The Digital Personal Data Protection Act, 2023 applies to every business that collects or processes personal data of individuals in India digitally — regardless of size, revenue, or location. E-commerce, SaaS, EdTech, healthcare, freelancers, social sellers — all are covered. The DPDP Rules, 2025 (notified November 13, 2025) specify the operational requirements: consent flows, security safeguards, breach reporting, and more. Non-compliance can attract penalties up to ₹250 crore per violation.
The DPDP Rules 2025, notified November 13, 2025 (Rule 3–16 effective May 13, 2027), add several critical operational requirements: (1) 1-year minimum retention of processing logs for all Data Fiduciaries (Rule 6 + Rule 8); (2) 48-hour advance notice before deletion for large platforms; (3) Grievance redressal must be completed within 90 days (Rule 9); (4) Every personal data breach triggers DPBI notification within 72 hours — no minimum severity threshold (Rule 7); (5) Consent notice must be standalone and independent of any other document (Rule 3); (6) Verifiable parental consent for minors must use identity verification, including DigiLocker (Rule 10).
Per the DPDP Act schedule: ₹250 crore — failure to implement reasonable security safeguards; ₹200 crore — failure to notify DPBI of a breach within 72 hours; ₹200 crore — processing children's data without verifiable parental consent; ₹150 crore — failure to meet Significant Data Fiduciary (SDF) obligations; ₹50 crore each — no privacy policy, processing without consent, no Grievance Officer, retaining data beyond its purpose, or ignoring erasure requests.
Yes — and this is one of the most common misconceptions. Amazon's or Flipkart's DPDP compliance covers their own data processing, not yours. As a marketplace seller, you independently receive and process customer data (order details, contact info, returns). You are separately required to have your own privacy policy, consent mechanism, and data handling process. Every seller portal login where you see customer data makes you a Data Fiduciary under the DPDP Act.
Rule 6 and Rule 8 of the DPDP Rules 2025 introduce a 1-year minimum retention floor for all Data Fiduciaries. Processing logs, associated traffic data, and certain system records must be retained for at least one year to support breach detection, investigation, and lawful requests — even if you would otherwise delete them sooner. This is a new requirement not present in the DPDP Act itself. After the 1-year minimum, data that has served its purpose must be erased unless another law (e.g. GST Act) requires longer retention.