AIBE 2026 – Digital Personal Data Protection Act, 2023

AIBE 2026 Revision Resource

Digital Personal Data
Protection Act, 2023

Complete Bare Act–Based Study Module · Section-wise · MCQs · Quick Revision

📘 No. 22 of 2023 📅 Assented: 11 Aug 2023 ⚖️ 44 Sections · 1 Schedule 🏛️ 9 Chapters

📋 Table of Contents

01 Introduction & Overview

02 Chapter-wise Study Tabs

03 Key Definitions Table

04 Data Fiduciary Obligations

05 Rights & Duties Table

06 Penalties Schedule

07 Act Structure Flowchart

08 Quick Revision Mind Map

09 Study Roadmap

10 Section-wise MCQs (20)

11 Argument-wise MCQs (20)

12 Statement-wise MCQs (20)

13 Short Answer Questions (15)

14 Descriptive Questions (8)

15 Complete Answer Key

16 AIBE Quick Revision Cards

📖 Introduction to the DPDP Act, 2023

🎯 Object & Purpose

The Act provides for processing of digital personal data in a manner that recognises both the right of individuals to protect their personal data and the need to process such data for lawful purposes.

📱 What is Digital Personal Data?

Any data about an individual who is identifiable by or in relation to such data, existing in digital form (or non-digital form that is later digitised).

⚖️ Why Important for AIBE?

DPDP Act 2023 is the first standalone data protection legislation in India. It amended the IT Act 2000, RTI Act 2005, and TRAI Act 1997. Penalties, Board powers, and consent rules are high-yield AIBE topics.

🔒 Privacy & Lawful Processing

Processing is lawful only when the Data Principal gives free, specific, informed, unconditional and unambiguous consent, OR when it falls under certain legitimate uses listed in Section 7.

Ch. I
Preliminary

→

Ch. II
Obligations

→

Ch. III
Rights

→

Ch. IV
Special

→

Ch. V
Board

→

Ch. VI
Powers

→

Ch. VII
Appeals

→

Ch. VIII
Penalties

→

Ch. IX
Misc.

📚 Chapter-wise Study Tabs

Chapter I – Preliminary (Sections 1–3)

Simple English: The Act is officially called the "Digital Personal Data Protection Act, 2023." It shall come into force on the date the Central Government notifies in the Official Gazette. Different dates may be notified for different provisions.

📌 AIBE Takeaway

The Act was assented to on 11 August 2023 (No. 22 of 2023). Commencement is by notification — not on assent date. This is a classic exam trap.

⚠️ Common Trap

Students confuse the date of assent (11 August 2023) with the date of commencement. The commencement date is separately notified by the Central Government.

Key Definitions (Section 2):

Term	Definition (Simplified)	Key Point
Personal Data	Any data about an individual who is identifiable by or in relation to such data	Must identify the person
Digital Personal Data	Personal data in digital form	Core subject matter of the Act
Data Fiduciary	Person who determines the purpose and means of processing personal data	Can be individual, company, State, etc.
Data Principal	The individual to whom the personal data relates	For a child, includes parent/guardian
Data Processor	Person who processes data on behalf of a Data Fiduciary	Works under contract; distinct from Fiduciary
Child	Individual who has not completed the age of 18 years	No distinction between 13 and 18 here
Consent Manager	Registered person who acts as single point of contact for managing consent	Must be registered with the Board
Processing	Wholly or partly automated operation on digital personal data (collection, storage, use, sharing, erasure, etc.)	Very wide definition
Board	Data Protection Board of India established under Section 18	Not a court; functions as digital office
Significant Data Fiduciary	Any Data Fiduciary notified by Central Government under Section 10	Has additional obligations
Data Protection Officer (DPO)	Individual appointed by a Significant Data Fiduciary under §10(2)(a)	Must be India-based
Appellate Tribunal	TDSAT (Telecom Disputes Settlement and Appellate Tribunal) under TRAI Act 1997	Not a new body; existing TDSAT given new role

⚠️ Common Trap

Data Fiduciary ≠ Data Processor. The Fiduciary decides why and how; the Processor merely executes processing under a contract with the Fiduciary.

Applies to:

Processing of digital personal data within India (whether collected in digital form or collected in non-digital form and later digitised)
Processing of digital personal data outside India if done in connection with offering goods or services to Data Principals within India

Does NOT apply to:

Personal data processed by an individual for personal or domestic purposes (e.g., your personal contacts list)
Personal data made publicly available by the Data Principal herself, or by a person obligated by law to make it public

📌 Bare Act Illustration

X, while blogging, publicly makes her personal data available on social media → Act does NOT apply.

⚠️ Exam Trap

The Act has extra-territorial application — it applies even to data processing done outside India if it is in connection with offering goods or services to persons within India.

Chapter II – Obligations of Data Fiduciary (Sections 4–10)

A person may process personal data of a Data Principal only:

For a lawful purpose (any purpose not expressly forbidden by law), AND
Either with the Data Principal's consent, OR
For certain legitimate uses (listed in Section 7)

📌 Example

A hospital can process your health data without your explicit consent during a medical emergency (legitimate use under §7(f)), but for routine appointments, it needs your consent.

