📋 DPDP Act Document Templates

Below are structured templates for key compliance documents. Adapt these to your client's specific context. Each template lists the sections that must be included — fill in organisation-specific details during implementation.

Consent Notice Template (Section 5 & 6)

1. Identity and contact details of the Data Fiduciary (company name, registered address, contact email)
2. Categories of personal data being collected (list each category: name, email, phone, etc.)
3. Purpose of processing for each data category (be specific: 'to deliver your order' not 'to improve services')
4. How the Data Principal can exercise rights: access, correction, erasure, grievance
5. Grievance Officer contact details (name, designation, email, address)
6. Right to file a complaint with the Data Protection Board of India
7. How to withdraw consent (clear instructions, link to preference centre)
8. Details of any cross-border data transfers
9. Retention period for each category of data
10. Language selection (English + applicable scheduled languages)

Data Processing Agreement (DPA) Template

1. Definitions — Data Fiduciary, Data Processor, Personal Data, Processing, Data Breach (aligned with DPDP Act)
2. Scope of processing — what data, for what purpose, for how long
3. Processor obligations — process only on documented instructions of the Fiduciary
4. Security measures — encryption, access controls, audit logging (minimum standards)
5. Sub-processor restrictions — prior written consent required, flow-down of obligations
6. Breach notification — Processor must notify Fiduciary within 24-48 hours of discovery
7. Data Principal rights assistance — Processor must help Fiduciary fulfil access/correction/erasure requests
8. Audit rights — Fiduciary can audit Processor's compliance with the DPA
9. Data return and deletion — upon termination, return or securely delete all personal data
10. Liability and indemnification — penalty pass-through for Processor-caused breaches
11. Cross-border transfer restrictions — Processor must not transfer data outside India to restricted countries
12. Term, termination, and survival clauses

Data Principal Rights Request Form

1. Requestor details — full name, contact information, account/customer ID (for identity verification)
2. Type of request — Access / Correction / Erasure / Grievance / Nomination
3. Details of request — specific data concerned, reason for request
4. For Correction requests — current incorrect data and correct data to be substituted
5. For Erasure requests — confirmation of consent withdrawal (if applicable)
6. For Nomination requests — nominee details and relationship to Data Principal
7. Identity verification — upload government ID or answer security questions
8. Declaration — requestor confirms information provided is true (per Section 15 duties)
9. Submission confirmation — unique reference number and expected response timeline

Breach Notification Template — DPBI

1. Data Fiduciary details — name, registration number (if applicable), DPO contact
2. Nature of the breach — what happened, how it was discovered, timeline of events
3. Categories and approximate number of Data Principals affected
4. Categories and approximate volume of personal data records affected
5. Likely consequences of the breach for Data Principals
6. Measures taken to contain and mitigate the breach
7. Measures taken to address the breach and prevent recurrence
8. Contact details for further information
9. Timeline — when breach occurred, when detected, when contained

Breach Notification Template — Data Principals

1. Plain-language description of what happened (no technical jargon)
2. What personal data was affected (be specific)
3. What the organisation has done to address the breach
4. What the Data Principal should do to protect themselves (change passwords, monitor accounts, etc.)
5. Contact details for further information and the Grievance Officer
6. Right to file a complaint with the Data Protection Board of India
7. Available in English and the Data Principal's preferred scheduled language

Data Protection Impact Assessment (DPIA) Template

1. Assessment details — date, assessor, processing activity under review
2. Description of the processing — what data, what purpose, what technology, what volume
3. Necessity and proportionality assessment — is this the minimum data needed? Are there less intrusive alternatives?
4. Risk identification — what could go wrong for Data Principals (unauthorized access, inaccuracy, discrimination, loss of autonomy)?
5. Risk assessment — likelihood and impact rating for each identified risk (High/Medium/Low matrix)
6. Mitigation measures — what controls are in place or planned to reduce each risk
7. Residual risk assessment — what risk remains after mitigation
8. Stakeholder consultation — input from Data Principals, DPO, security team
9. Decision and sign-off — proceed, proceed with conditions, or halt processing
10. Review schedule — when will this DPIA be reviewed next

Record of Processing Activities (ROPA) Template

1. Processing activity name and ID
2. Department / business function responsible
3. Description of processing activity
4. Categories of Data Principals (customers, employees, vendors, children)
5. Categories of personal data processed
6. Purpose of processing
7. Lawful basis — Consent (with reference to consent record) or Certain Legitimate Use (with Section 7 sub-section)
8. Retention period and deletion schedule
9. Recipients of data (internal departments and external third parties)
10. Cross-border transfers (destination country and safeguards)
11. Security measures applied
12. Whether children's data is processed (Yes/No — if Yes, additional requirements apply)
13. Date of last review

Employee Privacy Notice Template

1. Identity of the Data Fiduciary (employer details)
2. Categories of employee personal data processed (PAN, Aadhaar, bank details, health records, performance data)
3. Purposes of processing — payroll, benefits, statutory compliance, performance management, workplace safety
4. Lawful basis — employment contract and legal obligations (Section 7 legitimate uses)
5. Third parties with whom employee data is shared (payroll processor, insurance provider, government agencies)
6. Retention periods for different categories of employee data
7. Employee rights under DPDP Act — access, correction, erasure, grievance
8. Grievance Officer contact details
9. Cross-border transfer information (if applicable, e.g., global HRIS systems)

Consent Withdrawal Acknowledgement Template

1. Confirmation of receipt of withdrawal request (date, reference number)
2. Scope of withdrawal — which processing purposes are affected
3. Consequences of withdrawal — what services or features will no longer be available
4. Timeline for cessation of processing and data erasure
5. Confirmation that withdrawal does not affect the lawfulness of processing done prior to withdrawal
6. Data that will be retained under legal obligations despite the withdrawal (with explanation)
7. Grievance Officer contact for any concerns about the withdrawal process

Vendor Data Protection Assessment Questionnaire

1. Vendor details — company name, registered address, contact person
2. Description of personal data processing performed by vendor
3. Security measures — encryption standards, access controls, incident response capabilities
4. Sub-processors used — list all sub-processors and their locations
5. Cross-border data transfer practices — where is data stored and processed?
6. Breach notification capabilities — internal detection and notification timelines
7. Data retention and deletion practices — what happens to data on contract termination?
8. Compliance certifications — ISO 27001, SOC 2, or other relevant certifications
9. Employee training — does the vendor train staff on data protection?
10. Previous incidents — has the vendor experienced any data breaches in the past 3 years?