Regulatory Carve-Outs: Examining Exemptions Under the DPDP Act, 2023 and DPDP Rules, 2025

Research Team (Tsaaro)

The Indian Privacy Adjudication Report

Introduction  

The Digital Personal Data Protection (DPDP) Act, 2023, and the Digital Personal Data Protection Rules, 2025 establish a comprehensive legal framework to regulate personal data protection in India. While the Act emphasizes the importance of data privacy, security, and compliance, it also recognizes the need for certain exemptions that allow specific entities to process personal data without strictly adhering to all provisions. Understanding these exemptions is crucial for businesses, government agencies, and individuals. These exceptions shape compliance obligations and influence operational strategies.   

Key Exemptions Under the DPDP Act, 2023   

Let’s decode the exemptions granted by India’s first comprehensive legislative framework for data protection:

Exemptions for Government Agencies and National Security Concerns   

To ensure that national security, sovereignty, and public order are not compromised, the DPDP Act grants certain exemptions to government agencies. As per Section 17(2)(a), the Central Government has the authority to exempt certain agencies from compliance obligations if their data processing activities are deemed necessary for safeguarding the sovereignty, integrity, or security of the state, maintaining friendly relations with foreign nations, or preserving public order. These exemptions allow government entities to carry out operations without being hindered by compliance requirements that may slow down critical functions. For private entities handling data in collaboration with the government, there may be a reduced compliance burden.    

Standards for Processing by State and its Instrumentalities and for Specified Purposes   

Section 17(2)(a) of the DPDPA exempts the processing of personal data by a state instrumentality notified by the Central Government for sovereignty, security, foreign relations, public order, or crime prevention from fulfilling certain obligations under the Act. These exemptions now operate under the conditions given in the DPDP Rules 2025, which require the State to limit processing to what is necessary for the notified purpose and to put in place reasonable security safeguards to prevent any breach. Processing carried out by the State or its instrumentalities is based on the legitimate uses listed in Section 7 of the Act. Consent is not required when the State processes personal data to deliver a subsidy, benefit, service, certificate, licence or permit, or when the data already exists in a government database that has been notified for this purpose. The Rules require the State to follow purpose limitation, storage limitation and security safeguards while doing so.

Exemptions for Research, Archiving and Statistical Purposes 

The Act recognises the importance of research and data-backed studies. Section 17(2)(b) allows the processing of personal data for research, archiving or statistical purposes as long as the processing does not lead to a decision that affects a person directly. Rule 15 of the DPDP Rules 2025 supports this and requires organisations to remove personal identifiers where possible and to keep the processing limited to what is necessary. This exemption supports universities, research bodies and analytics organisations in handling datasets without the full range of compliance obligations, provided they follow strict safeguards and ensure that the output cannot be used to identify a person.

Exemptions for Startups and Certain Data Fiduciaries   

Acknowledging the challenges faced by startups and small enterprises, the DPDP Act includes provisions to ease compliance burdens for certain data fiduciaries based on the scale and nature of data processing. Section 17(3) allows the government to grant exemptions to specific data fiduciaries, including startups, from selected provisions of the Act. This exemption is based on the volume and nature of the data processed. In addition to this, certain other exceptions stem from the Act.

Startups are not required to issue detailed notices to data principals before processing their data, helping them streamline operations without excessive paperwork.   

Unlike larger organizations, startups are not mandated to ensure the accuracy and completeness of personal data.  

Eligibility Criteria for startups: These exemptions apply to startups that meet specific government-defined criteria.  

Legal Rights and Judicial Functions Exemptions   

To facilitate judicial and legal processes, the Act permits data processing under specific legal contexts to be exempted from specific provisions. Section 17 allows the processing of personal data when necessary for legal proceedings, investigations, and prosecutions, and for the enforcement of legal rights and claims. However, organizations utilizing this exemption must ensure that data is processed strictly within the boundaries of legal frameworks and is not misused.

Exemptions for Corporate Restructuring and Financial Assessments   

Business transactions such as mergers, acquisitions, and financial evaluations often require extensive data exchange. The DPDP Act accommodates these needs by providing exemptions in relevant scenarios. Section 17(1)(e) allows the processing of personal data during corporate restructuring activities, including mergers, acquisitions, and demergers.   

Publicly Available Data and Personal Use Exemptions   

Certain categories of data are excluded from the Act’s purview, reducing regulatory burdens on businesses and individuals. Section 3(c) exempts personal data that has been voluntarily made publicly available by individuals. Businesses leveraging publicly available data and involved in data scraping must be cautious to avoid infringing on individuals’ rights or engaging in unethical processing.

