DPDPA 2023, Section by Section
Plain-English explainers for every key section of India's Digital Personal Data Protection Act 2023. Each page includes the verbatim statute language, what it means in practice, which industries it applies to, and the exact ₹ penalty exposure for non-compliance.
Section 4 — Grounds for Processing Personal Data
The two lawful bases under DPDPA 2023: consent and legitimate uses. The starting point for every Data Fiduciary.
Section 5 — Notice
What every Data Fiduciary must tell Data Principals before processing — itemised purpose, rights, language requirements.
Section 6 — Consent
The "free, specific, informed, unconditional, unambiguous" standard plus withdrawal rights.
Section 7 — Legitimate Uses
The narrow exceptions where processing without consent is allowed — voluntary provision, employment, medical emergencies.
Section 8 — General Obligations of Data Fiduciary
Accuracy, security safeguards, retention limits, breach notification, grievance redressal.
Section 9 — Processing of Children's Data
Verifiable parental consent for under-18s, plus prohibition on tracking and targeted advertising.
Section 12 — Right to Correction and Erasure
Data Principal rights to access, correct, complete, update, and erase personal data.
Section 33 — Penalties
The Schedule — up to ₹250 crore for security failure, ₹200 crore for breach notification failure.
Need help applying DPDPA to your workflow?
Free 48-hour compliance audit by our DPDPA specialists.
Get your free audit →Article reviewed against DPDPA 2023, Schedule, and DPDPA Rules 2025.