Why Understanding Scope Matters Before Anything Else
Before an organisation invests in consent management platforms, appoints a Data Protection Officer, or redesigns its privacy notices, it must answer a threshold question: does the DPDPA apply to us? Section 3 answers this question by defining the material and territorial scope of the Act. Getting this analysis wrong has serious consequences in both directions. If you incorrectly conclude the Act does not apply, you risk penalties of up to two hundred and fifty crore rupees for non-compliance. If you over-apply the Act to data processing activities that are actually exempt, you waste resources and impose unnecessary friction on your business. This post provides a rigorous analysis of Section 3, covering every limb of the provision with practical examples drawn from common business scenarios across e-commerce, SaaS, financial services, healthcare, and government operations.
Section 3(a): Processing of Digital Personal Data Within India
The first limb of Section 3 establishes that the Act applies to the processing of digital personal data within the territory of India. This covers two scenarios explicitly. First, personal data collected in digital form - meaning data that originates in digital format. When a customer fills out a registration form on your website, submits an order through your mobile app, or interacts with your chatbot, the data is born digital. Second, personal data collected in non-digital form and subsequently digitised - meaning data originally captured on paper, through verbal communication, or in any analogue format that is later converted to digital form. When a hospital transcribes handwritten patient intake forms into its Electronic Health Record system, or when a bank scans KYC documents and stores them digitally, that digitised data falls squarely within the DPDPA's scope. The critical trigger is not how data is collected but whether it exists in digital form at the point of processing.
- Born-digital data: online forms, app interactions, IoT sensor data, API payloads, cookies, and device identifiers
- Digitised data: scanned paper forms, transcribed call recordings, photographed identity documents stored electronically
- The Act applies regardless of whether data is processed manually or through automated means, as long as it is in digital form
Section 3(b): Extraterritorial Application - Processing Outside India
Section 3(b) extends the DPDPA's reach beyond Indian borders. The Act applies to the processing of digital personal data outside India if such processing is in connection with any activity related to offering goods or services to Data Principals within India. This extraterritorial provision means that a SaaS company headquartered in the United States that sells subscription software to Indian businesses and collects personal data of Indian employees through its platform must comply with the DPDPA. A European e-commerce marketplace that ships products to Indian customers and processes their names, addresses, and payment details is subject to the Act. A Singaporean fintech company offering lending services to Indian borrowers through a mobile app falls within scope. The test is not where the organisation is incorporated or where its servers are located - it is whether the processing activity connects to offering goods or services to people in India. Passive availability of a website, without active targeting, may not trigger this provision, but any deliberate targeting - pricing in Indian rupees, advertising in India, or offering India-specific services - will.
What Counts as 'Offering Goods or Services' to Data Principals in India
The phrase 'offering goods or services' is not defined in the Act itself, but its interpretation will likely draw from established jurisprudence and analogous provisions in the GDPR. Factors that indicate deliberate targeting of Indian Data Principals include maintaining an India-specific website or domain (such as .in), displaying prices in Indian rupees, offering customer support in Indian languages, running marketing campaigns targeted at Indian audiences through Indian media or platforms, having an Indian subsidiary or business presence, accepting Indian payment methods such as UPI or RuPay, and referencing Indian regulatory frameworks in terms of service. Conversely, the mere fact that an Indian individual can access a global website and make a purchase does not automatically bring that website within scope. The distinction between passive accessibility and active targeting will be critical in borderline cases. Organisations operating globally should conduct a targeting analysis for each product or service line to determine whether the DPDPA applies.
- India-specific domain, INR pricing, or regional language content signals active targeting
- Acceptance of UPI, RuPay, or India-specific payment methods signals targeting
- Mere global availability without India-specific features likely does not trigger extraterritorial scope
- Marketing campaigns directed at Indian audiences, even through global platforms, constitute targeting
What the DPDPA Does Not Apply To - Exclusions and Carve-Outs
Section 3 must be read alongside other provisions that carve out specific exclusions from the Act's scope. Section 17(2) provides that the Central Government may exempt certain Data Fiduciaries or classes of Data Fiduciaries from any provision of the Act in the interest of the sovereignty and integrity of India, security of the State, friendly relations with foreign States, maintenance of public order, or preventing incitement to any cognisable offence. The Act explicitly does not apply to personal data processed by an individual for any personal or domestic purpose. If you maintain a personal contact list, family photo album, or household budget spreadsheet, the DPDPA does not regulate that activity. Additionally, the Act does not apply to personal data that is made publicly available by the Data Principal themselves or by any other person under a legal obligation. The Act also carves out data processed in connection with judicial or quasi-judicial functions. These exclusions are narrow and should not be stretched beyond their statutory language.
