Back to Details

dpdpa-compliance

Compare original and translation side by side

🇺🇸

Original

English
🇨🇳

Translation

Chinese

DPDPA Compliance Skill for Coding Agents

面向编码Agent的DPDPA合规技能

India's Digital Personal Data Protection Act, 2023 (DPDPA) governs the processing of digital personal data. This skill helps coding agents audit existing codebases, implement compliant features, suggest remediation for violations, and provide guidance on organizational obligations that go beyond code.
印度的2023年《数字个人数据保护法》(DPDPA)规范了数字个人数据的处理。此技能可帮助编码Agent审计现有代码库、实施合规功能、针对违规问题提出修复方案,并提供超出代码范畴的组织义务相关指导。

Quick Context: Who Does DPDPA Apply To?

快速背景:DPDPA适用于哪些对象?

Any person (company, app, service) that processes digital personal data of individuals in India, whether collected digitally or digitized from non-digital form. It also applies to processing outside India if connected to offering goods/services to Data Principals in India.
Key roles:
  • Data Fiduciary — determines purpose and means of processing (your app/company)
  • Data Processor — processes data on behalf of a Data Fiduciary (your vendors, cloud providers)
  • Data Principal — the individual whose data is being processed (your users)
  • Significant Data Fiduciary — notified by Central Government based on volume, sensitivity, risk
任何处理印度境内个人数字个人数据的主体(公司、应用、服务),无论数据是通过数字方式收集还是从非数字形式数字化而来。如果处理行为与向印度境内的Data Principal提供商品/服务相关,即使在印度境外进行处理也适用。
关键角色:
  • Data Fiduciary — 决定数据处理的目的和方式(即您的应用/公司)
  • Data Processor — 代表Data Fiduciary处理数据(即您的供应商、云服务商)
  • Data Principal — 其数据被处理的个人(即您的用户)
  • Significant Data Fiduciary — 由中央政府根据数据量、敏感性、风险等因素指定的主体

How to Use This Skill

如何使用此技能

This skill operates in three modes. Pick the one that matches the user's request:
此技能有三种模式,选择与用户请求匹配的模式:

Mode 1: Compliance Audit

模式1:合规审计

When the user asks to "audit", "check", "review", or "scan" their app for DPDPA compliance.
  1. Read 
    references/audit-checklist.md
    for the full checklist
  2. Systematically walk through the codebase examining each compliance area
  3. For each finding, report: the section of DPDPA violated, the file/line, severity (Critical / High / Medium / Low), and a concrete remediation with code
  4. Produce a summary report at the end with pass/fail counts per category
Audit categories (in priority order):
  • Consent collection and management
  • Notice/disclosure to Data Principals
  • Data retention and erasure
  • Security safeguards
  • Breach notification mechanisms
  • Children's data protections
  • Data Principal rights (access, correction, erasure, grievance, nomination)
  • Cross-border data transfer controls
  • Data Processor oversight
当用户要求“审计”、“检查”、“评审”或“扫描”其应用的DPDPA合规性时使用。
  1. 阅读
    references/audit-checklist.md
    获取完整检查清单
  2. 系统地遍历代码库,检查每个合规领域
  3. 对于每个发现,报告:违反的DPDPA条款、文件/行号、严重程度(Critical / High / Medium / Low),以及带有代码的具体修复方案
  4. 最后生成一份汇总报告,包含每个类别的通过/失败数量
审计类别(按优先级排序):
  • 同意收集与管理
  • 向Data Principal发出通知/披露信息
  • 数据保留与擦除
  • 安全保障措施
  • 泄露通知机制
  • 儿童数据保护
  • Data Principal权利(访问、更正、擦除、申诉、指定代理人)
  • 跨境数据传输控制
  • Data Processor监督

Mode 2: Implementation

模式2:实施

When the user asks to "implement", "add", "build", or "create" DPDPA-compliant features.
  1. Read 
    references/implementation-patterns.md
    for framework-specific patterns
  2. Identify which DPDPA obligations apply to the requested feature
  3. Generate production-ready code with inline comments referencing DPDPA sections
  4. Include database migrations, API endpoints, and UI components as needed
  5. Add tests that verify compliance behavior
当用户要求“实施”、“添加”、“构建”或“创建”符合DPDPA要求的功能时使用。
  1. 阅读
    references/implementation-patterns.md
    获取特定框架的模式
  2. 确定请求的功能适用哪些DPDPA义务
  3. 生成带有内联注释(引用DPDPA条款)的生产级代码
  4. 根据需要包含数据库迁移、API端点和UI组件
  5. 添加验证合规行为的测试

