bmad-plus 0.8.0 → 0.9.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (213) hide show
  1. package/CHANGELOG.md +45 -1
  2. package/LICENSE +21 -21
  3. package/README.md +107 -85
  4. package/osint-agent-package/README.md +88 -88
  5. package/osint-agent-package/SETUP_KEYS.md +108 -108
  6. package/osint-agent-package/agents/osint-investigator.md +80 -80
  7. package/osint-agent-package/install.ps1 +87 -87
  8. package/osint-agent-package/install.sh +76 -76
  9. package/osint-agent-package/skills/bmad-osint-investigate/SKILL.md +147 -147
  10. package/osint-agent-package/skills/bmad-osint-investigate/osint/references/enrichment-databases-fr.md +148 -148
  11. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/_http.py +101 -101
  12. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/apify.py +266 -266
  13. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/brightdata.py +101 -101
  14. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/diagnose.py +141 -141
  15. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/exa.py +79 -79
  16. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/jina.py +71 -71
  17. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/parallel.py +85 -85
  18. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/perplexity.py +102 -102
  19. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/tavily.py +72 -72
  20. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/volley.py +208 -208
  21. package/osint-agent-package/skills/bmad-osint-investigator/SKILL.md +15 -15
  22. package/package.json +30 -3
  23. package/readme-international/README.de.md +18 -5
  24. package/readme-international/README.es.md +40 -12
  25. package/readme-international/README.fr.md +36 -8
  26. package/src/bmad-plus/agents/agent-architect-dev/SKILL.md +96 -96
  27. package/src/bmad-plus/agents/agent-architect-dev/bmad-skill-manifest.yaml +13 -13
  28. package/src/bmad-plus/agents/agent-maker/SKILL.md +201 -201
  29. package/src/bmad-plus/agents/agent-maker/bmad-skill-manifest.yaml +13 -13
  30. package/src/bmad-plus/agents/agent-orchestrator/SKILL.md +137 -137
  31. package/src/bmad-plus/agents/agent-orchestrator/bmad-skill-manifest.yaml +13 -13
  32. package/src/bmad-plus/agents/agent-quality/SKILL.md +83 -83
  33. package/src/bmad-plus/agents/agent-quality/bmad-skill-manifest.yaml +13 -13
  34. package/src/bmad-plus/agents/agent-shadow/SKILL.md +71 -71
  35. package/src/bmad-plus/agents/agent-shadow/bmad-skill-manifest.yaml +13 -13
  36. package/src/bmad-plus/agents/agent-strategist/SKILL.md +80 -80
  37. package/src/bmad-plus/agents/agent-strategist/bmad-skill-manifest.yaml +13 -13
  38. package/src/bmad-plus/data/role-triggers.yaml +209 -209
  39. package/src/bmad-plus/module-help.csv +10 -10
  40. package/src/bmad-plus/packs/pack-memory/README.md +106 -106
  41. package/src/bmad-plus/packs/pack-memory/memory-orchestrator.md +79 -79
  42. package/src/bmad-plus/packs/pack-memory/shared/karpathy-guardrails.md +86 -86
  43. package/src/bmad-plus/packs/pack-memory/shared/memory-protocol.md +143 -143
  44. package/src/bmad-plus/packs/pack-memory/templates/context.md +39 -39
  45. package/src/bmad-plus/packs/pack-memory/templates/decisions.md +25 -25
  46. package/src/bmad-plus/packs/pack-memory/templates/identity.yaml +39 -39
  47. package/src/bmad-plus/packs/pack-memory/templates/lessons.md +31 -31
  48. package/src/bmad-plus/packs/pack-memory/templates/patterns.md +24 -24
  49. package/src/bmad-plus/packs/pack-memory/templates/session-handoff.md +25 -25
  50. package/src/bmad-plus/packs/pack-memory/zecher-agent.md +157 -157
  51. package/src/bmad-plus/packs/pack-seo/bmad-skill-manifest.yaml +13 -0
  52. package/src/bmad-plus/packs/pack-shield/README.md +110 -110
  53. package/src/bmad-plus/packs/pack-shield/SKILL.md +82 -0
  54. package/src/bmad-plus/packs/pack-shield/categories/accessibility-esg/csrd-agent.md +251 -251
  55. package/src/bmad-plus/packs/pack-shield/categories/accessibility-esg/section508-agent.md +168 -168
  56. package/src/bmad-plus/packs/pack-shield/categories/accessibility-esg/wcag-agent.md +190 -190
  57. package/src/bmad-plus/packs/pack-shield/categories/ai-governance/eu-ai-act-agent.md +86 -86
  58. package/src/bmad-plus/packs/pack-shield/categories/ai-governance/iso42001-agent.md +240 -240
  59. package/src/bmad-plus/packs/pack-shield/categories/ai-governance/nist-ai-rmf-agent.md +122 -122
  60. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/cis-controls-agent.md +210 -210
  61. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/ism-agent.md +139 -139
  62. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/iso27001-agent.md +156 -156
  63. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/nis2-agent.md +72 -72
  64. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/nist-800-53-agent.md +239 -239
  65. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/nist-csf-agent.md +207 -207
  66. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/ccpa-agent.md +94 -94
  67. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/dpdpa-agent.md +136 -136
  68. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/gdpr-agent.md +296 -296
  69. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/iso27701-agent.md +134 -134
  70. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/lgpd-agent.md +129 -129
  71. package/src/bmad-plus/packs/pack-shield/categories/defense-export/cmmc-agent.md +116 -116
  72. package/src/bmad-plus/packs/pack-shield/categories/defense-export/ear-agent.md +261 -261
  73. package/src/bmad-plus/packs/pack-shield/categories/defense-export/itar-agent.md +191 -191
  74. package/src/bmad-plus/packs/pack-shield/categories/defense-export/tsa-agent.md +356 -356
  75. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/dora-agent.md +499 -499
  76. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/fedramp-agent.md +236 -236
  77. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/hipaa-agent.md +162 -162
  78. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/pci-dss-agent.md +228 -228
  79. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/soc2-agent.md +255 -255
  80. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/swift-csp-agent.md +153 -153
  81. package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-classifier.md +131 -131
  82. package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-fria.md +155 -155
  83. package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-incidents.md +187 -187
  84. package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-roles.md +113 -113
  85. package/src/bmad-plus/packs/pack-shield/categories/workflows/breach-sentinel.md +197 -197
  86. package/src/bmad-plus/packs/pack-shield/categories/workflows/cookie-policy-gen.md +180 -180
  87. package/src/bmad-plus/packs/pack-shield/categories/workflows/dpia-sentinel.md +235 -235
  88. package/src/bmad-plus/packs/pack-shield/categories/workflows/legitimate-interest.md +159 -159
