
DPDP Act 2023: How India's Data Protection Law Impacts Your Contracts

February 12, 2026

India's Digital Personal Data Protection Act 2023 (DPDP Act) is no longer just a policy discussion—it's now law. If your business collects, processes, or stores personal data of Indian citizens, every contract you sign (from vendor agreements to employment contracts) needs to be DPDP-compliant.

Non-compliance isn't just a legal risk. It's a financial one: penalties under the DPDP Act can reach up to ₹250 crore per violation.

What is the DPDP Act 2023?

The Digital Personal Data Protection Act 2023 is India's comprehensive data privacy law. It regulates how organizations (called Data Fiduciaries) collect, process, and store digital personal data of individuals (called Data Principals).

Key concepts you must understand:

🔒 Data Fiduciary

Any entity that determines the purpose and means of processing personal data. If your company collects customer information, you are a Data Fiduciary.

🔒 Data Processor

Any entity that processes data on behalf of a Data Fiduciary. This includes your cloud providers, analytics vendors, CRM tools, and payment processors.

🔒 Data Principal

The individual whose personal data is being processed. Your customers, employees, and users are all Data Principals.

🔒 Significant Data Fiduciary

Organizations that process personal data at scale and are notified as such by the central government. They face additional obligations, such as appointing a Data Protection Officer and undergoing periodic audits.

How the DPDP Act Changes Your Contracts

1. Vendor & Data Processing Agreements

Every vendor that touches personal data needs a Data Processing Agreement (DPA). This must clearly specify:

  • What data is being processed and for what purpose
  • Duration and method of processing
  • Security measures the processor must implement
  • Obligations upon contract termination (data deletion/return)
  • Sub-processor approval requirements
  • Breach notification timelines

2. Employment Contracts

Employee data is personal data under the DPDP Act. Your employment contracts must now include:

  • Clear notice about what employee data is collected
  • Purpose of data collection (payroll, performance tracking, background checks)
  • Employee rights to access and correct their data
  • Data retention period after employment ends

3. Customer-Facing Terms of Service

Your terms of service and privacy policy are technically contracts with your users. Under the DPDP Act, they must provide:

  • Clear, plain-language consent requests — no more buried legal jargon
  • Purpose limitation — data collected for one purpose cannot be used for another without fresh consent
  • Easy withdrawal mechanism — users must be able to withdraw consent as easily as they gave it
  • Grievance redressal — contact details for a designated grievance officer

4. Cross-Border Data Transfer Agreements

The DPDP Act allows data transfers to countries not restricted by the central government. However, if your data flows to vendors or cloud servers abroad, your contracts must include:

  • Confirmation that the receiving country is not on the restricted list
  • Equivalent data protection standards by the receiving party
  • Audit rights to verify compliance

Penalties for Non-Compliance

The DPDP Act imposes significant penalties based on the nature of the violation:

  • Failure to take security safeguards: Up to ₹250 crore
  • Failure to notify the Board of a data breach: Up to ₹200 crore
  • Non-compliance with obligations regarding children's data: Up to ₹200 crore
  • Non-compliance with additional obligations of Significant Data Fiduciary: Up to ₹150 crore
  • Other violations: Up to ₹50 crore

DPDP Act Compliance Checklist for Contracts

Before signing or renewing any contract that involves personal data, verify:

  • Consent mechanism: Is there a clear, informed, specific consent clause?
  • Purpose limitation: Is data use restricted to the stated purpose?
  • Data processor obligations: Are security and processing terms defined?
  • Breach notification: Is there a mandatory breach reporting clause (72 hours)?
  • Data retention: Is there a clear data retention and deletion policy?
  • Cross-border transfer: If applicable, are transfer safeguards in place?
  • Children's data: If processing data of minors, is verifiable parental consent included?
  • Grievance officer: Is a grievance redressal mechanism specified?
  • Audit rights: Can you audit the data processor's compliance?
  • Termination obligations: Is data deletion/return on contract end specified?


What to Do Right Now

  1. Audit all existing contracts that involve personal data processing
  2. Add DPAs to every vendor and processor agreement
  3. Update terms of service with DPDP-compliant consent mechanisms
  4. Train your team on what constitutes personal data under the Act
  5. Appoint a grievance officer and display contact details prominently
  6. Use AI contract review to scan existing agreements for compliance gaps

The DPDP Act is not coming—it's here. Every contract your business signs from this point forward must account for data protection obligations. The cost of compliance is small. The cost of a ₹250 crore penalty is not.

Frequently Asked Questions

Does the DPDP Act apply to small businesses?

Yes. The DPDP Act applies to all "Data Fiduciaries" processing digital personal data within India, or processing data outside India if it relates to offering goods or services to data principals in India. There is no general exemption based on company size or turnover.

What is the penalty for non-compliance with DPDP Act?

Penalties are high and determined by the Data Protection Board. The maximum penalty is ₹250 crore for failure to take reasonable security safeguards to prevent a data breach. Other penalties range from ₹50 crore to ₹200 crore for various violations.

Do I need a Data Protection Officer (DPO)?

You are only required to appoint a specific Data Protection Officer (DPO) if the government designates your organization as a "Significant Data Fiduciary" (SDF). SDFs are typically large organizations processing high volumes of sensitive data. Regular Data Fiduciaries need only appoint a person to handle grievances.

Can I process data without consent under DPDP Act?

Generally, no. Consent must be free, specific, informed, unconditional, and unambiguous. However, Section 7 of the Act allows processing for certain "legitimate uses" without explicit consent, such as for employment purposes, medical emergencies, or complying with court orders.
