EverydayPDF Logo
DPDP Act 2023 · India

The DPDP Act for Advocates and Law Firms

Updated July 5, 2026·9 min read·EverydayPDF Research

A law practice is a concentration of other people's personal data: Aadhaar and PAN copies in vakalatnamas, addresses and phone numbers in petitions, medical records in MACT claims, bank statements in matrimonial and insolvency matters. Under the DPDP Act, the firm holding that data is a Data Fiduciary — and the obligations attach to the firm, not the client.

Where DPDP meets daily legal practice

Daily activityDPDP consideration
Collecting client KYC and case documentsNotice and lawful basis — usually voluntary provision for a specified purpose (Section 7(a)) or consent
Filing documents containing third-party PIICompliance with law / court procedure is a legitimate use — but over-disclosure beyond what the filing requires is not
Emailing briefs and annexuresReasonable security safeguards: encrypt or password-protect attachments containing personal data
Using cloud PDF tools to merge/compress filingsEach tool is a Data Processor — contract, safeguards and retention visibility required
Storing closed-matter files indefinitelyRetention must map to a purpose or statutory requirement; indefinite ad-hoc storage is exposure
Sharing case papers with counsel/expertsDisclose the minimum necessary; redact identifiers that the recipient does not need

Redaction becomes a duty, not a courtesy

Data minimisation means filings and shared documents should carry only the personal data the purpose requires. Masking Aadhaar numbers, PAN, bank account numbers and minors' identities before circulation is the practical expression of that duty. Two cautions: drawing a black rectangle over text in a PDF does not remove the text underneath, and uploading a client document to a free cloud redaction tool defeats the purpose — you have disclosed the entire unredacted document to an unknown processor in order to redact it.

Privilege does not exempt you

Professional privilege protects communications from compelled disclosure; it does not exempt the firm from data protection obligations toward the personal data it holds. The two regimes coexist: privilege governs who can demand your files, DPDP governs how you must protect them.

A five-point plan for a law office

  1. Inventory client-document storage (server, drives, email, clerks' laptops) and apply access controls and encryption.
  2. Replace cloud PDF utilities with client-side tools for merging, compressing, redacting and converting case files.
  3. Adopt a redaction SOP: pattern-based detection of Aadhaar/PAN/phone numbers, true text-layer removal, and a verification pass.
  4. Password-protect (AES) documents sent by email; share passwords over a separate channel.
  5. Define retention: how long closed-matter files are kept, and a yearly purge with a log entry.

Redact filings without uploading them

EverydayPDF's Auto-Redact detects Aadhaar, PAN, phone numbers and other Indian identifiers and removes them permanently — entirely in your browser, with a compliance certificate generated for your records.

Auto-redact a filing

Frequently asked questions

Is a law firm a Data Fiduciary under the DPDP Act?+

Yes. The firm determines the purpose and means of processing the personal data in its matters, which is the statutory definition of a Data Fiduciary. Individual advocates practising solo are fiduciaries in the same way.

Do I need client consent to file documents containing their personal data?+

Filing pursuant to law or court procedure falls within legitimate uses, and clients typically provide documents voluntarily for the purpose of the engagement. The obligation that bites is minimisation and safeguards: disclose only what the proceeding requires and protect what you hold.

Can I keep using free online PDF tools for case documents?+

Every upload transfers client personal data to a third-party processor — one you likely have no contract with, whose servers may be outside India, and whose retention you cannot verify. Under DPDP's safeguard obligations that is difficult to defend. Client-side tools that process files in the browser avoid the transfer entirely.

What happens if my firm suffers a data breach?+

You must notify affected individuals and the Data Protection Board within the prescribed timelines, regardless of breach size — there is no materiality threshold. Failure to notify carries penalties up to ₹200 crore; failure of the underlying safeguards, up to ₹250 crore.

Continue reading

This guide is general information about the Digital Personal Data Protection Act, 2023 and the DPDP Rules, 2025, current as of July 5, 2026. It is not legal advice — consult a qualified professional for advice on your specific obligations.