  89. package/src/bmad-plus/packs/pack-shield/categories/workflows/privacy-advisor.md +133 -133
  90. package/src/bmad-plus/packs/pack-shield/categories/workflows/privacy-notice-gen.md +160 -160
  91. package/src/bmad-plus/packs/pack-shield/categories/workflows/privacy-policy-gen.md +135 -135
  92. package/src/bmad-plus/packs/pack-shield/references/ccpa/ccpa-gdpr-comparison.md +117 -117
  93. package/src/bmad-plus/packs/pack-shield/references/ccpa/consumer-rights-workflows.md +177 -177
  94. package/src/bmad-plus/packs/pack-shield/references/cis-controls/framework-mappings.md +162 -162
  95. package/src/bmad-plus/packs/pack-shield/references/cis-controls/implementation-guidance.md +235 -235
  96. package/src/bmad-plus/packs/pack-shield/references/cis-controls/safeguards-detail.md +252 -252
  97. package/src/bmad-plus/packs/pack-shield/references/cmmc/cmmc-assessment.md +170 -170
  98. package/src/bmad-plus/packs/pack-shield/references/cmmc/cmmc-levels.md +113 -113
  99. package/src/bmad-plus/packs/pack-shield/references/cmmc/cmmc-practices.md +211 -211
  100. package/src/bmad-plus/packs/pack-shield/references/csrd/compliance-program.md +281 -281
  101. package/src/bmad-plus/packs/pack-shield/references/csrd/double-materiality.md +253 -253
  102. package/src/bmad-plus/packs/pack-shield/references/csrd/esrs-standards.md +401 -401
  103. package/src/bmad-plus/packs/pack-shield/references/dora/article-reference.md +441 -441
  104. package/src/bmad-plus/packs/pack-shield/references/dora/incident-classification.md +297 -297
  105. package/src/bmad-plus/packs/pack-shield/references/dora/rts-its-guide.md +306 -306
  106. package/src/bmad-plus/packs/pack-shield/references/dora/third-party-risk.md +349 -349
  107. package/src/bmad-plus/packs/pack-shield/references/dpdpa/gdpr-comparison.md +173 -173
  108. package/src/bmad-plus/packs/pack-shield/references/dpdpa/rights-and-obligations.md +426 -426
  109. package/src/bmad-plus/packs/pack-shield/references/dpdpa/rules-2025.md +599 -599
  110. package/src/bmad-plus/packs/pack-shield/references/dpdpa/sections-reference.md +319 -319
  111. package/src/bmad-plus/packs/pack-shield/references/ear/ccl-eccn-guide.md +250 -250
  112. package/src/bmad-plus/packs/pack-shield/references/ear/compliance-program.md +280 -280
  113. package/src/bmad-plus/packs/pack-shield/references/ear/license-exceptions.md +207 -207
  114. package/src/bmad-plus/packs/pack-shield/references/eu-ai-act/gpai-governance.md +267 -267
  115. package/src/bmad-plus/packs/pack-shield/references/eu-ai-act/obligations-high-risk.md +287 -287
  116. package/src/bmad-plus/packs/pack-shield/references/eu-ai-act/risk-classification.md +182 -182
  117. package/src/bmad-plus/packs/pack-shield/references/fedramp/appendices-guide.md +209 -209
  118. package/src/bmad-plus/packs/pack-shield/references/fedramp/control-families.md +281 -281
  119. package/src/bmad-plus/packs/pack-shield/references/fedramp/poam-guide.md +93 -93
  120. package/src/bmad-plus/packs/pack-shield/references/fedramp/readiness-checklist.md +134 -134
  121. package/src/bmad-plus/packs/pack-shield/references/fedramp/sap-sar-guide.md +86 -86
  122. package/src/bmad-plus/packs/pack-shield/references/fedramp/ssp-guide.md +129 -129
  123. package/src/bmad-plus/packs/pack-shield/references/gdpr-compliance/documents.md +192 -192
  124. package/src/bmad-plus/packs/pack-shield/references/gdpr-compliance/dpa-template.md +121 -121
  125. package/src/bmad-plus/packs/pack-shield/references/gdpr-compliance/privacy-notice.md +87 -87
  126. package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/breach-notification.md +293 -293
  127. package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/privacy-rule.md +276 -276
  128. package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/security-rule.md +299 -299
  129. package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/templates.md +568 -568
  130. package/src/bmad-plus/packs/pack-shield/references/ism/control-applicability.md +181 -181
  131. package/src/bmad-plus/packs/pack-shield/references/ism/guidelines-overview.md +183 -183
  132. package/src/bmad-plus/packs/pack-shield/references/iso27001/annex-a-2013.md +203 -203
  133. package/src/bmad-plus/packs/pack-shield/references/iso27001/annex-a-2022.md +132 -132
  134. package/src/bmad-plus/packs/pack-shield/references/iso27001/control-mapping.md +153 -153
  135. package/src/bmad-plus/packs/pack-shield/references/iso27701/annex-a-controls.md +195 -195
  136. package/src/bmad-plus/packs/pack-shield/references/iso27701/regulatory-mapping.md +229 -229
  137. package/src/bmad-plus/packs/pack-shield/references/iso27701/transition-guide.md +219 -219
  138. package/src/bmad-plus/packs/pack-shield/references/iso42001/iso42001-ai-risk-assessment.md +258 -258
  139. package/src/bmad-plus/packs/pack-shield/references/iso42001/iso42001-clauses-requirements.md +279 -279
  140. package/src/bmad-plus/packs/pack-shield/references/iso42001/iso42001-controls-annex-a.md +155 -155
  141. package/src/bmad-plus/packs/pack-shield/references/itar/compliance-program.md +174 -174
  142. package/src/bmad-plus/packs/pack-shield/references/itar/licensing-guide.md +146 -146
  143. package/src/bmad-plus/packs/pack-shield/references/itar/usml-categories.md +93 -93
  144. package/src/bmad-plus/packs/pack-shield/references/lgpd/anpd-enforcement.md +147 -147
  145. package/src/bmad-plus/packs/pack-shield/references/lgpd/compliance-program.md +272 -272
  146. package/src/bmad-plus/packs/pack-shield/references/lgpd/lgpd-articles.md +271 -271
  147. package/src/bmad-plus/packs/pack-shield/references/nis2/article-21-measures.md +153 -153
  148. package/src/bmad-plus/packs/pack-shield/references/nis2/iso27001-nis2-mapping.md +68 -68
  149. package/src/bmad-plus/packs/pack-shield/references/nist-800-53/assessment-rmf.md +349 -349
  150. package/src/bmad-plus/packs/pack-shield/references/nist-800-53/baselines-tailoring.md +277 -277
  151. package/src/bmad-plus/packs/pack-shield/references/nist-800-53/control-families.md +450 -450
  152. package/src/bmad-plus/packs/pack-shield/references/nist-ai-rmf/rmf-core.md +361 -361
  153. package/src/bmad-plus/packs/pack-shield/references/nist-ai-rmf/rmf-profiles.md +192 -192
  154. package/src/bmad-plus/packs/pack-shield/references/nist-csf/csf-10-to-20-mapping.md +143 -143
  155. package/src/bmad-plus/packs/pack-shield/references/nist-csf/csf-20-functions-categories.md +278 -278
  156. package/src/bmad-plus/packs/pack-shield/references/nist-csf/csf-implementation-tiers.md +135 -135
  157. package/src/bmad-plus/packs/pack-shield/references/pci-compliance/pci-dss-requirements.md +366 -366
  158. package/src/bmad-plus/packs/pack-shield/references/pci-compliance/pci-dss-saq-guide.md +217 -217
  159. package/src/bmad-plus/packs/pack-shield/references/pci-compliance/pci-dss-v4-changes.md +190 -190
  160. package/src/bmad-plus/packs/pack-shield/references/section-508/wcag-mapping.md +160 -160
