DPDPA Suite
The Act · Plain-English

The DPDP Act 2023,
section by section.

All 44 sections across 9 chapters — official text, plain-English commentary, and the platform modules that operationalise each one.

Chapter 1

Preliminary

Sec. 1

Short title and commencement

Establishes the name and staged commencement. Companies should track government notifications because different sections can switch on at different times.

Read
Sec. 2

Definitions

Foundational vocabulary. Every role in the platform — tenants, principals, vendors, consent managers — maps directly to a definition here.

Read
Sec. 3

Application of the Act

Extra-territorial reach. Even India-targeting foreign businesses must comply. Onboarding wizard checks this for each tenant.

Read
Chapter 2

Obligations of Data Fiduciary

Sec. 4

Grounds for processing personal data

Two-track lawful basis: consent (§6) OR legitimate use (§7). Drives the lawful_basis dropdown on every consent purpose.

Read
Sec. 5

Notice

Drives the Notices module: each notice must satisfy a §5 checklist (purpose, data list, rights, grievance route, DPB complaint route, language coverage).

Read
Sec. 6

Consent

Core of the Consent Management module and SDK. §6(4) parity test ensures withdrawal UX matches the grant UX.

Read
Sec. 7

Certain legitimate uses

When a purpose uses §7, the consent widget is bypassed but the lawful_basis must be recorded and the Notice still applies. Reflected in lawful_basis dropdown.

Read
Sec. 8

General obligations of Data Fiduciary

Cross-cuts almost every module: Vendor contracts, Incident response (breach notification), Retention/erasure jobs, Grievance Officer in Settings.

Read
Sec. 9

Processing of personal data of children

Adds a "Children's Data" toggle per consent purpose, triggers parental-consent flow in the widget, and a hard-block on tracking purposes when enabled.

Read
Sec. 10

Additional obligations of Significant Data Fiduciary

Tenant flag is_sdf unlocks the SDF dashboard tab: DPO directory, annual DPIA cadence, audit export.

Read
Chapter 3

Rights and Duties of Data Principal

Sec. 11

Right to access information about personal data

DSAR type = ACCESS. SLA tracked under §13 grievance redressal.

Read
Sec. 12

Right to correction and erasure of personal data

DSAR types = CORRECTION, UPDATION, ERASURE.

Read
Sec. 13

Right of grievance redressal

DSAR module SLA timer (typically 30 days). Escalation path: Fiduciary → Board.

Read
Sec. 14

Right to nominate

Adds a nominee_contact field to consent records and to the DSAR submission form.

Read
Sec. 15

Duties of Data Principal

Surfaced as disclaimer on the public DSAR portal and on the consent widget.

Read
Chapter 4

Special Provisions

Sec. 16

Processing of personal data outside India

New data_transfers register + Vendor hosting_country field auto-flags transfers to restricted destinations.

Read
Sec. 17

Exemptions

DPIA includes an "Exemption claim" branch with required justification text.

Read
Chapter 5

Data Protection Board of India

Sec. 18

Establishment of Board

Reference. Drives the "Escalate to DPB" action in Incidents and DSARs.

Read
Sec. 19

Composition and qualifications

Reference content for Act Explorer.

Read
Sec. 20

Salary, allowances and conditions

Reference content for Act Explorer.

Read
Sec. 21

Disqualifications, resignation, removal

Reference content for Act Explorer.

Read
Sec. 22

Officers and employees of Board

Reference content for Act Explorer.

Read
Sec. 23

Meetings of Board

Reference content.

Read
Sec. 24

Authentication of orders

Reference content.

Read
Sec. 25

Members and officers to be public servants

Reference content.

Read
Sec. 26

Functions of Chairperson

Reference content.

Read
Chapter 6

Powers, Functions, and Procedure of Board

Sec. 27

Powers and functions of Board

Drives the "DPB complaint packet" export from Incident response.

Read
Sec. 28

Procedure to be followed by Board

Reference content; informs how complaint packets are structured.

Read
Chapter 7

Appeal and Alternate Dispute Resolution

Sec. 29

Appeal to Appellate Tribunal

Captured as escalation path in incident timeline.

Read
Sec. 30

Orders passed in appeal

Reference content.

Read
Sec. 31

Alternate Dispute Resolution

"Initiate mediation" action on DSAR and Incident records.

Read
Sec. 32

Voluntary undertaking

Reference content; informs Incident remediation flow.

Read
Chapter 8

Penalties and Adjudication

Sec. 33

Penalties

Powers the on-dashboard Penalty Calculator and AI Assistant exposure scores.

Read
Sec. 34

Crediting sums realised to Consolidated Fund

Reference content.

Read
Chapter 9

Miscellaneous

Sec. 35

Action by Central Government to be confidential

Drives the "Regulatory Notifications" feed surfacing on the dashboard.

Read
Sec. 36

Power to call for information

Reference; tenants should be ready with audit-grade records.

Read
Sec. 37

Power to block access to information

Reference.

Read
Sec. 38

Consistency with other laws

Reference; the AI Assistant cross-checks for IT Act, RBI, SEBI overlap.

Read
Sec. 39

Bar of jurisdiction of civil courts

Reference content.

Read
Sec. 40

Power of Central Government to make rules

The "Rules Tracker" — the DPDP Rules 2025 are the operational substance the platform monitors and applies.

Read
Sec. 41

Power of Board to make regulations

Reference content.

Read
Sec. 42

Laying of rules and regulations before Parliament

Reference content.

Read
Sec. 43

Power to amend the Schedule

Penalty Calculator must update when Schedule is amended.

Read
Sec. 44

Power to remove difficulties; consequential amendments

Important: RTI amendment narrows personal-information disclosure exemptions; AI Assistant flags any tenant flow that touches RTI requests.

Read