Data Protection & Privacy Law

Data protection law in India has undergone a significant transformation with the enactment of the Digital Personal Data Protection (DPDP) Act, 2023. Alongside this domestic framework, organisations operating across borders must also comply with international regulations such as the General Data Protection Regulation (GDPR) of the European Union.

This page provides an overview of the key areas covered under data protection and privacy law, which forms a core focus of this practice.


The Digital Personal Data Protection Act, 2023 (DPDP Act)

The DPDP Act establishes a framework for the processing of digital personal data in India. Key features include:

  • Data Fiduciaries and Data Principals: The Act defines entities that determine the purpose and means of data processing as “Data Fiduciaries” and individuals whose data is processed as “Data Principals.”
  • Consent-Based Processing: Personal data may generally be processed only upon the free, specific, informed, unconditional, and unambiguous consent of the Data Principal.
  • Rights of Data Principals: Individuals have the right to access information about their data, correct or erase data, and seek grievance redressal.
  • Obligations of Data Fiduciaries: Organisations must implement appropriate technical and organisational measures to protect data, appoint a Data Protection Officer (where applicable), and comply with data localisation requirements as notified.
  • Significant Data Fiduciaries: The Central Government may designate certain entities as Significant Data Fiduciaries based on the volume and sensitivity of data processed, subjecting them to additional obligations.
  • Cross-Border Data Transfers: Transfer of personal data outside India is permitted only to countries notified by the Central Government.
  • Data Protection Board: A statutory body empowered to adjudicate complaints and impose penalties for non-compliance.

General Data Protection Regulation (GDPR)

The GDPR applies to organisations established in the European Union (EU) as well as organisations outside the EU that offer goods or services to, or monitor the behaviour of, individuals in the EU. Indian companies with EU customers or EU-based operations may fall within the scope of GDPR. Key requirements include lawful bases for processing, data subject rights, Data Protection Impact Assessments (DPIAs), and mandatory breach notification.

Key Areas of Practice

Compliance Programmes

Assisting organisations in mapping their data flows, identifying applicable legal obligations under the DPDP Act, GDPR, and other applicable laws, and building or reviewing internal compliance frameworks.

Privacy Policies and Notices

Drafting and reviewing privacy policies, consent notices, and cookie policies in compliance with applicable legal requirements and in clear, plain language accessible to end users.

Data Processing Agreements

Drafting and negotiating agreements between Data Fiduciaries and Data Processors (under the DPDP Act) and between Controllers and Processors (under GDPR), including sub-processing arrangements and standard contractual clauses for cross-border transfers.

Privacy Impact Assessments

Conducting or advising on Privacy Impact Assessments (PIAs) and Data Protection Impact Assessments (DPIAs) for new or modified data processing activities, products, or systems.

Data Breach Response

Advising on breach identification, containment, and notification obligations under applicable law, including obligations to notify the Data Protection Board (under DPDP Act) and supervisory authorities (under GDPR).

Cross-Border Data Transfers

Advising on mechanisms for lawful transfer of personal data outside India and to/from the EU, including standard contractual clauses, adequacy decisions, and binding corporate rules.

Sector-Specific Compliance

Advising on data protection obligations in specific sectors such as fintech, healthtech, e-commerce, and SaaS, where sector-specific regulations may apply in addition to the DPDP Act.


Frequently Asked Questions

Does the DPDP Act apply to my organisation?

The DPDP Act applies to the processing of digital personal data within India, and to processing outside India if it relates to profiling of individuals within India or offering of goods or services to individuals within India. If your organisation collects, stores, uses, or shares personal data in digital form relating to individuals in India, it is likely to fall within scope.

When will the DPDP Act Rules be enforced?

The DPDP Rules, 2025 have been published. Please check https://hexlex.in/dpdp-act-and-rules-implementation-timeline/ for the implementation dates of the various provisions.

Does GDPR apply to Indian companies?

GDPR applies on the basis of establishment in the EU or on the basis of targeting EU individuals (the “targeting criterion”). Indian companies that have EU-based customers, process data of EU individuals, or have offices/subsidiaries in the EU should assess whether GDPR applies to their operations.

What is a Data Protection Officer (DPO)?

Under the DPDP Act, certain Significant Data Fiduciaries may be required to appoint a Data Protection Officer who serves as the point of contact for the Data Protection Board and Data Principals. Under GDPR, a DPO is mandatory for public authorities, organisations engaged in large-scale systematic monitoring, or large-scale processing of special categories of data.