Every request for consent must be accompanied or preceded by a notice informing the Data Principal of:

(i) The personal data and purpose for which it will be processed
(ii) How to exercise rights (withdraw consent / approach Board)
(iii) How to complain to the Board

Existing consent (pre-Act): Where consent was given before commencement of the Act, the Data Fiduciary must give a similar notice "as soon as reasonably practicable." Processing may continue until consent is withdrawn.

The Data Principal must be given the option to access the notice in English or any language in the 8th Schedule to the Constitution.

⚠️ Exam Trap

Notice is mandatory even for pre-Act consents. Failure to give notice = breach of Section 5.

Consent must be: Free · Specific · Informed · Unconditional · Unambiguous with a clear affirmative action.

Consent is limited to personal data necessary for the specified purpose (data minimisation principle).

Withdrawal of Consent [§6(4)]: Data Principal can withdraw consent at any time with the same ease as giving it. Consequences of withdrawal are borne by the Data Principal.

After withdrawal [§6(6)]: Data Fiduciary must cease processing within a reasonable time, and must also cause Data Processors to stop.

Consent Manager [§6(7)–(9)]: Data Principal may manage consent through a Consent Manager. The Consent Manager must be registered with the Board.

Burden of proof [§6(10)]: In any proceeding, the Data Fiduciary must prove that notice was given and consent was obtained.

⚠️ Exam Trap

A waiver of the right to file a complaint with the Board as part of consent is INVALID (§6(2) illustration). Data Principals cannot waive statutory rights through consent clauses.

Processing is permitted WITHOUT fresh consent in 9 situations:

Clause	Legitimate Use
(a)	Data Principal voluntarily provided data for specified purpose and has not objected
(b)	State processing for subsidies, benefits, services, certificates, licences, permits
(c)	State processing for functions under law or for sovereignty/integrity/security
(d)	Fulfilling legal obligation to disclose information to State
(e)	Compliance with court/tribunal judgment or decree
(f)	Medical emergency — threat to life or immediate threat to health
(g)	Medical treatment during epidemic, outbreak of disease, or public health threat
(h)	Safety/assistance during disaster or breakdown of public order
(i)	Employment purposes — prevention of corporate espionage, trade secrets, confidentiality

📌 Example

During COVID-19, a hospital could process patient data without separate consent under §7(g) — public health emergency exemption.

§8(1): Responsible for compliance even if Data Processor commits a breach
§8(2): Can appoint Data Processor only under a valid contract
§8(3): Must ensure data accuracy/completeness if used for decisions affecting the Data Principal or shared with another Fiduciary
§8(4): Must implement appropriate technical and organisational measures
§8(5): Must take reasonable security safeguards to prevent data breach
§8(6): On data breach → must notify the Board AND each affected Data Principal
§8(7): Must erase data when: (a) consent withdrawn, or (b) specified purpose no longer served
§8(9): Must publish contact info of DPO (or contact person)
§8(10): Must establish effective grievance redressal mechanism

⚠️ Exam Trap

The Data Fiduciary is responsible for the Data Processor's acts. You cannot escape liability by outsourcing processing.

Child = under 18 years
Must obtain verifiable consent of parent/lawful guardian before processing
Prohibited: Processing likely to cause detrimental effect on child's well-being
Prohibited: Tracking or behavioural monitoring of children
Prohibited: Targeted advertising directed at children
Central Government may notify certain Fiduciaries who may be exempt from §9(1) and (3) if their processing is verifiably safe

📌 Example

A gaming app targeting children cannot track their usage patterns or show them targeted ads without the verifiable consent of their parent.

Central Government may notify any Data Fiduciary as a Significant Data Fiduciary based on factors including:

Volume and sensitivity of personal data processed
Risk to rights of Data Principal
Potential impact on sovereignty and integrity of India
Risk to electoral democracy, security of State, public order

Additional obligations of Significant Data Fiduciary:

Appoint a Data Protection Officer (DPO) — must be India-based, responsible to Board of Directors
Appoint an independent data auditor for compliance evaluation
Conduct periodic Data Protection Impact Assessment (DPIA)
Conduct periodic audit

⚠️ Exam Trap

DPO is only required for Significant Data Fiduciary, not every Data Fiduciary. The DPO must be based in India.

Chapter III – Rights and Duties of Data Principal (Sections 11–15)

A Data Principal has the right to obtain from the Data Fiduciary:

(a) A summary of personal data being processed and the processing activities
(b) Identities of all other Data Fiduciaries and Data Processors with whom data was shared
(c) Any other prescribed information

Exception [§11(2)]: The right under (b) and (c) does not apply when data was shared with a Data Fiduciary authorised by law for prevention/detection/investigation of offences or cyber incidents.

A Data Principal has the right to:

Correction of inaccurate or misleading personal data
Completion of incomplete personal data
Updating of personal data
Erasure of personal data

The Data Fiduciary must erase data on request, unless retention is necessary for the specified purpose or compliance with law.

⚠️ Exam Trap

The right to erasure is not absolute. Data Fiduciary can refuse erasure if retention is legally required (e.g., bank records under banking law).

Data Principal has the right to readily available grievance redressal from Data Fiduciary or Consent Manager.

Important: The Data Principal must first exhaust grievance redressal with the Data Fiduciary before approaching the Board. This is a mandatory pre-condition.