  161. package/src/bmad-plus/packs/pack-shield/references/soc2/controls.md +241 -241
  162. package/src/bmad-plus/packs/pack-shield/references/soc2/evidence.md +236 -236
  163. package/src/bmad-plus/packs/pack-shield/references/soc2/policies.md +254 -254
  164. package/src/bmad-plus/packs/pack-shield/references/soc2/vendor.md +276 -276
  165. package/src/bmad-plus/packs/pack-shield/references/swift-csp/swift-assessment.md +202 -202
  166. package/src/bmad-plus/packs/pack-shield/references/swift-csp/swift-controls.md +545 -545
  167. package/src/bmad-plus/packs/pack-shield/references/tsa-compliance/tsa-crmp-requirements.md +359 -359
  168. package/src/bmad-plus/packs/pack-shield/references/tsa-compliance/tsa-directives-overview.md +187 -187
  169. package/src/bmad-plus/packs/pack-shield/references/tsa-compliance/tsa-incident-reporting.md +187 -187
  170. package/src/bmad-plus/packs/pack-shield/references/wcag/criteria-detail.md +510 -510
  171. package/src/bmad-plus/packs/pack-shield/shared/audit-report-template.md +103 -103
  172. package/src/bmad-plus/packs/pack-shield/shared/cross-framework-mapper.md +103 -103
  173. package/src/bmad-plus/packs/pack-shield/shared/gap-analysis-template.md +83 -83
  174. package/src/bmad-plus/packs/pack-shield/shield-orchestrator.md +229 -229
  175. package/src/bmad-plus/packs/pack-shield/upstream-sync.yaml +68 -68
  176. package/src/bmad-plus/skills/bmad-plus-autopilot/SKILL.md +99 -99
  177. package/src/bmad-plus/skills/bmad-plus-parallel/SKILL.md +93 -93
  178. package/src/bmad-plus/skills/bmad-plus-sync/SKILL.md +69 -69
  179. package/tools/bmad-plus-npx.js +3 -5
  180. package/tools/cli/bmad-plus-cli.js +5 -3
  181. package/tools/cli/commands/autoconfig.js +18 -61
  182. package/tools/cli/commands/doctor.js +30 -31
  183. package/tools/cli/commands/install.js +33 -343
  184. package/tools/cli/commands/memory.js +1 -0
  185. package/tools/cli/commands/scan.js +61 -74
  186. package/tools/cli/commands/uninstall.js +7 -4
  187. package/tools/cli/commands/update.js +15 -72
  188. package/tools/cli/i18n.js +92 -10
  189. package/tools/cli/lib/ide-config.js +259 -0
  190. package/tools/cli/lib/memory-init.js +113 -0
  191. package/tools/cli/lib/pack-copy.js +84 -0
  192. package/tools/cli/lib/packs.js +114 -0
  193. package/tools/cli/lib/stack-detect.js +102 -0
  194. package/tools/cli/lib/validate.js +45 -0
  195. package/src/bmad-plus/agents/pack-animated/animated-website-agent.md +0 -325
  196. package/src/bmad-plus/agents/pack-animated/templates/animated-website-workflow.md +0 -55
  197. package/src/bmad-plus/agents/pack-backup/backup-agent.md +0 -71
  198. package/src/bmad-plus/agents/pack-backup/templates/backup-workflow.md +0 -51
  199. package/src/bmad-plus/agents/pack-seo/SKILL.md +0 -171
  200. package/src/bmad-plus/agents/pack-seo/checklist.md +0 -140
  201. package/src/bmad-plus/agents/pack-seo/pagespeed-playbook.md +0 -320
  202. package/src/bmad-plus/agents/pack-seo/ref/audit-schema.json +0 -187
  203. package/src/bmad-plus/agents/pack-seo/ref/cwv-thresholds.md +0 -87
  204. package/src/bmad-plus/agents/pack-seo/ref/eeat-criteria.md +0 -123
  205. package/src/bmad-plus/agents/pack-seo/ref/geo-signals.md +0 -167
  206. package/src/bmad-plus/agents/pack-seo/ref/hreflang-rules.md +0 -153
  207. package/src/bmad-plus/agents/pack-seo/ref/quality-gates.md +0 -133
  208. package/src/bmad-plus/agents/pack-seo/ref/schema-catalog.md +0 -91
  209. package/src/bmad-plus/agents/pack-seo/ref/schema-templates.json +0 -356
  210. package/src/bmad-plus/agents/pack-seo/seo-chief.md +0 -294
  211. package/src/bmad-plus/agents/pack-seo/seo-judge.md +0 -241
  212. package/src/bmad-plus/agents/pack-seo/seo-scout.md +0 -171
  213. package/src/bmad-plus/agents/pack-seo/templates/seo-audit-workflow.md +0 -241
@@ -1,319 +1,319 @@
1
- # DPDPA — Section-by-Section Reference
2
-
3
- Digital Personal Data Protection Act, 2023. Presidential Assent: 11 August 2023.
4
- 44 Sections across 9 Chapters.
5
-
6
- ---
7
-
8
- ## Chapter I — Preliminary (Sections 1–3)
9
-
10
- ### Section 1 — Short Title, Extent, Commencement and Application
11
- Establishes the short title: "Digital Personal Data Protection Act, 2023."
12
- - Extends to the whole of India
13
- - Commencement by phased notification in the Official Gazette
14
- - Applies to digital personal data processing within India AND processing outside India
15
- related to offering goods or services to individuals located in India
16
-
17
- ### Section 2 — Definitions
18
- 28 defined terms including:
19
-
20
- | Term | Definition |
21
- |------|-----------|
22
- | **Appellate Tribunal** | Telecom Disputes Settlement and Appellate Tribunal (TDSAT) |
23
- | **Board** | Data Protection Board of India |
24
- | **Child** | Individual who has not completed **18 years of age** |
25
- | **Consent Manager** | Body corporate registered by the Board enabling Data Principals to manage consent across multiple Data Fiduciaries via a single interoperable platform |
26
- | **Data Fiduciary** | Any person who alone or jointly with others determines the **purpose and means** of processing of digital personal data (= GDPR "controller") |
27
- | **Data Principal** | The individual to whom the personal data relates (= GDPR "data subject") |
28
- | **Data Processor** | Any person who processes digital personal data on behalf of a Data Fiduciary under a contract (= GDPR "processor") |
29
- | **Data Protection Officer (DPO)** | Individual appointed by a Significant Data Fiduciary as representative before the Board and grievance contact |
30
- | **Digital personal data** | Personal data in digital form |
31
- | **Personal data** | Any data about an individual who is identifiable directly or indirectly from such data |
32
- | **Personal data breach** | Unauthorised processing or accidental disclosure causing loss of confidentiality, integrity, or availability of digital personal data |
33
- | **Processing** | Any automated operation on digital personal data including collection, recording, storage, retrieval, use, sharing, transmission, erasure, and destruction |
34
- | **Significant Data Fiduciary (SDF)** | Data Fiduciary notified by Central Government based on volume/sensitivity, risk to rights, impact on sovereignty, electoral democracy, state security, or public order |
35
- | **Specified purpose** | The purpose mentioned in the Data Fiduciary's notice for which the Data Principal provided personal data |
36
-
37
- ### Section 3 — Application (Territorial Scope)
38
- The Act applies to:
39
- - Processing of digital personal data **within India**, and
40
- - Processing **outside India** if it relates to offering goods or services to individuals
41
- located in India at the time the personal data is collected
42
-
43
- Partial exemption: Processing under contracts with foreign entities of data of
44
- Data Principals **not located in India** is exempt from most obligations (Section 17(g)).
