Compliance · 9 min read · 1 Jun 2026

DPDP Act & WhatsApp for Indian Clinics: What You Must Do in 2026

India's DPDP Act applies to patient data on WhatsApp. Here's exactly what clinics and hospitals must do — consent, storage, processors — to stay compliant while automating.

Results
Yes — the DPDP Act 2023 covers patient data sent over WhatsApp. Clinics are 'data fiduciaries' and must capture explicit consent, limit purpose, and ensure their automation vendor is a compliant 'data processor.' Penalties for non-compliance reach up to ₹250 crore per violation.

Does the DPDP Act apply to patient data on WhatsApp?

Yes, absolutely. The Digital Personal Data Protection Act 2023 applies to any digital personal data processed in India, including patient names, phone numbers, medical histories, appointment records, and prescription details sent via WhatsApp. Under the DPDP framework, a clinic that decides why and how patient data is collected is classified as a 'Data Fiduciary.' If you use a WhatsApp automation vendor like Orbixel, that vendor is a 'Data Processor' acting on your behalf. Both roles carry legal obligations. The Act covers data regardless of where processing occurs — your clinic's computer, a cloud server in Mumbai, or a BSP's infrastructure abroad. If you handle Indian patient data, DPDP applies to you. This includes small single-doctor clinics, dental practices, diagnostic centres, and multi-specialty hospitals.

DPDP requires 'free, specific, informed, unconditional, and unambiguous' consent with a clear affirmative action. For clinics, this means a checkbox at registration or checkout that says: 'I consent to receive appointment reminders, health tips, and follow-up messages via WhatsApp on [number].' The consent must be purpose-limited — you cannot use a patient's number for marketing if they only consented to appointment reminders. It must also be withdrawable — every message should include an easy opt-out mechanism like 'Reply STOP to unsubscribe.' Pre-ticked boxes, implied consent buried in terms and conditions, or verbal agreements do not meet DPDP standards. Orbixel's clinic automation includes built-in consent capture flows, opt-out handling, and audit logs to demonstrate compliance during any regulatory review.

How should appointment reminders and records be handled compliantly?

Appointment reminders are typically classified as 'utility' messages under WhatsApp's template categories, but under DPDP they are still personal data processing. Best practice: send reminders only to patients who have explicitly consented, limit content to appointment details (date, time, doctor name), and avoid including sensitive diagnoses or test results in WhatsApp messages. For records, DPDP mandates data minimisation — collect only what you need, store it only as long as required, and delete it securely when the purpose is fulfilled. Clinic records should be retained per Medical Council guidelines (typically 3–5 years for outpatient records, longer for surgical cases). Use encryption at rest and in transit. Maintain access logs. Do not store patient data on personal devices or unencrypted spreadsheets. Orbixel's clinic CRM encrypts all data, maintains automatic deletion schedules, and provides audit trails for every access.
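As an added example (not Orbixel's code or a feature of its product), the consent and retention rules described in the two sections above can be enforced in code: a registry that records purpose-limited consent, refuses a send for any purpose the patient did not name, honours "Reply STOP", writes every decision to an audit log, and purges a record once its purpose has ended and the retention period has passed. Timestamps are plain unix seconds, the retention period is a parameter, and the phone numbers and purpose names are constructed for illustration.

```python
from dataclasses import dataclass
@dataclass
class Consent:
    phone: str
    purposes: set                    # e.g. {"appointment_reminders"}
    granted_at: int                  # unix time of the affirmative action
    withdrawn_at: "int | None" = None  # set when the patient opts out

class ConsentRegistry:
    def __init__(self):
        self._consents = {}          # phone -> Consent
        self.audit_log = []          # (when, phone, event, detail)

    def _log(self, when, phone, event, detail=""):
        self.audit_log.append((when, phone, event, detail))

    def record(self, phone, purposes, when):
        """Store explicit consent; the purpose set must be named, never defaulted."""
        if not purposes:
            raise ValueError("consent must name at least one purpose")
        self._consents[phone] = Consent(phone, set(purposes), when)
        self._log(when, phone, "consent_granted", ",".join(sorted(purposes)))

    def withdraw(self, phone, when):
        c = self._consents.get(phone)
        if c is not None and c.withdrawn_at is None:
            c.withdrawn_at = when
            self._log(when, phone, "consent_withdrawn")

    def may_send(self, phone, purpose, when):
        """Allow a message only if active consent covers this exact purpose."""
        c = self._consents.get(phone)
        ok = c is not None and c.withdrawn_at is None and purpose in c.purposes
        self._log(when, phone, "send_check", f"{purpose}:{'allow' if ok else 'deny'}")
        return ok

    def handle_inbound(self, phone, text, when):
        # "Reply STOP" is honoured before any other handling of the message.
        if text.strip().upper() == "STOP":
            self.withdraw(phone, when)
            return "opted_out"
        return "normal"

    def purge_expired(self, when, retention_seconds):
        """Delete records whose purpose ended more than the retention period ago."""
        expired = [p for p, c in self._consents.items()
                   if c.withdrawn_at is not None and when - c.withdrawn_at > retention_seconds]
        for p in expired:
            del self._consents[p]
            self._log(when, p, "record_deleted")
        return expired
```

A marketing template sent to a patient who only ticked the reminders box is denied by `may_send`, and the denial itself is logged, which is the evidence a regulator asks for.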

What must you check in your WhatsApp automation vendor?

Your vendor is a Data Processor under DPDP, and you are liable for their compliance. Before signing, verify four things. First, a written Data Processing Agreement (DPA) that defines roles, data flows, security measures, and breach notification procedures. Second, data location — where is patient data stored? India-based servers are preferable; if offshore, ensure adequate safeguards and cross-border transfer compliance. Third, encryption standards — AES-256 at rest and TLS 1.3 in transit are industry minimums. Fourth, deletion and portability — can you export patient data on request? Can you permanently delete records when required? Does the vendor notify you within 72 hours of any breach? Vendors who cannot answer these questions clearly are compliance risks. Orbixel provides a standard DPA, India-first data hosting, end-to-end encryption, and automated breach alerts to every clinic client.

What are the penalties for non-compliance under the DPDP Act?

DPDP penalties are among the highest in the world for data protection laws. The maximum penalty is ₹250 crore per violation for failure to implement reasonable security safeguards that lead to a data breach. Failure to notify the Data Protection Board and affected patients attracts up to ₹200 crore. Breaches involving children's data carry up to ₹200 crore. General violations of DPDP provisions can reach ₹50 crore. Unlike GDPR, these are fixed maximum amounts — not percentages of revenue — making them potentially existential for small clinics. The Data Protection Board of India became operational in November 2025, and full enforcement begins after the 18-month compliance window. As of 2026, clinics should treat DPDP compliance as urgent. This article is for informational purposes; consult a qualified legal professional for practice-specific compliance advice.

Frequently Asked Questions

Does the DPDP Act apply to WhatsApp messages sent by clinics?

Yes. Any digital personal data processed by a clinic — including patient names, numbers, and health information sent via WhatsApp — falls under the DPDP Act 2023.

What type of consent is required for patient WhatsApp messages?

Explicit, purpose-limited, withdrawable consent via a clear affirmative action such as a registration checkbox. Implied or pre-ticked consent does not comply.

How long can clinics keep patient data under DPDP?

Only as long as necessary for the stated purpose. Typical medical record retention is 3–5 years for outpatients, with secure deletion afterward.

Is a WhatsApp automation vendor a data processor under DPDP?

Yes. The vendor processes data on behalf of the clinic (the data fiduciary). The clinic remains liable for the vendor's compliance.

What are the maximum penalties for DPDP non-compliance?

Up to ₹250 crore for security safeguard failures, up to ₹200 crore for breach notification failures, and up to ₹50 crore for general violations, as per the DPDP Act Schedule.

Mohit Malpani

Founder, Orbixel Labs