⚠️ Exam Trap

Direct complaint to the Board without first exhausting the Data Fiduciary's grievance mechanism is not permitted. Grievance redressal is a prerequisite.

A Data Principal may nominate another individual to exercise her rights in the event of her death or incapacity.

"Incapacity" means inability to exercise rights due to unsoundness of mind or infirmity of body.

📌 Example

Priya nominates her daughter to manage her data privacy rights. If Priya becomes mentally incapacitated, her daughter can exercise rights such as requesting erasure or correction of Priya's data.

The Data Principal must:

(a) Comply with applicable laws while exercising rights
(b) Not impersonate another person while providing personal data
(c) Not suppress material information for State-issued documents (ID, address proof, etc.)
(d) Not register a false or frivolous grievance or complaint with a Data Fiduciary or Board
(e) Furnish only verifiably authentic information when exercising right to correction or erasure

⚠️ Exam Trap

Data Principals also have duties, not just rights. Filing a false complaint = breach of §15(d). Penalty for breach of duties: up to ₹10,000.

Chapter IV – Special Provisions (Sections 16–17)

Central Government may, by notification, restrict transfer of personal data by a Data Fiduciary to countries/territories outside India.

The Section does not restrict any existing law that provides higher protection for cross-border data transfer.

⚠️ Exam Trap

There is no blanket ban on cross-border data transfer. The Central Government may restrict transfer to specific countries — but this is notification-based, not automatic.

§17(1) — Chapter II & III do not apply where:

Clause	Exemption Ground
(a)	Processing to enforce legal right or claim
(b)	Court/tribunal/regulatory body performing judicial or quasi-judicial function
(c)	Prevention, detection, investigation, prosecution of offences
(d)	Processing of data of non-India Data Principals under contract with a foreign person
(e)	Processing for scheme of compromise, merger, amalgamation, demerger approved by court
(f)	Ascertaining financial info of a loan defaulter (as per IBC 2016 definitions)

§17(2) — Entire Act does not apply to:

(a) State instrumentality notified by Central Government for sovereignty, State security, public order
(b) Research, archiving or statistical purposes (if no decision-specific use)

§17(3): Central Government may notify certain Data Fiduciaries (including startups) as exempt from Sections 5, 8(3), 8(7), 10, and 11.

§17(5): Within five years of commencement, Central Government may suspend any provision for specified Data Fiduciaries.

⚠️ Exam Trap

Even under §17(1) exemptions, §8(1) (fiduciary responsibility) and §8(5) (security safeguards) still apply — they are explicitly excluded from the exemption carve-out.

Chapter V – Data Protection Board of India (Sections 18–26)

§18: Central Government establishes the Data Protection Board of India. It is a body corporate with perpetual succession, common seal, and power to sue and be sued. Headquarters: as notified by Central Government.

§19: Board consists of a Chairperson + such number of Members as Central Government may notify. Appointed by Central Government in prescribed manner.

Qualifications: Person of ability, integrity, and standing with special knowledge or practical experience in data governance, law, ICT, digital economy, consumer protection, or related fields. At least one Member must be an expert in law.

§20: Term = 2 years, eligible for re-appointment. Salary as prescribed; cannot be varied to their disadvantage after appointment.

§21 — Disqualifications:

Adjudged insolvent
Convicted of offence involving moral turpitude
Physically or mentally incapable
Acquired prejudicial financial/other interest
Abused position to the detriment of public interest

Natural justice: Cannot be removed without opportunity of being heard.

§22: Resignation effective from date Central Government permits relinquishment, or 3 months from notice, or successor entering office — whichever is earliest. One-year cooling-off period after ceasing office (cannot accept employment with any Data Fiduciary against whom proceedings were initiated, without prior approval).

§23: Board may transact business by digital means. Acts not invalid merely because of vacancy, defect in constitution, or irregularity in procedure. Senior-most Member discharges functions of Chairperson during his absence.

§24: Board may appoint officers and employees with Central Government's prior approval.

§25: Chairperson, Members, officers and employees are deemed public servants under Section 21 of IPC (now BNS).

§26 — Chairperson's Powers:

General superintendence of all administrative matters
Authorise officers to scrutinise complaints/intimations
Allocate proceedings among individual Members or groups

Chapter VI – Powers, Functions & Procedure of Board (Sections 27–28)

The Board can act:

(a) On receipt of intimation of personal data breach (§8(6)) — direct urgent remedial measures and inquire and impose penalty
(b) On complaint by Data Principal / reference by Central or State Government / court direction — inquire and impose penalty
(c) On complaint about Consent Manager's breach of obligations
(d) On intimation of breach of Consent Manager's registration conditions
(e) On reference by Central Government about intermediary's breach (§37(2))

Board may issue directions after giving opportunity of being heard and recording reasons. Persons must comply with directions.

Board may modify, suspend, withdraw or cancel its directions on representation.

The Board is an independent body and functions as a digital office — proceedings are digital by design.