45
-
46
- ---
47
-
48
- ## Chapter II — Obligations of Data Fiduciary (Sections 4–10)
49
-
50
- ### Section 4 — Grounds for Processing Personal Data
51
- Two and only two lawful bases:
52
- - **(a) Consent** as specified in Section 6
53
- - **(b) Certain legitimate uses** as enumerated in Section 7
54
-
55
- No other lawful basis exists. Processing outside these two grounds is unlawful.
56
-
57
- ### Section 5 — Notice to Data Principal
58
- Before or at the time of requesting consent, Data Fiduciaries must provide a notice:
59
- - In clear and plain language (implemented by Rule 3 of DPDP Rules 2025)
60
- - As a standalone, independent document (not bundled in T&Cs)
61
- - Containing: purposes; data categories; recipients; retention period; Data Principal rights; Board complaint mechanism; consent withdrawal procedure
62
-
63
- **Key obligation:** Notice must be retrievable at any time from the Data Fiduciary's platform or website.
64
-
65
- **Existing data (Section 5(2)):** For data collected before the Act's commencement but still being processed, Fiduciaries must provide a notice of the same content within prescribed time after the Act takes effect.
66
-
67
- ### Section 6 — Consent
68
- Consent must be:
69
- - **Free** — not conditioned on acceptance of services
70
- - **Specific** — for a particular specified purpose
71
- - **Informed** — given after receiving the Section 5 notice
72
- - **Unconditional** — no conditions or coercion
73
- - **Unambiguous** — expressed by clear affirmative action
74
-
75
- **Section 6(3):** Consent may be given through a Consent Manager registered by the Board.
76
-
77
- **Section 6(4):** Data Principals may withdraw consent at any time. Ease of withdrawal must match ease of giving consent. Prior processing remains lawful; post-withdrawal processing must stop.
78
-
79
- **Section 6(5):** The burden of proving valid consent lies on the Data Fiduciary.
80
-
81
- **Section 6(6):** Consent obtained in violation of these requirements is void.
82
-
83
- ### Section 7 — Certain Legitimate Uses (Closed List)
84
- Eight enumerated legitimate uses where consent is NOT required:
85
-
86
- 1. Purpose the Data Principal voluntarily provided data for (unless specifically objected)
87
- 2. State benefits, subsidies, services, certificates, licenses, or permits
88
- 3. State functions under Indian law or interests of sovereignty/security/integrity
89
- 4. Legal obligation to disclose to State or its instrumentalities
90
- 5. Employment purposes or safeguarding employer against loss/liability — including prevention of corporate espionage, IP theft, and classified information leakage by employees
91
- 6. Disaster management per the Disaster Management Act, 2005
92
- 7. Medical emergencies and safeguarding individuals during disasters or epidemics
93
- 8. Other prescribed purposes as notified by Central Government
94
-
95
- > **Precision note:** The employment category (Section 7(e)) covers both routine HR processing AND the employer's interest in preventing corporate espionage/IP theft by employees. These are part of a single clause — not separate categories. A prior version of this file incorrectly listed a duplicate "prevention of corporate espionage" as a ninth item; that entry has been removed.
96
-
97
- This list is **exhaustive**. No general "legitimate interests" balancing test.
98
-
99
- ### Section 8 — General Obligations of Data Fiduciary
100
- Every Data Fiduciary must:
101
-
102
- 1. **Appoint Data Processors under contract** — valid written contract per Rule 16
103
- 2. **Ensure data quality** — accuracy, completeness, consistency for data used in decisions or shared with other Fiduciaries
104
- 3. **Implement security safeguards** — appropriate technical and organisational measures per Rule 7
105
- 4. **Erase data** when: purpose fulfilled; consent withdrawn; Data Principal exercises erasure right; retention no longer necessary
106
- 5. **Direct Processors to erase** data upon termination of processing engagement
107
- 6. **Notify personal data breach** to the Board without delay and in detail within 72 hours per Rule 6
108
- 7. **Grievance mechanism** — Establish effective, accessible grievance mechanism and respond within prescribed period
109
-
110
- **Section 8(7) — Retention and Erasure:**
111
- Data Fiduciaries must erase data from their systems and from Processors' systems upon:
112
- - Withdrawal of consent (unless retention required by law)
113
- - Purpose fulfilment
114
- - Section 12(3) erasure request
115
-
116
- ### Section 9 — Processing of Children's Personal Data
117
- **Age threshold:** Under 18 years.
118
-
119
- **Section 9(1):** Verifiable parental/lawful guardian consent required before any child data processing.
120
-
121
- **Section 9(2) — Prohibited processing (no exceptions unless prescribed):**
122
- - Tracking or behavioural monitoring of children
123
- - Targeted advertising directed at children
124
- - Any processing likely to cause detrimental effect on child's well-being
125
-
126
- **Section 9(3) — Exemptions:** May be prescribed for certain classes of Data Fiduciaries (health, safety, education, essential services).
127
-
128
- **Penalty:** Maximum ₹200 crore per violation. One of the highest penalty tiers.
