Digital Personal Data Protection Rules 2025

The DPDP Rules (“the Rules”) were notified on 13.11.2025 to operationalize several provisions of the DPDPA 2023. The Central Government has opted for a staggered, three-stage implementation of the Act and the Rules over a period of 18 months.
Stage 1: Provisions for establishing and governing the Data Protection Board of India (“DPB” or “the Board”), the main enforcement body, and rules for appointing its members came into effect immediately on November 14, 2025.
Stage 2: Rules for the registration and functioning of Consent Managers take effect after 12 months, allowing time for infrastructure development.
Stage 3: The majority of compliance requirements for Data Fiduciaries, including privacy notices, consent, data security, processing of children's data, data retention, deletion policies, and cross-border data transfers (except to restricted countries), become fully enforceable after 18 months.


Legislative Context (Rule 1)

The DPDP Act, 2023 lays down substantive obligations for Data Fiduciaries, Data Principals, Consent Managers, and the Data Protection Board of India. The DPDP Rules, 2025 operationalize the Act by clarifying:
  • how notices must be issued,
  • how consent is verified,
  • how breaches are handled,
  • how data retention is managed,
  • what systems must be published for grievance resolution,
  • obligations of Significant Data Fiduciaries,
  • the functioning of the Board, and
  • procedural requirements for appeals and enforcement.
The Rules focus heavily on standardisation, verification, traceability, and ensuring minimal friction for the Data Principal.
 

Key Components of Notice (Rule 3)

The DPDP Rules elaborate on Section 5(1)–(3) of the DPDP Act by prescribing the mandatory contents of the notice accompanying a request for consent.
  1. The notice must be standalone, independent of any other documents/information given by the Data Fiduciary to the Data Principal.
  2. The notice must clearly inform the Principal what data is being collected and the purpose for which it is being collected.
  3. The notice must also give the Principal the link/method to access the platform (generally handled by a Consent Manager) through which the Principal can withdraw consent, exercise other Principal rights, and lodge a complaint before the DPB.

Registration and Duties of Consent Managers (Rule 4)

[See also, Ss. 6(7)–(9) of the Act]

Registration Conditions (Rule 4 r/w Schedule I, Part A)

Applications made to DPB for the status of Consent Manager must meet criteria pertaining to:
  • Financial and technical capability,
  • Governance standards,
  • Interoperability of consent systems, and
  • Absence of conflicts of interest.
The Board may approve or reject a registration after checking compliance with the aforementioned standards. Consent Managers must be transparent about material interests and comply with the standards in the First Schedule.

Duties of Consent Manager (Rule 4 r/w Schedule I, Part B)

A Consent Manager must:
  • Provide an interoperable platform for giving, managing, reviewing, or withdrawing consent;
  • Maintain accurate and accessible logs of all consent transactions;
  • Store these logs for at least 7 years or longer if required by law or contract;
  • Comply with reasonable security standards;
  • Not assign or transfer its obligations (including by way of merger/sale of company except upon prior approval by DPB);
  • Submit to audits and oversight by the Board.
The Board can direct action to ensure compliance where necessary. Suspension or revocation of the Consent Manager's registration is possible.
 

Government Processing for Subsidies, Benefits, Licenses, etc. (Rule 5 r/w Schedule II)

Section 7(b) of the Act allows the State to process personal data for issuing subsidies, benefits, certificates, licenses, and permits. However, it must follow standards relating to:
  • Purpose limitation and data minimization (including storage limitation),
  • strict access control,
  • verifiable audit trails, and
The Rule provides that law-based, policy-based, and publicly funded welfare schemes all fall under this framework.
 

Security Safeguards and Breach Management (Rules 6-7)

[See also Ss. 8(5)–(6) of the Act]

Security Safeguards (Rule 6)

Rule 6 specifies the “reasonable security measures” required under S.8(5) of the Act by listing the minimum security controls:
  1. encryption, masking, obfuscation, or tokenization;
  2. access controls for computer resources;
  3. logging and monitoring to detect unauthorized access;
  4. backup and continuity measures;
  5. one-year mandatory log retention unless another law requires longer (reference may be made to S.8(8) of the Act);
  6. contractually mandated security measures to be followed by Data Processors.

Breach Notification (Rule 7)

Rule 7 prescribes the breach notification required under S.8(6) of the Act. Broadly, there are two types of breach notification: (a) to the Data Principal; (b) to the DPB.

Breach notification timeline

T0: Become aware of a personal data breach
  • Trigger for all actions below. The timelines run from the time of knowledge of the breach, not from the time of the breach itself.

Without delay: Notify affected Data Principals in plain, simple language:
  • Describe the breach: nature, extent, timing
  • Likely consequences for the individual
  • Measures implemented and in progress to mitigate risk
  • Safety measures the individual can take
  • Business contact person for queries

Without delay: Notify the Data Protection Board
  • Describe the breach: nature, extent, timing, location
  • Likely impact

By T0 + 72 hours (or Board-granted extension): Submit a detailed follow-up to the Board
  • Updated and detailed description
  • Broad facts: events, circumstances, reasons
  • Mitigation measures implemented or proposed
  • Findings on the person who caused the breach
  • Remedial steps to prevent recurrence
  • Report on notices sent to Data Principals

Mandated flow: T0 → Principals (without delay) → Board (without delay) → Board detailed report (≤ 72h)


Retention and Erasure Mandates (Rule 8 r/w Schedule III)

[See also Ss. 8(7)-(8) of the Act]
Rule 8 sets out two conditions; once they are met, erasure of the data from every database of the Fiduciary/Processor is mandatory (unless retention is necessary to comply with a law in force in India).
Condition 1: Purpose Expiration
  1. As per S.8(7) of the Act, personal data is to be erased when (a) consent is withdrawn, or (b) it is reasonable to assume the specified purpose is no longer served (“purpose expiration”).
  2. Rule 8 provides that the purpose expiration test is twofold:
    1. the Principal does not approach the Fiduciary for performance of the specified purpose within the sector-specific period specified under Schedule III, or
    2. the Principal does not approach the Fiduciary to exercise rights related to the processing within the sector-specific period specified under Schedule III.
  3. The Fiduciary must send a 48-hour pre-erasure alert to the Data Principal.
Condition 2: Minimum Retention Period
Fiduciaries are required to maintain personal data, traffic data, and logs of processing for a minimum period of one year after processing.
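The Rule 8 decision logic above, as an added example that is not part of the original page or of any official implementation: it reads the twofold test as requiring silence on both limbs (no approach for the purpose and no exercise of rights) before the purpose is treated as expired, uses a constructed placeholder for the Schedule III period (the Schedule's actual figures are not reproduced on this page), and applies the 48-hour pre-erasure alert, the legal-retention override, and the one-year Condition 2 floor for logs.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Schedule III's sector-specific periods are not reproduced on this page; the
# value below is a constructed placeholder, not the Schedule's actual figure.
SCHEDULE_III_PERIOD = {"placeholder-sector": timedelta(days=365)}
PRE_ERASURE_ALERT = timedelta(hours=48)   # Rule 8: alert the Principal 48h before erasure
MIN_LOG_RETENTION = timedelta(days=365)   # Condition 2: logs kept one year after processing

ERASE = "erase"
ALERT = "send 48h pre-erasure alert"
RETAIN_ACTIVE = "retain (purpose still active)"
RETAIN_LAW = "retain (required by law in force)"

@dataclass
class Record:
    sector: str
    last_purpose_request: datetime  # Principal last approached the DF for the specified purpose
    last_rights_request: datetime   # Principal last exercised a right tied to this processing
    last_processing: datetime       # last processing event, used for the Condition 2 log floor
    consent_withdrawn: bool = False
    legal_hold: bool = False        # retention required by a law in force in India

def purpose_expiry(rec: Record) -> datetime:
    """Assumed reading of the twofold test: the purpose expires only when the Principal
    has neither approached for the purpose nor exercised rights within the window."""
    last_contact = max(rec.last_purpose_request, rec.last_rights_request)
    return last_contact + SCHEDULE_III_PERIOD[rec.sector]

def personal_data_action(rec: Record, now: datetime) -> str:
    """What the Fiduciary must do with the Principal's personal data at time `now`."""
    if rec.legal_hold:                 # statutory retention overrides both conditions
        return RETAIN_LAW
    if rec.consent_withdrawn:          # S.8(7)(a): withdrawal of consent triggers erasure
        return ERASE
    expiry = purpose_expiry(rec)
    if now >= expiry:                  # S.8(7)(b): purpose expired under Schedule III
        return ERASE
    if now >= expiry - PRE_ERASURE_ALERT:
        return ALERT                   # warn the Principal before the window closes
    return RETAIN_ACTIVE

def logs_erasable(rec: Record, now: datetime) -> bool:
    """Condition 2: processing logs/traffic data may not be erased within one year."""
    return now - rec.last_processing >= MIN_LOG_RETENTION

def sample_decisions() -> dict:
    """Run the logic over constructed sample records (not real data)."""
    now = datetime(2026, 1, 1)
    def rec(days_silent: int, **flags) -> Record:
        t = now - timedelta(days=days_silent)
        return Record("placeholder-sector", t, t, t, **flags)
    return {
        "active": personal_data_action(rec(100), now),
        "about_to_expire": personal_data_action(rec(364), now),
        "expired": personal_data_action(rec(400), now),
        "withdrawn": personal_data_action(rec(10, consent_withdrawn=True), now),
        "legal_hold": personal_data_action(rec(400, legal_hold=True), now),
        "logs_active": logs_erasable(rec(200), now),
        "logs_expired": logs_erasable(rec(400), now),
    }
```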
 

Contact Information for Data Principal Queries (Rule 9)

[See also S.8(9) of the Act]
Data Fiduciaries must publish the business contact information of:
  • the Data Protection Officer (required for SDFs under Section 10(2)(a)), or
  • any other authorised individual,
on their website/app and in responses to all rights requests.
This connects to the requirement that consent notices and rights-related communication include contact details (See Ss. 5(1)-(3) and 6(3)).
 

Processing of Data of Vulnerable Groups (Rules 10-12)

[See also S.9 of the Act]

Children’s Personal Data (Rule 10 and 12 r/w Schedule IV)

The principle of verifiable parental consent is introduced here: Rule 10 requires the Fiduciary to verify, before processing the data, that the person giving consent is an adult and the parent/lawful guardian of the Principal. It prescribes the use of:
  1. information on the identity and age of the individual already available with the Fiduciary, or
  2. details of the identity and age of the individual voluntarily provided by the individual, or
  3. details of the identity and age of the individual verifiable through a virtual token issued by an authorised entity that is mapped to such information.
Reference may be made to S.9(2)-(3), which prohibits harmful processing and behavioural tracking of children. However, S.9(4) empowers the Government to exempt certain classes of Data Fiduciaries or purposes from these provisions.
As per Rule 12 and Schedule IV, educational and allied services, and healthcare and allied services, are the exempted classes of Fiduciaries.
As per the same provisions, safety-related processing, and verifying age/identity (including verifiable parental/guardian consent) are exempted purposes for Processing.

Personal Data of Persons with Disabilities Who Have Lawful Guardians (Rule 11)

Section 2(j) recognizes the lawful guardian acting on behalf of a person with disability as the data principal. Lawful guardians, as recognised by the Act and Rules, are appointed by a court of law, or by a designated authority or by a local level committee, under the law applicable to guardianship.
 

Additional Obligations of Significant Data Fiduciaries (Rule 13)

[See also, S.10 of the Act]
Rule 13 requires entities classified as SDFs to:
  1. Conduct annual Data Protection Impact Assessments.
  2. Conduct annual audits through independent auditors.
  3. Submit significant observations to the Board.
  4. Verify that algorithmic or technical tools do not pose a risk to Data Principals.
  5. Comply with restrictions and conditions on the processing and transfer of Government-specified categories of data.
 

Data Principal Rights: Publication and Grievance System (Rule 14)

[See also, Ss. 11-14 of the Act]
Fiduciaries and Consent Managers must clearly publish how Data Principals can exercise rights under the Act with respect to data being held by the Fiduciary. Rule 14(3) mandates the following:
  • a prominently published grievance system,
  • a maximum response period of 90 days,
  • supporting technical and organisational measures.
Data Principals must exhaust this remedy before approaching the Board per Section 13(3).

Cross-Border Transfers (Rule 15)

[See also S.16 of the Act]
Rule 15 supports Section 16, permitting transfers unless restricted by the Central Government. Transfers must comply with any Government-specified safeguards for foreign States or entities controlled by such States.
 

Research, Archiving, and Statistical Exemptions (Rule 16)

[See also S.17(2)(b) of the Act]
As has been specified under S.17(2)(b) of the Act, Rule 16 provides that processing for research, archiving, and statistical purposes is exempt from most obligations if:
  • data is not used to make decisions about specific individuals, and
  • standards in the Second Schedule are followed.
 

Data Protection Board of India (Rules 17-22)

[See also Chapter V-VII of the Act]

Composition, Appointment and Functioning (Rule 17, 20 and 21)

The DPB shall consist of a Chairperson and Members, each appointed on the recommendation of a distinct search-cum-selection committee (“committee”), which recommends individuals for the corresponding posts.
  1. For the Chairperson of the DPB: the Chairperson of the committee shall be the Cabinet Secretary, and its members shall be the Secretaries to the Government of India in charge of the Department of Legal Affairs and MeitY, and two experts of repute in a field deemed relevant by the Central Govt.
  2. For Members of the DPB: the Chairperson of the committee shall be the Secretary to the Government in MeitY, and its members shall be the Secretary to the Government in the Department of Legal Affairs, and two experts of repute in a relevant field.
The Central Govt. will review the recommendations and, if satisfied, appoint the recommended individuals to the DPB. However, vacancies, absences, or defects in the constitution of the Board shall not be grounds to initiate proceedings under Rule 17.
Rule 20 states that the DPB shall function as a digital office and will operate virtually where possible. However, this cannot prejudice its power to summon and enforce the attendance of any person and examine her on oath. This means that techno-legal methods (such as virtual conferencing) are the “default”, unless in-person attendance is necessary for summoning/examination.
Rule 21 empowers the DPB to employ officers and employees for efficient functioning subject to prior permission from the Central Govt.

Initiation of Inquiry

The Board may begin an inquiry upon receiving any of the following:
  1. Breach notification from a Data Fiduciary (S.8(6)), which is also communicated to the Principal
  2. Complaint by a Data Principal (breach of Fiduciary obligations or of Principal rights)
  3. Complaint against a Consent Manager
  4. Intimation of breach of CM registration conditions
As per S.28(3), once any of these triggers is fulfilled the Board must satisfy itself that there are sufficient grounds for inquiry. If not, proceedings are closed and reasons are recorded.

Manner of Inquiry

The following must be ensured during inquiry proceedings:
  1. Principles of natural justice
  2. Digital by default (see Rule 20)
  3. The inquiry must be completed within 6 months from receipt of the complaint/reference (extendable by 3 months at a time, with written reasons).

Inquiry Powers in Detail

A. Board’s Powers Equivalent to a Civil Court
  1. The Board can summon any person and examine them on oath.
  2. It may accept evidence submitted via affidavit.
  3. It can require discovery and production of any document or data.
  4. It may inspect any data, book, document, register, or account.
  5. Additional powers may be granted through the Rules.
B. Additional Statutory Powers
  1. The Board cannot seize equipment or hinder day-to-day operations (S.28(8)).
  2. It can require assistance from police or government officers, which must be complied with (S.28(9)).
  3. It may issue reasoned interim directions after hearing the concerned person (S.28(10)).
  4. After inquiry, it can close the case or proceed to levy penalties (S.28(11)).

Procedure (Rules 19-22)

Step 1: Setup & Notice - Rule 19(1)
  • Chairperson fixes date, time, and place
  • Approves agenda items
  • Issues signed notice or authorises issuance by written order
Step 2: Who chairs - Rule 19(2)
  • Chairperson presides
  • If absent, Members present choose a Member to chair
Step 3: Quorum - Rule 19(3)
  • One-third of total membership required as “minimum attendance” to start meetings.
Step 4: Decision-making - Rule 19(4)
  • Majority of Members present and voting decide
  • Tie-breaker: Chairperson or acting chair has a second/casting vote
Step 5: Conflict of interest - Rule 19(5)
  • Interested Member does not participate or vote
  • Decision by majority of other Members present and voting
Step 6: Emergent action - Rule 19(6)
  • If a meeting is not feasible, the Chairperson may act immediately, recording reasons in writing
  • Communicate the action to all Members within 7 days
  • Place before the Board for ratification at the next meeting
Step 7: Decision by circulation - Rule 19(7)
  • Chairperson may refer an item by circulation
  • Decided with the approval of a majority of Members
Step 8: Authentication - Rule 19(8)
  • Orders, directions, and instruments authenticated under the signature of the Chairperson, any Member, or an authorised individual
Step 9: Inquiry timeline - Rule 19(9)
  • Complete within 6 months from receipt under section 27
  • Extendable by further periods not exceeding 3 months at a time, with reasons recorded in writing
Step 10: Appeal - Rule 22
  • Who: Any person aggrieved by a Board order or direction
  • Filing: Appeal in digital form, as per the Appellate Tribunal’s directions
  • Appellate Body: Telecom Disputes Settlement and Appellate Tribunal (“TDSAT” or “Tribunal”)
  • Fee: Same as under the TRAI Act, 1997; may be reduced or waived by the Tribunal Chairperson; payable digitally via UPI or other RBI-authorised system
  • Procedure: Tribunal not bound by the Code of Civil Procedure; guided by principles of natural justice; may regulate its own procedure
  • Mode: Tribunal functions as a digital office and may adopt techno-legal measures without prejudice to its powers to summon, enforce attendance, and examine on oath


Government’s Power to Call for Information (Rule 23)

[See also S.37 of the Act]
This provision allows the Central Government to direct Fiduciaries/Intermediaries to furnish any information as may be required by the Government within a specified period of time. In case disclosure/furnishing of such information is a threat to national sovereignty or security, Government may direct Fiduciaries/Intermediaries not to inform Principals about such disclosures.
 

Key Takeaways

The essence of the DPDP regime in India can be summarised in the following key takeaways (theme, takeaway, and what it means in practice):

Simple, Accessible Framework
  • Takeaway: The Act is drafted in clear, plain language, avoiding heavy legal/technical jargon.
  • In practice: Makes privacy law understandable to citizens, startups, and SMEs who lack legal capacity.

Unified Consent Architecture
  • Takeaway: Introduces a standardised, rights-based system for consent and withdrawal across all sectors in the form of a novel consent manager framework.
  • In practice: Ensures consistency, reduces ambiguity, and empowers users with clearer control over their data.

Digital-First Governance Model
  • Takeaway: Complaints, notices, hearings, and appeals are primarily digital.
  • In practice: Enables scalability and faster processes in a country with high digital penetration but limited administrative capacity.

Mandatory Breach Notification
  • Takeaway: Clear duties to report personal data breaches to both the user and the Board.
  • In practice: Creates structured incident-management norms that did not previously exist across sectors.

Significant Data Fiduciaries (SDFs)
  • Takeaway: Adopts a risk-based, tiered compliance model (DPO, audits, DPIA for SDFs only).
  • In practice: Protects high-risk environments without overburdening startups and small businesses.

Strong Baseline Protections for Children
  • Takeaway: Bans tracking, profiling, and targeted advertising directed at minors.
  • In practice: Establishes one of the toughest statutory protections against commercial exploitation of children.

Interoperable Consent Managers
  • Takeaway: Introduces a new institutional layer for managing, viewing, and withdrawing consent.
  • In practice: Reduces consent fatigue, centralises user control, and appears to be in line with India’s digital public infrastructure.

Clear Penalty Structure
  • Takeaway: Provides predictable upper limits and a structured set of factors for calculating penalties.
  • In practice: Creates deterrence, improves compliance culture, and increases regulatory certainty.