DPDP Rules, 2025 are now in effect. See where your business stands, in 3–5 minutes.Find out — free →
Industry Guide · Training Institutes

Your institute does not just teach students. It collects, shares and stores student data every day.

From enquiry forms and admission records to WhatsApp groups, parent phone numbers, student photos, LMS tools, attendance data, fee records and placement profiles — training institutes handle personal data at every step. This 3-minute scan shows where DPDPA exposure may arise.

Most institutes think they run classes. They also run a quiet little data factory.

Start Training Institute Risk Scan 3 minutes · 10 questions · free · no login
Student DataParent DetailsMinorsWhatsApp GroupsLMS ToolsStudent PhotosTestimonialsAttendanceFee RecordsPlacement Data

Your student-data risk map

The free scan scores your institute across these five areas. Here is what each one looks at.

Student data collection risk

Names, parent numbers, age/class, ID proof, marks, fees, photos and health data — across enquiry forms, Google Forms, WhatsApp and counsellor spreadsheets.

First move: Standardise intake to one controlled channel and collect only what each purpose actually needs.

Minor & parental consent risk

Students below 18 — admissions, attendance, photos, LMS use and marketing all need verifiable parent/guardian consent under Section 9.

First move: Record student age and capture verifiable parental consent at admission, with evidence you can produce later.

Communication & marketing risk

WhatsApp groups exposing parent/student numbers; student photos, result screenshots, testimonials and demo videos used in ads.

First move: Separate batch updates from promotion, document consent for any student media, and add a removal process.

LMS, vendor & platform risk

LMS, online tests, CRM, payment, attendance/biometric, marketing tools and placement partners — all in your data chain.

First move: Keep a vendor register: review what each tool stores, who can access it, and what's shared with partners.

Retention & rights readiness risk

Old leads, admission records, test scores, attendance, student photos, payments and placement profiles kept indefinitely.

First move: Adopt a documented retention schedule with an annual deletion/archive review.

How the 3-minute scan works

1

Answer 10 quick questions

About your student data, minors, intake channels, WhatsApp, marketing media, LMS/vendors, sharing and retention. ~3 minutes.

2

See your readiness score + risk map

A 0–100 DPDPA readiness score, your risk band, and five training-institute risk areas.

3

Get your priority fixes + checklist

The five controls to start with, plus the Training Institute DPDPA Starter Checklist.

Start Training Institute Risk Scan

What the scan checks

Ten plain-English questions across your real student-data workflows.

What type of training business you run and the student data you hold
Whether you enrol students below 18, and how parental consent is obtained
How admission, enquiry and fee information reaches your institute
How WhatsApp groups and broadcast lists are used with students and parents
Whether student photos, results, testimonials or recordings are used in marketing
Which LMS, CRM, payment, attendance and marketing tools process student data
What student data is shared with recruiters, colleges, partners or franchisees
How long old student records are retained after course completion

Training institute DPDPA questions

Does the DPDPA apply to training institutes and coaching centres?

Yes. Training institutes and coaching centres collect personal data at every stage of the student lifecycle — enquiries, admissions, fee records, attendance, placements, and marketing. This makes them Data Fiduciaries under the Digital Personal Data Protection Act, 2023. All institutes, including small coaching centres, are covered.

Do we need parental consent to collect data from students under 18?

Yes. Section 9 of the DPDPA and the DPDP Rules, 2025 require verifiable parental or guardian consent before processing personal data of children under 18. This applies to admissions forms, attendance systems, and marketing communications. Standard consent checkboxes signed by the student alone are not sufficient.

Are our enquiry and admissions forms DPDPA-compliant?

Most are not. Common issues include no consent notice explaining purpose and data use, marketing consent bundled with admission processing, no mention of data sharing with third parties, and no information on the right to withdraw consent. Each form must include a clear, specific notice and separate consent checkboxes for different purposes.

Can we use a student's placement data — salary, employer name — for marketing testimonials?

Not without separate, specific consent. Salary and employer details are personal data. Using them for marketing testimonials or social proof requires explicit written consent from the placed student that covers this specific use. The consent obtained at admission does not extend to this purpose.

Can we use student photos or result screenshots in our marketing?

Only with documented consent — and for students under 18, verifiable parental consent. Photos, classroom videos, result screenshots and testimonials are personal data. Using them on social media, ads or your website without separate, specific consent is a common and serious gap, and the exposure is higher when minors appear in the content.

Take the free scan

10 questions · 3 minutes · free · no login. Get your institute's DPDPA readiness score.

Start Training Institute Risk Scan →

Free Guide

DPDPA compliance guide for Indian businesses.

Download the Guide →

Legal baseline: DPDP Rules, 2025 notified on 14 November 2025, with phased commencement.

This page is for educational purposes and does not constitute legal advice.