiduciary (SDF) | A Data Fiduciary designated by the Central Government as "significant" based on: volume of personal data processed; sensitivity of data; risk to rights of data principals; national security implications; and public order considerations. SDFs face additional obligations including appointment of a Data Protection Officer and periodic Data Protection Impact Assessments. The threshold for SDF designation is yet to be notified — likely to be large-scale data processors. |
| Data Processor | Any person who processes personal data on behalf of a Data Fiduciary — under a contract. A CRM software provider that stores the trade facilitator's contact database is a Data Processor. |
| Consent | A Data Fiduciary may process personal data only on the basis of consent of the Data Principal or for certain legitimate uses (see below). Consent must be free, specific, informed, unconditional, and unambiguous — given through a clear affirmative action. |
| Legitimate Uses | Processing without consent is permitted for: purposes for which the Data Principal has voluntarily provided data; compliance with legal obligations; State functions and public interest; medical or public health emergencies; and employment-related processing. B2B contact data (business email and phone of company directors and employees) may qualify as a legitimate use in many trade facilitation contexts. |
| Cross-Border Transfer | Transfer of personal data outside India to a notified country or territory. The Central Government will notify countries to which transfers are permitted (a "whitelist" approach — the inverse of the GDPR's approach). The whitelist has not yet been published; pending notification, transfers proceed under the current framework. |
OBLIGATIONS OF DATA FIDUCIARIES
Notice
Before collecting personal data, a Data Fiduciary must provide notice to the Data Principal — in English or any of the 22 official languages of India — specifying: what personal data is being collected; the purpose for which it will be processed; the manner in which the Data Principal may exercise their rights; and the grievance redressal mechanism. The notice must be clear, plain, and easy to understand.
Consent Management
Where consent is the basis for processing, consent must be sought through a clear, separate, and specific request — not bundled into terms and conditions. A Data Principal may withdraw consent at any time. Upon withdrawal, the Data Fiduciary must stop processing and, within a reasonable time, delete the personal data — unless retention is required by law.
Data Quality and Purpose Limitation
A Data Fiduciary must ensure that personal data is accurate, complete, and consistent — particularly where it may affect the Data Principal's rights or where it is used in a decision-making process. Data must be used only for the purpose for which consent was given — not for any secondary purpose without fresh consent.
Security Safeguards
Data Fiduciaries must implement reasonable security safeguards to prevent personal data breaches — including encryption, access controls, audit logs, and employee training. In the event of a personal data breach, the Data Fiduciary must notify the Data Protection Board of India and the affected Data Principals in a prescribed format and within a prescribed timeline (to be notified in implementing rules).
Data Retention and Erasure
Personal data must not be retained beyond the period necessary for the purpose for which it was collected — unless retention is required by law. Upon achieving the purpose or upon withdrawal of consent, the Data Fiduciary must erase the data. The period of retention must be defined and communicated in the notice to the Data Principal.
Grievance Redressal
Every Data Fiduciary must establish a grievance redressal mechanism — a designated person (or contact point) to receive and resolve data protection complaints from Data Principals. The contact details must be published and made accessible.
RIGHTS OF DATA PRINCIPALS
| Right | Description |
|---|---|
| Right to Information | The right to obtain a summary of the personal data processed and the processing activities undertaken — upon a request to the Data Fiduciary. |
| Right to Correction and Erasure | The right to correct inaccurate or misleading personal data; to complete incomplete data; and to erase personal data where it is no longer necessary for the purpose for which consent was given. |
| Right to Grievance Redressal | The right to have grievances relating to data processing addressed by the Data Fiduciary and, if unsatisfied, to appeal to the Data Protection Board of India. |
| Right to Nominate | The right to nominate another individual to exercise data protection rights in the event of the Data Principal's death or incapacity. |
| No right to data portability (currently) | Unlike GDPR, the DPDP Act does not currently include a right to data portability (the right to receive personal data in a machine-readable format for transfer to another service provider). This may be introduced in implementing rules. |
DATA PROTECTION BOARD OF INDIA
The Data Protection Board of India (DPBI) is the regulatory and adjudicatory body established under the DPDP Act. It is responsible for: receiving and investigating complaints from Data Principals; imposing penalties on Data Fiduciaries for violations; and issuing directions and advisory opinions on data protection matters. The DPBI is a digital-by-design body — most proceedings will be conducted digitally.
Penalties under the DPDP Act: Up to INR 250 crore (approximately EUR 28 million) for failure to take reasonable security safeguards resulting in a personal data breach. Up to INR 200 crore for failure to notify a breach. Up to INR 50 crore for other violations. These penalties are significant — on par with GDPR penalties for major violations.
DPDP ACT vs. EU GDPR — KEY COMPARISONS
| Feature | DPDP Act 2023 | EU GDPR |
|---|---|---|
| Scope | Digital personal data only | Personal data in any form |
| Territorial scope | India; cross-border if offering goods/services to Indian Data Principals | EU; extraterritorial if targeting EU residents |
| Lawful bases | Consent; Legitimate uses (narrower list) | 6 lawful bases incl. legitimate interests |
| Cross-border transfers | Whitelist approach (permitted countries to be notified) | Adequacy; SCCs; BCRs; derogations |
| Data portability | Not included (may be added in rules) | Yes — Article 20 |
| DPO requirement | For SDFs (threshold to be notified) | For certain controllers/processors |
| Max. penalty | INR 250 crore (approx. EUR 28M) | EUR 20M or 4% of global turnover |
| Implementing rules | Pending — Act is in force; rules to be notified | Fully in force since 2018 |
PRACTICAL IMPLICATIONS FOR TRADE FACILITATORS
KYC data: Personal data collected as part of KYC / AML due diligence (director names, passport copies, UBO declarations) is personal data under the DPDP Act. A notice must be provided at collection; data must be retained only for the required AML period (5 years from end of relationship) and then erased.
CRM and contact databases: Business contact data (names, emails, phone numbers) collected from networking, trade fairs, or online platforms is personal data. Ensure a notice is provided (or that a legitimate use basis applies) and that data is not retained beyond what is necessary.
Cross-border transfers: Sharing Indian individuals' personal data with EU counterparties — e.g. sharing a KYC file with a European co-facilitator — must be consistent with the cross-border transfer rules once the whitelist is notified. Currently, transfers proceed pending notification.
EU GDPR interaction: If the trade facilitator also processes personal data of EU individuals (EU buyer contacts, directors), both the DPDP Act and EU GDPR apply simultaneously. The higher standard applies in each case.
Employment context: For IT recruitment mandates where the facilitator processes CV data of Indian professionals for EU placement, each candidate must provide consent for processing and transfer of their data to EU employers. A clear privacy notice and consent mechanism are essential.
RELATED DOCUMENTS IN THIS LIBRARY
| Related Document | Relevance |
|---|---|
| Doc 11 — Data Processing Agreement (GDPR) | The DPA template for EU GDPR compliance — used alongside DPDP Act compliance for cross-border data sharing with EU counterparties. |
| Doc 88 — AML/Sanctions/Data Protection Checklist | Part D covers both DPDP Act 2023 obligations and EU GDPR compliance for trade facilitators — with a practical 9-item DPDP checklist. |
| Doc 21 — Sanctions Screening Procedure | Involves collection and processing of personal data — DPDP Act notice and retention obligations apply to sanctions screening records. |
Doc 101 — Lexicon Entry: DPDP Act 2023 — All Frontier Global Nexus