DPDPA 2023 Glossary

70+ terms from India's Digital Personal Data Protection Act and Rules — in plain English, with real examples.

DPDPA Act 2023 | DPDP Rules 2025 | 70 Terms | Updated May 2026

Data Fiduciary

Core Concepts

Any person or organisation that determines the purpose and means of processing personal data.

§2(i), DPDPA 2023

Data Principal

Core Concepts

The individual whose personal data is being collected, stored, or processed by a Data Fiduciary.

§2(j), DPDPA 2023

Data Processor

Core Concepts

Any person or entity that processes personal data on behalf of a Data Fiduciary under contract.

§2(k), DPDPA 2023

Personal Data

Core Concepts

Any data about an individual who is identifiable by or in relation to such data.

§2(t), DPDPA 2023

Digital Personal Data

Core Concepts

Personal data that exists in digital form, whether collected digitally or digitised from non-digital sources.

§2(n), DPDPA 2023

Sensitive Personal Data

Core Concepts

Categories of personal data requiring enhanced protection due to their intimate or consequential nature.

§3(n), DPDPA 2023

Special Category Data

Core Concepts

Data revealing racial origin, political opinions, religious beliefs, health, sexual orientation, or biometrics.

§3(n), DPDPA 2023; Rule 6, Rules 2025

Anonymised Data

Core Concepts

Personal data irreversibly transformed so that the individual cannot be identified by any means whatsoever.

§2(b), DPDPA 2023

Pseudonymous Data

Core Concepts

Personal data processed so identification requires additional separately-held information, but remains reversible.

§2(t), DPDPA 2023; Rule 6(1), Rules 2025

Processing of Personal Data

Core Concepts

Any operation performed on digital personal data including collection, storage, use, sharing, or erasure.

§2(x), DPDPA 2023

Data Breach

Core Concepts

Any unauthorised processing, accidental disclosure, acquisition, sharing, or loss of personal data.

§8(6), DPDPA 2023; Rule 7, Rules 2025

Cross-Border Data Transfer

Core Concepts

Transfer of personal data from India to another country, permitted unless the destination is specifically restricted.

§16, DPDPA 2023

Automated Decision-Making

Core Concepts

Decisions made about individuals solely by automated means without meaningful human involvement in the process.

§2(x), DPDPA 2023; Rule 6(1)(b), Rules 2025

Profiling

Core Concepts

Automated processing of personal data to evaluate, analyse, or predict individual behaviour or characteristics.

§2(x), DPDPA 2023; Rule 6(1), Rules 2025

Children's Data

Core Concepts

Personal data of any individual below 18 years of age, requiring verifiable parental consent for processing.

§9, DPDPA 2023; Rule 10, Rules 2025

Consent Management

Obligations

The systematic process of obtaining, recording, and managing lawful consent from Data Principals for processing.

§6, DPDPA 2023; Rule 3, Rules 2025

Privacy Notice

Obligations

A mandatory disclosure informing Data Principals about data collection purposes, rights, and processing details.

§5, DPDPA 2023; Rule 3, Rules 2025

Purpose Limitation

Obligations

Personal data must only be processed for the specific, stated purpose for which consent was originally obtained.

§6(1), DPDPA 2023

Data Minimisation

Obligations

Collecting only the personal data that is strictly necessary and adequate for the stated processing purpose.

§6(1), DPDPA 2023; Rule 6(1)(a), Rules 2025

Storage Limitation

Obligations

Personal data must not be retained longer than necessary for the purpose for which it was collected.

§8(7), DPDPA 2023; Rule 8, Rules 2025

Accuracy Obligation

Obligations

Data Fiduciaries must ensure personal data is accurate, complete, and up-to-date for its intended purpose.

§8(3), DPDPA 2023

Breach Notification

Obligations

Mandatory reporting of personal data breaches to the Data Protection Board and affected individuals within 72 hours.

§8(6), DPDPA 2023; Rule 7, Rules 2025

Data Protection Impact Assessment (DPIA)

Obligations

A formal risk assessment evaluating how data processing activities impact the privacy rights of individuals.

