DPDPA 2023 Section 5: Notice to Data Principal

Section 5 of the Digital Personal Data Protection Act, 2023 (DPDPA) requires every Data Fiduciary in India to give the Data Principal a clear, itemised notice — in English or any of the 22 Eighth Schedule languages — describing what personal data is being collected, the specific purpose of processing, how to exercise rights, and how to complain to the Data Protection Board, either before or at the time of seeking consent. The notice is the legal trigger that makes downstream consent valid; without it, no lawful processing can begin.

Key facts

Statute: Digital Personal Data Protection Act, 2023
Section: 5 (Notice)
Effective: Phased rollout 2025-2026 (Draft Rules Jan 2025)
Penalty ceiling: Up to Rs 250 crore for breach of Data Fiduciary duties
Applies to: All Data Fiduciaries processing digital personal data in India
Languages: English plus the 22 Eighth Schedule languages

What Section 5 says

Section 5 sits at the heart of the DPDPA's consent architecture. Every Data Fiduciary — a wedding photographer, a school, a marathon organiser, a hospital chain, a hotel, or an HR team — must serve a notice listing the personal data collected, the specific purpose, the means to withdraw consent, exercise rights under Sections 11-14, and complain to the Data Protection Board. For data collected before the Act under prior consent, Section 5(2) mandates a fresh notice as soon as reasonably practicable. The notice must be a standalone artefact, not buried in terms of service, and served before or at the time consent is requested.

"Every request made to a Data Principal under section 6 for consent shall be accompanied or preceded by a notice given by the Data Fiduciary to the Data Principal, informing her,— (i) the personal data and the purpose for which the same is proposed to be processed; (ii) the manner in which she may exercise her rights under sub-section (4) of section 6 and section 13; and (iii) the manner in which the Data Principal may make a complaint to the Board." — DPDPA 2023, Section 5(1)

What it means in practice

Who Section 5 applies to

Common violations

Photographer uploads gallery without notice

A wedding photographer publishes a client gallery on a public link without ever serving guests a Section 5 notice describing what images are stored, the purpose, and how to request takedown.

School collects child data via app without itemised purpose

An ed-tech app onboards students with a generic privacy policy instead of a standalone notice listing each data field, purpose, and the parental complaint route to the Data Protection Board.

Hotel scans Aadhaar at check-in with no notice

A hospitality chain photocopies or scans guest ID documents at the reception desk without presenting a written notice in the guest's preferred language explaining retention purpose and rights.

Marathon organiser sells participant photos

An event organiser monetises finish-line photographs to a sponsor without disclosing that secondary commercial purpose in the original Section 5 notice served at registration.

HR team onboards employees with buried clause

A corporate HR team embeds data-processing terms inside a 30-page employment contract instead of issuing a separate, itemised Section 5 notice covering payroll, background checks, and biometric attendance.

Hospital reuses old patient data without fresh notice

A diagnostic chain continues to process patient records collected before the DPDPA came into force without sending the fresh Section 5(2) notice required for legacy data.

Penalty for breach

Breach of the obligations of a Data Fiduciary under the DPDPA — including failure to serve a compliant Section 5 notice — attracts a financial penalty of up to Rs 250 crore per instance under the Schedule to the Act, imposed by the Data Protection Board of India after inquiry. Repeat or systemic non-compliance can compound across affected Data Principals, and reputational exposure (especially for schools, hospitals, and listed corporates) typically exceeds the statutory fine.

Frequently asked questions

Does a wedding photographer really need to issue a written notice to every guest?

Yes. Under Section 5, every Data Principal whose personal data (including face images) is processed for an identifiable purpose must receive a notice. In practice, photographers satisfy this via the host couple's invitation, venue signage, and a website privacy notice covering gallery uploads.

Can a school bundle the Section 5 notice into its admission form?

No. The notice must be a standalone, itemised document. Schools must additionally comply with Section 9 (verifiable parental consent for children under 18) — the Section 5 notice is served to the parent or lawful guardian.

What languages must the notice be available in?

English and any of the 22 languages listed in the Eighth Schedule of the Constitution, at the Data Principal's option. Hotels, hospitals, and retail chains operating across states should prepare regional-language versions.

Do hotels need a fresh notice for guests who stayed before the DPDPA came into force?

Yes. Section 5(2) requires Data Fiduciaries to issue a fresh notice to Data Principals whose data was collected under earlier consent, as soon as reasonably practicable after the Act commences.

Is a privacy policy on a corporate website enough to satisfy Section 5?

Usually not. A privacy policy is a general document; Section 5 requires a specific, itemised notice tied to each processing purpose, served at the point of consent. HR teams, ad agencies, and ed-tech firms should issue purpose-specific notices in addition to the policy.

What happens if a marathon organiser forgets to serve the notice?

Processing without a valid Section 5 notice renders the downstream consent invalid. The Data Protection Board can impose a penalty of up to Rs 250 crore and direct deletion of the unlawfully processed data.

Does Section 5 apply to B2B contact data collected by ad agencies and media houses?

Yes, where the contact data identifies a natural person. Even business email addresses tied to an individual fall within 'digital personal data' under Section 2(t), so the Section 5 notice obligation is triggered.

VERIFIED DPDPAReady Editorial Desk 20 JUN 2026

Article reviewed against DPDPA 2023, Schedule, and DPDPA Rules 2025.