- Personal or domestic processing by individuals is excluded
- Data made publicly available by the Data Principal or under legal obligation is excluded
- State security and sovereignty exemptions exist under Section 17(2) but require government notification
- Non-digital data that is never digitised remains outside DPDPA scope entirely
Practical Compliance Scenarios - Who Must Comply
To make Section 3 concrete, consider the following scenarios.
- An Indian e-commerce startup collecting customer names, addresses, and payment details through its website and mobile app is clearly within scope under Section 3(a) - digital personal data processed within India.
- A US-based HR software provider whose Indian clients use the platform to store employee records falls within scope under Section 3(b) - processing outside India in connection with offering services to Indian Data Principals.
- A European pharmaceutical company conducting clinical trials in India and collecting patient health data in paper case report forms that are later digitised falls within scope - non-digital data that is subsequently digitised.
- A Japanese gaming company whose online game is accessible to Indian users but has no India-specific pricing, language support, or marketing likely falls outside scope - passive global availability without active targeting.
- An Indian government department processing Aadhaar data for social welfare scheme delivery falls within scope but may benefit from exemptions under Section 17.
Each organisation must perform this scoping analysis before building its compliance programme.
The Digitisation Trigger - When Offline Data Enters Scope
One of the most practically significant aspects of Section 3 is the inclusion of data collected in non-digital form and subsequently digitised. This means that vast quantities of historical data - paper records, physical forms, handwritten notes - enter the DPDPA's scope the moment they are digitised. Consider a hospital that has maintained paper patient records for decades and decides to implement an Electronic Health Record system. The moment those paper records are scanned, transcribed, or otherwise converted to digital format, the resulting digital personal data falls within the DPDPA. The hospital must then comply with all applicable provisions - providing notice, ensuring a lawful basis for processing, implementing security safeguards, and enabling Data Principal rights. Similarly, a company digitising its employee HR files, a law firm scanning client documents, or a government agency converting land records to digital format all trigger DPDPA obligations at the point of digitisation. Organisations planning digitisation projects must build DPDPA compliance into their project plans from the outset.
Interaction with Other Indian Laws and Global Frameworks
Section 3 does not operate in a vacuum. The DPDPA coexists with the Information Technology Act, 2000, sectoral regulations from the RBI, SEBI, IRDAI, and TRAI, and India's evolving data governance framework. Where sectoral regulators impose additional data protection requirements - such as RBI's data localisation mandate for payment data - those requirements supplement, rather than replace, the DPDPA. Organisations must comply with both. Internationally, organisations subject to both the DPDPA and the GDPR will find significant overlap but also important differences. The DPDPA's scope is narrower in that it covers only digital personal data, whereas the GDPR covers all personal data regardless of format. However, the DPDPA's extraterritorial reach is functionally similar to Article 3 of the GDPR. Multinational companies should map their DPDPA and GDPR obligations side by side to identify gaps and avoid duplicative compliance efforts. Kraver.ai's cross-regulatory mapping feature is designed precisely for this multi-framework compliance challenge.
How Kraver.ai Helps
Determining whether the DPDPA applies to your organisation - and to which specific data processing activities - requires a systematic analysis that many businesses struggle to perform manually. Kraver.ai's scoping assessment module walks your team through a structured questionnaire calibrated to Section 3, evaluating your data collection channels, geographic footprint, data types, and processing activities. The platform automatically flags processing activities that fall within scope, identifies those that are excluded, and highlights borderline cases that require legal review. For multinational organisations, Kraver.ai maps DPDPA scope alongside GDPR, CCPA, and other applicable frameworks so you can see exactly which regulations apply to each data processing activity in a single unified dashboard. Our continuous monitoring engine also detects when new data processing activities - such as launching an India-facing website or digitising paper records - bring previously out-of-scope operations into the DPDPA's reach. Start your free scoping assessment today.