

"Who does DPDP apply to?" is the first question every business owner asks, and the answer is broader than most expect. The DPDP Act applicability rules cover any entity that processes digital personal data in India, plus foreign entities offering goods or services to people in India. There is no turnover threshold, no headcount limit, and no small-business carve-out.
The simplest test in the Act's logic: if you collect even one customer's email digitally, you are a Data Fiduciary and the law applies to you. That covers shops, clinics, schools, startups, agencies, and enterprises alike.
No cost. No obligation. Get your compliance gap report.
All digital personal data processed within India is covered, regardless of who processes it or how big they are.
Foreign entities offering goods or services to people in India must comply too, even with no office or server in India.
The Act covers digital personal data, but offline data that is later digitized (scanned forms, typed-up records) counts fully.
No turnover, revenue, or employee-count exemption exists. MSMEs and startups are covered exactly like large enterprises.
The exclusions are narrow, and they rarely help a business.
Note what is not on this list: small businesses, B2B companies, offline-first shops with a WhatsApp customer list, or businesses that "only" hold employee data. If your data touches a computer, the Act applies. If you run an MSME, see our dedicated DPDP for small business guide.
| Question | If Yes... |
|---|---|
| Do you store customer names, emails, or phone numbers digitally? | The DPDP Act applies to you |
| Do you have employees whose records sit in any software or spreadsheet? | The DPDP Act applies to you |
| Do you scan or type paper forms into a computer? | That digitized data is covered |
| Are you a foreign company selling to customers in India? | The DPDP Act applies to that data |
| Is your only "data" your own family contacts on your personal phone? | You are excluded (personal/domestic use) |
Now that you know the Act applies, see everything it requires: consent, security, breach reporting, penalties, and how to get compliant.
Any entity processing digital personal data in India, plus foreign entities offering goods or services to people in India. There is no turnover or size threshold: collecting even one customer's email digitally makes you a Data Fiduciary.
The Act covers digital personal data only, but offline data that is later digitized (a scanned form, a typed-up register) is fully covered. Since almost every business digitizes data somewhere, purely offline exclusion rarely helps in practice.
Yes. The Act has extraterritorial scope: foreign entities offering goods or services to people in India must comply for that data, even without an office or server in India.
Personal data processed for purely personal or domestic use, and most personal data made publicly available by the individual or under a legal obligation. Section 17 adds narrow exemptions for government, research, and legal purposes, but none of these amount to a business exemption.
Our free audit shows exactly which obligations apply to your business and where you fall short today.
Book Your Free DPDP AuditNo cost. No obligation. Get your compliance gap report.
Adri IT Software Solutions Pvt Ltd, an IT company based in Vadodara, helping businesses across Gujarat & India become DPDP-compliant before the deadline. Prefer to talk first? Let's Talk.
Disclaimer: This page is for general information only and is not legal advice. The content is based on the Digital Personal Data Protection Act, 2023 and the DPDP Rules, 2025 as published by the Government of India, explained here in simplified language. For the official text, please refer to the Ministry of Electronics and Information Technology (MeitY). Laws and deadlines may change. For a personalised assessment of your business, book a free DPDP audit with our team.