DPDP Sections6 min read

DPDP Act Section 5 Explained: The Notice Requirement for Data Fiduciaries

A definitive guide for compliance leaders on Section 5 of the DPDP Act, detailing how enterprises must deploy multi-language, itemised notices to ensure verifiable consent and build regulator-ready audit trails.

Written bySanket Sharma· Former Advocate, Supreme Court of India · ComplyDP Co-Founder

Last updated:

The Section 5 Notice Requirement

Section 5 of the Digital Personal Data Protection Act, 2023 establishes the foundation for lawful data processing by mandating strict transparency before data collection. It dictates that whenever an enterprise asks an individual for consent to process their data, that request must be accompanied or preceded by a highly specific notice. This cannot be a generic, hidden privacy policy tucked away in a website footer. The notice must clearly itemise the personal data being collected, the exact purpose for its processing, and the mechanisms available for the individual to exercise their rights or file a grievance. The operational challenge multiplies because enterprises must offer this notice in English and any language specified in the Eighth Schedule to the Constitution.

Exact Statutory Text Anchors

Section 5(1) clearly states that every request made to a Data Principal under Section 6 for consent shall be accompanied or preceded by a notice given by the Data Fiduciary. This notice must inform the individual of three key elements. First, under Section 5(1)(i), it must state the personal data and the purpose for which the same is proposed to be processed. Second, under Section 5(1)(ii), it must detail the manner in which the individual may exercise her rights under sub-section (4) of Section 6 and Section 13. Third, Section 5(1)(iii) requires detailing the manner in which the Data Principal may make a complaint to the Board.

Section 5(3) introduces a significant engineering requirement by stating the Data Fiduciary shall give the Data Principal the option to access the contents of this notice in English or any language specified in the Eighth Schedule to the Constitution. The DPDP Rules, 2025 add crucial operational specifics, requiring these to be itemised notices rather than monolithic legal agreements. The Act provides a clear illustration of this in practice. If an individual opens a bank account using a mobile app and opts for a live, video-based customer identification process for KYC, the bank must provide a Section 5 notice before capturing that video data.

Who This Binds And When

This section places a direct legal obligation on Data Fiduciaries who determine the purpose and means of processing digital personal data. Consent is the primary basis for processing, except where Section 7 legitimate uses apply, meaning the vast majority of customer and employee touchpoints will require a Section 5 compliant notice. The rule applies strictly to data processed within India, and processing outside India connected to offering goods or services to Data Principals in India.

For a Head of Compliance at a large enterprise, this obligation binds marketing, HR, and product development teams simultaneously. Every digital form, application flow, and API endpoint that collects personal data must be audited. While the liability sits with the Data Fiduciary, you must also ensure your vendors and Data Processors display compliant notices when collecting data on your behalf. Failing to synchronize notice updates across these diverse endpoints will break your compliance posture.

How To Comply Step By Step

When recommending budget for DPDP readiness, you will inevitably face stakeholder pushback about adopting yet another dashboard or overlapping with existing GRC tools. You must clearly explain that standard risk registers cannot natively intercept front-end web traffic to log which language notice a user viewed. Building a regulator-ready posture requires cross-functional coordination, clear control owners, and automated evidence packs.

1. Map data collection points against your RoPA. The control owner is your IT or Product lead. The required evidence artifact is a verified Record of Processing Activities that flags every web form and application screen where personal data is captured, confirming a notice delivery mechanism exists prior to data entry.

2. Draft and translate itemised notices. The control owner is the Legal and Compliance team. The evidence artifact is a version-controlled repository of Section 5 notices. These must be translated into English and all applicable Eighth Schedule languages, ensuring the translated content strictly matches the English legal intent.

3. Implement dynamic consent capture. The control owner is Software Engineering. The evidence artifact is a system-generated audit log proving the user was presented with the itemised notice, and optionally toggled their preferred language, before they triggered a valid consent event under Section 6.

4. Maintain immutable audit trails. The control owner is the Head of Compliance. The evidence artifact is a centralized reporting dashboard demonstrating exact notice version mapping to specific user consent artefacts. This ensures you can prove exactly what legal text a user saw on a specific date if audited by the Data Protection Board.

Penalties For Getting It Wrong

Failing to provide a compliant notice under Section 5 fundamentally invalidates any subsequent consent gathered under Section 6. Processing digital personal data without valid consent or a legitimate use exposes the enterprise to severe financial risk. General non-compliance with the provisions of the Act and Rules carries a penalty ceiling of up to 50 crore rupees under the Schedule to the Act. The Data Protection Board will weigh aggravating factors, such as the duration of the non-compliance and the volume of Data Principals affected, when determining the final fine.

Intersections With Other Sections

Section 5 acts as the operational gateway to Section 4, which dictates that processing must occur only for a lawful purpose based on valid consent or legitimate uses. The notice also links directly to Section 13, as it must explicitly instruct the Data Principal on how to exercise their right to correction, erasure, and grievance redressal. It is important to distinguish this pre-processing notice from post-incident obligations. If a breach occurs, the Rules, 2025 require breach notification via intimation to affected Data Principals without delay plus a detailed report to the Data Protection Board within 72 hours.

Deadline Pressure And Next Steps

Exactly 311 days remain until the DPDP hard compliance deadline of 13 May 2027. Enterprise compliance teams cannot afford to rely on manual spreadsheets or legacy risk management tools to track notice versions across hundreds of digital interfaces. Implementing multi-language support and version-controlled consent logs requires significant engineering lead time. You need a centralized mechanism that binds the legal text drafted by compliance to the code deployed by engineering.

Evaluate whether your current setup successfully links Section 5 notices to verifiable consent logs across all languages. Run a section-level gap check at freescan.complydp.com to identify integration missing links before the deadline expires. Establishing clear control owners today is the only way to ensure your evidence packs are regulator-ready tomorrow.

Sources

  • Digital Personal Data Protection Act, 2023 - Section 5
  • Digital Personal Data Protection Act, 2023 - Section 4
  • Digital Personal Data Protection Rules, 2025

Frequently asked questions

Do we have to translate our entire privacy policy into all Eighth Schedule languages?

Section 5(3) specifically requires that the notice accompanying a consent request must be accessible in English or any language specified in the Eighth Schedule. This applies to the itemised notice detailing the specific data collected and its purpose, rather than your entire corporate privacy policy.

Can we use our existing GRC tool to manage Section 5 compliance?

While traditional GRC tools excel at managing risk registers and high-level policies, they typically lack the technical ability to link specific notice versions to digital consent logs. DPDP compliance requires an evidence pack proving the user saw the exact notice before giving consent, which usually demands dedicated consent management infrastructure.

Is consent the absolute requirement for processing all digital personal data?

No. Consent is the primary basis for processing, except where Section 7 legitimate uses apply. However, for any process that does rely on consent, that consent is legally invalid unless preceded by a compliant Section 5 notice.

What is the penalty if our applications fail to display the required notice?

A missing or non-compliant notice invalidates the consent. Processing data without valid consent falls under general non-compliance with the Act, exposing the Data Fiduciary to a penalty ceiling of up to 50 crore rupees according to the Schedule.

How long do we have to implement these multi-language notices?

There are exactly 311 days remaining until the DPDP Act hard compliance deadline of 13 May 2027. Enterprises must begin mapping their RoPA to specific notice delivery points immediately to allow enough time for engineering deployment.