

The DPDP Act 2023 is organized into 9 chapters and 44 sections, plus a penalty schedule. Most business owners do not need to read all 44. They need a DPDP Act section wise summary of the dozen or so sections that actually change how they operate. That is exactly what this page gives you, in plain language.
With the DPDP Rules 2025 notified on 14 November 2025, every one of these sections is now backed by an active regulator and a live penalty framework, so understanding them is no longer optional homework.
No cost. No obligation. Get your compliance gap report.
| Section(s) | What It Covers | What It Means for Your Business |
|---|---|---|
| 3 | Where the Act applies | Covers digital personal data processed in India, and foreign processing connected to offering goods or services here. Personal or domestic use and data made publicly available by the person themselves are outside the Act. |
| 4-5 | Grounds for processing and notice | You may process personal data only with consent or under a listed legitimate use, and you must give a clear, itemized notice before or when asking for consent. |
| 6 | Consent | Consent must be free, specific, informed, unconditional, unambiguous, and a clear affirmative action. No pre-ticked boxes, and withdrawal must be as easy as giving consent. |
| 7 | Legitimate uses | The short list of consent-free grounds: voluntary provision, employment, government functions, medical emergencies, disasters, and legal obligations. Nothing like GDPR's "legitimate interest". |
| 8 | Data Fiduciary duties | Security safeguards, accuracy, breach reporting, data deletion when the purpose is served, grievance handling, and responsibility for your vendors. |
| 9 | Children's data | Verifiable parental consent for under-18s; no tracking, behavioral monitoring, or targeted ads at minors. Misuse sits in the Rs 200 Cr penalty tier. |
| 10 | Significant Data Fiduciaries | Government-designated high-volume or high-risk businesses get extra duties: India-based DPO, annual independent audits, and periodic DPIAs. |
| 11-14 | Rights of Data Principals | Your customers can access, correct, and erase their data, raise grievances (the DPDP Rules 2025 set a 90-day resolution window), nominate a representative, and withdraw consent. |
| 15 | Duties of Data Principals | Individuals have duties too: no impersonation, no false information, and no false or frivolous complaints, which carry a Rs 10,000 penalty. |
| 16 | Cross-border transfers | A blacklist model: transfers are allowed except to government-restricted countries. Sector rules such as RBI payment data localisation still apply. |
| 17 | Exemptions | Enforcing legal rights and claims, courts and tribunals, crime prevention and investigation, government and national security purposes, and research and statistics. (Personal use and publicly available data sit under Section 3.) See our full DPDP Act exemptions guide. |
| 18 onward | Data Protection Board of India | The adjudicating body, active since November 2025: it takes complaints, investigates breaches, and imposes penalties. Appeals go to TDSAT. |
| 33 | Penalties | Read with the schedule: up to Rs 250 Cr for missing security safeguards, Rs 200 Cr for breach-reporting failures or children's data misuse, Rs 150 Cr for SDF failures, Rs 50 Cr for other violations. |
Think of Sections 4-8 as your day-to-day operating rules (notice, consent, duties), Section 9 as the special regime if you ever touch children's data, Sections 11-14 as the customer-facing processes you must build, and Sections 17 and 33 as the boundaries: what is exempt, and what non-compliance costs.
In practice, compliance means mapping each of these sections to a working system in your business: consent records for Section 6, a breach runbook for Section 8, a grievance workflow for Sections 11-14, and vendor contracts because Section 8 keeps you responsible for your processors. Not sure whether the Act covers you at all? Start with DPDP Act applicability or the quick 5-minute DPDP Act summary.
See how all these sections come together into one practical compliance plan, deadlines, penalties, checklist, and services included.
The Act has 9 chapters and 44 sections, plus a penalty schedule. For most businesses, the sections that matter day to day are 4-6 (notice and consent), 7 (legitimate uses), 8 (duties), 9 (children), 10 (SDF), 11-14 (rights), 16-17 (transfers and exemptions), and 33 (penalties).
Section 6. Consent must be free, specific, informed, unconditional, unambiguous, and given through a clear affirmative action, with withdrawal as easy as giving it. Sections 4 and 5 set the notice requirements and lawful grounds around it.
Section 33, read with the penalty schedule: up to Rs 250 crore for missing security safeguards, Rs 200 crore for failing to report a breach or misusing children's data, Rs 150 crore for SDF failures, and Rs 50 crore for other violations, applied per violation.
You need to comply with every section that applies to your processing. Which ones those are depends on your data, your customers, and your sector. Our free audit maps the Act's sections to your actual business and tells you exactly which gaps to close.
Our free audit maps every relevant section of the Act to your systems and shows you what to fix first.
Book Your Free DPDP AuditNo cost. No obligation. Get your compliance gap report.
Adri IT Software Solutions Pvt Ltd, an IT company based in Vadodara, helping businesses across Gujarat & India become DPDP-compliant before the deadline. Prefer to talk first? Let's Talk.
Disclaimer: This page is for general information only and is not legal advice. The content is based on the Digital Personal Data Protection Act, 2023 and the DPDP Rules, 2025 as published by the Government of India, explained here in simplified language. For the official text, please refer to the Ministry of Electronics and Information Technology (MeitY). Laws and deadlines may change. For a personalised assessment of your business, book a free DPDP audit with our team.