Where Policy Is Made. Where Compliance Starts.
Delhi is where India’s DPDP Rules, 2025 were notified on 13 November 2025 and where the Data Protection Board will be constituted ahead of the 13 May 2027 commencement.
Delhi enterprises face a unique compliance dynamic. The DPDPA Rules will be notified by MeitY, a Delhi institution. The Data Protection Board will be constituted in Delhi. The organisations closest to where standards are set have the least excuse for non-compliance.
Delhi Sector DPDPA Risk Matrix
Delhi’s economic profile (heavy government vendor presence, a large EdTech market, and an IT-ITES corridor) creates distinct DPDPA exposure that differs from Mumbai or Bengaluru.
Central ministries are among the largest processors of citizen personal data in India. DPDPA exemptions for state data processing are narrow and conditional — not blanket.
₹250 Cr maximum penalty for vendors and processors engaged by government
Aadhaar-linked data processing, e-governance portals, and citizen benefit delivery systems sit within DPDPA’s scope for private sector vendors and processors engaged by government entities.
Delhi is India’s largest EdTech consumer market. Student data — including data of minors — faces the highest DPDPA penalty category at ₹200 crore maximum penalty.
₹200 Cr maximum penalty for children’s data without parental consent
Most EdTech platforms running personalised learning algorithms are tracking minors without verifiable parental consent. The behavioural tracking prohibition under DPDPA is absolute for children’s data.
Delhi NCR hosts India’s largest concentration of private hospital groups. Health data is among the most sensitive personal data categories under DPDPA and demands the highest safeguard standard.
₹250 Cr maximum penalty for health data security breach
Digital health records, telemedicine platforms, and patient management systems are processing sensitive health data without DPDPA-compliant consent architecture. Most were built before the Act was notified.
The Delhi NCR tech corridor — Gurgaon, Noida, Faridabad — hosts thousands of IT and ITES companies processing data of Indian and global clients. These entities are Data Processors under DPDPA.
₹10 Cr maximum penalty as Data Processors + client contractual liability
IT companies processing personal data for foreign clients are subject to DPDPA regardless of where the data originates. Most IT sector legal teams are treating this as a GDPR-only issue. DPDPA applies independently.
PSUs in telecom, energy, banking, and infrastructure process vast volumes of employee and customer personal data. DPDPA obligations apply to PSUs operating in competitive or commercial sectors.
₹200 Cr maximum penalty for breach notification failure
The boundary between government-exempt processing and commercially-covered processing is not clearly understood in most PSU legal departments. Most PSUs are not DPDPA exempt.
The AMLEGALS Delhi Advantage
Policy Proximity
Delhi is where India’s DPDP Rules, 2025 were notified by MeitY on 13 November 2025, and where every subsequent direction, Data Protection Board order and enforcement standard will originate. AMLEGALS Delhi tracks every MeitY circular, DPB constitution step and adjudication signal, giving clients advance intelligence on how the 13 May 2027 enforcement regime will actually operate.
Government & PSU Advisory
DPDPA obligations on private sector vendors and processors engaged by government entities are the most complex and least understood compliance question in Delhi. AMLEGALS has mapped this intersection in depth.
EdTech & Children’s Data
Delhi NCR’s EdTech sector faces the highest-risk DPDPA category — children’s data. AMLEGALS advises EdTech platforms on DPDPA-compliant consent architecture for student data and parental verification systems.
Regulatory Representation
The Data Protection Board will be constituted in Delhi. AMLEGALS will represent enterprises before the Board from its Delhi office — providing continuity from compliance advisory through enforcement defence.
Six Practices Built for Delhi’s DPDPA Context
Government Vendor DPDPA Advisory
Mapping DPDPA obligations for private sector companies engaged as vendors, processors, or technology partners by Central Government ministries and PSUs.
EdTech Children’s Data Programme
DPDPA-compliant consent architecture and age verification systems for EdTech platforms — addressing the ₹200 Cr exposure from children’s data processing without parental consent.
Healthcare Data Governance
DPDPA compliance for hospital groups, diagnostic chains, and health-tech platforms — covering health data consent, processor agreements with labs and TPAs, and breach protocols.
IT Sector Data Processor Advisory
DPDPA obligations for IT and ITES companies processing personal data for domestic and foreign clients — including DPA clause retrofitting for existing client contracts.
Data Protection Board Representation
Regulatory representation before the Data Protection Board from AMLEGALS Delhi — from show cause response through inquiry, hearing, and High Court appeal if required.
DPDPA Rules Monitoring & Advisory
Monthly intelligence on DPDPA Rules drafts, MeitY consultations, and regulatory signals — delivered as actionable legal briefings for Delhi enterprises and their boards.