Process:

Board determines if there are sufficient grounds to proceed
If insufficient → close proceedings with written reasons
If sufficient → conduct inquiry following principles of natural justice
Same powers as a civil court under CPC 1908 (summoning witnesses, receiving affidavit evidence, inspecting documents)
Board shall not prevent access to premises or seize equipment that affects day-to-day functioning
Can issue interim orders during inquiry
On completion: close proceedings OR proceed to Section 33 (impose penalty)
If complaint is false/frivolous → can issue warning or impose costs on complainant

⚠️ Exam Trap

The Board has civil court powers under CPC but is NOT a civil court itself. It is a regulatory body functioning as a digital office.

Chapter VII – Appeal and Alternate Dispute Resolution (Sections 29–32)

Any person aggrieved by a Board order may appeal to the Appellate Tribunal (TDSAT).

Appeal must be filed within 60 days of receiving the order
Tribunal may condone delay if sufficient cause is shown
Tribunal endeavours to dispose appeal within 6 months; if not, must record reasons
Tribunal functions as a digital office

Further appeal against TDSAT orders: under Section 18 of the TRAI Act 1997 (i.e., to the High Court / Supreme Court as applicable).

TDSAT orders are executable as a decree of a civil court. The Tribunal may also transmit the order to a civil court for execution.

If the Board thinks a complaint may be resolved by mediation, it may direct parties to attempt mediation through a mutually agreed mediator or as provided by law.

At any stage of proceedings, the Board may accept a voluntary undertaking from any person to:

Take specific action within a determined time, or
Refrain from taking certain action, or
Publicise the undertaking

Acceptance of voluntary undertaking = bar on proceedings (for contents of undertaking).

If person fails to honour the undertaking → breach deemed to be breach of the Act → Board proceeds under Section 33 (penalties).

⚠️ Exam Trap

Voluntary undertaking is accepted during proceedings — it can even be accepted before inquiry is complete. Board can vary terms with the person's consent.

Chapter VIII – Penalties and Adjudication (Sections 33–34)

If the Board concludes that a breach is significant, it may impose monetary penalty as per the Schedule (after giving opportunity of being heard).

Factors for determining penalty amount [§33(2)]:

Nature, gravity and duration of breach
Type and nature of personal data affected
Repetitive nature
Gain realised or loss avoided due to breach
Mitigation steps taken and their timeliness
Proportionality and effectiveness
Likely impact of penalty on the person

⚠️ Exam Trap

The penalty is monetary only — there is no criminal imprisonment provision in the DPDP Act 2023. This is very different from many other Indian regulatory statutes.

All sums realised as penalties are credited to the Consolidated Fund of India — not to the Board's own funds or to the Data Principal as compensation.

⚠️ Exam Trap

Penalties go to the Consolidated Fund of India, NOT to the affected Data Principal. The Data Principal has no entitlement to penalty proceeds.

Chapter IX – Miscellaneous (Sections 35–44)

No suit, prosecution or legal proceedings shall lie against Central Government, Board, Chairperson, Member, officer or employee for anything done in good faith under the Act.

§36: Central Government may require the Board, any Data Fiduciary, or intermediary to furnish information.

§37 — Blocking of access: Central Government (or authorised officer) may direct blocking of access to information/platforms hosted by a Data Fiduciary if:

Board has imposed monetary penalty on two or more occasions, AND
Board advises blocking is in the interest of general public

After giving the Data Fiduciary an opportunity to be heard. The blocking direction is issued to government agencies or intermediaries. "Computer resource", "information" and "intermediary" have meanings from the IT Act 2000.

⚠️ Exam Trap

Blocking under §37 requires penalties on at least two occasions — one penalty is not sufficient. Also, the Board advises; the Central Government decides.

§38: The Act is in addition to, not in derogation of, other laws. In case of conflict, provisions of the DPDP Act shall prevail.

§39: No civil court has jurisdiction over matters for which the Board is empowered. No injunction shall be granted by any court in respect of Board actions.

§40: Central Government may make rules by notification, with prior publication condition.

§41: Rules and certain notifications must be laid before each House of Parliament for a total of 30 days.

§42: Central Government may amend the Schedule by notification, but no amendment can increase any penalty to more than twice the original amount.

§43: Power to remove difficulties: Central Government may make provisions by order within 3 years of commencement.

§44 — Key Amendments made by this Act:

TRAI Act 1997: TDSAT's jurisdiction expanded to include DPDP Act appeals
IT Act 2000: Section 43A (compensation for failure to protect data) was omitted; Section 81 proviso amended to include DPDP Act
RTI Act 2005: Section 8(1)(j) amended — now simply reads "information which relates to personal information" (broader exemption from disclosure)

⚠️ Exam Trap

Section 43A of IT Act 2000 (body corporate compensation) has been omitted by the DPDP Act 2023. The DPDP Act is now the governing framework for data protection penalties.

