India: Data & Privacy
GDPR, CCPA, data subject requests, privacy rights
24 questions
✅
Consent & Rights (6)
What consent is required for processing personal data?
Consent for processing personal data in India must be free, informed, specific, unambiguous, and given through a clear affirmative action, as mandated by the Digital Personal Data Protection Act, 2023.
What rights do I have over my personal data under the new DPDPA?
Under the Digital Personal Data Protection Act, 2023 (DPDPA), you have rights to access, correction, erasure, grievance redressal, and data portability (where technically feasible) of your personal data.
Can I withdraw consent for data processing?
Yes, you can withdraw consent for data processing at any time under India’s Digital Personal Data Protection Act, 2023. The data fiduciary must stop processing your data promptly upon withdrawal.
What are legitimate uses of personal data without consent?
Under India's Digital Personal Data Protection Act, 2023, personal data may be processed without consent for specific legitimate uses — including compliance with law, judicial proceedings, medical emergencies, and employment-related purposes — provided such processing is necessary and proportionate.
Can companies process my data for research without consent?
Yes, companies in India may process personal data for research without consent under certain conditions, provided they anonymise the data and comply with safeguards under the Digital Personal Data Protection Act, 2023.
What duties do I have as a data principal?
As a data principal in India, you have rights to access, correction, erasure, and grievance redressal under the Digital Personal Data Protection Act, 2023 — and corresponding duties like providing accurate information and cooperating with verifications.
🛡️
Breach & Remedies (5)
What is a data breach notification obligation under DPDPA?
Under the Digital Personal Data Protection Act, 2023 (DPDPA), a data fiduciary must notify the Data Protection Board of India and affected individuals without undue delay upon becoming aware of a personal data breach that is likely to cause harm.
My Aadhaar data was leaked. What remedies do I have?
If your Aadhaar data was leaked, you may file a complaint with the UIDAI, seek compensation under the Aadhaar Act, and approach civil or criminal courts depending on the nature of the breach.
What is the penalty for DPDPA violations?
Penalties for violations of the Digital Personal Data Protection Act, 2023 (DPDPA) range from ₹50 crore to ₹250 crore, depending on the nature and severity of the breach.
Can I claim compensation for data breach under IT Act?
Yes, you can claim compensation for a data breach under Section 43A of the IT Act, 2000, if a body corporate fails to protect sensitive personal data and causes wrongful loss or gain.
How do I file a complaint about data misuse?
You can file a complaint about data misuse in India under the Digital Personal Data Protection Act, 2023, by submitting it to the Data Protection Board of India (DPBI) — either online or in writing — within 30 days of becoming aware of the breach.
🌍
Cross-Border Transfer (2)
Can a company transfer my data outside India?
Yes, a company can transfer your data outside India, but only if certain conditions under the Digital Personal Data Protection Act, 2023 are met — including adequacy determination or valid contracts.
How is 'significant data fiduciary' determined?
A 'significant data fiduciary' in India is determined by the Data Protection Authority based on factors like volume and sensitivity of personal data processed, turnover, risk of harm, and use of emerging technologies.
🆔
Aadhaar & RTI (4)
I filed an RTI but was denied information. Can I appeal?
Yes, you can appeal within 30 days to the First Appellate Authority under the RTI Act, and further to the Central or State Information Commission if needed.
What are the exemptions from RTI?
Under the RTI Act, 2005, certain information is exempt from disclosure — including national security, cabinet papers, and personal information unrelated to public activity — subject to public interest override.
Is Aadhaar number personal data under DPDPA?
Yes, Aadhaar number is personal data under the Digital Personal Data Protection Act, 2023, as it identifies an individual and falls within the statutory definition.
What data must government publish proactively under RTI?
Under the RTI Act, 2005, public authorities must proactively publish 17 categories of information—including budgets, organisational structure, decision-making processes, and details of subsidies—within 120 days of the Act’s commencement.
👶
Special Protections (3)
Can my employer monitor my work emails?
Yes, your employer can monitor work emails in India, as long as it is done for legitimate business purposes and complies with the IT Act and reasonable privacy expectations.
Is my child's data specially protected under DPDPA?
Yes, your child’s data is specially protected under the Digital Personal Data Protection Act, 2023, which treats children under 18 as 'children' and imposes strict restrictions on processing their data.
What is the IT Act section 66A controversy?
Section 66A of the IT Act, 2000 criminalised sending 'offensive' or 'menacing' electronic messages but was struck down by the Supreme Court in 2015 as unconstitutional and violative of free speech.
🏛️
Governance & Oversight (2)
Must companies appoint a Data Protection Officer?
No, Indian law does not currently mandate that companies appoint a Data Protection Officer (DPO). The Digital Personal Data Protection Act, 2023, does not include a DPO requirement.
What is the Data Protection Board of India?
The Data Protection Board of India (DPBI) is a statutory body established under the Digital Personal Data Protection Act, 2023 to oversee compliance, adjudicate breaches, and impose penalties for violations of data protection rules.
🗑️
Content Removal (2)
A website published defamatory content about me. How do I get it removed?
You can request removal directly from the website, file a complaint with the intermediary under IT Rules 2021, or approach a court for a takedown order under defamation law.
A social media platform won't remove my data. What can I do?
Under India's Digital Personal Data Protection Act, 2023, you have the right to request erasure of your personal data from a social media platform, and they must comply unless an exception applies. If they refuse, you may file a complaint with the Data Protection Board of India.