
Sections Under DPDPA – Explained Simply for Everyone

If you’re wondering what the sections under the Digital Personal Data Protection Act (DPDPA), 2023 say, you’re not alone. Many people search for quick, clear answers like “What are the key sections of DPDPA?”, “Which section talks about consent?”, or “What are user rights under DPDPA?” This blog gives you direct, simple explanations for the most important sections in the Act – no legal jargon, just plain English.

What does Section 2 of DPDPA define?

Section 2 of DPDPA lays the foundation by clearly defining important terms used throughout the law. For example, it tells us who the ‘Data Principal’ is (that’s you – the person whose data is being collected), and who the ‘Data Fiduciary’ is (the company or person collecting the data). It also defines what ‘Personal Data’ means – basically any data that can be used to identify you – like your name, phone number, Aadhaar number, or location. Other important definitions include ‘Consent’ and ‘Processing’. This section is important because everything else in the law depends on these definitions.

What is Section 4 about?

Section 4 of DPDPA is one of the most important sections. It says that no company or government body is allowed to collect your personal data unless they get your clear and informed consent first. That means they must tell you exactly what data they are collecting and why. You must also have the option to say yes or no easily. If you didn’t agree to it, they can’t use your data. This section is the base of most consent management platforms.

What should companies tell users before collecting data (Section 5)?

Section 5 of the Act makes it mandatory for companies to give users a clear notice before collecting any personal data. This notice must include: what data is being collected, why it is being collected, how long it will be stored, and how you can contact the company if you have questions. This helps users make an informed decision about whether they want to share their data or not.

Yes. Section 6 gives every user the right to withdraw their consent at any time. That means if you agreed earlier to share your data with a company but change your mind later, you can take back your permission. The company must then stop using your data for that purpose and delete it if needed. This gives you full control even after you’ve shared your data.

Section 7 talks about situations where consent is not required. This includes legal requirements, like when the data is needed by the government or a court. It also includes emergency situations like medical emergencies, where there may not be time to get permission. But these exceptions are clearly defined and limited.

Section 8 lists specific situations where companies can use your data without asking for your permission. This could include employment contracts, public research, or situations where the data is already publicly available. However, even in these cases, companies must follow the law and protect your privacy.

What rights do users get under Section 9?

Section 9 gives several important rights to users. You have the right to ask a company what data they have on you. You can also ask them to correct any wrong or outdated information. You also have the right to delete your data if you no longer want them to have it. And if a company doesn’t respect your rights, you can file a complaint. These rights put the user in charge of their own personal data.

What responsibilities do users have under Section 10?

Section 10 reminds users that with rights come responsibilities. You must give correct information when sharing your data. You shouldn’t misuse your rights under the Act or file false complaints. This section helps prevent misuse of the protections the law gives.

What does Section 11 say about big companies and data?

Section 11 talks about a special category called ‘Significant Data Fiduciaries’. These are companies that handle a large amount of sensitive data. They have more responsibilities. They must appoint a Data Protection Officer, do regular audits, and follow more rules. Examples might include banks, large e-commerce platforms, or healthtech companies.

How is children’s data protected under Section 13?

Section 13 provides extra protection for children under 18. Companies must get parental consent before collecting any data from children. They are also not allowed to show harmful or targeted ads to kids. This section is important for companies offering digital services to young users.

Can companies send data outside India? What does Section 15 say?

Section 15 covers the rules about sending personal data to other countries. The government will make a list of countries where data can be sent safely. If your data is sent to any other country, it must follow the conditions set by the government. This helps protect your data even when it leaves India.

Who will take action if a company breaks the law? (Sections 21 to 25)

Sections 21 to 25 set up the Data Protection Board of India. This board will look into complaints, investigate if a company has broken the rules, and decide on penalties. This gives users a formal way to report problems and hold companies accountable.

What penalties are mentioned under the DPDPA?

The DPDPA allows for strong penalties if a company fails to follow the rules. For example, if your data is leaked or misused, the company can be fined up to Rs. 250 crore. There are also fines for not respecting user consent, not protecting children’s data, or not having proper data safeguards in place.

Which sections should companies pay most attention to?

If you are a company that handles user data, especially in finance, education, healthcare or technology, you should carefully follow these sections:

  • Section 4 (consent collection)
  • Section 5 (notice to users)
  • Section 6 (withdrawal of consent)
  • Section 9 (user rights)
  • Section 11 (rules for significant data fiduciaries)
  • Section 13 (children’s data)
  • Section 15 (cross-border data sharing)
  • Sections 21 to 25 (penalties and board action)

These are the sections most commonly used in compliance policies, consent management platforms, and data protection systems.

Understanding DPDPA sections

Each section in the DPDPA serves a specific purpose and protects users in a different way. If you are a business, knowing these sections is the first step to following the law. If you are a user, these sections are tools to protect your personal information. The goal of the DPDPA is clear: let people control their data, and make companies responsible for using it properly.