Mode 3: Guidance

模式3:指导

When the task involves organizational, legal, or process obligations that cannot be solved purely in code.
  1. Read 
    references/organizational-guidelines.md
  2. Clearly explain what falls outside the application scope
  3. Provide actionable recommendations the user can take to their legal/compliance team
  4. Where possible, suggest tooling or process automation that can help
当任务涉及无法仅通过代码解决的组织、法律或流程义务时使用。
  1. 阅读
    references/organizational-guidelines.md
  2. 明确说明哪些内容超出应用范围
  3. 向用户提供可采取的、可提交给其法律/合规团队的可行建议
  4. 尽可能推荐有助于实现合规的工具或流程自动化方案

Core DPDPA Obligations — Quick Reference

核心DPDPA义务——快速参考

Use this to quickly identify which sections are relevant to a given task.
使用此部分快速确定给定任务相关的条款。

1. Lawful Processing (Section 3-4)

1. 合法处理(第3-4条)

Personal data may only be processed with valid consent OR for legitimate uses.
Consent requirements — all must be met:
  • Free (no bundling with unrelated terms)
  • Specific (to a stated purpose)
  • Informed (clear, plain language notice given)
  • Unconditional (no coercion)
  • Unambiguous (clear affirmative action — no pre-ticked boxes)
  • Limited to data necessary for the specified purpose
What to look for in code:
  • Pre-checked consent checkboxes → violation
  • Consent buried in Terms of Service → violation
  • Collecting data beyond what's needed for the stated purpose → violation
  • No mechanism to withdraw consent → violation
  • Withdrawal harder than giving consent → violation
个人数据只能在获得有效同意或出于合法用途的情况下进行处理。
同意要求——必须全部满足:
  • 自愿(不得与无关条款捆绑)
  • 具体(针对明确说明的目的)
  • 知情(提供清晰、通俗易懂的通知)
  • 无条件(无胁迫)
  • 明确(需明确的肯定操作——不得预先勾选复选框)
  • 仅限于实现指定目的所需的数据
代码中需要检查的内容:
  • 预先勾选的同意复选框 → 违规
  • 同意条款隐藏在服务条款中 → 违规
  • 收集超出指定目的所需的数据 → 违规
  • 无撤回同意的机制 → 违规
  • 撤回同意比给予同意更困难 → 违规

2. Notice (Section 5)

2. 通知(第5条)

Before or at the time of collecting data, provide notice containing:
  • Description of personal data being collected and purpose
  • How to exercise rights (withdrawal, correction, erasure)
  • How to file a complaint with the Data Protection Board
What to look for in code:
  • Data collection without prior notice display → violation
  • Notice not in clear, plain language → violation
  • Missing grievance/complaint mechanism → violation
在收集数据之前或之时,提供包含以下内容的通知:
  • 收集的个人数据描述及处理目的
  • 如何行使权利(撤回、更正、擦除)
  • 如何向数据保护委员会提交投诉
代码中需要检查的内容:
  • 收集数据前未显示通知 → 违规
  • 通知内容不清晰、不通俗易懂 → 违规
  • 缺少申诉/投诉机制 → 违规

3. Legitimate Uses Without Consent (Section 6)

3. 无需同意的合法用途(第6条)

Processing is allowed without consent for:
  • Voluntarily provided data where processing is reasonably expected
  • Employment-related purposes
  • Legal compliance (court orders, judgments)
  • Medical emergencies
  • Epidemics or public health threats
  • Disaster response or public order breakdown
What to look for in code:
  • Ensure the legal basis is documented in code comments or config
  • Don't rely on "legitimate use" as a blanket bypass — scope it narrowly
在以下情况下可无需同意处理数据:
  • 自愿提供的数据,且处理是合理预期的
  • 与雇佣相关的目的
  • 合规要求(法院命令、判决)
  • 医疗紧急情况
  • 流行病或公共卫生威胁
  • 灾难响应或公共秩序崩溃
代码中需要检查的内容:
  • 确保合法依据在代码注释或配置中有记录
  • 不要将“合法用途”作为全面绕过同意要求的借口——应严格限定范围

