The Digital Personal Data Protection Act (DPDP Act) 2023 is India's first comprehensive personal data protection statute. If you collect a member's name, phone number, photograph, or biometric, and every gym does, and you decide why and how that data is processed, you are a "Data Fiduciary" under the Act.
Here is the lawyer-reviewed checklist of what your gym needs in place. AskFitness ships most of this by default, but you still need to do the operational pieces.
1. Notice at the point of collection
Every membership form, app sign-up, and biometric enrolment must show a notice in plain language: what personal data you are collecting, the purpose for each item, who you share it with, how the member exercises their rights (including withdrawing consent), and how to complain to you and to the Data Protection Board. The Act requires the notice to be available in English or in any of the languages listed in the Eighth Schedule of the Constitution, at the member's option; Hindi alone does not satisfy that for a member who opts for another scheduled language.
2. Explicit, granular consent
Bundled consent ("by signing up you agree to everything") is not valid: consent must be free, specific, informed, unambiguous and given by a clear affirmative action. You need separate consents for: marketing communications, sharing with third-party trainers, biometric storage, photographs in social media. Each gets its own checkbox, unticked by default, and its own timestamped record of when it was given and when it was withdrawn.
3. Purpose limitation
You can only use member data for the specific purpose you collected it for. If you collected an attendance photograph for check-in, you cannot then use it in a Diwali marketing email without separate consent.
4. Security & breach response
- Encryption at rest and in transit
- Access logs for who viewed what data when
- A documented breach response plan
- Notification of a personal data breach to the Data Protection Board and to every affected member. The Act itself leaves the form and timing to the Rules; the draft DPDP Rules require an initial intimation without delay and a detailed report to the Board within 72 hours, so plan for that window.
5. Grievance officer
Every Data Fiduciary needs a named, contactable Grievance Officer who can respond to data subject requests (access, correction, erasure, withdrawal of consent) within the period the Rules set; the draft Rules cap this at 90 days, and a member who is not satisfied can escalate to the Board. This person's contact details must be on your privacy notice.
6. Data minimisation & retention
Don't collect what you don't need. Don't keep what you no longer need. Personal data must be erased once the purpose it was collected for is no longer being served or the member withdraws consent, so members who left two years ago should not still have their personal data on your servers, unless a law (tax or accounting rules, for example) obliges you to retain specific records. Any processor you share data with must erase it too.
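To make points 2, 3, 4 (the access-log item) and 6 concrete, here is an added example of the data-handling logic behind them: a small consent ledger that stores one timestamped consent per purpose, refuses any use of member data that lacks an active consent for that exact purpose, logs every attempt (allowed or refused) with who, whose data, why and when, and erases lapsed members unless a legal hold applies. This is illustrative code written for this article, not AskFitness code; the purpose names, the two-year retention default, the mapping of check-in photos to the "membership" purpose, and all member names and dates are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Purposes a gym collects data for. Each needs its own consent. This set is
# the example's assumption, not a list taken from the statute.
PURPOSES = {"membership", "marketing", "third_party_trainer",
            "biometric", "social_media_photo"}


class ConsentError(PermissionError):
    """Raised when member data is used for a purpose without active consent."""


@dataclass
class ConsentRecord:
    purpose: str
    granted_at: datetime
    withdrawn_at: Optional[datetime] = None

    def active(self) -> bool:
        return self.withdrawn_at is None


@dataclass
class Member:
    member_id: str
    name: str
    last_activity: datetime
    legal_hold: bool = False            # e.g. invoices tax law says to keep
    consents: Dict[str, ConsentRecord] = field(default_factory=dict)


class ConsentLedger:
    """Per-purpose consent, purpose-limited access, access log, retention."""

    def __init__(self, retention: timedelta = timedelta(days=730)):
        self.members: Dict[str, Member] = {}
        self.access_log: List[dict] = []    # who used whose data, why, when
        self.retention = retention          # assumed two-year inactivity limit

    def enrol(self, member: Member) -> None:
        self.members[member.member_id] = member

    def grant(self, member_id: str, purpose: str, when: datetime) -> None:
        # One record per purpose with its own timestamp: no bundled consent.
        if purpose not in PURPOSES:
            raise ValueError(f"unknown purpose {purpose!r}")
        self.members[member_id].consents[purpose] = ConsentRecord(purpose, when)

    def withdraw(self, member_id: str, purpose: str, when: datetime) -> None:
        rec = self.members[member_id].consents.get(purpose)
        if rec is not None and rec.active():
            rec.withdrawn_at = when

    def use(self, actor: str, member_id: str, purpose: str, when: datetime) -> Member:
        """Every use of member data passes through here: check consent for
        exactly this purpose, write the access-log entry, then allow or refuse."""
        member = self.members[member_id]
        rec = member.consents.get(purpose)
        allowed = rec is not None and rec.active()
        self.access_log.append({"actor": actor, "member_id": member_id,
                                "purpose": purpose, "at": when.isoformat(),
                                "allowed": allowed})
        if not allowed:
            raise ConsentError(f"no active consent for {purpose!r} from {member_id}")
        return member

    def sweep_inactive(self, now: datetime) -> List[str]:
        """Erase members inactive beyond the retention period unless a legal
        hold requires keeping their records. Returns the ids erased."""
        erased = []
        for mid, m in list(self.members.items()):
            if now - m.last_activity > self.retention and not m.legal_hold:
                del self.members[mid]
                erased.append(mid)
        return erased


def demo() -> dict:
    """Walk the checklist with constructed members and dates."""
    t0 = datetime(2024, 1, 10, tzinfo=timezone.utc)
    ledger = ConsentLedger()
    ledger.enrol(Member("M-001", "Asha", last_activity=t0))
    ledger.grant("M-001", "membership", t0)       # tick box 1, timestamp 1
    ledger.grant("M-001", "biometric", t0)        # tick box 2, timestamp 2
    # Assumption: the check-in photo is processed under "membership".
    ledger.use("frontdesk", "M-001", "membership", t0 + timedelta(days=1))
    # Reusing that photo in a festival mailer needs "marketing" consent,
    # which was never given: the call is refused and the refusal is logged.
    try:
        ledger.use("mailer", "M-001", "marketing", t0 + timedelta(days=2))
        marketing_blocked = False
    except ConsentError:
        marketing_blocked = True
    # Withdrawal is per purpose: biometric ends, membership continues.
    ledger.withdraw("M-001", "biometric", t0 + timedelta(days=30))
    # Retention: two lapsed members, one with a legal hold on their records.
    ledger.enrol(Member("M-002", "Ravi", last_activity=t0 - timedelta(days=900)))
    ledger.enrol(Member("M-003", "Priya", last_activity=t0 - timedelta(days=900),
                        legal_hold=True))
    erased = ledger.sweep_inactive(now=t0)
    return {"marketing_blocked": marketing_blocked,
            "biometric_active": ledger.members["M-001"].consents["biometric"].active(),
            "membership_active": ledger.members["M-001"].consents["membership"].active(),
            "erased": erased,
            "denied_accesses": sum(1 for e in ledger.access_log if not e["allowed"]),
            "remaining": sorted(ledger.members)}


if __name__ == "__main__":
    print(demo())
```

The point of routing every read through `use()` is that purpose limitation and the access log become a single choke point rather than a policy people are expected to remember; the refused marketing call is exactly the Diwali-email case from point 3, and the refusal itself lands in the log so a later audit can show it was blocked.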
AskFitness is DPDP Act 2023 audited. Notices, consent, erasure, breach logs, and the grievance officer workflow are all in the platform. Just turn it on.
Penalties
The Schedule to the Act sets penalties per instance: up to ₹250 Cr for failing to take reasonable security safeguards to prevent a personal data breach (this applies to every Data Fiduciary, not only Significant ones), up to ₹200 Cr for failing to notify the Board or affected members of a breach, up to ₹150 Cr for a Significant Data Fiduciary breaching its additional obligations, and up to ₹50 Cr for other breaches of the Act. The Data Protection Board of India investigates complaints and imposes these penalties; its powers apply from the dates notified under the Act.
Compliance is not a checkbox you do once. It's a posture. The platform helps with 80% of it; the operational pieces are on you.