
Who Does the DPDP Act Apply To? Applicability Guide

Understand DPDP Act applicability — which entities, data types, and processing activities fall within scope, and what exemptions exist for Indian and foreign companies.

Key Takeaways
  • The DPDP Act applies to all digital personal data processed in India, regardless of company size or sector.
  • Foreign companies offering goods or services to Indian residents fall within scope even if they have no India office.
  • Purely personal or domestic processing is exempt, as is data made publicly available by the Data Principal.
  • Central Government can exempt certain classes of Data Fiduciaries or processing activities by notification.
  • There is no "small business" exemption in the Act itself — though the Rules may create differentiated obligations.

Who Is Covered: The Data Fiduciary Test

Section 3(a) of the DPDP Act provides the primary applicability test. The Act applies to any "Data Fiduciary" — defined in Section 2(i) as any person who, alone or in conjunction with others, determines the purpose and means of processing personal data. "Person" here includes companies, firms, LLPs, individuals, associations, and government bodies.

If your company collects names, email addresses, phone numbers, or any other data that can identify a natural person, and you decide why and how that data is processed, you are a Data Fiduciary and the Act applies to you. There is no minimum threshold for the volume of data or number of individuals affected.

Companies acting purely as Data Processors — processing data only on another entity's instructions — are not the primary obligated party under the statute, but they remain subject to contractual obligations imposed by Data Fiduciaries and must maintain appropriate security safeguards.

Territorial Scope: India and Extraterritorial Reach

The DPDP Act has two territorial triggers under Section 3. First, it applies to processing of digital personal data collected within India — this covers almost every Indian company and startup. Second, it applies to processing outside India if it is in connection with offering goods or services to Data Principals located in India.

The extraterritorial limb mirrors GDPR's Article 3(2) "targeting" criterion. A US-based HR software company whose Indian enterprise clients upload employee data to the platform must comply. A UK e-commerce retailer shipping to Indian customers must comply. Physical presence in India is irrelevant.

A common misreading: data about Indian residents that is processed in India but relates to activities undertaken outside India is still covered. The test is the location of the Data Principal at the time of collection, not the location of the processor.

What Data Is In Scope

"Personal data" under Section 2(t) means any data about an identifiable individual. Unlike the earlier IT (Amendment) Bill 2022, the enacted DPDP Act does not separately categorise "sensitive personal data" — all personal data is subject to the same foundational framework, with certain categories (children's data, Significant Data Fiduciary data) carrying additional obligations.

The Act covers digital personal data — data in digital form, or data originally collected in non-digital form that has been digitised. Purely paper-based records that are never digitised are outside scope. In practice, the overwhelming majority of business data is already digital or will be digitised.

Employee data, customer data, vendor contact data, and data collected through websites, apps, and APIs all fall within scope. Data that has been de-identified (so that no individual can be identified from it) is outside the definition of personal data and therefore outside the Act's scope — but re-identification risk must be genuinely managed.

Statutory Exemptions

Section 3(c) exempts personal data processed by an individual for personal or domestic purposes — a person maintaining a personal contacts list or home accounts spreadsheet is not a Data Fiduciary. This exemption does not extend to sole proprietorships or freelancers processing client data in a commercial context.

Section 3(d) exempts personal data that is made publicly available by the Data Principal or under a legal obligation. If an individual posts their name and role on LinkedIn, processing that data for legitimate business purposes (e.g., a recruiter searching for candidates) is exempt. However, aggregating publicly available data at scale to build profiling databases is a grey area that may attract scrutiny.

The Central Government has broad powers under Section 17(2) to exempt any Data Fiduciary or class of Data Fiduciaries from specified provisions. Draft Rules have indicated possible differentiated regimes for startups and small data fiduciaries, but nothing is confirmed. Companies should plan for full compliance and treat any future exemption as a bonus.

