DPDPA Compliance Explained Through Real-Life Sector Scenario
Introduction
India’s Digital Personal Data Protection Act (DPDPA) 2023 is now the central law governing how organisations collect, store, process, share, and retain personal data. It applies to every business, regardless of size or sector, as long as they handle personal information such as names, phone numbers, ID documents, biometric data, financial details, location, or online behaviour.
However, most organisations still struggle with one key question:
“Does DPDPA apply to us, and how?”
The answer becomes clear when we look at real-life sector situations. Whether you run a hospital, a software company, an e-commerce startup, a school, a hotel, a travel agency, or a manufacturing plant, you fall under DPDPA if you collect or process personal data.
This guide breaks down real-world scenarios across multiple sectors and shows:
- What data is being collected
- Who is the Data Fiduciary and who is the Data Processor
- Why DPDPA applies
- What responsibilities each role carries
Key Definitions
Data Principal
The individual whose personal data is collected.
Examples:
- A patient
- A customer
- A student
- An employee
- A user of an app
They are the “owner” of their data under DPDPA.
Data Fiduciary
The organisation that determines why and how personal data will be processed.
Examples:
- A hospital
- A bank
- An e-commerce company
- A school
- A mobile app
- A hotel
The Data Fiduciary is responsible for compliance.
Data Processor
An organisation that processes data on behalf of a Data Fiduciary, without deciding anything about purpose or usage.
Examples:
- BPO call centre working for a telecom company
- SaaS CRM storing customer leads for a client
- IT outsourcing company processing HR data
- Diagnostic lab processing tests for hospitals
Processors follow instructions and maintain logs, but do not own the data.
Why Sector Use Cases Matter
Different industries handle different types of personal data, some basic, some sensitive, some legally mandatory to retain. Each sector has unique:
- Data workflows
- Retention obligations
- Third-party interactions
- Consent requirements
- Security expectations
Understanding real use cases makes it clear how DPDPA applies in day-to-day operations, not just legally but practically.
SECTOR-WISE USE CASES But Not Limited To
1. Healthcare Sector (Hospitals, Clinics, Labs, Telemedicine)
Healthcare handles some of the most sensitive personal data: medical history, prescriptions, reports, ID proofs, biometrics. Because of this, hospitals and diagnostic centres have some of the highest compliance responsibilities plus mandatory medical retention rules.
| Use Case | Fiduciary / Processor | Why DPDPA Applies |
|---|---|---|
|
The hospital collects patient details (medical history, Aadhaar, reports) and stores records even after discharge. |
Hospital = Data Fiduciary |
Handles highly sensitive health data; legal retention obligations apply. |
|
The diagnostic lab collects samples & phone numbers, sends digital reports, retains logs. |
Lab = Data Fiduciary |
Processes health data; must maintain logs and secure report delivery. |
|
Telemedicine platform collects symptoms, call recordings, prescriptions. |
Telemedicine App = Data Fiduciary |
Handles sensitive digital health data; must justify data retention. |
|
Govt hospitals store patient case sheets long-term. |
Govt Hospital = Data Fiduciary |
Health laws override deletion rights; statutory retention applies. |
Healthcare organisations often store data for years, sometimes decades, depending on state medical council rules. DPDPA allows this, but requires hospitals to:
- Maintain purpose limitation
- Secure sensitive data
- Provide rights to patients wherever legally feasible
- Delete ancillary data when no longer needed
Since healthcare data is highly sensitive, breaches can attract higher penalties.
2. Banking & Financial Services (Banks, NBFCs, Fintech, Tax Advisors)
This industry handles identification (ID), financial statements, credit history, and transaction records, all of which are considered sensitive.
| Use Case | Fiduciary / Processor | Why DPDPA Applies |
|---|---|---|
|
Bank collects KYC (Aadhaar, PAN, address proof); retains after account closure. |
Bank = Data Fiduciary |
RBI/NBFC laws mandate retention; DPDPA still requires secure handling. |
|
Lending a fintech app collects PAN, salary slip, repayment history. |
Fintech = Data Fiduciary |
Handles financial & identity data; must justify profiling activities. |
|
CA firm stores tax data, statements, financial records. |
CA Firm = Data Fiduciary |
Legal and audit retention overrides deletion requests. |
3. IT, SaaS & Outsourcing (BPO, CRM, Cloud Platforms, Tech Services)
Tech companies process massive amounts of customer, employee, and third-party data. Their role depends entirely on who decides the purpose of processing.
| Use Case | Fiduciary / Processor | Why DPDPA Applies |
|---|---|---|
|
SaaS CRM stores customer leads & contact lists for clients. |
Client = Fiduciary;
CRM = Processor |
CRM stores data on behalf of clients; must delete after the contract ends. |
|
BPO records customer service calls for telecom firms. |
Telecom = Fiduciary; BPO = Processor |
BPO must not use data for any purpose other than instruction sets. |
|
Mobile app collects location/camera permissions & login data. |
App Company = Data Fiduciary |
Controls how permissions are used; must ensure minimum retention. |
|
The SOC team monitors login logs, IP addresses, user activity for a company. |
Company = Data Fiduciary |
Security logs must be retained for at least one year. |
Nearly every IT company becomes a Data Processor at least once. This makes Data Processing Agreements (DPAs) essential and legally mandatory under DPDPA.
