Data Consent Form (India)
DATA CONSENT FORM
This Data Consent Form is issued under the Digital Personal Data Protection Act 2023 (DPDP Act 2023) and the Information Technology Act 2000. Date: [Consent Date].
DATA FIDUCIARY: [Fiduciary Name], [Fiduciary Address]. Data Protection/Grievance Contact: [DPO Contact].
DATA PRINCIPAL: [Principal Name], Email: [Principal Email], Phone: [Principal Phone].
1. NOTICE (Section 5, DPDP Act 2023)
1.1 Categories of personal data collected: [Data Categories].
1.2 Purposes of processing: [Processing Purposes].
1.3 Third parties with whom data will be shared: [Third Party Sharing].
1.4 Retention period: [Retention Period].
2. CONSENT (Section 6, DPDP Act 2023)
2.1 Having received and read the notice in Clause 1 above, the Data Principal gives free, specific, informed, unconditional, and unambiguous consent to the collection and processing of their personal data as described above.
2.2 The Data Principal understands that they may withdraw this consent at any time by contacting [DPO Contact]. Withdrawal of consent will not affect the lawfulness of processing carried out before withdrawal.
2.3 This consent is given by clear affirmative action (signature below) as required by Section 6 of the DPDP Act 2023.
3. DATA PRINCIPAL RIGHTS (Chapter III, DPDP Act 2023)
3.1 The Data Principal has the following rights under the DPDP Act 2023: (a) Right to access information about personal data being processed (Section 11); (b) Right to correction, completion, update, or erasure of personal data (Section 12); (c) Right to grievance redressal — complaints may be directed to [DPO Contact] and thereafter to the Data Protection Board of India (Section 13); (d) Right to nominate another individual to exercise rights on their behalf in case of death or incapacity (Section 14); and (e) Right to withdraw consent at any time (Section 6(4)).
4. GOVERNING LAW
4.1 This consent form is governed by the Digital Personal Data Protection Act 2023, the Information Technology Act 2000, and the Indian Contract Act 1872. Any dispute regarding data processing shall be addressed first through the Data Fiduciary's grievance mechanism and thereafter before the Data Protection Board of India.
5. EXECUTION
The Data Principal confirms that they have read and understood this consent form and give their consent freely and voluntarily on [Consent Date].
Data Principal
________________
Signature
Data Fiduciary Representative
________________
Signature
What Is a Data Consent Form (India)?
A Data Consent Form in India confirms in writing the permission or release granted and the rights given up or relied on as a result.
India's data protection environment has undergone a fundamental transformation with the enactment of the DPDP Act 2023. For the first time, India has a standalone, thorough personal data protection statute that imposes specific obligations on Data Fiduciaries and grants enforceable rights to Data Principals. The Act applies to the processing of digital personal data within India, and to the processing outside India if it involves offering goods or services to persons within India.
The DPDP Act 2023's consent framework under Section 6 requires that consent be free, specific, informed, unconditional, and unambiguous — given through a clear affirmative action. This means that pre-ticked boxes, bundled consent, and consent obtained as a condition of accessing unrelated services will no longer be legally valid. Organisations must redesign their consent collection processes to meet the new standard.
A Data Consent Form in compliance with the DPDP Act 2023 must: be preceded by a notice under Section 5 that clearly describes the personal data to be processed and the purposes; use plain language accessible to a person of ordinary intelligence; provide separate, granular consents for different processing purposes; clearly state the Data Principal's right to withdraw consent; and disclose the contact details of the Data Protection Officer (if appointed) or the grievance mechanism.