129
-
130
- ### Section 10 — Additional Obligations of Significant Data Fiduciaries
131
-
132
- **Designation:** Central Government notifies entities as SDFs based on:
133
- - Volume and sensitivity of data processed
134
- - Risk of harm to Data Principals' rights
135
- - Impact on India's sovereignty, integrity, security
136
- - Risk to electoral democracy or public order
137
-
138
- **Additional obligations (beyond Section 8):**
139
- - **India-based Data Protection Officer** — individual resident in India; sole Board representative; Data Principal grievance contact
140
- - **Annual Data Protection Impact Assessment (DPIA)** — evaluates compliance, Data Principal rights exercise, safeguard adequacy, large-scale processing risks
141
- - **Annual independent data audit** — by qualified external auditor; report submitted to the Board
142
- - **Data localization** — specified data categories must remain within India (when notified)
143
- - **Comply with any other prescribed measures** as directed by government
144
-
145
- ---
146
-
147
- ## Chapter III — Rights and Duties of Data Principal (Sections 11–15)
148
-
149
- ### Section 11 — Right to Access Information
150
- Data Principals may request, and Data Fiduciaries must provide (within prescribed period):
151
- - Summary of personal data being processed
152
- - Description of the processing activities (purpose, legal basis, duration)
153
- - Identities and contact details of all Data Fiduciaries and Processors holding or processing the data
154
- - Description of personal data shared with each recipient
155
-
156
- ### Section 12 — Right to Correction, Completion, Updating, and Erasure
157
- Data Principals may:
158
- - **(12(1)(a))** Request correction of inaccurate or misleading personal data
159
- - **(12(1)(b))** Request completion of incomplete personal data
160
- - **(12(1)(c))** Request updating of outdated personal data
161
- - **(12(3))** Request erasure of personal data no longer necessary for the specified purpose
162
-
163
- **Limitations on erasure (Section 12(4)):**
164
- Data Fiduciaries may refuse erasure where:
165
- - Retention necessary for the specified purpose
166
- - Retention required by law (statutory record-keeping)
167
- - Retention necessary to enforce/defend legal rights or claims
168
-
169
- ### Section 13 — Right of Grievance Redressal
170
- - Data Principals must have access to an effective grievance mechanism provided by the Data Fiduciary or Consent Manager
171
- - Mechanism must be accessible, responsive, and as prescribed by rules
172
- - Data Fiduciaries must respond within the prescribed timeframe
173
- - **Mandatory exhaustion:** Data Principals must exhaust the Fiduciary's grievance mechanism before filing a complaint with the Data Protection Board
174
-
175
- ### Section 14 — Right to Nominate
176
- Data Principals may nominate an individual to exercise their Section 11, 12, and 13 rights in the event of:
177
- - Death of the Data Principal, or
178
- - Incapacity (defined as unsoundness of mind or infirmity of body rendering the Principal unable to exercise rights)
179
-
180
- Nominees exercise rights as if they were the Data Principal.
181
-
182
- ### Section 15 — Duties of Data Principal
183
- Data Principals must:
184
- - Comply with all applicable laws when exercising rights
185
- - Not register false or frivolous complaints with Fiduciaries or the Board
186
- - Not furnish false particulars or suppress material information
187
- - Not impersonate another individual
188
- - Not misuse their rights to harass Data Fiduciaries
189
-
190
- Breach of these duties: penalty up to **₹10,000** (personal liability).
191
-
192
- ---
193
-
194
- ## Chapter IV — Special Provisions (Sections 16–17)
195
-
196
- ### Section 16 — Transfer of Personal Data Outside India
197
- **Mechanism: Blacklist approach**
198
-
199
- Data Fiduciaries may transfer personal data outside India to **any country or territory**, EXCEPT those specifically **notified by the Central Government as restricted**.
200
-
201
- **Current status (April 2026):** No countries have been notified. All transfers currently permitted.
202
-
203
- **Government notification power:** Central Government may restrict transfers based on national security concerns, weak data protection frameworks, public policy considerations. Monitor MeitY Official Gazette.
204
-
205
- **Operational guidance:**
206
- - Transfers permitted to all countries absent a notification
207
- - Apply contractual safeguards with recipients regardless
208
- - Do not assume permanent unrestricted status; plan for potential future restrictions
209
- - Sensitive data categories: apply enhanced protection even when transfer is technically permitted
210
-
211
- ### Section 17 — Exemptions
212
- Exemptions from Chapters II, III, and Section 16:
213
-
214
- | # | Category | Scope of Exemption |
215
- |---|----------|-------------------|
216
- | (a) | Legal rights enforcement | Processing to enforce legal rights or claims, or defend legal proceedings |
217
- | (b) | Judicial/regulatory functions | Courts, tribunals, regulatory/supervisory bodies in official capacity |
218
- | (c) | Law enforcement | Prevention, detection, investigation, prosecution of offences |
219
- | (d) | State security (notified) | State instrumentalities notified by Central Government — sovereignty, integrity, security, public order, friendly foreign relations |
220
- | (e) | Financial defaults | Financial institutions processing data when individual has defaulted on loan repayment |
221
- | (f) | Research and statistics | Research, archiving, statistical processing — provided individual identity cannot be inferred (anonymisation/pseudonymisation required) |
222
- | (g) | Extra-territorial / foreign contracts | Processing outside India of non-resident Data Principals under contracts with foreign entities |
223
- | (h) | Voluntarily provided (notified) | Data voluntarily provided for notified public benefit purposes |
224
- | (i) | Partial state exemptions | State processing exempt from erasure/correction rights in specific circumstances |
225
- | (j) | Startups and small entities | Central Government may exempt notified classes from sub-sections of Sections 5, 8, 10, 11 |
226
-
227
- ---
228
-
229
- ## Chapter V — Data Protection Board of India (Sections 18–26)
230
-
231
- ### Section 18 — Establishment
232
- Creates the Data Protection Board of India as a **body corporate** with perpetual succession; power to acquire/hold/dispose property; to contract; to sue and be sued.
233
-
234
- ### Section 19 — Composition
235
- - **Chairperson** — Appointed by Central Government; expertise in data governance, IT, cyber law, public administration
236
- - **Members** — Notified number; appointed by Central Government; similar qualification criteria
237
-
238
- ### Section 20–21 — Tenure and Removal
239
- Fixed terms; removal possible only for misconduct, incapacity, or insolvency.
240
-
241
- ### Section 22–23 — Officers, Employees, and Public Servant Status
242
- Board members and officers are **deemed public servants** under Indian Penal Code — enabling criminal liability for breach of duty.
243
-
244
- ### Section 24 — Chairperson's Powers
245
- Executive and administrative powers of the Chairperson including agenda-setting, proceedings management.
246
-
247
- ### Section 25 — Powers and Functions of the Board
248
- - Receive and adjudicate complaints from Data Principals
249
- - Investigate personal data breaches
250
- - Issue financial penalties
251
- - Issue binding compliance directions
252
- - Facilitate alternate dispute resolution
253
- - Accept voluntary undertakings from Data Fiduciaries
254
-
255
- ### Section 26 — Procedure
256
- Board establishes hearing rules including evidence presentation, witness examination, and natural justice (right to be heard, impartial adjudication).
257
-
258
- ---
259
-
260
- ## Chapter VI — Appeals and ADR (Sections 27–32)
261
-
262
- ### Section 27 — Appeal to TDSAT
263
- Orders of the Board may be appealed to the **Telecom Disputes Settlement and Appellate Tribunal (TDSAT)** within prescribed period.
264
-
265
- ### Section 28 — TDSAT Orders Executable as Civil Decree
266
- TDSAT orders have the force of a civil court decree — enforceable through civil execution proceedings.
267
-
268
- ### Section 29 — Alternate Dispute Resolution
269
- Board may facilitate mediation/conciliation between Data Principals and Data Fiduciaries.
270
-
271
- ### Section 30 — Voluntary Undertaking
272
- Data Fiduciaries may offer voluntary undertakings to remedy violations. Board may accept. Breach of voluntary undertaking: penalty up to **₹50 crore**.
273
-
274
- ### Section 31 — Limitation for Filing Complaint
275
- Prescribed time limits for Data Principals to file complaints after becoming aware of a violation.
276
-
277
- ### Section 32 — Protection of Actions Taken in Good Faith
278
- Board members and staff protected from civil/criminal liability for good faith actions.
