DPDPA: India's new data protection law
Introduction
India's Digital Personal Data Protection Act (DPDPA) establishes a comprehensive framework governing how organizations collect, process, store, and share digital personal data. This act came into effect on 11 August, 2023 and the rules were notified on 14 November, 2025. This Act sets the guidelines for handling digital personal data, balancing individuals’ rights to protect their data with organizations’ legitimate reasons for processing it.
To help operationalize these requirements, we’ve created a practical DPDPA compliance checklist for contract managers that you can refer to alongside this guide.

Scope
The Act defines personal data as, "any data about an individual who is identifiable by or in relation to such data."
The Act is applicable for the processing of both digital and digitized personal data within the territory of India as well as outside it. Additionally, any activity related to offering goods and services to data principals within India falls under the purview of this Act.
However, the Act does not apply to the processing of data for domestic or personal purposes by individuals. Furthermore, it does not cover personal data that has been made publicly available.
Key stakeholders
(The definitions included here are as mentioned in the Act.)
Data Principal
A Data Principal is the individual to whom the personal data relates and where such individual is:
- A child, including the parents or lawful guardian of the child.
- A person with disability, including their lawful guardian, acting on their behalf.
Board
A regulatory body, or Board, refers to the Data Protection Board of India established by the Central Government under section 18 of this Act.
Consent Manager
A Consent Manager is a person registered with the Board, who acts as a single point of contact to enable a Data Principal to give, manage, review, and withdraw their consent through an accessible, transparent, and interoperable platform.
Data Fiduciary
A Data Fiduciary is any person who, alone or in conjunction with other persons, determines the purpose and means of processing of personal data.
Data Processor
A Data Processor is any person who processes personal data on behalf of a Data Fiduciary.
Significant Data Fiduciary
A Significant Data Fiduciary refers to any Data Fiduciary or class of Data Fiduciaries as may be notified by the Central Government under section 10 of this Act.
Data Protection Officer
A Data Protection Officer is an individual appointed by the Significant Data Fiduciary under clause (a) of sub-section (2) of section 10 of this Act.
Rights and duties of a Data Principal

Right to access information about personal data
Data Principals can ask for:
- A summary of the personal data being processed.
- The identities of other entities with whom the data has been shared.
- Any other related information about their personal data and its processing.
Exemptions are made when data is shared with other entities for detecting or investigating offences.
Right to correction and erasure of personal data
Data Principals have the right to the correction, completion, updating, or erasure of personal data for which they have previously given consent.
Upon receiving a request, it is the responsibility of the Data Fiduciary to correct the data if it is inaccurate, complete it if it is incomplete, update it if it is outdated, and erase it unless the data is required for a specific purpose or legal compliance.
Right of grievance redressal
Data Principals can raise grievances regarding data management with the respective Data Fiduciary or Consent Manager.
These entities must respond to grievances within a specified period. If the grievance is not resolved to the required standard, the Data Principal can approach the Board.
Right to nominate
Data Principals can nominate another individual to exercise their data rights in case they're incapacitated (due to mental unsoundness or bodily infirmity) or deceased.
Duties of Data Principals
Data Principals must:
- Comply with all other relevant laws.
- Avoid impersonation.
- Not suppress vital information when providing data for official documents or proofs.
- Avoid lodging false grievances or complaints.
- Provide authentic information when asking for corrections or erasure.
Inactivity of a Data Principal may trigger data deletion obligations for the Data Fiduciary, subject to applicable legal requirements.
Obligations of the Data Fiduciary
The key obligations of the Data Fiduciary are as follows:
- Data Fiduciaries must comply with the provisions of this Act and the applicable Rules under all circumstances and be responsible for the data processing by themselves or by the Data Processor.
- Data Fiduciaries can use Data Processors to process personal data on its behalf only under a valid contract that defines the scope, purpose, and safeguards for such processing.
- Data Fiduciaries must publish a clear and accessible notice specifying:
  - The personal data being collected.
  - The purpose for which it is being collected and processed.
  - The manner in which Data Principals may exercise their rights.
  - The contact details or communication link for grievance redressal.
- Consent must be free, specific, informed, unconditional, and based on clear affirmative action.
- Data Fiduciaries must employ suitable technical and organizational measures to follow the Act's provisions and must safeguard personal data against breaches, including when processed by data processors.
- Data Fiduciaries shall retain relevant logs and associated personal data for a period of one year, unless retention for a longer period is required under any law for the time being in force.
- Certain classes of Data Fiduciaries, including specified e-commerce, online gaming, and social media intermediaries above prescribed user thresholds, must delete personal data within three years from the Data Principal's last interaction or the commencement of the Rules, whichever is later.
- If there is a data breach, Data Fiduciaries shall provide immediate intimation to the Data Protection Board of India and the affected Data Principals, and submit a detailed report to the Board within seventy-two (72) hours in the prescribed manner, along with measures taken to mitigate harm.
- Data must be erased when the Data Principal withdraws consent or when the purpose for which it was collected is no longer served. Retention beyond that point is permitted only where it is required for compliance with any law for the time being in force.
- Data Principals must be notified at least forty-eight (48) hours before their personal data is erased. This notice requirement likewise applies only to erasure on the grounds above.
- The purpose for retaining data is treated as no longer served if the Data Principal neither approaches the Data Fiduciary nor exercises any related rights for a set period.
- Data Fiduciaries and Significant Data Fiduciaries must publicly share contact details of their Data Protection Officer or a representative who can address queries about personal data processing.
- Data Fiduciaries must have a system to address grievances of Data Principals within the prescribed timelines.

Obligations of the Significant Data Fiduciary
The Significant Data Fiduciary must fulfill the following obligations:
- Appoint a Data Protection Officer who will represent them under this Act, be based in India, be answerable to the organization's primary governing entity such as the Board of Directors, and act as the primary point of contact for grievance redressal.
- Select an independent auditor for compliance assessment and undergo annual independent audits in the manner prescribed under the Rules.
- Carry out regular Data Protection Impact Assessments that highlight the rights of Data Principals, the purposes of data processing, the associated risks, and measures adopted to mitigate such risks.
- Undertake periodic audits and align with other prescribed measures consistent with this Act.
- Significant Data Fiduciaries shall also undertake assessments relating to algorithmic transparency and fairness, where automated decision-making systems materially impact Data Principals.
- Enhanced due diligence must be exercised with respect to technical and organizational safeguards, with regard to the volume and sensitivity of personal data processed.
Monitoring children's personal data
Before handling the personal data of children or individuals with disabilities under guardianship, Data Fiduciaries are obligated to secure verifiable consent from either the child's parent or the guardian in the manner prescribed under the Rules, including verification of the identity and age of the parent or guardian, and must implement appropriate safeguards to ensure that such processing does not harm the well-being of the child.
They must ensure that the data processing will not negatively impact a child's welfare and are strictly barred from tracking, behaviourally monitoring, or directing targeted ads at children.
Certain categories of Data Fiduciaries, such as healthcare providers, educational institutions, and child transport service providers, may be exempt from specific parental consent requirements, subject to prescribed conditions.
Transfer of personal data outside India
The Central Government has the authority to set rules that may restrict a Data Fiduciary from transferring personal data for processing to specific foreign countries or regions. However, any current Indian law that provides more stringent protection or tighter restrictions on the export of personal data will continue to be in effect and take precedence.

Exemptions
Provisions of this Act don't apply in cases where:
- Data processing is necessary for legal rights or claims.
- Data processing is done by courts, tribunals, or any other body which is entrusted by law in India.
- Data is processed for preventing, detecting, or investigating any offense.
- Data of individuals outside India is processed based on a contract with someone outside India.
- Data processing is necessary for corporate restructurings like mergers or demergers approved by the authority.
- Processing is to determine the financial standing of a loan defaulter.
Penalties
- Breach of provisions of the Act or Rules for which no separate penalty is specified: Up to ₹250 crore.
- Failure of the Data Fiduciary to prevent a personal data breach: Up to ₹200 crore.
- Failure to notify the Board or the affected individual about a data breach: Up to ₹200 crore.
- Breach regarding children's data obligations: Up to ₹150 crore.
- Breach in observance of duties by the Data Principal: Up to ₹10,000.
- Violation of voluntary undertaking accepted by the Board: Penalty applicable for the original breach under section 28.
- Breach of any other provision of the Act or its rules: Up to ₹50 crore.
The exact penalty shall be determined by the Board based on the nature, gravity, and duration of the breach.
A phased implementation guide for the DPDPA
The government has introduced a three-phased timeline for the DPDPA implementation. With the Rules notified on 13 November 2025, this phased rollout allows businesses to move from awareness to operational readiness in a planned and manageable manner, giving organizations a structured path to full compliance.
Phase 1: Immediate actions
This phase sets the foundation of compliance. Rules 1, 2, and 17 to 21 came into force on 13 November 2025, the date on which the Rules were notified. The focus is on building awareness, governance, and a compliance game plan, which lays the groundwork for smooth implementation in later phases. Some immediate priorities include:
Setting up your compliance team
Establish a core privacy team and designate a DPO based on the rules.
Conducting data inventory and mapping
Identify and map what personal data your organization collects, processes, and stores, covering all stakeholders across websites, apps, and other necessary channels.
Enforcing data principal rights
Your organization should be ready to receive and respond to data principals' requests, and should have a grievance redressal system on the website and app through which grievances are addressed within 90 days.
Data retention and deletion
By now you should have defined what categories of data you want to retain and for how long. You must have a system in place to delete the data of users who have been inactive for more than three years, and a mechanism to inform those users 48 hours in advance of the deletion.
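The inactivity-based erasure obligation described above (erase three years after the later of the Data Principal's last interaction and the commencement of the Rules, notify the Data Principal at least 48 hours beforehand, and retain only where another law requires it) is easiest to reason about as a small scheduler. The following Python is an added illustration written for this guide, not code from the page, the Act, the Rules, or any vendor product. The `legal_hold` flag, the sample records, and the treatment of "three years" as calendar years are assumptions made for the example; the 13 November 2025 commencement date and the 48-hour window are taken from the page.

```python
"""Retention-and-erasure scheduler for the DPDPA inactivity rule (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

RULES_COMMENCEMENT = datetime(2025, 11, 13, tzinfo=timezone.utc)  # commencement date given on the page
INACTIVITY_YEARS = 3                  # "within three years" (page); calendar years assumed
NOTICE_WINDOW = timedelta(hours=48)   # "at least forty-eight (48) hours prior" (page)


def utc(year: int, month: int, day: int, hour: int = 0) -> datetime:
    """Convenience constructor for timezone-aware UTC timestamps."""
    return datetime(year, month, day, hour, tzinfo=timezone.utc)


def add_years(moment: datetime, years: int) -> datetime:
    """Add calendar years; 29 February falls back to 28 February in a non-leap target year."""
    try:
        return moment.replace(year=moment.year + years)
    except ValueError:
        return moment.replace(year=moment.year + years, day=28)


@dataclass
class PrincipalRecord:
    principal_id: str
    last_interaction: datetime               # last login, request, or exercise of a right
    legal_hold: bool = False                 # assumed flag: another law requires retention
    notified_at: Optional[datetime] = None   # when the 48-hour erasure notice was sent


def erasure_due(record: PrincipalRecord) -> datetime:
    """Erasure falls due three years after the later of last interaction and Rules commencement."""
    start = max(record.last_interaction, RULES_COMMENCEMENT)
    return add_years(start, INACTIVITY_YEARS)


def notice_due(record: PrincipalRecord) -> datetime:
    """Latest moment at which the advance notice must be sent."""
    return erasure_due(record) - NOTICE_WINDOW


def decide(record: PrincipalRecord, now: datetime) -> str:
    """Action for one record: retain, legal_hold, notify, await_notice_period, or erase."""
    if record.legal_hold:
        return "legal_hold"               # retention required by law overrides erasure
    if now < notice_due(record):
        return "retain"                   # still inside the three-year window
    if record.notified_at is None:
        return "notify"                   # send the 48-hour notice now
    if now - record.notified_at < NOTICE_WINDOW:
        return "await_notice_period"      # notice sent, 48 hours not yet elapsed
    return "erase"


def plan(records: List[PrincipalRecord], now: datetime) -> Dict[str, str]:
    """Map each principal id to the action due at `now`."""
    return {r.principal_id: decide(r, now) for r in records}


# Constructed sample records for the example (not real data).
SAMPLE_RECORDS = [
    PrincipalRecord("p-001", utc(2024, 1, 1)),                                  # inactive since before the Rules
    PrincipalRecord("p-002", utc(2024, 1, 1), notified_at=utc(2028, 11, 11)),   # notice already sent
    PrincipalRecord("p-003", utc(2027, 6, 1)),                                  # recently active
    PrincipalRecord("p-004", utc(2024, 1, 1), legal_hold=True),                 # retention required by law
]

if __name__ == "__main__":
    for pid, action in plan(SAMPLE_RECORDS, utc(2028, 11, 13)).items():
        print(pid, action)
```

The `max(last_interaction, RULES_COMMENCEMENT)` step is what makes "whichever is later" explicit: a user who has been dormant since 2024 is not erased in 2027 but on 13 November 2028, and the notice for that user must go out by 11 November 2028. Running the scheduler daily and recording `notified_at` when the notice is sent gives an auditable trail of both obligations.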
Review and update the existing data protection policies and contracts
Start updating your privacy policies, data handling guidelines, security protocols, and existing contracts to align with the DPDPA rules.
Build awareness and training
Educate your organization about the new law, terminologies, and obligations.
Phase 2: Consent management readiness
This phase focuses on implementing Rule 4, which governs the readiness of Consent Managers. This rule comes into force one year from 13 November 2025.
Implement Consent Manager integration
Integrate with or subscribe to a registered consent manager platform or service.
Redesign consent flows
Update how you obtain consent from the data principals to meet the DPDPA standards.
Phase 3: Achieving complete compliance
The remaining Rules (3, 5 to 16, 22, and 23) come into force eighteen (18) months from 13 November 2025, marking the end of this phase. Key preparations before this deadline include the following steps.
Launch updated privacy notices
Have the DPDPA-compliant privacy notices published to users, customers, and all other stakeholders.
Data security and breach response mechanisms
You must confirm that all access controls and encryption mechanisms are in place. You must have the data logs of all activities for at least one year. In case of a breach, you must have a process to inform the affected individuals and file an incident report with the Data Protection Board within 72 hours.
Cross-border data transfers
For data transfers outside the jurisdiction of India, ensure that all transfers meet the new rules, and stay updated on any government notifications of disallowed regions.
Enhanced measures for the significant data fiduciaries
Organizations classified as significant data fiduciaries must meet the additional requirements as stated in the law. They should appoint the data protection officer who will be a channel to communicate with the Board. They should conduct a data protection impact assessment and conduct annual data audits. They should also bring transparency measures for algorithms or AI use.
Final compliance checks
Before the 18-month period for implementation, organizations should conduct final compliance checks and audits to ensure no boxes are left unticked. It might be a good practice to run simulations of various scenarios to ensure that all lingering gaps are fixed.
By the end of Phase 3, organizations should be fully compliant and ready for the DPDPA. Having said that, compliance is not a one-time project, but a continuous responsibility. Compliance should become an essential part of organizational functioning by having measures such as regular audits, periodic training, and updates to the existing policies.
The impact of the DPDPA on contract management
Whenever a new law or regulation emerges in the industry that you operate in, it invariably impacts your business and its contracts. Specifically, two broad alterations emerge:
- Changes in the language of your contracts to reflect the new provisions in the law/regulation.
- Introduction of new procedures and controls in your contract management process to ensure compliance.
The DPDPA is no exception to this phenomenon. It necessitates the following transformation in the contract management process of an organization.
Changes in contractual languages
Enhanced rights of Data Principals
The DPDPA provides enhanced rights to the Data Principals, including the right to be informed, the right to correction, erasure, and more. Contracts must now reflect and accommodate these expanded rights, specifying the roles and responsibilities of each party.
Liabilities and indemnities
Given the DPDPA's rigorous penalties for data breaches and non-compliance, contracts must carefully address liabilities and indemnities. Thus, organizations would now be required to refine indemnity clauses to manage potential risks and liabilities.
Data breach notification
Contracts need to clearly lay out the processes, responsibilities, and timelines for data breach notifications. The DPDPA necessitates that affected Data Principals and the Board are duly informed.
Data transfers
In light of the DPDPA's strict guidelines on international data transfers, contracts need to integrate provisions like standard contractual clauses to ensure data that is transferred outside of India remains protected.
Record keeping
The DPDPA mandates that certain entities, like the Data Fiduciaries, maintain a comprehensive log of their data processing activities. This means contracts must now have clauses concerning record maintenance, accessibility, and auditing.
Changes to the contract management processes
Vendor management
The DPDPA emphasizes that organizations should be answerable not just for their own adherence to the law, but also for their vendors' and subcontractors' compliance. This translates to a need for a rigorous procedure to gauge and oversee the DPDPA compliance of third-party entities.
Review and update
Given the stricter data protection mandates of DPDPA, organizations need to periodically revisit and update their existing contracts to ensure they're in line with the latest requirements.
Data processing agreements (DPAs)
If an organization engages a Data Processor (as a third party) to process personal data on its behalf, DPDPA requires that a valid contract (i.e., DPA) is in place between the Data Fiduciary and the Data Processor. Contract managers must be adept at incorporating and understanding these agreements.
Training and awareness
The complex requirements of the DPDPA make it imperative for contract management professionals to have a thorough understanding of its provisions. Regular training, combined with internal audits and activity tracking, is vital to ensure consistent compliance and to address any potential oversights promptly.
DPDPA implementation checklist for contract managers
It is important for contract managers to ensure that their contracts are aligned with the DPDPA. The law requires contract managers to embed the data protection clauses into their contracts. They also need to ensure that their operational workflows are aligned with the DPDPA.
We have created a practical checklist for contract managers or anyone involved with contracts to ensure compliance with the DPDPA across their entire contract lifecycle.
This checklist helps contract managers to:
- Identify contracts involving personal data.
- Strengthen Data Processing Agreements.
- Address consent and children's data obligations.
- Embed breach notification and audit rights.
- Align retention, deletion, and cross-border clauses.
- Prepare for Significant Data Fiduciary requirements.
How a contract management software can help you stay compliant with the DPDPA
Centralized contract repository
A centralized digital repository for storing all contracts is essential in ensuring their easy accessibility, searchability, and manageability. For compliance with the DPDPA, such a system is invaluable. For instance, with a centralized repository coupled with advanced analytics, organizations can swiftly identify and isolate contracts containing specific DPDPA clauses that may require modification to remain compliant.
Template standardization
Contract management solutions often provide standardized templates. Organizations can create DPDPA-compliant templates to ensure every new contract meets the necessary requirements, reducing the risk of non-compliance.
Version control
As contracts undergo revisions, it is essential to maintain a clear record of changes, especially concerning data protection clauses. Contract management software typically offers version control features to track versions.
Obligations management
Obligations related to the DPDPA can be complex and time-sensitive. Contract management software aids in capturing and tracking these obligations. Whether it is periodic audits or specific data handling commitments, automated alerts ensure that organizations never miss a deadline, thereby ensuring compliance and fostering trust with stakeholders.
Access controls
The DPDPA emphasizes the principle of data minimization and restricted access—and business contracts comprise a lot of critical data. Contract management software allows organizations to set granular user permissions, ensuring only authorized individuals can access specific contracts or data.
Audit trails
In compliance with the DPDPA's mandates, it is vital for organizations to ensure transparency and accountability in their data handling processes. Contract management systems can provide comprehensive audit trails detailing who accessed a contract, when, and what changes they made.
Data management
The DPDPA mandates that organizations should not retain personal data beyond its necessary duration. Contract management software aids in this aspect by evaluating metadata within the CLM system and examining contract content. This ensures timely deletion or anonymization of data in compliance with DPDPA guidelines.
Encryption and security
To protect personal data, contract management software that aligns with DPDPA compliance offers robust encryption, both for data in transit and at rest. This reduces the risk of data breaches.
AI-powered insights and automation
AI can automatically analyse contracts to identify data protection clauses, flag risks, and detect deviations from approved templates. It helps extract key terms, such as retention periods, consent requirements, and third-party obligations, enabling faster and more accurate reviews. By continuously monitoring contracts, AI can surface compliance gaps early and provide actionable insights, helping organizations stay ahead of DPDPA requirements.
About Zoho Contracts
With more than 25 years of history, Zoho is trusted by more than 100 million users worldwide. Zoho Contracts is our AI-powered contract management solution. It provides an all-in-one CLM solution, allowing businesses to streamline the contract lifecycle on a singular platform. This eliminates the need for multiple apps, reducing contract cycle times and operational costs.
Our platform features advanced analytics for strategic insights, detailed activity monitoring, and targeted obligation management to boost compliance, mitigate risks, and improve productivity. Below are some key features of Zoho Contracts.
Zoho Contracts uses AI to identify key clauses, extract critical data, summarize content, and translate contracts. It also helps surface risks, flag deviations from standard templates, and provide contextual insights. This enables teams to review contracts faster, maintain consistency, and take a more proactive approach to compliance and decision-making. Explore upcoming AI capabilities on our product roadmap.
Eliminate the need for a separate word processor, email application, e-signature software, spreadsheet system, document management software, and calendar. Zoho Contracts encompasses all of these tools to manage your contracts.
Leverage the power of our native authoring capabilities, which are built on a full-blown word processor that has been refined over 15 years of R&D. Write contracts instantly with the help of our predefined templates, the exhaustive clause library, and intuitive collaboration features. Import your contracts in the draft, signed, or even expired states, and manage them all in Zoho Contracts.
Create your own approval workflows, both sequential and parallel. Approvers can add contextual comments before approving or rejecting a contract.
Provide secure access to contracts for counterparty contacts through password-protected links. They can engage in synchronous collaboration, propose modifications, annotate with contextual comments, set comment visibility, track negotiation history, and compare changes.
Set the signing order consisting of various categories of signatories, including those from your organization, counterparties, and additional representatives, and secure legally binding signatures.
Zoho Contracts' automatically generated amendment letters capture the entire contract history as well as all changes that were made in the current amendment. The letter templates are available for renewals, extensions, and terminations as well.
Choose to auto-renew your contracts. Stay updated on renewal opportunities with in-app and email alerts.
Get insights from 40+ standard reports across different aspects of contract management. Get a high-level overview of your contracts at a glance with a personalized dashboard.
Track activities at the individual contract, user, and stage levels. Audit, access, and download logs ensure improved auditability. The data protection settings allow you to delete and anonymize counterparty data on demand.
Contextually track and manage obligations from within the contract. Allocate tasks to appropriate business stakeholders and schedule reminders. Keep abreast of the ongoing fulfilment of tasks using reports centred on obligations.
Sales reps can initiate a contract and track its status from Zoho CRM. They can also initiate negotiation, signing, renewal, and amendment requests.
For more information on product features, pricing, and resources, please visit our Zoho Contracts website.
FAQs
The Digital Personal Data Protection Act (DPDPA) is India's data protection law that governs how organizations collect, process, store, and share digital personal data while safeguarding individuals' rights.
A Data Fiduciary is any entity or person that determines the purpose and means of processing personal data, making them responsible for ensuring compliance with the Act.
The DPDPA requires organizations to update contracts with data protection clauses, define responsibilities for data handling, include breach notification terms, and ensure compliance across vendors and third parties.
Contract managers should identify contracts involving personal data, update agreements with DPDPA-compliant clauses, monitor vendor compliance, and align retention and deletion practices across the contract lifecycle.
Contract management software helps centralize contracts, standardize templates, track obligations, enforce access controls, and provide audit trails, making it easier to manage and demonstrate compliance.
Disclaimer: This e-book does not provide legal advice on the DPDPA. Its objective is to support organizations in developing contract management systems that facilitate compliance. If you have any queries concerning the law, we strongly recommend consulting with your legal counsel and data privacy expert.