Key Terms in Simple Language

Understanding DPDPA starts with knowing its vocabulary. These terms appear throughout the Act and in compliance guidance. Here is what each term means in practice.

Data Principal

A Data Principal is the individual whose personal data is being collected or processed. Under DPDPA, Data Principals have rights — to access, correct, and erase their data, and to raise grievances. In plain terms: your customers, candidates, students, and employees are Data Principals when you collect their data.

Data Fiduciary

A Data Fiduciary is any person (individual, company, or organisation) who alone or jointly determines the purpose and means of processing personal data. If you decide what data to collect, why to collect it, and how to use it, you are a Data Fiduciary.

Key obligation: Data Fiduciaries carry the primary compliance burden under DPDPA — consent, notice, security, rights response, and breach notification.

Data Processor

A Data Processor processes personal data on behalf of a Data Fiduciary — but does not determine the purpose or means of processing independently. Examples include cloud storage providers, payroll processors, ATS vendors, and email marketing platforms.

Key obligation: Data Processors must act only on the instructions of the Data Fiduciary and must sign a Data Processing Agreement (DPA). They have limited but real obligations under DPDPA.

Significant Data Fiduciary (SDF)

A business can be designated as a Significant Data Fiduciary by the Central Government based on volume of data processed, sensitivity of data, risk to individuals, or risk to national security. SDFs face additional obligations including appointing a Data Protection Officer, conducting Data Protection Impact Assessments, and algorithmic transparency requirements.

Personal Data

Any data about an individual that can directly or indirectly identify them. This includes obvious data (name, PAN, Aadhaar, mobile number, email) and less obvious data (IP address, location data, device identifiers, behavioural data tied to an individual).

Sensitive Personal Data

The Act and its rules may specify categories of data that attract heightened protection. This typically includes financial data, health data, biometric data, and data of children.

Consent

Under DPDPA, consent must be free, specific, informed, unconditional, and unambiguous. It must be sought through a clear affirmative action — not pre-ticked boxes or silence.

Notice

A notice is the disclosure provided to a Data Principal before or at the time of collecting their data. It must specify what data is being collected, for what purpose, and how they can exercise their rights.

Data Processing Agreement (DPA)

A contractual agreement between a Data Fiduciary and a Data Processor setting out the terms on which personal data may be processed, including security standards, permitted sub-processors, and breach notification obligations.

Data Protection Board of India (DPBI)

The regulatory authority established under DPDPA. It adjudicates complaints, conducts inquiries, and can impose penalties. The Board is being constituted under the phased implementation of the DPDP Rules, 2025, which were notified on 14 November 2025.

Data Protection Impact Assessment (DPIA)

A formal assessment of the risks to individuals arising from a particular data processing activity. Mandatory for Significant Data Fiduciaries; best practice for all businesses handling large volumes of sensitive data.

Legitimate Uses (Deemed Consent)

Section 7 of DPDPA allows processing of personal data without explicit consent for certain legitimate purposes — including employment-related processing, medical emergencies, public health, and state functions. These are narrow exceptions, not a general opt-out from consent requirements.