Conditional Exemptions for Processing Children’s Data   

Under Section 9, a Data Fiduciary must obtain verifiable consent from the parent or lawful guardian before processing the personal data of a child or a person with a disability. Additionally, Section 9 specifically prohibits the processing of children’s data for behavioural monitoring or tracking. The Central Government may exempt Data Fiduciaries from these obligations if they demonstrate verifiable safety in their processing practices. Organizations working with children’s data must adhere to stringent guidelines, but certain exemptions apply under specific conditions.  While these exemptions facilitate essential services, organizations must implement additional safeguards and security measures to prevent exploitation and ensure child safety.    

Rule 11 of the DPDP Rules 2025 and the Fourth Schedule now set out the exemptions for certain classes of data fiduciaries and certain processing activities from the obligations under Section 9 of the Act. Part A of the schedule states that an educational institution is exempt when the processing of children’s personal data is limited to tracking or behavioural monitoring for educational purposes or for the safety of children enrolled in the institution. A crèche or childcare centre, or the individual responsible for the children there, is also exempt when the processing is restricted to tracking and monitoring for the safety of the children in their care. The same exemption applies to a transport service provider engaged by an educational institution or childcare facility when the processing is confined to tracking the real time location of children during their travel to and from the institution to ensure their safety. 

The purpose of these exemptions is to protect the well-being and safety of the child and to make sure that the processing stays limited to clearly defined needs. Part B of the Fourth Schedule covers exemptions linked to specific processing activities. For instance, when a child’s personal data is processed to provide a subsidy, benefit, service, certificate, licence or permit in the interests of the child, the duties under Section 9 may not apply as long as the processing is restricted to what is necessary for delivering that benefit or service.

Exemptions Under the Digital Personal Data Protection (DPDP) Rules, 2025 

Under the Digital Personal Data Protection (DPDP) Rules, 2025, India recognizes that strict consent requirements can sometimes stand in the way of critical services for children. Rule 12, supported by the Fourth Schedule, creates targeted exemptions for certain classes of Data Fiduciaries, such as healthcare providers, educational institutions, childcare services, and transport operators, removing the need for verifiable parental consent in specific situations. For example, clinical or mental health establishments and healthcare professionals can process children’s personal data without explicit parental consent, but only as far as is necessary to protect the child’s health. Likewise, allied healthcare professionals are allowed to use this data to support ongoing treatment or referral plans aimed at the child’s well-being.

Educational institutions also benefit from Rule 12 exemptions, permitting them to process children’s data for educational activities and for tracking or behavior monitoring when safety is at stake. Similar relaxations apply to crèche and daycare centers, allowing these organizations and even transport providers engaged by schools or daycares to track children’s locations during pickup and drop-off solely for safety reasons. It’s important to note that each of these exemptions is tightly circumscribed: processing must remain purpose-specific, proportional, and strictly in the child’s best interest. 

Additionally, the Rules (Fourth Schedule, Part B) identify certain public interest and safety functions that are exempt from standard restrictions. For instance, if a government authority is issuing benefits or certificates to a child, or a service provider is tracking a child’s real-time location for security reasons, they may do so without the typical consent framework, provided the purpose is limited and justifiable. These balanced exemptions (Rule 12 and Fourth Schedule) are designed to remove administrative hurdles for essential services while maintaining the DPDP Act’s core focus: the safety, privacy, and well-being of children.

Conclusion  
Organizations must strike a balance between leveraging exemptions for operational efficiency and upholding individuals’ rights to data privacy. Companies should proactively implement robust data protection frameworks to navigate these regulatory complexities while maintaining compliance with the DPDP Act. Understanding these exemptions is essential for businesses and individuals to ensure compliance, mitigate risks, and uphold ethical data-handling practices in an evolving regulatory landscape.  

Tsaaro Consulting, in collaboration with PSA Legal Counsellors and Advertising Standards Council of India, has authored a whitepaper titled ‘Navigating Cookies: Recalibrating Your Cookie Strategy in Light of the DPDPA’. If you want to learn more about cookie consent management, read the whitepaper by clicking here.  

We Help You to Grow Your Business Faster & Easier

Our Mission is to assist businesses in achieving compliance with data privacy, cybersecurity regulations & Responsible AI. We have worked with over 150+ Clients. Some of our key clients are Adani, Booking.com, NPCI, Godrej, DS Group, CRED, BharatPe, Aster DM, Vistara Airlines, Kotak Mahindra, Vodafone, Flipkart & more.


  • Comprehensive Compliance Support – From data privacy to Responsible AI, we cover it all.

  • Cybersecurity Expertise – Protect your business from evolving digital threats.

  • Proven Results – Trusted by top brands including Adani, CRED, and Flipkart.

  • Customized Solutions – Compliance strategies tailored to your business needs.

  • Global Standards – Align with GDPR, DPDP, and ISO frameworks seamlessly.

  • Efficient Implementation – Achieve compliance faster with expert guidance.

  • Trusted Advisory – Led by certified privacy and security professionals.
