India data protection and privacy
India's privacy obligations now combine the DPDP Act and Rules, DPB India, RBI payment-data storage, and FIU recordkeeping requirements.
Privacy control stack
Privacy framework
The DPDP Act, 2023 is the general law for digital personal data. It applies to digital personal data processed in India and also to processing outside India where goods or services are offered to individuals in India.
The operational layer now includes the DPDP Rules, 2025, the partial commencement notification, and the Data Protection Board of India notification. The result is a phased implementation profile rather than a single go-live date for all duties.
DPDP obligations do not displace sectoral storage and retention rules. Payment-system data covered by the RBI storage requirement must still be stored only in India, and FIU-IND still requires VDA reporting entities to keep AML identity and transaction records for at least five years.
Privacy matrix
| Topic | Rule | Operational effect |
|---|---|---|
| General privacy law | DPDP Act, 2023. | Rights and obligations baseline. |
| Rules and timing | DPDP Rules, 2025 and commencement notification. | Phased implementation rather than one-date commencement. |
| Board process | DPB India notification. | Authority layer for the DPDP framework. |
| Payment-data storage | RBI storage FAQ. | India-only storage requirement for payment-system data. |
| AML retention | FIU Guidelines, 2026. | Keep identity and AML records for at least five years. |
| Cross-border transfers | DPDP Rules, 2025. | Remain subject to central-government requirements under the DPDP framework. |