Knowledge hub
DPDP Act glossary
Direct definitions of core DPDP Act 2023 and Rules 2025 terms. Each entry starts with a concise answer, followed by practical requirements and links to deeper guides.
Data Fiduciary
A Data Fiduciary is any person or organisation that decides why and how personal data is processed under India's Digital Personal Data Protection Act, 2023. If you collect user, customer, or employee data and set the purpose, you are likely the Data Fiduciary—not your vendor.
Data Principal
A Data Principal is the individual whose personal data is being processed—the customer, app user, job applicant, or employee. Under DPDP, they hold enforceable rights over that data and can raise grievances if obligations are not met.
Data Processor
A Data Processor processes personal data on behalf of a Data Fiduciary—cloud hosts, payroll vendors, email tools, analytics providers. Processors do not decide the purpose; they follow the Fiduciary's instructions under contract.
Significant Data Fiduciary (SDF)
A Significant Data Fiduciary is a class of Data Fiduciary designated by the Central Government based on data volume, sensitivity, risk, and related factors. SDFs carry extra duties beyond standard fiduciaries, including a resident Data Protection Officer and periodic audits.
Data Protection Board of India (DPBI)
The Data Protection Board of India is the regulatory authority established under the DPDP Act to oversee compliance, hear grievances, and impose penalties. Data Fiduciaries must notify the Board of personal data breaches in the form and manner prescribed by the Rules.
Consent Manager
A Consent Manager is a registered intermediary that helps Data Principals give, manage, review, and withdraw consent on behalf of Data Fiduciaries. Registration of Consent Managers is expected under the DPDP framework; fiduciaries must ensure their consent systems remain compatible.
Personal Data Breach
A personal data breach is any unauthorised access, disclosure, acquisition, sharing, use, alteration, destruction, or loss of personal data that compromises confidentiality, integrity, or availability. Accidental misconfigurations and insider errors count—not only hacking.
Data Principal Rights
Data Principal Rights are the statutory rights individuals hold over their personal data under DPDP—including access to a summary of data and processing, correction, erasure, grievance redressal, and nomination of another person to exercise rights on their behalf.
Grievance Redressal
Grievance redressal is the process by which a Data Fiduciary receives, acknowledges, and resolves complaints from Data Principals about how their personal data is handled. A published grievance contact and timely responses are core DPDP obligations.
Data Processing Agreement (DPA)
A Data Processing Agreement is the contract between a Data Fiduciary and a Data Processor that sets out processing instructions, security measures, sub-processor rules, breach-reporting duties, and assistance with Data Principal rights. It is the primary legal tool for vendor compliance under DPDP.