Government and National Security Exemptions

Section 17(2)(a) allows the Central Government to exempt government instrumentalities from specified obligations in the interest of sovereignty, security, public order, friendly relations with foreign states, or prevention of incitement to offences. This is a broad national security carve-out similar to those found in most data protection laws globally.

Section 17(2)(b) permits the Central Government to modify the application of the Act to Data Principals outside India through bilateral or multilateral agreements. This provision is relevant for India's digital trade negotiations.

These exemptions are not self-operative — they require specific notifications. Until notified, government entities are also subject to the Act's obligations, though enforcement against government bodies may follow a different practical path given the Board's composition and accountability structure.

Foreign Companies Serving Indian Customers

If your company is incorporated outside India but offers services to Indian residents — whether B2C (e-commerce, apps, platforms) or B2B (SaaS, cloud services, outsourcing) — you must assess DPDP Act applicability. The test is whether you are "offering goods or services" to persons in India, not whether you actively market to India.

Foreign companies within scope must appoint a point of contact in India for the Data Protection Board (the Rules will specify requirements analogous to GDPR's Article 27 representative). They must also implement consent mechanisms, privacy notices in scheduled languages if practicable, and data breach notification procedures.

For global companies already GDPR-compliant, the DPDP Act overlap is significant but not identical. Key differences include the absence of a legitimate interests basis, no data protection impact assessment mandate for all high-risk processing (only for Significant Data Fiduciaries), and a different cross-border transfer framework. You cannot assume GDPR compliance equals DPDP compliance.

Practical Applicability Test for Your Business

Run through these four questions:
  • Do you collect or process any data that could identify a living natural person?
  • Is that data in digital form, or has it been digitised?
  • Do you determine the purpose or means of that processing (making you a Data Fiduciary)?
  • Is the processing within India, or connected with services offered to Indian residents?

If you answer yes to all four, the DPDP Act applies to you. The next step is to identify whether you are a Significant Data Fiduciary (additional obligations) and whether you process children's data (highest penalty tier). Use AuditPath's DPDP obligation tracker to map each answer to the specific controls you need to implement.

Do not fall into the trap of assuming the Act does not apply because you are a B2B company, a startup, or a foreign entity. The scope is deliberately broad. The compliance investment now is far smaller than a ₹250 crore penalty or a Data Protection Board inquiry later.

Frequently Asked Questions

Does the DPDP Act apply to non-profit organisations in India?
Yes. "Person" under the Act includes any legal entity. Non-profits that process personal data of donors, volunteers, or beneficiaries are Data Fiduciaries subject to the Act. They may benefit from future government notifications creating differentiated regimes, but no such exemption exists yet.

We are a SaaS company and our customers upload personal data to our platform. Are we a Data Fiduciary or a Data Processor?
Typically, you are a Data Processor for customer-uploaded data (you process it on your customer's instructions) and a Data Fiduciary for data you collect directly — such as your own customer accounts, billing data, and marketing lists. Many SaaS companies are simultaneously both, for different data sets.

Is there a size threshold — does the DPDP Act only apply to large companies?
The Act itself has no size threshold. All Data Fiduciaries — including startups and MSMEs — are subject to its provisions. The Rules may create lighter obligations for smaller entities, but this is not confirmed. Plan for full compliance and treat any future relaxation as an upside.

Our company only processes employee data. Does the DPDP Act apply?
Yes. Employee data is personal data. Section 17(2)(a) allows the government to exclude employee data from certain provisions, and the Draft Rules have indicated some relaxations for employment-related processing, but these are not yet finalised. Treat employee data as in-scope until notified otherwise.

We process only publicly available data — scraped from LinkedIn and company websites. Are we in scope?
Partially. Section 3(d) exempts data made publicly available by the Data Principal. However, aggregating, enriching, or repurposing such data at scale — especially for profiling or targeting — may fall outside this exemption and attract scrutiny. The safer course is to apply privacy-by-design principles even to publicly available data.