The legal framework governing the Data Consent Form (India) in India draws on several key statutes and regulatory bodies. Under Indian law, the Indian Contract Act 1872 governs contractual obligations, with Section 10 setting essential requirements for valid agreements. The Companies Act 2013 regulates corporate entities through the Registrar of Companies (ROC) and Ministry of Corporate Affairs (MCA). The Industrial Disputes Act 1947 and state labour commissioners govern employment disputes. The Information Technology Act 2000 and IT (Reasonable Security Practices) Rules 2011 protect personal data. The Income Tax Act 1961 and Goods and Services Tax Act 2017 govern tax obligations through the Central Board of Direct Taxes (CBDT) and GST Council. Parties executing a Data Consent Form (India) in India should confirm the document reflects current law, including any amendments enacted since the original drafting date. The Indian Contract Act, 1872 sets the foundational requirements.
When Do You Need a Data Consent Form (India)?
A Data Consent Form is needed by any organisation or individual in India that collects and processes personal data from individuals, where consent is the chosen legal basis for processing.
You need a Data Consent Form when collecting personal information from customers, clients, or users for marketing purposes. Under the DPDP Act 2023, sending marketing communications (email, SMS, WhatsApp) based on personal data requires valid, specific consent for marketing — it cannot be bundled into general terms of service.
You need a Data Consent Form when building a database of users, subscribers, or registered members. Whether you run a website, mobile app, e-commerce platform, or subscription service, collecting personal data from users requires a legally compliant consent mechanism.
You need a Data Consent Form when processing employee data beyond what is strictly necessary for employment. Employee data processing for HR purposes may fall within the 'legitimate uses' exceptions under the DPDP Act 2023, but data processing for additional purposes (wellness programmes, surveys, third-party benefit providers) requires consent.
You need a Data Consent Form when sharing personal data with third parties — partners, vendors, analytics providers, or advertising platforms. Each sharing relationship should be disclosed in the consent form, and consent should be obtained for each third-party category.
You need a Data Consent Form when collecting data from children (under 18 years). The DPDP Act 2023 requires verifiable parental consent before any personal data of a child is processed.
The India Data Consent Form (India) form is also needed when processing health, financial, biometric, or other sensitive categories of personal data — where the sensitivity of the data warrants a specific, clearly communicated consent.
Parties in India should prepare a Data Consent Form (India) proactively rather than waiting for a dispute to arise. Courts interpret agreements based on the written terms rather than oral representations. Under Indian law, the Indian Contract Act 1872 governs contractual obligations, with Section 10 setting essential requirements for valid agreements. The Companies Act 2013 regulates corporate entities through the Registrar of Companies (ROC) and Ministry of Corporate Affairs (MCA). The Industrial Disputes Act 1947 and state labour commissioners govern employment disputes. The Information Technology Act 2000 and IT (Reasonable Security Practices) Rules 2011 protect personal data. The Income Tax Act 1961 and Goods and Services Tax Act 2017 govern tax obligations through the Central Board of Direct Taxes (CBDT) and GST Council. Where the transaction involves regulated activities, prior approval from the relevant authority may be required before execution.
What to Include in Your Data Consent Form (India)
A well-drafted India Data Consent Form compliant with the DPDP Act 2023 should contain the following essential elements.
Data Fiduciary Identity: Full name, registered address, and contact details (including Data Protection Officer contact, if appointed) of the organisation collecting the data.
Data Principal Identity: Name and contact details of the individual giving consent. For children, the parent or guardian's details.
Personal Data Collected: A specific list of the categories of personal data being collected — name, contact details, financial information, health data, biometric data, location data, device identifiers, etc. Vague descriptions like 'any information you provide' are insufficient.
Purpose of Processing: Each purpose for which the data will be used, described specifically and separately. Consent should be granular — a separate affirmative act for each distinct purpose (e.g., service delivery, marketing, analytics, third-party sharing).
Data Sharing: Identification of third parties with whom the data will be shared, and the purposes of such sharing.
Retention Period: The period for which the data will be retained, or the criteria used to determine the retention period.
Data Principal Rights: A clear statement of the Data Principal's rights under the DPDP Act 2023 — access, correction, erasure, withdrawal of consent, and right to nominate.