§10(2), DPDPA 2023; Rule 12, Rules 2025

Record of Processing Activities (RoPA)

Obligations

A comprehensive register documenting all personal data processing activities, purposes, and data flows within an organisation.

§8, DPDPA 2023; Rule 6, Rules 2025

Privacy by Design

Obligations

Embedding data protection principles into the design and architecture of systems from the very beginning.

§8(4), DPDPA 2023; Rule 6(1), Rules 2025

Privacy by Default

Obligations

Default system settings must provide the highest level of privacy protection without requiring user action.

§8(4), DPDPA 2023; Rule 6(1), Rules 2025

Data Protection Agreement (DPA)

Obligations

A mandatory contract between a Data Fiduciary and Data Processor governing the processing of personal data.

§8(2), DPDPA 2023; Rule 6(2), Rules 2025

Sub-Processor

Obligations

A third party engaged by a Data Processor to assist in processing personal data on behalf of the Data Fiduciary.

§8(2), DPDPA 2023

Retention Policy

Obligations

A documented schedule specifying how long each category of personal data is kept and when it must be deleted.

§8(7), DPDPA 2023; Rule 8, Rules 2025

Deletion Obligation

Obligations

The mandatory requirement to erase personal data when consent is withdrawn or the processing purpose is fulfilled.

§8(7), DPDPA 2023; Rule 8(2), Rules 2025

Right to Access

Rights

A Data Principal's right to obtain confirmation and a summary of their personal data being processed.

§11(1)(a), DPDPA 2023; Rule 12, Rules 2025

Right to Correction

Rights

A Data Principal's right to have inaccurate or incomplete personal data corrected, completed, or updated.

§11(1)(b), DPDPA 2023; Rule 12, Rules 2025

Right to Erasure

Rights

A Data Principal's right to have their personal data completely erased when processing is no longer necessary.

§11(1)(c), DPDPA 2023; Rule 8, Rules 2025

Right to Grievance Redressal

Rights

A Data Principal's right to have grievances about data processing addressed by the Fiduciary and the DPB.

§11(1)(d), DPDPA 2023; Rule 14, Rules 2025

Right to Nominate

Rights

A Data Principal's right to designate another person to exercise their data rights in case of death or incapacity.

§11(1)(e), DPDPA 2023; Rule 13, Rules 2025

Data Portability

Rights

The ability to receive personal data in a structured, machine-readable format for transfer to another service.

§11, DPDPA 2023

Right to Withdraw Consent

Rights

A Data Principal's unconditional right to withdraw previously given consent at any time with equal ease.

§6(6), DPDPA 2023; Rule 3, Rules 2025

Data Subject Request (DSR)

Rights

A formal request from a Data Principal exercising any of their rights under the DPDPA against a Data Fiduciary.

§11, DPDPA 2023; Rules 12-14, Rules 2025

DSR Response Timeline

Rights

The mandatory deadline within which Data Fiduciaries must respond to Data Principal rights requests under DPDPA.

§11, DPDPA 2023; Rule 14, Rules 2025

Right to Information About Processing

Rights

A Data Principal's right to know what data is collected, why, and with whom it has been shared.

§5, DPDPA 2023; Rule 3, Rules 2025

Data Protection Board of India (DPB)

Governance

The independent statutory body responsible for adjudicating DPDPA complaints and imposing penalties on violators.

§18-26, DPDPA 2023

Data Protection Officer (DPO)

Governance

A designated senior official responsible for overseeing an organisation's DPDPA compliance and rights management.

§10(2), DPDPA 2023; Rule 9, Rules 2025

Significant Data Fiduciary (SDF)

Governance

A Data Fiduciary designated by the Government due to data volume, sensitivity, or risk to national security.

§10, DPDPA 2023; Rule 12, Rules 2025

Consent Manager

Governance

A registered entity that manages consent on behalf of Data Principals, acting as their authorised intermediary.

§6(9), DPDPA 2023; Rule 4, Rules 2025

Grievance Officer

Governance

A designated contact person within a Data Fiduciary responsible for receiving and resolving Data Principal complaints.

§8(5), DPDPA 2023; Rule 9, Rules 2025

Adjudication Officer

Governance

A member of the Data Protection Board who hears and decides on complaints and penalty proceedings.