279
-
280
- ---
281
-
282
- ## Chapter VII — Penalties (Sections 33–34)
283
-
284
- ### Section 33 — Financial Penalties
285
- **Penalty Schedule:**
286
-
287
- | Violation | Maximum Penalty |
288
- |-----------|----------------|
289
- | Failure to implement reasonable security safeguards (Section 8(3)) | ₹250 crore |
290
- | Failure to notify personal data breach to Board (Section 8(6)/Rule 6) | ₹200 crore |
291
- | Violation of children's data obligations (Section 9) | ₹200 crore |
292
- | SDF non-compliance with additional obligations (Section 10) | ₹150 crore |
293
- | Breach of voluntary undertaking (Section 30) | ₹50 crore |
294
- | Other violations | ₹50 crore |
295
- | Data Principal duty violation (false complaints, impersonation) | ₹10,000 |
296
-
297
- **Section 33(2) — Seven factors for penalty determination:**
298
- 1. Nature and gravity of the violation
299
- 2. Scale of impact on Data Principals
300
- 3. Frequency (first-time vs. repeated)
301
- 4. Promptness of remediation and cooperation
302
- 5. Proportionality to violator's financial condition
303
- 6. Intentionality vs. negligence
304
- 7. Other prescribed factors
305
-
306
- ### Section 34 — Crediting of Penalties
307
- All penalty amounts credited to the Consolidated Fund of India.
308
-
309
- ---
310
-
311
- ## Chapter VIII — Miscellaneous (Sections 35–44)
312
-
313
- ### Section 35 — Power to Make Rules
314
- Central Government has plenary power to make rules to carry out the provisions of the Act. Rules subject to Parliament laying (approval/modification by Parliament if tabled).
315
-
316
- ### Section 36–44
317
- Cover: power to give directions; delegation to officers; protection from legal proceedings against the Board; amendments to other laws (IT Act 2000, RTI Act 2005); maintenance of confidentiality; publication of Board procedures; interpretation provisions; repeal and savings.
318
-
319
- **Notable:** Section 43 and 44 amend the **Information Technology Act, 2000** — removing IT Act's data protection provisions (Sections 43A and 72A) and replacing them with DPDPA. This clarifies that DPDPA is the lex specialis for digital personal data; IT Act no longer applies to personal data protection.
1
+ # DPDPA — Section-by-Section Reference
2
+
3
+ Digital Personal Data Protection Act, 2023. Presidential Assent: 11 August 2023.
4
+ 44 Sections across 9 Chapters.
5
+
6
+ ---
7
+
8
+ ## Chapter I — Preliminary (Sections 1–3)
9
+
10
+ ### Section 1 — Short Title, Extent, Commencement and Application
11
+ Establishes the short title: "Digital Personal Data Protection Act, 2023."
12
+ - Extends to the whole of India
13
+ - Commencement by phased notification in the Official Gazette
14
+ - Applies to digital personal data processing within India AND processing outside India
15
+ related to offering goods or services to individuals located in India
16
+
17
+ ### Section 2 — Definitions
18
+ 28 defined terms including:
19
+
20
+ | Term | Definition |
21
+ |------|-----------|
22
+ | **Appellate Tribunal** | Telecom Disputes Settlement and Appellate Tribunal (TDSAT) |
23
+ | **Board** | Data Protection Board of India |
24
+ | **Child** | Individual who has not completed **18 years of age** |
25
+ | **Consent Manager** | Body corporate registered by the Board enabling Data Principals to manage consent across multiple Data Fiduciaries via a single interoperable platform |
26
+ | **Data Fiduciary** | Any person who alone or jointly with others determines the **purpose and means** of processing of digital personal data (= GDPR "controller") |
27
+ | **Data Principal** | The individual to whom the personal data relates (= GDPR "data subject") |
28
+ | **Data Processor** | Any person who processes digital personal data on behalf of a Data Fiduciary under a contract (= GDPR "processor") |
29
+ | **Data Protection Officer (DPO)** | Individual appointed by a Significant Data Fiduciary as representative before the Board and grievance contact |
30
+ | **Digital personal data** | Personal data in digital form |
31
+ | **Personal data** | Any data about an individual who is identifiable directly or indirectly from such data |
32
+ | **Personal data breach** | Unauthorised processing or accidental disclosure causing loss of confidentiality, integrity, or availability of digital personal data |
33
+ | **Processing** | Any automated operation on digital personal data including collection, recording, storage, retrieval, use, sharing, transmission, erasure, and destruction |
34
+ | **Significant Data Fiduciary (SDF)** | Data Fiduciary notified by Central Government based on volume/sensitivity, risk to rights, impact on sovereignty, electoral democracy, state security, or public order |
35
+ | **Specified purpose** | The purpose mentioned in the Data Fiduciary's notice for which the Data Principal provided personal data |
36
+
37
+ ### Section 3 — Application (Territorial Scope)
38
+ The Act applies to:
39
+ - Processing of digital personal data **within India**, and
40
+ - Processing **outside India** if it relates to offering goods or services to individuals
41
+ located in India at the time the personal data is collected
42
+
43
+ Partial exemption: Processing under contracts with foreign entities of data of
44
+ Data Principals **not located in India** is exempt from most obligations (Section 17(g)).
45
+
46
+ ---
47
+
48
+ ## Chapter II — Obligations of Data Fiduciary (Sections 4–10)
49
+
50
+ ### Section 4 — Grounds for Processing Personal Data
51
+ Two and only two lawful bases:
52
+ - **(a) Consent** as specified in Section 6
53
+ - **(b) Certain legitimate uses** as enumerated in Section 7
54
+
55
+ No other lawful basis exists. Processing outside these two grounds is unlawful.
56
+
57
+ ### Section 5 — Notice to Data Principal
58
+ Before or at the time of requesting consent, Data Fiduciaries must provide a notice:
59
+ - In clear and plain language (implemented by Rule 3 of DPDP Rules 2025)
60
+ - As a standalone, independent document (not bundled in T&Cs)
61
+ - Containing: purposes; data categories; recipients; retention period; Data Principal rights; Board complaint mechanism; consent withdrawal procedure
62
+
63
+ **Key obligation:** Notice must be retrievable at any time from the Data Fiduciary's platform or website.
64
+
65
+ **Existing data (Section 5(2)):** For data collected before the Act's commencement but still being processed, Fiduciaries must provide a notice of the same content within prescribed time after the Act takes effect.
66
+
67
+ ### Section 6 — Consent
68
+ Consent must be:
69
+ - **Free** — not conditioned on acceptance of services
70
+ - **Specific** — for a particular specified purpose
71
+ - **Informed** — given after receiving the Section 5 notice
72
+ - **Unconditional** — no conditions or coercion
73
+ - **Unambiguous** — expressed by clear affirmative action
74
+
75
+ **Section 6(3):** Consent may be given through a Consent Manager registered by the Board.
76
+
77
+ **Section 6(4):** Data Principals may withdraw consent at any time. Ease of withdrawal must match ease of giving consent. Prior processing remains lawful; post-withdrawal processing must stop.
78
+
79
+ **Section 6(5):** The burden of proving valid consent lies on the Data Fiduciary.