📖 Important Definitions — Quick Reference Table

Term	Section	Key Elements	Exam Tip
Personal Data	§2(t)	Any data about an identifiable individual	Must identify the person
Digital Personal Data	§2(n)	Personal data in digital form	Core subject of Act
Data Fiduciary	§2(i)	Determines purpose and means of processing	Controller equivalent
Data Principal	§2(j)	Individual to whom data relates; for child = parent/guardian	Rights holder
Data Processor	§2(k)	Processes on behalf of Data Fiduciary	Under contract only
Child	§2(f)	Under 18 years	No 13-year threshold
Consent Manager	§2(g)	Single point of contact for consent management; Board-registered	Must be registered
Processing	§2(x)	Wholly/partly automated operations on digital personal data	Includes erasure too
Personal Data Breach	§2(u)	Unauthorised/accidental compromise of confidentiality, integrity, availability	Notification mandatory
Significant Data Fiduciary	§2(z)	Notified by Central Government under §10	Additional obligations
DPO	§2(l)	Appointed by Significant Data Fiduciary; India-based	Only for SDF
Appellate Tribunal	§2(a)	TDSAT under TRAI Act 1997 §14	Not a new body
Board	§2(c)	Data Protection Board of India; body corporate	Digital by design
Specified Purpose	§2(za)	Purpose mentioned in notice by Data Fiduciary	Links notice to consent
Certain Legitimate Uses	§2(d)	Uses referred to in §7	No consent needed

⚙️ Data Fiduciary Obligations — Summary Table

Section	Obligation	Applies To
§5	Give notice before or with consent request	All Data Fiduciaries
§6(1)	Obtain free, specific, informed, unconditional, unambiguous consent	All Data Fiduciaries
§6(6)	Cease processing after consent withdrawal (within reasonable time)	All Data Fiduciaries
§8(1)	Remain responsible for Data Processor's acts	All Data Fiduciaries
§8(2)	Engage Data Processor only under valid contract	All Data Fiduciaries
§8(3)	Ensure data accuracy before decision-making or sharing	All Data Fiduciaries
§8(5)	Implement security safeguards to prevent data breach	All Data Fiduciaries
§8(6)	Notify Board + affected Data Principals of data breach	All Data Fiduciaries
§8(7)	Erase data when purpose served or consent withdrawn	All Data Fiduciaries
§8(10)	Establish grievance redressal mechanism	All Data Fiduciaries
§9(1)	Obtain verifiable parental consent for children's data	All Data Fiduciaries
§9(2)	No processing harmful to child's well-being	All Data Fiduciaries
§9(3)	No tracking/behavioural monitoring/targeted ads for children	All Data Fiduciaries
§10(2)(a)	Appoint India-based DPO responsible to Board of Directors	Significant Data Fiduciaries only
§10(2)(b)	Appoint independent data auditor	Significant Data Fiduciaries only
§10(2)(c)	Conduct periodic DPIA and audit	Significant Data Fiduciaries only

👤 Rights & Duties of Data Principal — Summary Table

✅ Rights of Data Principal

Section	Right
§11	Right to access information — summary of data, identities of third parties who received data
§12	Right to correction, completion, updating and erasure of personal data
§13	Right of grievance redressal from Data Fiduciary or Consent Manager
§14	Right to nominate another person to exercise rights in case of death or incapacity

⚠️ Duties of Data Principal

Section	Duty
§15(a)	Comply with applicable laws while exercising rights
§15(b)	Not impersonate another person while providing data
§15(c)	Not suppress material information for State documents
§15(d)	Not register false or frivolous grievance/complaint
§15(e)	Furnish only verifiably authentic information for correction/erasure requests

💰 Penalties — The Schedule [See §33(1)]

Sl.No.	Breach	Maximum Penalty	Memory Aid
1	Failure to take reasonable security safeguards to prevent personal data breach (§8(5))	₹250 Crore	🔴 Highest — Safeguards
2	Failure to notify Board or Data Principal of personal data breach (§8(6))	₹200 Crore	🟠 Notification failure
3	Breach of additional obligations related to children (§9)	₹200 Crore	🟠 Children's data
4	Breach of additional obligations of Significant Data Fiduciary (§10)	₹150 Crore	🟡 SDF obligations
5	Breach of duties by Data Principal (§15)	₹10,000	🟢 Data Principal duties
6	Breach of voluntary undertaking accepted by Board (§32)	Up to applicable extent	🔵 Voluntary undertaking
7	Breach of any other provision of this Act or rules	₹50 Crore	🟣 General breach

📌 Key Points: All penalties are monetary only — no imprisonment. Penalties go to Consolidated Fund of India. Central Government can amend Schedule but cannot increase any penalty to more than twice the original amount (§42).

🔀 DPDP Act Structure — Flowchart

🧠 Quick Revision Mind Map

🗺️ AIBE 2026 Study Roadmap — DPDP Act

Read the Bare Act

Read all 44 sections of the DPDP Act 2023 once end-to-end. Focus on the illustrations provided in the Act — they are direct exam material.

Foundation · 2 Days

↓

Master Key Definitions (§2)

Memorise all 27 definitions. Especially: Data Fiduciary vs. Data Processor, Data Principal, Child, Consent Manager, SDF, DPO, Appellate Tribunal, Personal Data Breach.

High Priority · 1 Day

↓

Chapter II — Obligations (§4–10)

Master the Notice + Consent + Withdrawal framework. Learn all 9 legitimate uses under §7. Memorise obligations under §8. Note children and SDF obligations separately.

Very High Priority · 2 Days

↓

Chapter III — Rights and Duties (§11–15)

Learn all 4 rights. Note the duties of Data Principal under §15. Remember: grievance redressal must be exhausted before approaching Board. Nomination right under §14.

