Personal Data
Any data about an individual who is identifiable by or in relation to such data — the foundational concept of the DPDP Act 2023.
Full Definition
The DPDP Act 2023 defines 'personal data' (Section 2(t)) as any data about an individual who is identifiable by or in relation to such data. The definition is deliberately broad and technology-neutral: it covers names, phone numbers, email addresses, biometric data, location data, financial records, health data, and any other information that can be linked to an identifiable person. Unlike the GDPR which separately defines 'sensitive personal data' ('special categories'), the DPDP Act's tiered approach creates heightened obligations for 'sensitive' categories through rules rather than defining them explicitly in the Act. The Act covers only digital personal data — paper records are outside its scope (unlike GDPR which covers both).
In Indian Law
DPDP Act 2023, Section 2(t). The Act applies to processing of digital personal data within India and processing of digital personal data outside India if connected with offering goods or services to Data Principals in India (Section 1(2)). 'Sensitive personal data' is not separately defined in the Act but the Central Government can specify categories warranting enhanced protection under Section 17. The constitutional foundation is the Supreme Court's recognition in K.S. Puttaswamy v. Union of India (2017) that informational privacy — including control over one's personal data — is a fundamental right under Article 21.
Related Legal Sections
Landmark Cases
K.S. Puttaswamy v. Union of India (2017) (2017) 10 SCC 1 — Privacy as fundamental right; constitutional mandate for data protection legislation
Frequently Asked Questions
Is an IP address 'personal data' under the DPDP Act?
It depends on whether the IP address can identify an individual in context. A dynamic IP address by itself may not be personal data; but when combined with other data (login records, user profile), it likely identifies an individual and becomes personal data.
Does the DPDP Act cover paper records?
No. The DPDP Act explicitly covers 'digital personal data' only. Paper records, physical files, and non-digital information are outside its scope — unlike the GDPR which covers both digital and manual filing systems.