Scope and Key Definitions Under DPDP Act
- By Taxmann
- Last Updated on 4 May, 2025
The Digital Personal Data Protection (DPDP) Act, 2023 outlines a broad yet well-defined scope to determine when and how it applies to the processing of personal data. The Act applies to the processing of digital personal data within India, regardless of whether the data was originally collected in digital form or subsequently digitised. Additionally, its territorial scope extends to entities located outside India if they process personal data in connection with offering goods or services to individuals in India or engage in profiling of Indian users.
Table of Contents
- Why Scope Matters
- Territorial Reach
- Material Scope – Digital, Not Paper
- Bright‑Line Exclusions
- Key Definitions under DPDP Act
- Extraterritorial Compliance Checklist
- Conclusion
1. Why Scope Matters
Before diving into consent, rights or penalties, an organisation must ask: does the Digital Personal Data Protection Act (DPDP Act) 2023 apply to this activity? Section 3 of the Act casts a deliberately wide net, but also carves out clear exclusions. Understanding this boundary prevents over-compliance (wasting resources on purely offline data) and under-compliance (missing extraterritorial obligations).
2. Territorial Reach
Scenario | Covered? | Reasoning |
Bank in Mumbai processes customer KYC data | Yes | Processing occurs in India (Section 3 (1)(a)). |
German e‑commerce site ships to Delhi customers & stores their emails on EU servers | Yes | Processing outside India but in connection with offering goods/services to persons in India (Sec 3 (1)(b)). |
Singapore analytics firm profiles browsing behaviour of Indian users via cookies | Yes | “Profiling” + users in India triggers the extraterritorial clause. |
Canadian HR BPO unit processes the payroll of US employees only | No* | Personal data of Data Principals not in India; exempt under Sec 17 (4)(d). |
* If the same unit separately processes Indian data, only that slice falls within scope.
3. Material Scope – Digital, Not Paper
The DPDP Act governs “digital personal data” – any personal data in digital form, whether originally collected online or later digitised (Sec 2 (h), 2 (i)). Purely paper records that never enter an electronic system remain outside.
Compliance tip – once a paper record is scanned or typed into any IT system, all subsequent processing of that file is subject to the Act.
4. Bright‑Line Exclusions
- Personal or domestic use – e.g. a family’s shared photo folder (Sec 3 (2)(a)).
- Self‑published or statutorily‑published data – résumés voluntarily posted on LinkedIn; director details in MCA21 (Sec 3 (2)(b)).
- Government exemptions – notified agencies for sovereignty, security, public order (Sec 17 (2)(a)).
- Processing for legal proceedings, law enforcement or court orders (Sec 17 (2)(b)).
- Archival, research, statistical purposes under conditions (Sec 17 (4)(a)).
Where an exemption applies, only the specified provisions are lifted; others (notably reasonable security) may still bind if not expressly waived.
5. Key Definitions under DPDP Act
Term (Sec 2) | Practical Meaning |
Data Principal | The individual to whom personal data relates. For minors (<18 years) and persons with disabilities (requiring lawful guardianship), the parent/guardian is deemed the Data Principal. |
Data Fiduciary | Any person (natural or legal) who alone or in conjunction with others determines the purpose and means of processing personal data. |
Data Processor | Any person who processes data on behalf of a Data Fiduciary – e.g. cloud host, payroll vendor. |
Personal Data | Any data about an individual who is identifiable by or in relation to such data. No separate “sensitive” category; all personal data protected uniformly. |
Digital Personal Data | Personal data in electronic form. |
Processing | Any automated operation or set of operations performed on digital personal data. This includes collection, storage, retrieval, use, sharing, disclosure, erasure, etc. |
Personal Data Breach | Any unauthorised processing or accidental disclosure, loss, alteration, or access that compromises the confidentiality, integrity or availability of personal data. |
Significant Data Fiduciary (SDF) | A fiduciary notified by the government based on factors such as volume and sensitivity of personal data processed, risk to sovereignty and integrity of India, potential impact on electoral democracy, national security, public order or such other factors as may be prescribed. |
6. Extraterritorial Compliance Checklist
- Identify Indian Touch‑points – sales, website traffic, profiling cookies.
- Appoint an India‑facing contact – advisable even if not an SDF.
- Update privacy notice – reference applicability of DPDP Act.
- Prepare for Board inquiries – DPB can seek information cross‑border via mutual legal assistance.
- Contractual safeguards – incorporate DPDP clauses with Indian processors.
7. Conclusion
Scope analysis is the first compliance gate. If an activity falls inside the Act, the organisation must next implement consent or legitimate‑use protocols; if outside, document the rationale to evidence good‑faith assessment.