High Priority · 1 Day

↓

The Schedule — Penalties

Memorise all 7 penalty entries. Know the descending order: ₹250Cr → ₹200Cr (x2) → ₹150Cr → ₹50Cr → ₹10,000. Remember: no imprisonment, penalties to CFI.

Very High Priority · 1 Day

↓

Board and Appeals (Ch. V–VII)

Understand Board's setup, term, disqualification, public servant status. Learn appeal to TDSAT (60 days), §30 decree execution, §31 mediation, §32 voluntary undertaking.

Medium Priority · 1 Day

↓

§44 Amendments + Miscellaneous

Study what the DPDP Act amended: IT Act §43A (omitted), RTI §8(1)(j) (amended), TRAI Act (TDSAT jurisdiction expanded). §38 (Act prevails on conflict), §39 (bar of jurisdiction).

Medium Priority · 1 Day

↓

Practice MCQs + Quick Revision

Solve all 60 MCQs in this module. Review answer key. Use quick revision cards for last-hour revision. Focus on trap questions and penalty amounts.

Final Step · 2 Days

✏️ Short Answer Questions (15 Questions)

1. What is the difference between a Data Fiduciary and a Data Processor under the DPDP Act, 2023?

2. What are the essential elements of valid consent under Section 6 of the DPDP Act?

3. List any five "certain legitimate uses" under Section 7 for which no consent is required.

4. What obligations does a Data Fiduciary have under Section 8(6) and 8(7) of the DPDP Act?

5. What additional obligations are imposed on a Significant Data Fiduciary under Section 10?

6. List all four rights available to a Data Principal under Chapter III of the DPDP Act, 2023.

7. What are the duties of a Data Principal under Section 15?

8. When does Section 3(c) exclude the application of the DPDP Act?

9. What is the role of a Consent Manager under the DPDP Act?

10. What are the disqualifications for appointment as Chairperson or Member of the Board under Section 21?

11. Within how many days must an appeal against a Board order be filed before the Appellate Tribunal?

12. What is the maximum penalty for breach of obligations related to children's data under the Schedule?

13. What are the key amendments made by Section 44 of the DPDP Act to the IT Act, 2000?

14. Under Section 37, what are the conditions required before the Central Government can direct blocking of a Data Fiduciary's platform?

15. How does Section 38 of the DPDP Act deal with conflicts between the DPDP Act and other laws?

📝 Descriptive / Long Answer Questions (8 Questions)

DQ1.

Consent, Notice and Withdrawal under the DPDP Act, 2023

Explain the Notice and Consent framework under Sections 5 and 6 of the DPDP Act, 2023. What are the elements of valid consent? How is consent given through a Consent Manager? Discuss the right to withdraw consent and its consequences as provided in the Bare Act.

DQ2.

General Obligations of a Data Fiduciary (Section 8)

Critically examine the general obligations imposed on a Data Fiduciary under Section 8 of the DPDP Act, 2023. What are the consequences of a personal data breach? Can a Data Fiduciary escape liability by assigning processing to a Data Processor?

DQ3.

Rights of Data Principal and Role of Grievance Redressal

Enumerate and explain all the rights conferred on a Data Principal under Chapter III of the DPDP Act, 2023. Discuss the right to nominate and the grievance redressal mechanism. What duties does the Data Principal owe under Section 15?

DQ4.

The Schedule of Penalties under the DPDP Act, 2023

Discuss the penalty framework under the DPDP Act, 2023. Explain all seven penalty entries in the Schedule. What factors guide the Board in determining penalty amounts? How does Section 42 limit the Central Government's power to amend the Schedule?

DQ5.

Data Protection Board of India — Constitution, Powers and Procedure

Describe the constitution, qualification, term, and disqualification of the Data Protection Board of India. Explain the Board's powers under Section 27 and the procedure under Section 28. How does the Board's digital-by-design approach differ from traditional regulatory bodies?

DQ6.

Exemptions under Section 17 of the DPDP Act

Explain the various exemptions from the provisions of the DPDP Act, 2023 under Section 17. When do exemptions under Section 17(1) apply? What is the significance of Section 17(2)(a) and (b)? Are there exemptions even for Significant Data Fiduciaries?

DQ7.

Amendments Made by DPDP Act 2023 to Other Laws

Explain the amendments made by Section 44 of the DPDP Act, 2023 to the IT Act 2000, the TRAI Act 1997, and the RTI Act 2005. What was Section 43A of the IT Act, and why was it omitted? How does the amendment to Section 8(1)(j) of the RTI Act affect the right to information?

DQ8.

Obligations of Significant Data Fiduciary and Processing of Children's Data

What criteria does the Central Government consider when notifying a Data Fiduciary as Significant under Section 10? Discuss the additional obligations imposed. Separately explain the special protections available to children under Section 9, including prohibition on tracking and targeted advertising.

