
DPDP Act 2023 · Templates & Resources

DPDP Act Templates & Resources

Comprehensive templates and guidance for DPDP Act compliance. Used by organizations across Mumbai, Bangalore, Delhi, Hyderabad, Gurgaon, and Pune.

A complete documentation set centres on six artefacts — privacy notices, a DPA, consent forms, a DPIA, breach-notification templates, and a data inventory / ROPA.

6 core templates
3 privacy-notice variants
2 breach-notice audiences

DPDP Act 2023 + DPDP Rules 2025 · Guidance structures, tailored before use · Last reviewed June 2026

Template Guidance Only

The templates described below provide structural guidance and key elements required for DPDP compliance. Each organization must customize these templates based on their specific data processing activities, industry requirements, and legal advice. TCSA provides customized template development as part of our DPDP implementation services.

Direct Answer

What documents do you need for DPDP Act compliance?

A complete DPDP Act 2023 documentation set is built around six artefacts: privacy notices, a Data Processing Agreement (DPA), consent forms, a DPIA template, breach-notification templates (for both the Data Protection Board and affected data principals), and a data inventory / Record of Processing Activities (ROPA). Together these cover how you tell people about processing, how you obtain and record consent, how you bind your vendors, and how you respond when something goes wrong.

Each artefact has non-negotiable elements under the Act — consent must be specific and unbundled, notices must be in plain language, and breaches must be reported to both audiences. But a template is a starting structure, not a finished policy: every document must be tailored to your actual processing activities, your sector’s overlapping rules, and qualified legal advice before use. The reference structures below, the framework provisions in the DPDP Act knowledge hub, and the MeitY rule text are the right inputs to that tailoring.

The Document Set

The DPDP Documentation Set

The core templates a DPDP program relies on, what each is for, and who must prioritise it.

| Template | Purpose | Who Needs It |
| --- | --- | --- |
| Privacy Notice | Inform data principals of what, why, and how data is processed | Every data fiduciary |
| Data Processing Agreement (DPA) | Bind processors and sub-processors to DPDP obligations | Any fiduciary using vendors/processors |
| Consent Form | Obtain specific, unbundled, withdrawable consent | Any fiduciary relying on consent |
| DPIA Template | Assess and document risk for high-risk processing | Mandatory for SDFs; recommended for high-risk processing |
| Breach-Notification Templates | Notify the Data Protection Board and affected data principals | Every data fiduciary |
| Data Inventory / ROPA | Map processing activities, lawful basis, retention, and transfers | Every data fiduciary (foundation document) |

Reference Structures

Available Templates

Privacy Notice Templates

Comprehensive privacy notice templates for different touchpoints

Website Privacy Notice

Key Elements:
Identity and contact details of Data Fiduciary
Personal data collected and purposes
Lawful basis for processing (consent or legitimate use)
Data retention periods
Data Principal rights and how to exercise them
Grievance redressal mechanism
Cross-border transfer disclosures (if applicable)

Mobile App Privacy Notice

Key Elements:
All website elements plus:
Device permissions required and why
Location data collection and usage
Third-party SDKs and their data practices
Push notification consent
In-app analytics and tracking

B2B Privacy Notice

Key Elements:
Business contact data processing
Employee data processing (if applicable)
Contract performance as lawful basis
Data sharing with affiliates and processors
Retention aligned with business relationship

Data Processing Agreement (DPA)

Standard DPA template for vendor and processor relationships

Standard DPA Template

Key Elements:
Scope and purpose of processing
Types of personal data and categories of Data Principals
Obligations of Data Processor (security, confidentiality)
Sub-processor authorization and requirements
Data Principal rights assistance obligations
Breach notification obligations
Audit rights and compliance verification
Data deletion or return upon termination
Liability and indemnification clauses

Consent Form Templates

DPDP-compliant consent collection templates

Digital Consent Form

Key Elements:
Clear identification of Data Fiduciary
Specific purposes stated in plain language
Granular consent options (unbundled)
Clear affirmative action mechanism (checkbox, button)
Easy withdrawal mechanism with same ease as giving consent
No pre-ticked boxes or implied consent
Timestamp and consent record maintenance

Marketing Consent

Key Elements:
Separate consent for marketing communications
Channel-specific consent (email, SMS, WhatsApp)
Frequency and type of communications
Easy opt-out in every communication
Consent refresh mechanism

Data Protection Impact Assessment (DPIA)

DPIA template for Significant Data Fiduciaries

DPIA Template

Key Elements:
Description of processing activity and purpose
Assessment of necessity and proportionality
Risks to Data Principal rights and freedoms
Risk severity and likelihood assessment
Mitigation measures and safeguards
Consultation with stakeholders (if required)
DPO review and approval
Periodic review and update mechanism

