Personal Data Definition Under DPDP Act 2023
What counts as personal data under India's DPDP Act 2023? This guide covers the definition, edge cases like IP addresses and employee data, and what falls outside scope.
- Personal data under Section 2(t) means any data about an identifiable natural person — the definition is intentionally broad.
- There is no separate "sensitive personal data" category in the DPDP Act; all personal data is subject to the same framework.
- Anonymised and de-identified data falls outside scope only if re-identification is genuinely not possible.
- Business contact data (names, email addresses on company letterhead) is personal data when it identifies individuals.
- Employee data, customer data, and vendor contact data are all personal data subject to the Act.
The Statutory Definition: Section 2(t)
Section 2(t) of the DPDP Act 2023 defines "personal data" as "any data about an individual who is identifiable by or in relation to such data." This definition is deliberately concise and broad — it does not enumerate specific data types. Any data that, on its own or in combination with other data, can identify a living natural person is personal data.
This technology-neutral definition captures data categories that did not exist when older Indian legislation was drafted: biometric templates, location histories, clickstream data, voice recordings, and AI-generated inferences about individuals. If the output links back to an identifiable person, it is personal data.
"Individual" means a natural person — not a legal entity (company, trust, LLP). Data about a company's financial performance or a corporation's registered address is not personal data under the DPDP Act. But data about the company's CEO, its employees, or an individual director is personal data.
The Identifiability Test
The critical word in Section 2(t) is "identifiable." Data need not identify an individual on its face — it need only be capable of identifying them when combined with other reasonably available information. A user ID number is personal data if it can be linked to a name through a database lookup, even if the number alone means nothing.
This is the same "reasonable means" standard used in GDPR's Recital 26 — you assess identifiability by considering all reasonable means that could be used by you or others to identify the person, taking into account costs, time, and available technology. Data that requires extraordinary effort to link to an individual may be considered outside scope; data that can be trivially cross-referenced is personal data.
The identifiability test has practical implications for data sharing. If you share a dataset with a partner who has access to additional data that makes your records identifiable, the shared data is personal data — even if it was not identifiable in your own hands.
No Separate Sensitive Data Category
The IT (Amendment) Act 2008 and SPDI Rules 2011 created a "sensitive personal data or information" (SPDI) category — passwords, financial data, health data, biometrics, sexual orientation. The DPDP Act deliberately does not replicate this structure. All personal data is subject to the same foundational consent, security, and rights framework.
This does not mean the DPDP Act treats all personal data identically. The Act creates heightened obligations for specific contexts: (a) children's data, where parental consent and additional safeguards are required; and (b) Significant Data Fiduciary classifications, which may be triggered by high sensitivity of the data processed. But these are entity-classification and context-based distinctions, not a formal "special categories" regime.
For companies transitioning from SPDI Rules compliance, this means your existing tiered approach to health, financial, or biometric data remains best practice — even if the statutory requirement is now uniform. The Data Protection Board may also issue guidance or standards that effectively create heightened expectations for inherently sensitive data types.
Common Edge Cases: IP Addresses, Device IDs, Cookies
IP addresses are personal data in most contexts. A dynamic IP address assigned to a specific user session can be linked to an individual through ISP records; a static IP belonging to a home network is clearly personal. Analytics platforms, server logs, and CDN access logs that capture IP addresses are processing personal data.
Device identifiers (IMEI numbers, advertising IDs, hardware fingerprints) are personal data when they are consistently associated with an individual device and user. Persistent cookies that track users across sessions and sites are personal data under the identifiability test, which is why consent for non-essential cookies is a DPDP Act obligation.
Email addresses are unambiguously personal data. Names combined with employer information are personal data. Phone numbers are personal data. Location coordinates — even without a name — can identify a person's home, workplace, or patterns of life and are personal data. When in doubt, treat data as personal data; the cost of over-classifying is low compared to the risk of under-classifying.
Employee and HR Data
Employee data is personal data. Names, Aadhaar numbers, PAN numbers, salary details, performance appraisals, leave records, biometric attendance data, and health information collected for insurance or wellness programmes are all personal data of the employee.
The DPDP Act's Section 17(2)(a) allows the Central Government to exclude certain processing activities — including employment-related processing — from specified provisions. The Draft Rules indicate some relaxations for employment contexts, particularly around consent (given the power imbalance in employment relationships). However, these exemptions are not yet finalised.
Until employment-context exemptions are notified, treat all employee data as subject to full DPDP Act obligations. This means: updated employment contracts with data processing disclosures, HR system access controls, defined retention periods, and a process to respond to employee access and erasure requests.
Anonymisation and De-identification
Section 2(t) excludes anonymised data from the definition of personal data. The Act defines "anonymised data" as data that has been irreversibly processed such that the individual cannot be identified. The key word is "irreversibly" — if the anonymisation can be reversed, or if the data can be combined with other data to re-identify individuals, it is not anonymised under the Act.
Pseudonymisation — replacing identifiers with codes but retaining a mapping table — does not constitute anonymisation under the DPDP Act. Pseudonymised data remains personal data because re-identification is possible through the mapping table. The security obligation for pseudonymised data is the protection of the mapping table.
Genuine anonymisation requires technical rigour: k-anonymity, differential privacy, or similar techniques that provide mathematical guarantees against re-identification. "Anonymisation" achieved simply by removing names while retaining age, location, and occupation data is insufficient — such data can often be re-identified with readily available external datasets.
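As an added illustration of the point above (constructed example code, not part of the original guide): a small k-anonymity check over a name-stripped HR extract shows that age, pincode and occupation alone still single out most records, and that only coarsening those quasi-identifiers raises k above 1. Record values, field names and the generalisation rules are assumptions.

```python
from collections import Counter

# Constructed sample: an HR extract with names already removed.
# The quasi-identifiers age, pincode and occupation are retained.
RECORDS = [
    {"age": 34, "pincode": "560001", "occupation": "engineer", "salary": 1800000},
    {"age": 34, "pincode": "560001", "occupation": "engineer", "salary": 2100000},
    {"age": 29, "pincode": "560034", "occupation": "designer", "salary": 1200000},
    {"age": 38, "pincode": "560034", "occupation": "manager",  "salary": 3500000},
    {"age": 27, "pincode": "560001", "occupation": "designer", "salary": 1100000},
]
QUASI_IDENTIFIERS = ("age", "pincode", "occupation")


def equivalence_classes(records, quasi):
    """Group records by their quasi-identifier tuple and count each group."""
    return Counter(tuple(r[q] for q in quasi) for r in records)


def k_anonymity(records, quasi):
    """The k of a dataset is the size of its smallest equivalence class."""
    classes = equivalence_classes(records, quasi)
    return min(classes.values()) if classes else 0


def singletons(records, quasi):
    """Quasi-identifier combinations matching exactly one record: each is a
    re-identification risk if an external dataset carries the same fields."""
    return [key for key, n in equivalence_classes(records, quasi).items() if n == 1]


def is_k_anonymous(records, quasi, k):
    return k_anonymity(records, quasi) >= k


def generalise(record):
    """Coarsen quasi-identifiers: 10-year age bands, 3-digit pincode prefix,
    occupation suppressed. Non-identifying attributes are kept as they are."""
    band = record["age"] // 10 * 10
    return {
        "age": f"{band}-{band + 9}",
        "pincode": record["pincode"][:3] + "***",
        "occupation": "*",
        "salary": record["salary"],
    }


if __name__ == "__main__":
    print("raw k =", k_anonymity(RECORDS, QUASI_IDENTIFIERS))          # 1
    print("raw singletons =", len(singletons(RECORDS, QUASI_IDENTIFIERS)))  # 3
    generalised = [generalise(r) for r in RECORDS]
    print("generalised k =", k_anonymity(generalised, QUASI_IDENTIFIERS))   # 2
```

k=2 is used here only to show the mechanism; a dataset released as anonymised would need a far larger k, and a check that the retained attributes (salary here) do not themselves leak within a class.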
What Falls Outside the Definition
Data about legal entities (companies, trusts, government bodies) rather than natural persons is outside scope. Aggregate statistics that cannot be linked to individuals — total revenue, number of transactions, industry averages — are not personal data. Genuinely anonymised data, as described above, is outside scope.
Data about deceased individuals is a nuanced area. The DPDP Act defines "Data Principal" to include nominees (Section 14) who can exercise rights on behalf of a deceased person. So while a deceased person is not a living individual, their data is not entirely outside the framework — nominees can assert rights over it.
Data that was made publicly available by the Data Principal themselves (e.g., public social media posts, published articles with bylines) has a statutory exemption under Section 3(d) for processing that respects the context of original disclosure. However, aggregating such data at scale or using it for purposes the individual would not have anticipated remains a grey area.
Frequently Asked Questions
Is a business email address like firstname.lastname@company.com personal data?
Is data about Indian citizens stored outside India still subject to the DPDP Act?
Does the DPDP Act apply to data about NRIs (Non-Resident Indians)?
Can we avoid DPDP Act obligations by only collecting aggregate analytics data?
How does the DPDP Act definition compare to GDPR's definition of personal data?