DPDP Act 2023

Section 2

Definitions

THE STATUTE

Original Text

In this Act, unless the context otherwise requires, —
(i) 'consent manager' means a person registered with the Board, who acts as a single point of contact to enable a Data Principal to give, manage, review and withdraw her consent through an accessible, transparent and interoperable platform;
(j) 'Data Fiduciary' means any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data;
(k) 'Data Principal' means the individual to whom the personal data relates;
(m) 'Data Processor' means any person who processes personal data on behalf of a Data Fiduciary;
(n) 'personal data' means any data about an individual who is identifiable by or in relation to such data;
(q) 'processing' means wholly or partly automated operation or set of operations performed on digital personal data and includes collection, recording, organisation, structuring, storage, adaptation, retrieval, use, alignment or combination, sharing, disclosure and erasure or destruction.

Simplified

Section 2's definitions structure the entire DPDP Act's regulatory architecture. 'Personal data' is broadly defined — any data about an identifiable individual. Unlike GDPR, the DPDP Act does not separately categorise 'special categories' of sensitive data, though the Central Government has power to notify additional obligations for certain categories. 'Data Fiduciary' replaces the GDPR's 'data controller' — the entity that decides why and how personal data is processed. The term 'fiduciary' is significant: it imports a duty of trust and care toward the data subject, going beyond mere legal compliance. 'Data Principal' is the individual whose data is processed — they are the rights-holder under the Act. 'Data Processor' handles data on behalf of the Fiduciary. 'Consent Manager' is a novel DPDP concept: a registered intermediary that helps individuals manage consent across multiple platforms — analogous to a consent aggregator. 'Processing' is defined very broadly: collection, storage, use, sharing, and deletion all qualify. Notably, the DPDP Act applies only to 'digital personal data' — handwritten or physical records are not covered unless they are subsequently digitised.

Common Queries

The DPDP Act 2023 received Presidential assent on 11 August 2023 but has not been brought fully into force at once — Section 1(3) provides for phased commencement by Central Government notification. Different provisions are being notified at different dates, allowing the government to build the Data Protection Board infrastructure before full compliance obligations go live.
Yes. Section 1(2) extends the Act to India and also applies to processing outside India that is connected with offering goods or services to Data Principals in India. An Indian company with international operations that processes data of Indian users even outside India must comply.
The Act applies to all Data Fiduciaries by default, but the Central Government can exempt classes of small businesses or startups under Section 17(4). Until a specific exemption is notified, even small businesses processing digital personal data technically have DPDP obligations — though enforcement priority will likely focus on larger entities first.
The IT Act 2000 and its SPDI Rules 2011 were piecemeal, lacked enforcement teeth, had unclear extra-territorial reach, did not create Data Principal rights, and predated the explosion of digital data collection. The DPDP Act creates a comprehensive rights-based framework mandated by the Supreme Court's recognition of privacy as a fundamental right in Puttaswamy (2017).

Legal Context

The terminology choices in DPDP reflect a conscious indigenisation of GDPR concepts. 'Data Fiduciary' instead of 'data controller' signals an aspirational standard; 'Data Principal' instead of 'data subject' frames the individual as an active participant rather than a passive subject. The 'Consent Manager' is a uniquely Indian innovation, responding to the fragmented consent landscape across digital services. These definitional choices will be elaborated through DPDP Rules which the Central Government is developing.

Key Rules & Provisions

Only 'digital personal data' is covered — physical records excluded unless digitised.

'Data Fiduciary' introduces a higher standard of duty than 'data controller' used in GDPR.

'Consent Manager' is a new regulatory category with no direct GDPR equivalent.

No explicit separate 'sensitive personal data' category — Central Government to notify additional obligations.

Related Case Laws

Justice K.S. Puttaswamy v. Union of India (2017)

(2017) 10 SCC 1
RELEVANCE

The 9-judge bench's recognition of informational privacy as a facet of the fundamental right to privacy under Article 21 directly shapes how the definitions in Section 2 — particularly 'personal data' and 'Data Principal' — must be interpreted: as rights-bearing concepts, not mere regulatory labels.