Withdrawal Mechanism: How the Data Principal can withdraw consent, and the consequences of withdrawal.
Grievance Mechanism: Contact details for raising complaints about data processing.
Affirmative Consent: A clear opt-in action — tick box, signature, or other unambiguous affirmative act — for each processing purpose.
Additional compliance elements for a Data Consent Form (India) used in India include: Under Indian law, the Indian Contract Act 1872 governs contractual obligations, with Section 10 setting essential requirements for valid agreements. The Companies Act 2013 regulates corporate entities through the Registrar of Companies (ROC) and Ministry of Corporate Affairs (MCA). The Industrial Disputes Act 1947 and state labour commissioners govern employment disputes. The Information Technology Act 2000 and IT (Reasonable Security Practices) Rules 2011 protect personal data. The Income Tax Act 1961 and Goods and Services Tax Act 2017 govern tax obligations through the Central Board of Direct Taxes (CBDT) and GST Council. Forms-legal.com provides this template as a starting point for India-compliant documentation.
Cite this page
Reference this free template in an article, syllabus, or research note:
Forms Legal. (2026). Data Consent Form (India) (India) [Legal document template]. Forms Legal. https://forms-legal.com/india/personal/consent/data-consent-form-india
"Data Consent Form (India) (India)." Forms Legal, 2026, https://forms-legal.com/india/personal/consent/data-consent-form-india.
@misc{formslegal-data-consent-form-india,
author = {{Forms Legal}},
title = {Data Consent Form (India) (India)},
year = {2026},
howpublished = {\url{https://forms-legal.com/india/personal/consent/data-consent-form-india}},
note = {Free legal document template. Based on Indian Contract Act, 1872}
}
Frequently Asked Questions
The Digital Personal Data Protection Act 2023 (DPDP Act 2023) establishes specific requirements for valid consent by a Data Principal (the individual whose data is processed) to a Data Fiduciary (the entity processing the data). These requirements are set out in Section 6 of the Act and represent a significant strengthening of India's data protection framework compared to the earlier Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 under the IT Act 2000. Under Section 6 of the DPDP Act 2023, consent must be: (1) Free — given voluntarily, without coercion, undue influence, or making the provision of a service conditional on consent to data processing that is not necessary for that service; (2) Specific — relating to a specific purpose of processing personal data that has been clearly described to the Data Principal; (3) Informed — the Data Principal must be given a notice (in accordance with Section 5 of the Act) describing the personal data to be processed, the purposes of processing, and the Data Principal's rights, before consent is sought; (4) Unconditional — consent must not be bundled with unrelated terms or given as an all-or-nothing proposition where specific consents should be separable; and (5) Unambiguous — given through a clear affirmative action (an opt-in), not through pre-ticked boxes, silence, or inactivity.
Indian data protection law distinguishes between 'personal data' and categories of data that attract heightened protection. Understanding this distinction is critical for any organisation operating in India. Under the DPDP Act 2023, 'personal data' is defined in Section 2(t) as 'any data about an individual who is identifiable by or in relation to such data.' This is a broad definition covering any information — including names, addresses, email addresses, phone numbers, financial details, location data, online identifiers, and any other data that can identify a natural person, whether directly or indirectly. The DPDP Act 2023 does not yet separately define 'sensitive personal data' but grants the Central Government the power to notify specific categories of personal data as 'significant personal data' or designate certain Data Fiduciaries as 'Significant Data Fiduciaries' who must comply with additional obligations. Until such notifications are made, the earlier framework under the IT (SPDI) Rules 2011 continues to be relevant for certain categories. Under the IT (SPDI) Rules 2011, 'sensitive personal data or information' (SPDI) includes: passwords; financial information (bank account, credit card, debit card, and other payment instrument details); physical, physiological, and mental health conditions; sexual orientation; medical records and history; biometric information; any detail relating to the above that is received by a body corporate for processing; and any information received under a lawful contract.
