Published on: 23rd January 2026
Authored By: K.L.B.S.Aswini
VIT-AP University
Abstract
This paper explains the main provisions of the Digital Personal Data Protection Act, 2023 by focusing on Sections 4 to 15. These sections describe how personal data can be collected and used, the importance of taking clear and valid consent, and the situations where data can be processed without consent. The paper also discusses the responsibilities of Data Fiduciaries, including keeping data accurate and safe, and deleting it when it is no longer needed. Special rules for protecting children’s data and the additional duties of Significant Data Fiduciaries are also highlighted. Further, the rights of Data Principals, such as accessing their data, correcting it, requesting its deletion, and raising grievances, are explained in a simple manner. Finally, the paper outlines the basic duties expected from individuals while sharing their personal data. Overall, this paper gives an easy and structured understanding of how these sections of the DPDP Act aim to protect people’s privacy and promote responsible use of digital personal data in India.
Introduction
The Digital Personal Data Protection Act, 2023, is a law enacted by the Parliament of India on August 11th, 2023 (No. 22 of 2023). The main objective of this legislation is to regulate the processing of digital personal data. It serves to balance two critical needs: recognizing the right of individuals to protect their personal data while also accommodating the necessity to process that data for various lawful purposes. A few key actors need to be known to understand the law.
- Data Principal (DP) – The DP is the person whose data was given for processing. In the case of children, the DP will be the child's parent or lawful guardian[1].
- Data Fiduciary (DF) – The DF is the person who is processing the data of the DP[2].
- Consent Manager (CM) – A Consent Manager does not see or store personal data; it only manages consent flows.[3]
- Data Processor – The Data Processor is the person who acts on behalf of the DF in processing the data[4].
Grounds for Processing the Data
Under section 4, personal data can be processed on two grounds:
- When the DP gave her consent
- In case of certain legitimate uses under section 7 of the DPDP Act[5]
When the DP gave her consent
Consent given by the DP should be free, unambiguous, unconditional and specific, with a clear affirmative action signifying agreement to the processing of the Data Principal's personal data for the specified purpose, and the data should be limited to that purpose. If any part of this consent under section 6(1) violates any provision of the Act, it will be invalid. The request for consent should be in clear and plain language, and the Data Principal has the option to request it in English or any other language. The request must also provide the contact details of the Data Protection Officer or of any authorized person who can address queries related to consent or data processing. The DP shall have the right to withdraw her consent at any time. The consequences of such withdrawal shall be borne by the DP. Data processed before the withdrawal is not affected by it. If the DP withdraws her consent, the DF must, within a reasonable time, cease the processing of her personal data. The Data Fiduciary must also ensure that its Data Processors stop processing the data, with one exception: processing can still continue without consent if it is required or authorized under this Act or its rules, or by any other Indian law. The DP can review, manage or withdraw her consent to a Data Fiduciary through a Consent Manager. The Consent Manager shall be responsible and shall act on behalf of the Data Principal. The Consent Manager shall be registered with the Board. If any question regarding valid consent arises, the Data Fiduciary has to prove that the Data Principal was given notice and gave consent in accordance with the Act.[6]
Once the DP has given consent, the DF needs to inform the DP of the purpose for which the data is processed, explain her right to withdraw consent under section 6(4), and explain the manner in which the DP can make a complaint to the Board[7].
In case of certain legitimate uses under section 7 of the DPDP Act
The DF can process the data of the Data Principal for the following uses:
- For the specified purpose for which the DP voluntarily provided her personal data, where the DF does not need the DP's consent to use it
- For the State or instrumentalities of the State to provide benefits to the DP
- For the performance of any function under law by the state
- For fulfilling any obligation under any law
- For compliance with the state with any judgement
- For medical emergency
- To provide medical treatment or health services
- To provide safety measures during a disaster or any breakdown of public order
- For the purpose of employment[8]
General Obligations of DF
Section 8 lays down the general obligations of the DF. The DF is responsible irrespective of any agreement to the contrary or any failure of the DP to carry out her duties. This responsibility extends to processing done by the Data Fiduciary or by a Data Processor on its behalf. The DF can appoint a Data Processor to act on its behalf under a valid contract, and only to process data regarding goods and services of the DP. Data Fiduciaries must ensure accuracy when the data is used to make a decision affecting the DP or is disclosed to another DF. The DF shall implement technical and organizational measures. The DF must take reasonable safeguards to prevent a personal data breach; in case of a breach of personal data, the DF must inform the Data Protection Board and the DP in the prescribed manner. Data needs to be erased when the DP withdraws consent or when the purpose for which the data was taken is no longer served, and the DF must ensure that its Data Processor also erases that personal data. Erasure happens only on request, or when the purpose is finished, whichever is earlier. The DF must publish the business contact details of the Data Protection Board or other authorized person to answer questions about the data processing. The DF shall establish an effective mechanism to address the grievances of the DP[9].
Processing of Children’s Data
Section 9 of the DPDP Act lays down the rules for processing children's data: before processing the personal data of a child or a person with disability, the DF must obtain consent from the parent or lawful guardian. The DF should not undertake processing of personal data that is likely to cause any detrimental effect on the well-being of the child. The DF cannot track children online, monitor their behavior, or use targeted advertising aimed at children. The Act allows exemptions for certain fiduciaries notified by the government[10].