4. Data Fiduciary Obligations (Section 7)

4. Data Fiduciary义务(第7条)

  • Ensure accuracy and completeness of data used for decisions
  • Implement reasonable security safeguards
  • Notify the Board AND each affected Data Principal of breaches
  • Erase data when no longer needed (unless legal retention required)
  • Publish contact info of Data Protection Officer or responsible person
What to look for in code:
  • No encryption at rest or in transit → violation
  • No breach detection/notification system → violation
  • No data retention policy or auto-deletion → violation
  • No DPO contact displayed → violation
  • 确保用于决策的数据准确、完整
  • 实施合理的安全保障措施
  • 向委员会及每个受影响的Data Principal通知数据泄露事件
  • 当数据不再需要时将其擦除(除非法律要求保留)
  • 公布Data Protection Officer或负责人的联系信息
代码中需要检查的内容:
  • 未在静态存储或传输过程中加密 → 违规
  • 无数据泄露检测/通知系统 → 违规
  • 无数据保留政策或自动删除机制 → 违规
  • 未显示DPO联系方式 → 违规

5. Children's Data (Section 8)

5. 儿童数据(第8条)

Critical — penalties up to Rs. 200 crore:
  • Obtain verifiable parental/guardian consent before processing
  • Never process data that could detrimentally affect a child's well-being
  • No tracking, behavioural monitoring, or targeted advertising for children
What to look for in code:
  • No age verification gate → violation
  • Tracking/analytics on children's sections without parental consent → violation
  • Ad targeting based on children's data → violation
关键——最高罚款可达20亿卢比:
  • 处理前获得可验证的父母/监护人同意
  • 不得处理可能损害儿童福祉的数据
  • 不得对儿童进行跟踪、行为监控或定向广告
代码中需要检查的内容:
  • 无年龄验证关卡 → 违规
  • 未获得父母同意就在儿童专区进行跟踪/分析 → 违规
  • 基于儿童数据进行广告定向 → 违规

6. Data Principal Rights (Sections 11-14)

6. Data Principal权利(第11-14条)

Implement mechanisms for:
  • Right to access — confirmation of processing, summary of data, list of recipients
  • Right to correction — fix inaccurate/misleading data
  • Right to erasure — delete data (unless legally required to retain)
  • Right to grievance redressal — respond within prescribed period
  • Right to nominate — designate someone to exercise rights after death/incapacity
What to look for in code:
  • No self-service data export/download → gap
  • No correction/update mechanism beyond profile edit → gap
  • No account deletion flow → violation
  • No grievance submission endpoint → violation
实施以下机制:
  • 访问权 — 确认处理情况、数据摘要、接收方列表
  • 更正权 — 修正不准确/误导性的数据
  • 擦除权 — 删除数据(除非法律要求保留)
  • 申诉救济权 — 在规定期限内响应
  • 指定代理人权 — 指定某人在其死亡/无行为能力后行使权利
代码中需要检查的内容:
  • 无自助式数据导出/下载功能 → 缺口
  • 除了资料编辑外无更正/更新机制 → 缺口
  • 无账户删除流程 → 违规
  • 无申诉提交端点 → 违规

7. Significant Data Fiduciary Obligations (Section 10)

7. Significant Data Fiduciary义务(第10条)

If designated as SDF by the Central Government:
  • Appoint a Data Protection Officer based in India
  • Conduct periodic Data Protection Impact Assessments
  • Appoint independent data auditor
  • Undertake periodic audits
What to look for in code:
  • No audit logging → gap
  • No DPIA tooling integration → gap
如果被中央政府指定为SDF:
  • 任命位于印度的Data Protection Officer
  • 定期开展数据保护影响评估(Data Protection Impact Assessments)
  • 任命独立数据审计师
  • 定期进行审计
代码中需要检查的内容:
  • 无审计日志 → 缺口
  • 未集成DPIA工具 → 缺口

8. Cross-Border Transfer (Section 16)

8. 跨境数据传输(第16条)

