DPDPA Legal Glossary
Plain-language definitions of key terms under India's Digital Personal Data Protection Act (DPDPA) 2023. Use this as a quick reference for your compliance work.
Consent
Section 6, DPDP Act 2023
A free, specific, informed, unconditional, and unambiguous indication by the Data Principal through a clear affirmative action, signifying agreement to the processing of their personal data for a specified purpose. Consent must be granular — one purpose per consent, with no bundling.
Consent Artefact
DPDP Act 2023 & MeitY Draft Rules
A signed, machine-readable document or electronic record that captures the essence of consent given by a Data Principal, including who gave it, to whom, for what purpose, and when. Required under DPDPA for audit-ready compliance. DataDefend generates MeitY-compliant consent artefacts automatically.
Consent Manager
Section 3(6), DPDP Act 2023
An entity registered with the Data Protection Board of India that enables Data Principals to give, manage, review, and withdraw consent through an interoperable platform. Acts as a single point of contact for consent across multiple Data Fiduciaries.
Data Breach
Section 8(6), DPDP Act 2023
Any unauthorised processing, accidental disclosure, acquisition, sharing, use, alteration, destruction, or loss of access to personal data that compromises its confidentiality, integrity, or availability. Significant Data Fiduciaries must notify the Data Protection Board and affected Data Principals without delay.
Data Fiduciary
Section 2(i), DPDP Act 2023
Any person (individual, company, firm, state, or body of persons) who alone or jointly with others determines the purpose and means of processing personal data. Equivalent to 'Data Controller' under GDPR. A Data Fiduciary bears primary accountability for DPDPA compliance.
Data Localisation
Section 16, DPDP Act 2023
The requirement to store and process certain categories of personal data exclusively within India. The Central Government may restrict cross-border transfer of specific data categories by notifying countries or territories to which transfer is permitted.
Data Principal
Section 2(j), DPDP Act 2023
The individual to whom the personal data relates. In the case of a child (below 18 years), the parent or lawful guardian. In the case of a person with disability, their lawful guardian. The Data Principal has rights including access, correction, erasure, and grievance redressal.
Data Processor
Section 2(k), DPDP Act 2023
Any person who processes personal data on behalf of a Data Fiduciary. Processes only as instructed by the Data Fiduciary. Must implement appropriate security safeguards. Does not determine the purpose or means of processing.
Data Protection Board of India (DPBI)
Section 18, DPDP Act 2023
The regulatory body established under the DPDP Act to adjudicate complaints, impose penalties, and ensure enforcement. Decisions can be appealed before the Telecom Disputes Settlement and Appellate Tribunal (TDSAT).
Data Protection Officer (DPO)
Section 10(2), DPDP Act 2023
An individual appointed by a Significant Data Fiduciary to ensure compliance with the DPDP Act. The DPO must be based in India and serves as the point of contact for the Data Protection Board and Data Principals.
DSAR (Data Subject Access Request)
Sections 11–13, DPDP Act 2023
A formal request made by a Data Principal to exercise their statutory rights — including the right to access their personal data, correct inaccuracies, request erasure, or obtain a summary of processing activities. Data Fiduciaries must respond within a reasonable timeframe.
DPDPA / DPDP Act
The Digital Personal Data Protection Act, 2023
The Digital Personal Data Protection Act, 2023 — India's primary legislation governing the processing of digital personal data. Received Presidential assent on 11 August 2023. Penalties for non-compliance can reach up to ₹250 crores per instance.
MeitY
Government of India
The Ministry of Electronics and Information Technology — the nodal ministry responsible for implementing the DPDP Act, notifying rules, and prescribing technical standards including the Consent Artefact specification.
Personal Data
Section 2(t), DPDP Act 2023
Any data about an individual who is identifiable by or in relation to such data. This includes name, address, phone number, email, location data, device identifiers, biometric data, financial data, and any other information that can directly or indirectly identify a person.
Privacy Impact Assessment (PIA)
Section 10(3)(b), DPDP Act 2023
A structured process to identify, assess, and mitigate privacy risks before undertaking a new project, system, or data processing activity. Required for Significant Data Fiduciaries and recommended as a best practice for all Data Fiduciaries.
Purpose Limitation
Section 8(3), DPDP Act 2023
Personal data collected for a specified purpose must be used only for that purpose. Once the purpose is served, the data must be erased unless retention is required by law. This is a foundational principle of DPDPA compliance.
Significant Data Fiduciary (SDF)
Section 10, DPDP Act 2023
A Data Fiduciary notified by the Central Government based on factors including volume and sensitivity of personal data processed, risk to national security, and potential impact on fundamental rights. SDFs have additional obligations including DPO appointment, Data Auditor engagement, and periodic PIA.
Verifiable Parental Consent
Section 9, DPDP Act 2023
Consent obtained from a parent or lawful guardian before processing personal data of a child (below 18 years). Data Fiduciaries must implement a mechanism to verify the age of the Data Principal and the identity of the parent. Profiling and behavioural tracking of children are prohibited.
Disclaimer: This glossary is for informational purposes only and does not constitute legal advice. Definitions are derived from the DPDP Act 2023 and associated MeitY draft rules. For legal guidance, consult a qualified data protection counsel.