§20-22, DPDPA 2023

DPB Complaint Process

Governance

The formal procedure for Data Principals to file complaints with the Data Protection Board against non-compliant Fiduciaries.

§24-26, DPDPA 2023

DPDPA Penalty Schedule

Governance

The statutory penalties ranging from Rs 10,000 to Rs 250 crore for various categories of DPDPA violations.

Schedule, DPDPA 2023

Data Fiduciary Obligations

Governance

The comprehensive set of legal duties imposed on every Data Fiduciary by DPDPA Sections 5 through 10.

§5-10, DPDPA 2023

Audit Requirement

Governance

The mandatory periodic auditing of data processing practices by an independent auditor for Significant Data Fiduciaries.

§10(2), DPDPA 2023; Rule 12, Rules 2025

PII Classification

Technical

The systematic categorisation of personal data by sensitivity level to apply proportionate security controls.

§8(4), DPDPA 2023; Rule 6(1), Rules 2025

Encryption at Rest

Technical

Cryptographic protection of personal data while stored in databases, file systems, or backup media.

§8(4), DPDPA 2023; Rule 6(1)(a), Rules 2025

Encryption in Transit

Technical

Cryptographic protection of personal data while being transmitted between systems over networks.

§8(4), DPDPA 2023; Rule 6(1)(a), Rules 2025

Access Control

Technical

Mechanisms ensuring only authorised personnel can access personal data based on their role and business need.

§8(4), DPDPA 2023; Rule 6(1), Rules 2025

Data Localisation

Technical

Requirements to store and process certain categories of personal data within India's territorial boundaries.

§16, DPDPA 2023; Sectoral regulations

Security Safeguards

Technical

Reasonable technical and organisational measures to protect personal data from unauthorised access and breaches.

§8(4), DPDPA 2023; Rule 6, Rules 2025

Vulnerability Assessment

Technical

Systematic identification and evaluation of security weaknesses in systems that process personal data.

§8(4), DPDPA 2023; Rule 6(1), Rules 2025

Incident Response Plan

Technical

A documented procedure for detecting, containing, notifying, and recovering from personal data breach incidents.

§8(6), DPDPA 2023; Rule 7, Rules 2025

Data Flow Mapping

Technical

A visual representation of how personal data moves through systems, processes, and third parties within an organisation.

§8, DPDPA 2023; Rule 6, Rules 2025

System of Records

Technical

Any database, application, or system that stores personal data and serves as an authoritative source for that data.

§8, DPDPA 2023; Rule 6, Rules 2025

Lawful Basis for Processing

Legal Basis

The legal ground under DPDPA that justifies an organisation's processing of personal data.

§4, DPDPA 2023

Legitimate Use

Legal Basis

Specific situations under DPDPA Section 7 where personal data can be processed without obtaining consent.

§7, DPDPA 2023

State Processing Exemption

Legal Basis

Exemption allowing government entities to process personal data for delivery of subsidies, services, and benefits.

§7(b), DPDPA 2023; Rule 5, Rules 2025

Research Exemption

Legal Basis

Limited exemption permitting processing of personal data for research and statistical purposes under certain conditions.

§7(c), DPDPA 2023

Journalistic Exemption

Legal Basis

Exemption from certain DPDPA provisions for processing personal data in the course of journalism or whistleblowing.

§17(2)(a), DPDPA 2023

National Security Exemption

Legal Basis

Government power to exempt any agency from DPDPA obligations in the interest of national security and sovereignty.

§17(1), DPDPA 2023

Deemed Consent

Legal Basis

Situations where consent is legally presumed to exist based on the Data Principal's voluntary provision of data.

§7, DPDPA 2023

Voluntary Consent

Legal Basis

Consent that is given freely without coercion, bundling with unrelated services, or detriment for refusal.

§6(1), DPDPA 2023

Explicit Consent

Legal Basis

Unambiguous consent given through a clear affirmative action specifically for the stated processing purpose.

§6(1), DPDPA 2023; Rule 3, Rules 2025

Verifiable Parental Consent

Legal Basis

Authenticated consent from a parent or guardian required before processing any child's personal data under DPDPA.

§9(1), DPDPA 2023; Rule 10, Rules 2025
