DPDP Rules 2025 are now in effect. How ready is your business? Most Indian companies don't know yet.Find out in 10 minutes — free →
SaralPrivacy emblem
DPDPA Guide

Who Does DPDPA Apply To?

DPDPA applies to any entity that processes personal data of Indian residents digitally — including MSMEs, recruiters, CA firms, D2C brands, and B2B operators. If you collect a name, email, or phone number, you are covered. This guide explains scope, exemptions, and what it means for your business today.

The DPDPA applies broadly to any entity that processes personal data of Indian citizens. Understanding whether you are covered is the essential first step in your compliance journey.

The Short Answer

If your business collects, stores, or processes any personal data of individuals located in India — including just a name, email address, or mobile number — the DPDPA likely applies to you.

Data Fiduciaries vs Data Processors

The Act distinguishes between two key roles:

Data Fiduciary — Any person (including a company, firm, or individual) who alone or jointly determines the purpose and means of processing personal data. If you decide what data to collect, why to collect it, and how to use it, you are a Data Fiduciary.

Data Processor — Any person who processes personal data on behalf of a Data Fiduciary. For example, a cloud storage provider, payroll processor, or marketing automation tool.

Most businesses are Data Fiduciaries for at least some of their data processing activities. Some may also be Data Processors in their relationship with clients.

Are There Exemptions?

The Act provides some exemptions:

  • Processing of personal data for personal or domestic purposes (not a business)
  • Processing by government instrumentalities for specific purposes
  • Processing for prevention, detection, investigation, or prosecution of offences
  • Personal data made publicly available by the Data Principal themselves

The government may also notify additional exemptions for specific categories of businesses through Rules. Until any such exemption is formally notified, all businesses collecting personal data should plan for compliance.

Territorial Scope

The DPDPA applies to:

  • Processing within India — regardless of where the data controller is located
  • Processing outside India — if done in connection with offering goods or services to individuals in India

This means even foreign companies offering services to Indian users are covered.

What Happens If You Ignore It?

Penalties for non-compliance can reach ₹250 crore per instance. The Data Protection Board has the power to conduct inquiries and impose penalties after due process. Compliance is not optional.

Last reviewed: March 2026

Legal baseline: DPDP Rules, 2025 notified on 14 November 2025, with phased commencement.

This page is for educational purposes and does not constitute legal advice.

Educational content only. This guide is for educational purposes and does not constitute legal advice. Please consult a qualified data protection lawyer for formal legal opinions specific to your business situation.
What is DPDPA?Key Terms