4. Education (Schools, Colleges, Coaching Centres)
Education institutions hold personal and sensitive data about minors, including addresses, ID proofs, medical information, and academic performance.
| Use Case | Fiduciary / Processor | Why DPDPA Applies |
|---|---|---|
|
School stores student records, parent contacts, medical info. |
School = Data Fiduciary
|
School processes children’s data; consent must be obtained from parents/guardians, not the student. |
|
Coaching centre collects parent phone numbers for updates. |
Coaching Centre = Data Fiduciary |
Coaching centre collects data of minors; consent must come from parents. |
Key Point:
For students below 18 years, consent must come from a parent or lawful guardian. The school/coaching centre must also verify the parent’s identity before collecting or processing the child’s data.
Since children’s data attracts higher penalties under DPDPA, schools and coaching centres must:
- Ensure parental consent
- Restrict profiling
- Securely handle and transfer student records
- Delete when operationally no longer needed
5. Travel & Mobility (Bus Operators, Airlines, Ride Apps, Travel Agents)
Travel businesses collect identification, location data, and itinerary information, all considered sensitive when misused.
| Use Case | Fiduciary / Processor | Why DPDPA Applies |
|---|---|---|
|
Bus operator collects name, phone, boarding point. |
Bus Operator = Data Fiduciary |
Must retain booking logs for minimum one year. |
|
Ride-hailing app tracks live location during trip. |
Ride App = Data Fiduciary |
Must not store location longer than operationally necessary. |
|
Travel agency collects passport details for bookings. |
Travel Agency = Data Fiduciary |
Passport data requires secure handling; sensitive ID processing. |
Travel firms often share passenger data with hotels, airlines, and government systems. This makes third-party contracts and secure data transfers critical.
6. Retail, E-Commerce & Hospitality
Retailers and hotels commonly collect names, phone numbers, addresses, and ID proofs.
| Use Case | Fiduciary / Processor | Why DPDPA Applies |
|---|---|---|
|
E-commerce site stores address & phone for deliveries. |
E-commerce = Data Fiduciary |
Must retain order logs for at least one year. |
|
Grocery delivery app collects customer names, phone numbers, addresses. |
Grocery delivery app = Data Fiduciary |
Even small businesses must delete unnecessary customer data. |
|
Hotel scans guest ID (Aadhaar, passport) at check-in. |
Hotel = Data Fiduciary |
Govt mandates ID retention; must ensure secure storage. |
Small businesses often assume DPDPA doesn’t apply, but it does. Even a small Instagram seller collecting addresses becomes a Data Fiduciary.
7. Manufacturing & Workplace
Workplaces collect personal employee data for payroll, attendance, visitor management, and security.
| Use Case | Fiduciary / Processor | Why DPDPA Applies |
|---|---|---|
|
Company collects biometric attendance of employees. |
Company = Data Fiduciary |
Biometric data is sensitive; strict retention and security required. |
|
Visitor management system logs name, ID, entry/exit time. |
Company = Data Fiduciary |
Security logs must be stored for audits for at least one year. |
Manufacturing companies often operate CCTV systems and biometric systems — both involve sensitive data requiring strong security.
8. Government & Public Services
Government bodies frequently collect personal data for public services, registration, and compliance.
| Use Case | Fiduciary / Processor | Why DPDPA Applies |
|---|---|---|
|
Municipal corporation collects citizen records (property tax, certificates, complaints). |
Municipal Body = Data Fiduciary |
Statutory retention overrides deletion requests. |
Government bodies get partial exemptions under DPDPA because they process data for public functions such as welfare delivery, law enforcement, and issuing certificates. They may not need consent and may retain data even if a citizen requests deletion when the law requires it. However, these exemptions do not remove their responsibility. Government departments must still secure citizen data, prevent unauthorized access, and ensure the data is used only for the intended public purpose. For example, a municipal body may keep property tax records but must still protect the database from misuse or leakage.
9. Legal & Forensic Services
Law firms store extremely sensitive documents and evidence.
| Use Case | Fiduciary / Processor | Why DPDPA Applies |
|---|---|---|
|
Lawyer stores case files, financial data, client documents. |
Lawyer = Data Fiduciary |
Legal retention requirements apply. |
|
Forensics company accesses personal data during investigation. |
Forensics Firm = Processor (for Govt) |
Must maintain logs; sensitive processing under government rules. |
Legal entities must store files for several years based on statutory requirements. DPDPA allows this but expects strict security.
Conclusion
The DPDPA applies to any organisation that collects, stores, or processes personal data, irrespective of size, employee count, or industry. Whether you operate a hospital, a fintech app, a school, a retail store, a travel agency, or a small home business, you become a Data Fiduciary if you decide how and why data is used.
Understanding real-life sector scenarios helps organisations:
- Identify their role (Fiduciary vs Processor)
- Understand what data they hold
- Clarify why DPDPA applies
- Assess business risks
- Implement proper retention, deletion, and consent mechanisms
- Strengthen contracts with processors
- Build trust with customers
DPDPA is not just a legal requirement, it is a framework for responsible data governance. Organisations that adopt compliance early will not only avoid penalties but also build long-term customer confidence and operational resilience.
At ComplyPlanet, we help you build exactly that with legal, operational, and technical expertise to ensure your organization is DPDPA compliant, credible, and future-ready.