Breach Notification Templates

Templates for notifying Data Protection Board and Data Principals

Notification to Data Protection Board

Key Elements:
Nature of personal data breach
Number of Data Principals affected
Likely consequences of the breach
Remedial action taken or proposed
Timeline of breach discovery and containment
Contact point for further information

Notification to Data Principals

Key Elements:
Description of breach in plain language
Types of personal data affected
Potential consequences and risks
Steps taken to mitigate harm
Recommended actions for Data Principals
Contact details for queries and support

Data Inventory & ROPA

Record of Processing Activities template

Data Inventory Template

Key Elements:
Data category and type
Source of data collection
Purpose of processing
Lawful basis (consent or legitimate use)
Data storage location and systems
Retention period
Data sharing and third-party processors
Cross-border transfers (if any)
Security measures applied

Beyond the Core Set

Additional Resources

Vendor Assessment Questionnaire

Comprehensive questionnaire to assess third-party processors and vendors for DPDP compliance, including security controls, data handling practices, and sub-processor management.

  • Data processing and security questions
  • Compliance certification verification
  • Breach response capabilities

Data Principal Rights Request Forms

Standardized forms for Data Principals to exercise their rights under DPDP Act, including access, correction, erasure, and grievance redressal requests.

  • Identity verification mechanism
  • Request tracking and SLA management
  • Response templates for each right

DPDP Templates — Frequently Asked Questions

What each DPDP document must contain, and which artefacts your organisation actually needs.

What documents do I need for DPDP Act compliance?

A core DPDP documentation set has six building blocks: (1) privacy notices for each collection touchpoint (website, app, B2B); (2) a Data Processing Agreement (DPA) for vendors and processors; (3) consent forms that are specific, unbundled, and withdrawable; (4) a Data Protection Impact Assessment (DPIA) template (essential for Significant Data Fiduciaries); (5) breach-notification templates for the Data Protection Board and affected data principals; and (6) a data inventory / Record of Processing Activities (ROPA). Supporting documents include a retention schedule, a data-principal rights-request workflow, and a vendor-assessment questionnaire.

What must a DPDP-compliant privacy notice include?

A DPDP privacy notice should identify the data fiduciary and provide contact details; state the personal data collected and the specific purposes; set out the lawful basis (consent or a legitimate use); disclose retention periods; explain data-principal rights and how to exercise them; describe the grievance-redressal mechanism; and disclose any cross-border transfers. Mobile apps additionally cover device permissions, location data, third-party SDKs, and push-notification consent. The notice must be clear and in plain language, and be available in English and the languages listed in the Eighth Schedule on request.

What makes a consent form DPDP-compliant?

Under the DPDP Act, valid consent is free, specific, informed, unconditional, and unambiguous, given through a clear affirmative action. In practice the form must identify the data fiduciary, state each purpose in plain language, offer granular (unbundled) consent options, avoid pre-ticked boxes or implied consent, and provide a withdrawal mechanism that is as easy as giving consent. You must also keep a timestamped record of the consent obtained. Marketing consent should be separate from service consent and channel-specific (email, SMS, WhatsApp).

Do all organisations need a DPIA template?

A Data Protection Impact Assessment is specifically mandated for Significant Data Fiduciaries, which must conduct DPIAs periodically. For ordinary fiduciaries it is strongly recommended best practice for high-risk processing — large-scale profiling, sensitive data, or new technologies — even though it is not strictly required. A DPIA template documents the processing purpose and necessity, the data and data principals involved, the risks to their rights, the mitigations applied, and DPO review and approval.

Can I download ready-made DPDP templates?

The structures and key elements on this page are intended as guidance, not drop-in legal documents. A privacy notice, DPA, or consent flow must reflect your specific processing activities, your sector’s overlapping rules, and qualified legal advice — a generic template applied without tailoring can create compliance gaps. Tranquility Cybersecurity (TCSA) develops fully customised DPDP templates and policies as part of its implementation engagements, mapped to your actual data inventory.

Need these documents built for your organisation? Ground them in the DPDP Act knowledge hub, gauge the cost of getting it wrong with the penalty calculator, and see delivered documentation outcomes on our proof page. Tranquility Cybersecurity (TCSA) produces fully customised template sets through DPDP compliance consulting in India.

Written By Expert Auditors

Saundhi Chauhan
Lead Auditor
ISO 27001 Lead Auditor, ISO 27701 Lead Auditor

Surendra Pal Singh
Chief Information Security Officer & Data Protection Officer
CISO, DPO, CISA, MCSE, ITIL, ISO 27001 Lead Auditor, ISO 27701 Lead Auditor, ISO 42001 Lead Auditor

Last reviewed: June 2026. Content verified by certified lead auditors.