🔑 Complete Answer Key

Section-wise MCQ Answers (SW1–SW20)

SW1BAssented 11th August 2023 (§1)

SW2CChild = not completed 18 years (§2(f))

SW3BDetermines purpose and means of processing (§2(i))

SW4BExtra-territorial application for goods/services to Indian Data Principals (§3(b))

SW5CNo 30-day restriction; consent can be withdrawn at any time with comparable ease (§6(4))

SW6CData Fiduciary bears the burden of proof (§6(10))

SW7BMust notify both Board and each affected Data Principal (§8(6))

SW8BTracking/behavioural monitoring and targeted advertising prohibited (§9(3))

SW9CDPO required only for Significant Data Fiduciary (§10(2)(a))

SW10CMandatory to exhaust Data Fiduciary's grievance mechanism first (§13(3))

SW11BUnsoundness of mind or infirmity of body (§14(2))

SW12BState instrumentality notified for sovereignty/security/public order (§17(2)(a))

SW13BBoard established under Section 18

SW14C2 years, eligible for re-appointment (§20(2))

SW15BTDSAT under TRAI Act 1997 (§2(a))

SW16C60 days from receipt of order (§29(2))

SW17D₹250 crore — highest penalty for security safeguards breach (Schedule Sl.1)

SW18CCredited to Consolidated Fund of India (§34)

SW19BSection 43A of IT Act 2000 omitted by §44(2)(a)

SW20BNot more than twice the original amount (§42(1))

Argument-wise MCQ Answers (AW1–AW20)

AW1BContact list not necessary for telemedicine — data minimisation principle (§6(1) illustration)

AW2CWaiver of right to complain = infringement of Act = invalid (§6(2) illustration)

AW3CData Fiduciary remains responsible for Data Processor's acts (§8(1))

AW4BGive notice as soon as practicable; continue processing until withdrawal (§5(2))

AW5BMedical emergency — §7(f) legitimate use

AW6B§3(c)(ii) — public data voluntarily made available by Data Principal is excluded

AW7BRetention for legal compliance allowed (§8(7)(a) — illustration II)

AW8BDPO must be India-based — §10(2)(a)(ii)

AW9CMust exhaust Data Fiduciary's grievance mechanism first (§13(3))

AW10BEmployment/corporate espionage is a legitimate use under §7(i)

AW11BMust record reasons in writing for delay (§29(7))

AW12BBreach of undertaking = breach of Act; Board proceeds under §33 (§32(5))

AW13BPenalty on two or more occasions required (§37(1)(a))

AW14BConsequences borne by Data Principal; prior processing remains legal (§6(5))

AW15BResearch/archiving exempt if no decision-specific use and prescribed standards followed (§17(2)(b))

AW16B§7(h) — safety/assistance during disaster

AW17BDisqualified but natural justice requires opportunity of being heard before removal (§21(2))

AW18BBoard may issue warning or impose costs on complainant (§28(12))

AW19C§3(b) applies to services offered TO Data Principals IN India; UK residents are outside India

AW20BIT Act §43A omitted by DPDP Act §44(2)(a); only monetary Board penalties apply now

Statement-wise MCQ Answers (ST1–ST20)

ST1BStatement I is wrong — personal/domestic processing is excluded from Act (§3(c))

ST2BI is wrong — contract required (§8(2)); II is correct (§8(1))

ST3AI correct (§6(1)); II wrong — consent can be withdrawn at any time (§6(4))

ST4AI correct — DPO must be India-based; II wrong — only SDF needs DPO (§10(2)(a))

ST5CBoth correct — ₹250Cr highest (Schedule Sl.1); DP duties breach = ₹10,000 (Schedule Sl.5)

ST6AI correct (§28(1)); II wrong — Board has civil court powers, not criminal court powers (§28(7))

ST7AI correct (§2(a)); II wrong — appeal within 60 days, not 30 days (§29(2))

ST8DBoth wrong — penalties go to CFI (§34), not Data Principal; no imprisonment under Act

ST9CBoth correct — §13(3) and §14(1)

ST10CBoth correct — §44(2)(a) omitted §43A of IT Act; §44(3) amended RTI §8(1)(j)

ST11AI correct — must be Board-registered (§6(9)); II wrong — Consent Manager acts on behalf of Data Principal, not Fiduciary (§6(7))

ST12BI wrong — DPDP Act prevails in conflict (§38(2)); II correct (§39)

ST13CBoth correct — §17(1) expressly excludes §8(1) and §8(5); §17(5) gives 5-year window

ST14AI correct (§18(2)); II wrong — term is 2 years, eligible for re-appointment (§20(2))

ST15AI correct (§9(1)); II wrong — child = under 18, not 16 (§2(f))

ST16CBoth correct — §32(1) and §32(4)

ST17BI wrong — not a blanket ban; II correct — Central Government may restrict transfer to notified countries (§16(1))

ST18CBoth correct — §14(1) nomination right; §15(d) and Schedule Sl.5 for false complaint penalty

ST19AI correct (§7(e)); II wrong — §7(e) includes judgment relating to civil claims under foreign law; no requirement for foreign court approval

ST20CBoth correct — at least one law expert required (§19(3)); Board can transact digitally (§23(1))

⚡ AIBE Quick Revision Cards

📅 Key Dates

Assented: 11 Aug 2023
Act No.: 22 of 2023
Sections: 44
Schedule: 1
Commencement: By Central Govt notification

📖 Key Definitions

Child = under 18 years
Data Fiduciary = determines purpose + means
Data Processor = processes on behalf of DF
Consent Manager = single point of contact
Appellate Tribunal = TDSAT