The Digital Personal Data Protection Act 2023 grants Data Principals (individuals whose personal data is processed) a set of enforceable rights against Data Fiduciaries. These rights are set out in Chapter III of the Act (Sections 11–14) and represent the most comprehensive data subject rights framework India has legislated to date. Right to access information about personal data (Section 11): A Data Principal has the right to obtain from the Data Fiduciary a summary of personal data being processed, the processing activities undertaken with respect to such data, the identities of all other Data Fiduciaries and Data Processors with whom personal data has been shared, and any other information as prescribed. This is analogous to the right of access under the EU GDPR. Right to correction and erasure (Section 12): A Data Principal has the right to correct, complete, update, or erase their personal data processed by the Data Fiduciary, where such data is inaccurate or incomplete or where the Data Principal withdraws consent. Erasure may be limited where retention is required by law or a court order. Right to grievance redressal (Section 13): Every Data Fiduciary must establish a grievance redressal mechanism. A Data Principal may file a complaint if they believe their rights under the Act have been violated. If unsatisfied with the Data Fiduciary's response, the Data Principal may approach the Data Protection Board of India.
A Data Consent Form (India) does not legally require a lawyer in India, and individuals and businesses may draft and execute the document independently. The Indian Contract Act, 1872 does not mandate legal representation for the creation or signing of this type of document. However, seeking independent legal advice from a qualified India lawyer is recommended for transactions involving substantial financial value, complex regulatory requirements, or cross-border elements where multiple legal jurisdictions may apply. A lawyer can verify that the document complies with all applicable statutory requirements, identify potential risks specific to the transaction, and confirm that the terms adequately protect the interests of all parties involved. The Supreme Court of India has jurisdiction over disputes arising from this type of document, and Registrar of Companies (ROC) may impose additional compliance obligations depending on the nature of the underlying transaction. Professional legal review is particularly advisable where the document will be submitted to government agencies or used as evidence in legal proceedings.
A Data Consent Form (India) does not legally require a lawyer in India, though legal advice is recommended. Under Indian law, the Indian Contract Act 1872 governs agreements. The Companies Act 2013 and Registrar of Companies (ROC) regulate corporate documents. The Information Technology Act 2000 governs electronic contracts and data protection. The Consumer Protection Act 2019 provides consumer rights. The Income Tax Act 1961 requires tax compliance. Forms-legal.com provides this template as a starting point — always review with a qualified Indian advocate for significant transactions. Under India law, Indian Contract Act, 1872, parties should seek independent legal advice from a qualified lawyer to confirm compliance with all applicable requirements. Under Indian law, the Indian Contract Act 1872 governs contractual obligations, with Section 10 setting essential requirements for valid agreements. The Companies Act 2013 regulates corporate entities through the Registrar of Companies (ROC) and Ministry of Corporate Affairs (MCA). Forms-legal.com provides this template as a starting point for India-compliant documentation.
This template is provided for informational purposes only and does not constitute legal advice. Laws vary by jurisdiction and change over time. Consult a qualified attorney for advice specific to your situation.Full disclaimer
Found an error? Let us knowRelated Documents
You may also find these documents useful:
Background Check Consent (India)
A background verification consent form under the Indian Contract Act 1872 and the DPDP Act 2023 by which a job applicant, employee, or service provider authorises an employer or background screening agency to conduct identity, employment, education, and criminal record checks.
Photography Consent Form (India)
A photography and image use consent form under the Indian Contract Act 1872 and the DPDP Act 2023. Grants a photographer, event organiser, or media producer the right to photograph, record, and use images of the consenting individual for specified purposes.
Research Consent Form (India)
An informed consent form for research participants under the ICMR National Ethical Guidelines for Biomedical and Health Research 2017 and the Indian Contract Act 1872. Documents voluntary participation, research procedures, risks, benefits, confidentiality, and the right to withdraw without penalty.