Data Privacy
DPDP Act 2023: How India's Data Protection Law Impacts Your Contracts
What is an Dpdp Act 2023?
The Digital Personal Data Protection (DPDP) Act 2023 is India's comprehensive data privacy law. It regulates the processing of digital personal data, mandating consent notices, data fiduciaries' obligations, and individual rights.
Non-compliance isn't just a legal risk. It's a financial one: penalties under the DPDP Act can reach up to ₹250 crore per violation.
What is the DPDP Act 2023?
The Digital Personal Data Protection Act 2023 is India's comprehensive data privacy law. It regulates how organizations (called Data Fiduciaries) collect, process, and store digital personal data of individuals (called Data Principals).
Key concepts you must understand:
🔒 Data Fiduciary
Any entity that determines the purpose and means of processing personal data. If your company collects customer information, you are a Data Fiduciary.
🔒 Data Processor
Any entity that processes data on behalf of a Data Fiduciary. This includes your cloud providers, analytics vendors, CRM tools, and payment processors.
🔒 Data Principal
The individual whose personal data is being processed. Your customers, employees, and users are all Data Principals.
🔒 Significant Data Fiduciary
Organizations processing data at scale that are notified by the government. They face additional obligations like mandatory Data Protection Officers and periodic audits.
How the DPDP Act Changes Your Contracts
1. Vendor & Data Processing Agreements
Every vendor that touches personal data needs a Data Processing Agreement (DPA). This must clearly specify:
- What data is being processed and for what purpose
- Duration and method of processing
- Security measures the processor must implement
- Obligations upon contract termination (data deletion/return)
- Sub-processor approval requirements
- Breach notification timelines
2. Employment Contracts
Employee data is personal data under the DPDP Act. Your employment contracts must now include:
- Clear notice about what employee data is collected
- Purpose of data collection (payroll, performance tracking, background checks)
- Employee rights to access and correct their data
- Data retention period after employment ends
3. Customer-Facing Terms of Service
Your terms of service and privacy policy are technically contracts with your users. Under the DPDP Act, they must provide:
- Clear, plain-language consent requests — no more buried legal jargon
- Purpose limitation — data collected for one purpose cannot be used for another without fresh consent
- Easy withdrawal mechanism — users must be able to withdraw consent as easily as they gave it
- Grievance redressal — contact details for a designated grievance officer
4. Cross-Border Data Transfer Agreements
The DPDP Act allows data transfers to countries not restricted by the central government. However, if your data flows to vendors or cloud servers abroad, your contracts must include:
- Confirmation that the receiving country is not on the restricted list
- Equivalent data protection standards by the receiving party
- Audit rights to verify compliance
Penalties for Non-Compliance
The DPDP Act imposes significant penalties based on the nature of the violation:
- Failure to take security safeguards: Up to ₹250 crore
- Failure to notify the Board of a data breach: Up to ₹200 crore
- Non-compliance with obligations regarding children's data: Up to ₹200 crore
- Non-compliance with additional obligations of Significant Data Fiduciary: Up to ₹150 crore
- Other violations: Up to ₹50 crore
DPDP Act Compliance Checklist for Contracts
Before signing or renewing any contract that involves personal data, verify:
- ☐ Consent mechanism: Is there a clear, informed, specific consent clause?
- ☐ Purpose limitation: Is data use restricted to the stated purpose?
- ☐ Data processor obligations: Are security and processing terms defined?
- ☐ Breach notification: Is there a mandatory breach reporting clause (72 hours)?
- ☐ Data retention: Is there a clear data retention and deletion policy?
- ☐ Cross-border transfer: If applicable, are transfer safeguards in place?
- ☐ Children's data: If processing data of minors, is verifiable parental consent included?
- ☐ Grievance officer: Is a grievance redressal mechanism specified?
- ☐ Audit rights: Can you audit the data processor's compliance?
- ☐ Termination obligations: Is data deletion/return on contract end specified?
Don't Sign Blindly. Protect Yourself.
Templates are just a start. Use Contract Shield's AI to scan your contract for hidden risks, unfair clauses, and Indian legal compliance issues — in 60 seconds.
Analyze Your Contract Free →What to Do Right Now
- Audit all existing contracts that involve personal data processing
- Add DPAs to every vendor and processor agreement
- Update terms of service with DPDP-compliant consent mechanisms
- Train your team on what constitutes personal data under the Act
- Appoint a grievance officer and display contact details prominently
- Use AI contract review to scan existing agreements for compliance gaps
The DPDP Act is not coming—it's here. Every contract your business signs from this point forward must account for data protection obligations. The cost of compliance is small. The cost of a ₹250 crore penalty is not.
Frequently Asked Questions
Does the DPDP Act apply to small businesses?
Yes. The DPDP Act applies to all Data Fiduciaries processing digital personal data within India, or processing data outside India if it relates to offering goods/services to data principals in India. There is no exemption based on company size. Compliance must align with the Digital Personal Data Protection (DPDP) Act 2023, which imposes obligations on data fiduciaries to obtain explicit consent and implement robust security safeguards for processing personal data.
What is the penalty for non-compliance with DPDP Act?
Penalties can be severe, reaching up to ₹250 crore for failure to take reasonable security safeguards to prevent a data breach. Compliance must align with the Digital Personal Data Protection (DPDP) Act 2023, which imposes obligations on data fiduciaries to obtain explicit consent and implement robust security safeguards for processing personal data.
Do I need a Data Protection Officer (DPO)?
You are only required to appoint a Data Protection Officer if the government designates your organization as a Significant Data Fiduciary based on the volume and sensitivity of data processed. Specifically, Section 17 of the Copyright Act 1957 stipulates that the creator is the first owner of copyright unless there is a written contract assigning these rights to another entity, such as an employer or client.
Can I process data without consent under DPDP Act?
Generally, no. Consent is mandatory. However, the Act allows processing for certain legitimate uses without consent, such as for employment purposes, medical emergencies, or complying with court orders. Such clauses are subject to the Arbitration and Conciliation Act 1996, which provides the legal framework for domestic arbitration, enforcement of awards, and judicial intervention limits in commercial disputes.
How does India's DPDP Act 2023 affect commercial contracts?
The Digital Personal Data Protection (DPDP) Act 2023 requires contracts involving data processing to explicitly define the obligations of the Data Processor. Businesses must obtain clear, unconditional consent, specify processing purposes, and implement robust security safeguards, facing penalties up to Rs 250 crore for non-compliance.
Related reads: GDPR vs DPDP Act Comparison · Contract Compliance Checklist · E-Contracts India Guide