Significant Data Fiduciaries
A Significant Data Fiduciary (SDF) is a classification assigned by the Central Government to Data Fiduciaries or classes of Data Fiduciaries based on factors such as the volume and sensitivity of personal data processed, the risk posed to the rights of the Data Principal, and potential impacts on national concerns like the sovereignty and integrity of India, the security of the State, electoral democracy, and public order. Processing the personal data of children is also considered in this assessment. Due to these high-risk factors, SDFs must fulfill several additional obligations: they must appoint a Data Protection Officer (DPO) who is based in India, is responsible to the Board of Directors or governing body, and serves as the point of contact for grievance redressal. Furthermore, the SDF is mandated to appoint an independent data auditor to evaluate its compliance with the Act. Finally, SDFs must undertake specific periodic measures, including conducting a Data Protection Impact Assessment (DPIA), a process that describes the rights of Data Principals and assesses and manages the risk to those rights, as well as carrying out periodic audits[11].
Rights and Duties of DP
1. Right to Access
The DP has the right to access information about her personal data from the DF, such as a summary of the personal data being processed, the processing activities undertaken, the identities of all other Data Fiduciaries and Data Processors with whom the personal data has been shared, and a description of the personal data shared with the other DF. This right to access information about personal data under section 11 does not apply when personal data is shared with another Data Fiduciary authorized by law and the sharing is in response to a written request for the prevention, detection or investigation of offenses, or the prosecution or punishment of offenses.[12]
2. Right to Correction, Completion, and Erasure
The DP shall have the right to correction, completion, updating and erasure of personal data for the processing of which she previously gave consent. Upon the DP's request, the DF shall correct inaccurate information, complete incomplete personal details, and update the personal data. The DP must submit a request for erasure to the DF in the prescribed manner. Once the request is received, the DF must erase the personal data. Erasure is not required, however, if retaining the data is necessary for the specified purpose or required for compliance with any law.[13]
3. Right to Grievance Redressal
The Data Principal has the right to readily available means of grievance redressal provided by the Data Fiduciary or Consent Manager. This redressal mechanism addresses any act or omission by the Fiduciary or Manager related to their obligations concerning the Principal’s personal data or the exercise of the Principal’s rights under the Act. The Data Fiduciary or Consent Manager is legally required to respond to such grievances within a prescribed period from the date of receipt, noting that this period may vary for different classes of Data Fiduciaries. Importantly, the DP must first give the Fiduciary or Consent Manager an opportunity to redress her grievance using these available means before she is allowed to approach the supervisory Board[14].
4. Right to Nominate
The DP shall have the right to nominate any other individual, in the prescribed manner, in case of the death or incapacity of the DP.[15]
Duties of DP
Under section 15 of the DPDP Act, the DP has the following duties:
- To comply with the laws.
- Not to impersonate or misrepresent another person.
- Not to suppress any material information while providing personal data to the DF.
- Not to register a false complaint with the Board.
- To furnish authentic information.[16]
Conclusion
The Digital Personal Data Protection Act, 2023, is a significant step in strengthening India’s commitment to protecting individual privacy in the digital era. Sections 4 through 15, discussed in this article, comprise the functional backbone of the Act, outlining how personal data should be acquired, processed, stored, and secured. Together, these principles create a structured framework that carefully balances individual rights, organizational obligations, and technological realities. At the foundation of this theoretical framework is the concept of informed and meaningful consent. By requiring free, precise, and unambiguous agreement, the Act empowers every individual to take control of their personal information. At the same time, acknowledging legitimate usage guarantees that critical public activities, legal duties, and emergency services are not jeopardized. This balanced strategy minimizes abuse while assuring efficient administrative and societal operations.
The Act also imposes strict requirements on Data Fiduciaries, requiring them to maintain accuracy, implement security protections, prevent breaches, delete data when no longer needed, and respond to complaints. These responsibilities represent a transition toward responsible and accountable data governance. The Act goes even further for high-risk companies, creating the notion of Significant Data Fiduciaries, who must adhere to stricter compliance requirements such as appointing a Data Protection Officer, conducting audits, and executing Data Protection Impact Assessments. Equally essential are the rights offered to Data Principals, such as access, correction, erasure, grievance redressal, and nomination, which all contribute to increased user autonomy. By imposing duties on Data Principals as well, the Act assures fairness on both sides and prohibits abuse of the system.
In essence, the DPDP Act of 2023 establishes a more transparent, secure, and accountable digital economy. As India’s digital footprint grows, these provisions serve an important role in fostering trust, encouraging responsible data use, and protecting each individual’s dignity and privacy.
[1] Section 2(j) of DPDP ACT 2023
[2] Section 2(i) of DPDP ACT 2023
[3] Section 2(g) of DPDP ACT 2023
[4] Section 2(k) of DPDP ACT 2023
[5] Section 4 of DPDP ACT 2023
[6] Section 6 of DPDP ACT 2023
[7] Section 5 of DPDP ACT 2023
[8] Section 7 of DPDP ACT 2023
[9] Section 8 of DPDP ACT 2023
[10] Section 9 of DPDP ACT 2023
[11] Section 10 of DPDP ACT 2023
[12] Section 11 of DPDP ACT 2023
[13] Section 12 of DPDP ACT 2023
[14] Section 13 of DPDP ACT 2023
[15] Section 14 of DPDP ACT 2023
[16] Section 15 of DPDP ACT 2023