80
+
81
+ **Section 6(6):** Consent obtained in violation of these requirements is void.
82
+
83
+ ### Section 7 — Certain Legitimate Uses (Closed List)
84
+ Eight enumerated legitimate uses where consent is NOT required:
85
+
86
+ 1. Purpose the Data Principal voluntarily provided data for (unless specifically objected)
87
+ 2. State benefits, subsidies, services, certificates, licenses, or permits
88
+ 3. State functions under Indian law or interests of sovereignty/security/integrity
89
+ 4. Legal obligation to disclose to State or its instrumentalities
90
+ 5. Employment purposes or safeguarding employer against loss/liability — including prevention of corporate espionage, IP theft, and classified information leakage by employees
91
+ 6. Disaster management per the Disaster Management Act, 2005
92
+ 7. Medical emergencies and safeguarding individuals during disasters or epidemics
93
+ 8. Other prescribed purposes as notified by Central Government
94
+
95
+ > **Precision note:** The employment category (Section 7(e)) covers both routine HR processing AND the employer's interest in preventing corporate espionage/IP theft by employees. These are part of a single clause — not separate categories. A prior version of this file incorrectly listed a duplicate "prevention of corporate espionage" as a ninth item; that entry has been removed.
96
+
97
+ This list is **exhaustive**. No general "legitimate interests" balancing test.
98
+
99
+ ### Section 8 — General Obligations of Data Fiduciary
100
+ Every Data Fiduciary must:
101
+
102
+ 1. **Appoint Data Processors under contract** — valid written contract per Rule 16
103
+ 2. **Ensure data quality** — accuracy, completeness, consistency for data used in decisions or shared with other Fiduciaries
104
+ 3. **Implement security safeguards** — appropriate technical and organisational measures per Rule 7
105
+ 4. **Erase data** when: purpose fulfilled; consent withdrawn; Data Principal exercises erasure right; retention no longer necessary
106
+ 5. **Direct Processors to erase** data upon termination of processing engagement
107
+ 6. **Notify personal data breach** to the Board without delay and in detail within 72 hours per Rule 6
108
+ 7. **Grievance mechanism** — Establish effective, accessible grievance mechanism and respond within prescribed period
109
+
110
+ **Section 8(7) — Retention and Erasure:**
111
+ Data Fiduciaries must erase data from their systems and from Processors' systems upon:
112
+ - Withdrawal of consent (unless retention required by law)
113
+ - Purpose fulfilment
114
+ - Section 12(3) erasure request
115
+
116
+ ### Section 9 — Processing of Children's Personal Data
117
+ **Age threshold:** Under 18 years.
118
+
119
+ **Section 9(1):** Verifiable parental/lawful guardian consent required before any child data processing.
120
+
121
+ **Section 9(2) — Prohibited processing (no exceptions unless prescribed):**
122
+ - Tracking or behavioural monitoring of children
123
+ - Targeted advertising directed at children
124
+ - Any processing likely to cause detrimental effect on child's well-being
125
+
126
+ **Section 9(3) — Exemptions:** May be prescribed for certain classes of Data Fiduciaries (health, safety, education, essential services).
127
+
128
+ **Penalty:** Maximum ₹200 crore per violation. One of the highest penalty tiers.
129
+
130
+ ### Section 10 — Additional Obligations of Significant Data Fiduciaries
131
+
132
+ **Designation:** Central Government notifies entities as SDFs based on:
133
+ - Volume and sensitivity of data processed
134
+ - Risk of harm to Data Principals' rights
135
+ - Impact on India's sovereignty, integrity, security
136
+ - Risk to electoral democracy or public order
137
+
138
+ **Additional obligations (beyond Section 8):**
139
+ - **India-based Data Protection Officer** — individual resident in India; sole Board representative; Data Principal grievance contact
140
+ - **Annual Data Protection Impact Assessment (DPIA)** — evaluates compliance, Data Principal rights exercise, safeguard adequacy, large-scale processing risks
141
+ - **Annual independent data audit** — by qualified external auditor; report submitted to the Board
142
+ - **Data localization** — specified data categories must remain within India (when notified)
143
+ - **Comply with any other prescribed measures** as directed by government
144
+
145
+ ---
146
+
147
+ ## Chapter III — Rights and Duties of Data Principal (Sections 11–15)
148
+
149
+ ### Section 11 — Right to Access Information
150
+ Data Principals may request, and Data Fiduciaries must provide (within prescribed period):
151
+ - Summary of personal data being processed
152
+ - Description of the processing activities (purpose, legal basis, duration)
153
+ - Identities and contact details of all Data Fiduciaries and Processors holding or processing the data
154
+ - Description of personal data shared with each recipient
155
+
156
+ ### Section 12 — Right to Correction, Completion, Updating, and Erasure
157
+ Data Principals may:
158
+ - **(12(1)(a))** Request correction of inaccurate or misleading personal data
159
+ - **(12(1)(b))** Request completion of incomplete personal data
160
+ - **(12(1)(c))** Request updating of outdated personal data
161
+ - **(12(3))** Request erasure of personal data no longer necessary for the specified purpose
162
+
163
+ **Limitations on erasure (Section 12(4)):**
164
+ Data Fiduciaries may refuse erasure where:
165
+ - Retention necessary for the specified purpose
166
+ - Retention required by law (statutory record-keeping)
167
+ - Retention necessary to enforce/defend legal rights or claims
168
+
169
+ ### Section 13 — Right of Grievance Redressal
170
+ - Data Principals must have access to an effective grievance mechanism provided by the Data Fiduciary or Consent Manager
171
+ - Mechanism must be accessible, responsive, and as prescribed by rules
172
+ - Data Fiduciaries must respond within the prescribed timeframe
173
+ - **Mandatory exhaustion:** Data Principals must exhaust the Fiduciary's grievance mechanism before filing a complaint with the Data Protection Board
174
+
175
+ ### Section 14 — Right to Nominate
176
+ Data Principals may nominate an individual to exercise their Section 11, 12, and 13 rights in the event of:
177
+ - Death of the Data Principal, or
178
+ - Incapacity (defined as unsoundness of mind or infirmity of body rendering the Principal unable to exercise rights)
179
+
180
+ Nominees exercise rights as if they were the Data Principal.
181
+
182
+ ### Section 15 — Duties of Data Principal
183
+ Data Principals must:
184
+ - Comply with all applicable laws when exercising rights
185
+ - Not register false or frivolous complaints with Fiduciaries or the Board
186
+ - Not furnish false particulars or suppress material information
187
+ - Not impersonate another individual
188
+ - Not misuse their rights to harass Data Fiduciaries
189
+
190
+ Breach of these duties: penalty up to **₹10,000** (personal liability).
191
+
192
+ ---
193
+
194
+ ## Chapter IV — Special Provisions (Sections 16–17)
195
+
196
+ ### Section 16 — Transfer of Personal Data Outside India
197
+ **Mechanism: Blacklist approach**
198
+
199
+ Data Fiduciaries may transfer personal data outside India to **any country or territory**, EXCEPT those specifically **notified by the Central Government as restricted**.