The Central Government may restrict transfer to specific countries. Until notified, transfers are generally permitted, but good practice is:
  • Document where data flows
  • Implement controls to restrict transfer to blocked territories when notified
  • Maintain a data flow map
中央政府可能限制向特定国家传输数据。在规则公布前,一般允许传输,但最佳实践是:
  • 记录数据流向
  • 当规则公布后,实施控制措施以限制向受限地区传输
  • 维护数据流向图

9. Penalties (Section 21 — The Schedule)

9. 罚款(第21条——附表)

BreachMaximum Penalty
Children's data obligations (Section 8)Rs. 200 crore
Security safeguards failure (Section 7c)Rs. 250 crore
Breach notification failure (Section 7d)Rs. 200 crore
General Data Fiduciary obligationsRs. 250 crore
Significant Data Fiduciary obligationsRs. 150 crore
Data Principal duty violationsRs. 10,000
Other non-complianceRs. 50 crore
违规行为最高罚款
违反儿童数据义务(第8条)20亿卢比
安全保障措施失效(第7c条)25亿卢比
未履行泄露通知义务(第7d条)20亿卢比
违反一般Data Fiduciary义务25亿卢比
违反Significant Data Fiduciary义务15亿卢比
违反Data Principal义务10,000卢比
其他不合规行为5亿卢比

Audit Report Format

审计报告格式

When producing an audit report, use this structure:
undefined
生成审计报告时,使用以下结构:
undefined

DPDPA Compliance Audit Report

DPDPA合规审计报告

Summary

摘要

  • Total findings: N
  • Critical: N | High: N | Medium: N | Low: N
  • Compliance score: X/100
  • 总发现数:N
  • 严重:N | 高:N | 中:N | 低:N
  • 合规得分:X/100

Findings

发现情况

[SEVERITY] Finding Title

[严重程度] 发现标题

  • DPDPA Section: Section X — Description
  • Location: 
    path/to/file.ts:line
  • Issue: What is wrong
  • Risk: What could happen (including penalty exposure)
  • Remediation: Step-by-step fix with code
  • DPDPA条款: 第X条 — 描述
  • 位置: 
    path/to/file.ts:line
  • 问题: 存在的问题
  • 风险: 可能造成的后果(包括罚款风险)
  • 修复方案: 分步修复指南及代码

Organizational Recommendations

组织层面建议

(Items that require process/policy changes, not code changes)
(需要流程/政策变更而非代码变更的事项)

Out-of-Scope Notes

超出范围说明

(Items that require legal counsel or government interaction)
undefined
(需要法律顾问或与政府互动的事项)
undefined

Reference Files

参考文件

Read these when you need deeper guidance:
  • references/audit-checklist.md
    — Detailed 50+ point checklist for systematic auditing
  • references/implementation-patterns.md
    — Code patterns for Node.js, Python, React, React Native, Laravel, and database schemas
  • references/organizational-guidelines.md
    — Non-code obligations, DPO requirements, DPIA guidance, breach response playbook
  • references/dpdpa-full-text.md
    — Complete Act text for precise section references
需要更深入指导时阅读以下文件:
  • references/audit-checklist.md
    — 包含50+项的详细系统检查清单
  • references/implementation-patterns.md
    — 适用于Node.js、Python、React、React Native、Laravel的代码模式及数据库架构
  • references/organizational-guidelines.md
    — 非代码义务、DPO要求、DPIA指南、泄露响应手册
  • references/dpdpa-full-text.md
    — 完整法案文本,用于精确引用条款

Important Notes

重要说明

  • DPDPA is still awaiting rules from the Central Government on many operational details (consent manager registration, breach notification format, cross-border restrictions). Flag this to users when relevant — recommend they monitor the Ministry of Electronics and IT for rule notifications.
  • This skill provides technical compliance guidance, not legal advice. Always recommend users consult qualified legal counsel for definitive compliance opinions.
  • When in doubt about whether something violates the Act, err on the side of caution and flag it as a potential issue.
  • DPDPA的许多操作细节(同意管理器注册、泄露通知格式、跨境限制)仍在等待中央政府出台规则。当相关时,向用户指出这一点——建议他们关注电子和信息技术部的规则通知。
  • 此技能提供技术合规指导,而非法律建议。始终建议用户咨询合格的法律顾问以获取明确的合规意见。
  • 若不确定某事项是否违反法案,应谨慎处理,并将其标记为潜在问题。