✅ Consent Rules

Must be: Free, Specific, Informed, Unconditional, Unambiguous
Withdrawal: at any time, with comparable ease
Burden of proof: on Data Fiduciary
Notice: in English or 8th Schedule language

⚙️ §8 Key Obligations

Data Processor contract: mandatory
Security safeguards: prevent breach
Breach notification: Board + Data Principal
Data erasure when purpose served
Grievance mechanism: mandatory

💰 Penalty Quick Reference

Security safeguards: ₹250 Crore
Breach notification: ₹200 Crore
Children's data: ₹200 Crore
SDF obligations: ₹150 Crore
General breach: ₹50 Crore
DP duties: ₹10,000
Credited to: CFI

🔒 Children's Data (§9)

Verifiable parental consent required
No processing harmful to well-being
No tracking/behavioural monitoring
No targeted advertising
Central Govt can notify exemptions

🏛️ Board Key Facts

Body corporate — perpetual succession
Term: 2 years, re-appointable
At least 1 Member = law expert
Digital office by design
Civil court powers under CPC
Members = Public Servants (§25)

⚖️ Appeals

Board → TDSAT (60 days to appeal)
TDSAT → HC/SC (via TRAI Act §18)
Disposal target: 6 months
TDSAT order = civil court decree
Mediation possible (§31)

📌 §44 Amendments

IT Act §43A: Omitted
IT Act §81: DPDP Act added
IT Act §87(2)(ob): Omitted
RTI §8(1)(j): Amended (personal information)
TRAI Act §14(c): TDSAT gets DPDP jurisdiction

🛡️ Key Exemptions (§17)

Personal/domestic processing (§3(c))
Legal proceedings (§17(1)(a)–(f))
State security/sovereignty (§17(2)(a))
Research/archiving (§17(2)(b))
Startups can be notified for exemption (§17(3))

👤 Data Principal Rights

§11: Right to Access Information
§12: Right to Correction & Erasure
§13: Right of Grievance Redressal
§14: Right to Nominate
§15: Duties (not a right)
Must exhaust §13 before Board

🔑 AIBE Trap Points

Commencement ≠ date of assent
No imprisonment in DPDP Act
Penalty → CFI, NOT to victim
Consent Manager acts for DP, not DF
Blocking = 2 penalties (not 1)
DPO = only for SDF
Board = civil powers, not criminal

📋 Table of Contents

📖 Introduction to the DPDP Act, 2023

🎯 Object & Purpose

📱 What is Digital Personal Data?

⚖️ Why Important for AIBE?

🔒 Privacy & Lawful Processing

📚 Chapter-wise Study Tabs

Chapter I – Preliminary (Sections 1–3)

Chapter II – Obligations of Data Fiduciary (Sections 4–10)

Chapter III – Rights and Duties of Data Principal (Sections 11–15)

Chapter IV – Special Provisions (Sections 16–17)

Chapter V – Data Protection Board of India (Sections 18–26)

Chapter VI – Powers, Functions & Procedure of Board (Sections 27–28)

Chapter VII – Appeal and Alternate Dispute Resolution (Sections 29–32)

Chapter VIII – Penalties and Adjudication (Sections 33–34)

Chapter IX – Miscellaneous (Sections 35–44)

📖 Important Definitions — Quick Reference Table

⚙️ Data Fiduciary Obligations — Summary Table

👤 Rights & Duties of Data Principal — Summary Table

✅ Rights of Data Principal

⚠️ Duties of Data Principal

💰 Penalties — The Schedule [See §33(1)]

🔀 DPDP Act Structure — Flowchart

🧠 Quick Revision Mind Map

🗺️ AIBE 2026 Study Roadmap — DPDP Act

Read the Bare Act

Master Key Definitions (§2)

Chapter II — Obligations (§4–10)

Chapter III — Rights and Duties (§11–15)

The Schedule — Penalties

Board and Appeals (Ch. V–VII)

§44 Amendments + Miscellaneous

Practice MCQs + Quick Revision

❓ Section-wise MCQs (20 Questions)

💬 Argument-wise MCQs (20 Questions)

📋 Statement-wise MCQs (20 Questions)

✏️ Short Answer Questions (15 Questions)

📝 Descriptive / Long Answer Questions (8 Questions)

Consent, Notice and Withdrawal under the DPDP Act, 2023

General Obligations of a Data Fiduciary (Section 8)

Rights of Data Principal and Role of Grievance Redressal

The Schedule of Penalties under the DPDP Act, 2023

Data Protection Board of India — Constitution, Powers and Procedure

Exemptions under Section 17 of the DPDP Act

Amendments Made by DPDP Act 2023 to Other Laws

Obligations of Significant Data Fiduciary and Processing of Children's Data

🔑 Complete Answer Key

Section-wise MCQ Answers (SW1–SW20)

Argument-wise MCQ Answers (AW1–AW20)

Statement-wise MCQ Answers (ST1–ST20)

⚡ AIBE Quick Revision Cards

📅 Key Dates

📖 Key Definitions

✅ Consent Rules

⚙️ §8 Key Obligations

💰 Penalty Quick Reference

🔒 Children's Data (§9)

🏛️ Board Key Facts

⚖️ Appeals

📌 §44 Amendments

🛡️ Key Exemptions (§17)

👤 Data Principal Rights

🔑 AIBE Trap Points