200
+
201
+ **Current status (April 2026):** No countries have been notified. All transfers currently permitted.
202
+
203
+ **Government notification power:** Central Government may restrict transfers based on national security concerns, weak data protection frameworks, public policy considerations. Monitor MeitY Official Gazette.
204
+
205
+ **Operational guidance:**
206
+ - Transfers permitted to all countries absent a notification
207
+ - Apply contractual safeguards with recipients regardless
208
+ - Do not assume permanent unrestricted status; plan for potential future restrictions
209
+ - Sensitive data categories: apply enhanced protection even when transfer is technically permitted
210
+
211
+ ### Section 17 — Exemptions
212
+ Exemptions from Chapters II, III, and Section 16:
213
+
214
+ | # | Category | Scope of Exemption |
215
+ |---|----------|-------------------|
216
+ | (a) | Legal rights enforcement | Processing to enforce legal rights or claims, or defend legal proceedings |
217
+ | (b) | Judicial/regulatory functions | Courts, tribunals, regulatory/supervisory bodies in official capacity |
218
+ | (c) | Law enforcement | Prevention, detection, investigation, prosecution of offences |
219
+ | (d) | State security (notified) | State instrumentalities notified by Central Government — sovereignty, integrity, security, public order, friendly foreign relations |
220
+ | (e) | Financial defaults | Financial institutions processing data when individual has defaulted on loan repayment |
221
+ | (f) | Research and statistics | Research, archiving, statistical processing — provided individual identity cannot be inferred (anonymisation/pseudonymisation required) |
222
+ | (g) | Extra-territorial / foreign contracts | Processing outside India of non-resident Data Principals under contracts with foreign entities |
223
+ | (h) | Voluntarily provided (notified) | Data voluntarily provided for notified public benefit purposes |
224
+ | (i) | Partial state exemptions | State processing exempt from erasure/correction rights in specific circumstances |
225
+ | (j) | Startups and small entities | Central Government may exempt notified classes from sub-sections of Sections 5, 8, 10, 11 |
226
+
227
+ ---
228
+
229
+ ## Chapter V — Data Protection Board of India (Sections 18–26)
230
+
231
+ ### Section 18 — Establishment
232
+ Creates the Data Protection Board of India as a **body corporate** with perpetual succession; power to acquire/hold/dispose property; to contract; to sue and be sued.
233
+
234
+ ### Section 19 — Composition
235
+ - **Chairperson** — Appointed by Central Government; expertise in data governance, IT, cyber law, public administration
236
+ - **Members** — Notified number; appointed by Central Government; similar qualification criteria
237
+
238
+ ### Section 20–21 — Tenure and Removal
239
+ Fixed terms; removal possible only for misconduct, incapacity, or insolvency.
240
+
241
+ ### Section 22–23 — Officers, Employees, and Public Servant Status
242
+ Board members and officers are **deemed public servants** under Indian Penal Code — enabling criminal liability for breach of duty.
243
+
244
+ ### Section 24 — Chairperson's Powers
245
+ Executive and administrative powers of the Chairperson including agenda-setting, proceedings management.
246
+
247
+ ### Section 25 — Powers and Functions of the Board
248
+ - Receive and adjudicate complaints from Data Principals
249
+ - Investigate personal data breaches
250
+ - Issue financial penalties
251
+ - Issue binding compliance directions
252
+ - Facilitate alternate dispute resolution
253
+ - Accept voluntary undertakings from Data Fiduciaries
254
+
255
+ ### Section 26 — Procedure
256
+ Board establishes hearing rules including evidence presentation, witness examination, and natural justice (right to be heard, impartial adjudication).
257
+
258
+ ---
259
+
260
+ ## Chapter VI — Appeals and ADR (Sections 27–32)
261
+
262
+ ### Section 27 — Appeal to TDSAT
263
+ Orders of the Board may be appealed to the **Telecom Disputes Settlement and Appellate Tribunal (TDSAT)** within prescribed period.
264
+
265
+ ### Section 28 — TDSAT Orders Executable as Civil Decree
266
+ TDSAT orders have the force of a civil court decree — enforceable through civil execution proceedings.
267
+
268
+ ### Section 29 — Alternate Dispute Resolution
269
+ Board may facilitate mediation/conciliation between Data Principals and Data Fiduciaries.
270
+
271
+ ### Section 30 — Voluntary Undertaking
272
+ Data Fiduciaries may offer voluntary undertakings to remedy violations. Board may accept. Breach of voluntary undertaking: penalty up to **₹50 crore**.
273
+
274
+ ### Section 31 — Limitation for Filing Complaint
275
+ Prescribed time limits for Data Principals to file complaints after becoming aware of a violation.
276
+
277
+ ### Section 32 — Protection of Actions Taken in Good Faith
278
+ Board members and staff protected from civil/criminal liability for good faith actions.
279
+
280
+ ---
281
+
282
+ ## Chapter VII — Penalties (Sections 33–34)
283
+
284
+ ### Section 33 — Financial Penalties
285
+ **Penalty Schedule:**
286
+
287
+ | Violation | Maximum Penalty |
288
+ |-----------|----------------|
289
+ | Failure to implement reasonable security safeguards (Section 8(3)) | ₹250 crore |
290
+ | Failure to notify personal data breach to Board (Section 8(6)/Rule 6) | ₹200 crore |
291
+ | Violation of children's data obligations (Section 9) | ₹200 crore |
292
+ | SDF non-compliance with additional obligations (Section 10) | ₹150 crore |
293
+ | Breach of voluntary undertaking (Section 30) | ₹50 crore |
294
+ | Other violations | ₹50 crore |
295
+ | Data Principal duty violation (false complaints, impersonation) | ₹10,000 |
296
+
297
+ **Section 33(2) — Seven factors for penalty determination:**
298
+ 1. Nature and gravity of the violation
299
+ 2. Scale of impact on Data Principals
300
+ 3. Frequency (first-time vs. repeated)
301
+ 4. Promptness of remediation and cooperation
302
+ 5. Proportionality to violator's financial condition
303
+ 6. Intentionality vs. negligence
304
+ 7. Other prescribed factors
305
+
306
+ ### Section 34 — Crediting of Penalties
307
+ All penalty amounts credited to the Consolidated Fund of India.
308
+
309
+ ---
310
+
311
+ ## Chapter VIII — Miscellaneous (Sections 35–44)
312
+
313
+ ### Section 35 — Power to Make Rules
314
+ Central Government has plenary power to make rules to carry out the provisions of the Act. Rules subject to Parliament laying (approval/modification by Parliament if tabled).
315
+
316
+ ### Section 36–44
317
+ Cover: power to give directions; delegation to officers; protection from legal proceedings against the Board; amendments to other laws (IT Act 2000, RTI Act 2005); maintenance of confidentiality; publication of Board procedures; interpretation provisions; repeal and savings.
318
+
319
+ **Notable:** Section 43 and 44 amend the **Information Technology Act, 2000** — removing IT Act's data protection provisions (Sections 43A and 72A) and replacing them with DPDPA. This clarifies that DPDPA is the lex specialis for digital personal data; IT Act no longer applies to personal data protection.