Data PrivacyImpact of the Digital Personal Data Protection Act on SaaS

September 20, 20230


Software as a Service (hereinafter, “SaaS”) is a cloud computing model that revolutionizes the way software applications are delivered and accessed. Instead of purchasing and installing software on individual devices, the software is hosted and maintained by third-party providers and made available to users over the internet via web browsers or dedicated client applications, paying for subscriptions on a recurring basis.

The Indian SaaS market is projected to expand from $13 billion in 2022 to $25 billion by 2025. Consequently, as the number of SaaS providers grow, there is now a demand for these providers to establish well-defined privacy policies and procedures for safeguarding data privacy, ensuring that they handle customers’ personal information with the utmost care and adhere to the guidelines set forth in the Digital Personal Data Protection Act, 2023 (hereinafter “DPDPA”).


As one of the largest growing industries and SaaS companies’ majority user base being people below the age of 30 who are conscious about personal data safety, SaaS companies would do well to be equipped with their obligations under the DPDPA and its forthcoming Rules and regulations. Following are some of the main legal obligations that SaaS companies must take note of:

a. Consent-

The main requirement is that service providers must secure consent from users as well as employees, which must meet criteria like being freely given, specific, informed, unconditional, and clear with positive action.

Therefore if a software company provides ride-sharing services to users, the company must provide a clear understanding of the location, SMS and authentication data that it needs to collect before the user can access the service.

However, in certain specific situations, service providers are not required to obtain consent in the case of “legitimate use” as a basis to justify processing digital personal data. This option is only applicable in limited scenarios, such as when data principles voluntarily share their personal data such as when optional permissions such as camera and audio are turned on to send and receive videos or when processing digital personal data is necessary to shield the company from legal liability.

b. Processing Children’s Personal Data-

The DPDPA mandates that SaaS providers must obtain parental or guardian consent prior to handling a child’s personal data. Furthermore, it prohibits Data Fiduciaries from engaging in any processing of a child’s personal data that could harm the child’s well-being. Additionally, it explicitly forbids tracking, behavioural monitoring, or targeted advertising directed at children. This would have a huge impact on companies in the social networking or digital communication spheres such as TikTok, Meta, and X to name a few.

To reduce legal liability under this requirement entirely companies may opt to strictly enforce minimum age restrictions for users.

c. Cross Border Data Transfer-

Service providers based outside India serving individuals in India will also be expected to adhere to the provisions of this bill.

Personal data transfers outside of the country are subject to further scrutiny under the DPDPA. Under the DPDPA, the transfer of Personal Data outside India can be restricted to a certain country or territory upon notification by the Central Government.


With the rapid acceleration of digital transformation and the growth of cloud computing, SaaS has swiftly become the preferred software delivery model, surpassing traditional on-premise products. The introduction of the DPDPA represents a pivotal moment in India’s data privacy and protection landscape and will have a profound impact on SaaS providers. The new DPDPA imposes several responsibilities on SaaS providers regarding the processing and management of personal data, all while safeguarding the online rights of data principals. Upholding the rights and privacy of data subjects within a SaaS provider’s environment is not only a legal requirement but also serves as a means for these providers to showcase their dedication to data protection and privacy, ultimately bolstering customer confidence and trust.

-Team AMLEGALS, assisted by Ms. Bhavy Sharma (Intern)

For any query or feedback, please feel free to get in touch with or

© 2020-21 AMLEGALS Law Firm in Ahmedabad, Mumbai, Kolkata, New Delhi, Bengaluru for IBC, GST, Arbitration, Contract, Due Diligence, Corporate Laws, IPR, White Collar Crime, Litigation & Startup Advisory, Legal Advisory.


Disclaimer & Confirmation As per the rules of the Bar Council of India, law firms are not permitted to solicit work and advertise. By clicking on the “I AGREE” button below, user acknowledges the following:
    • there has been no advertisements, personal communication, solicitation, invitation or inducement of any sort whatsoever from us or any of our members to solicit any work through this website;
    • user wishes to gain more information about AMLEGALS and its attorneys for his/her own information and use;
  • the information about us is provided to the user on his/her specific request and any information obtained or materials downloaded from this website is completely at their own volition and any transmission, receipt or use of this site does not create any lawyer-client relationship; and that
  • We are not responsible for any reliance that a user places on such information and shall not be liable for any loss or damage caused due to any inaccuracy in or exclusion of any information, or its interpretation thereof.
However, the user is advised to confirm the veracity of the same from independent and expert sources.