OVERVIEW OF THE DIGITAL PERSONAL DATA PROTECTION RULES, 2025

The Ministry of Electronics and Information Technology (“MEITY”), vide its notification dated 13th November 2025, published the much-awaited Digital Personal Data Protection Rules, 2025 (colloquially referred to as the “DPDP Rules”). The DPDP Rules operationalize the principle-based legislation of the Digital Personal Data Protection Act, 2023 (“DPDP Act”) by translating its broad statutory principles into specific compliance requirements, procedural standards and operational frameworks for Data Fiduciaries and Data Processors. Taken together, the DPDP Act and the DPDP Rules (“DPDP Law”) finally form the umbrella law for personal data protection in the digital space.

The DPDP Rules are segregated into the following parts:

1. Timelines (Rule 1):

One common concern across the industry has been when the DPDP Law will become operational. MEITY has provided the following specific time frames to avoid any kind of misinterpretation:

Relevant Rules | Provisions on | Effective Date
Rule 1 | Short Title and Commencement | Effective immediately
Rule 2 | Definitions | Effective immediately
Rules 17 to 21 | Appointment of Chairperson and other Members in the search-cum-selection committee, along with their salary, allowances and other terms and conditions of service; procedures for Board meetings, authentication of its orders, directions and instruments; functioning of the Board as a digital office; and terms of appointment and service of its officers and employees | Effective immediately
Rule 4 | Registration and obligations of Consent Managers | Shall become effective one year after 13th November 2025
Rule 3 | Consent Notice | Shall become effective eighteen months after 13th November 2025
Rules 5 to 16 | Processing by the State and its instrumentalities; reasonable security safeguards; intimation of personal data breach; Data Protection Officer; verifiable consent for processing personal data of children (with exemptions) and persons with disability; additional obligations of Significant Data Fiduciaries (“SDF”); rights of Data Principals; transfer of personal data outside the territory of India; exemption from the Act for research, archiving or statistical purposes | Shall become effective eighteen months after 13th November 2025
Rule 22 | Appeal to Appellate Tribunal | Shall become effective eighteen months after 13th November 2025
Rule 23 | Calling for information from Data Fiduciary or intermediary | Shall become effective eighteen months after 13th November 2025

2. Consent Notice Format (Rule 3):

The DPDP Act, vide its Section 5, mandates that every request for personal data made by a Data Fiduciary (i.e., a person who determines the purpose and means of processing of personal data) shall be accompanied by or preceded by a notice. The DPDP Rules now provide a basic format for the consent notice by stating that:

a). The notice must be clear, easy to understand, and capable of standing on its own.

b). It must give sufficient information for informed consent, including:

      1. an itemised list of the personal data being processed;
      2. the specific purposes and the goods/services or uses enabled by such processing.

c). It must provide a direct link (or other means) through which the Data Principal can:

      1. withdraw consent as easily as it was given;
      2. exercise her rights under the Act;
      3. lodge a complaint with the Board.

3. Consent Managers (Rule 4 read with Part A and B of the First Schedule):

The DPDP Act provided for the concept of “Consent Manager” as a person who would act as a single point of contact to enable a Data Principal (i.e. individual to whom the personal data relates) to give, manage, review, and withdraw her consent through an accessible, transparent, and interoperable platform. The DPDP Rules now provide that:

a). Eligibility for registration as consent managers: To register as a Consent Manager under the DPDP Rules, an applicant must satisfy all eligibility conditions prescribed in Part A of the First Schedule. Specifically, an applicant must meet the following criteria:

      1. Be a company incorporated in India.
      2. Possess sufficient technical, operational, and financial capacity to discharge Consent Manager obligations.
      3. Demonstrate a sound financial position and a management team with a reputation for fairness and integrity.
      4. Maintain a minimum net worth of INR 2 crores.
      5. Have adequate business prospects, including appropriate capital structure and earning potential.
      6. Ensure its MOA and AOA mandate adherence to items 9 and 10 of Part B, supported by internal policies for compliance, and permit amendments to these provisions only with prior Board approval.
      7. Undertake operations that are in the interests of Data Principals.
      8. Obtain independent certification confirming that:
        • its interoperable consent platform complies with the Board-prescribed data protection standards and assurance framework; and
        • it has appropriate technical and organisational measures to ensure adherence to such standards and frameworks as well as effective compliance with obligations under item 11 of Part B.

b). Evaluation by the board: Once an application for registration is submitted, the Board may undertake any inquiries it considers necessary to verify whether the applicant satisfies the eligibility conditions under Part A of the First Schedule. If the conditions are met, the Board will register the applicant as a Consent Manager and publish its details on its website. Otherwise, it will reject the application and communicate the reasons for such rejection.

c). Operation as a consent manager: Registered Consent Managers must comply with the obligations set out in Part B. If the Board finds any non-adherence, it may, after giving an opportunity of being heard, direct the Consent Manager to take corrective measures. In the interests of Data Principals, the Board may also suspend or cancel the registration through a reasoned order and issue any necessary directions. The Board may additionally require the Consent Manager to furnish any information needed for oversight and enforcement.

4. Processing by the State and its Instrumentalities (Rule 5 read with Second Schedule):

The State and its instrumentalities:

    1. may process personal data for delivering or issuing any subsidy, benefit, service, certificate, licence, or permit, whether arising under statute, government policy, or public expenditure schemes.
    2. must ensure lawful processing, limited strictly to the specific statutory or policy purpose and to the extent necessary for that purpose.
    3. must take reasonable steps to maintain data accuracy, limit retention to what is required, and implement appropriate security safeguards to prevent breaches.
    4. must provide mandatory intimation and contact details to the Data Principal when processing is carried out.
    5. must remain accountable as the entity determining the purpose and means of processing and comply with any additional applicable legal or policy standards.

5. Reasonable Security Safeguards (Rule 6):

A Data Fiduciary must safeguard all personal data under its control, including data processed by its processors, by implementing reasonable security measures to prevent breaches, including at a minimum:

    1. adopting security measures such as encryption, masking, obfuscation, or tokenisation;
    2. enforcing access controls over all relevant computer resources;
    3. maintaining logs and monitoring to detect, investigate, and remediate unauthorised access;
    4. ensuring continuity of processing through backups or other measures if data integrity or availability is compromised;
    5. retaining logs and necessary personal data for at least one year;
    6. requiring Data Processor contracts to mandate reasonable security safeguards; and
    7. implementing technical and organisational measures to ensure effective security compliance.

6. Data breach notification to Data Principal and Board (Rule 7):

a. Notification to Data Principal – On becoming aware of a personal data breach, the Data Fiduciary must promptly inform the affected Data Principals of the breach in clear, simple language, detailing:

    1. the breach and its nature, extent, and timing;
    2. its likely consequences;
    3. mitigation measures taken or underway;
    4. recommended protective steps; and
    5. contact details of a responsible person for queries.

b. Notification to the Board

    1. The Data Fiduciary must promptly inform the Board of the breach, describing its nature, extent, timing, location, and likely impact.
    2. Within 72 hours (or a Board-approved extension), the Data Fiduciary must provide detailed updates on the breach, including fuller incident details, causes, mitigation steps, any identified responsible party, remedial measures, and confirmation that the affected Data Principals have been notified.

7. Personal Data retention period (Rule 8):

A Data Fiduciary falling under the categories listed in the Third Schedule, i.e., e-commerce entities, online gaming intermediaries, and social media intermediaries (having the number of users specified in the Third Schedule), must erase personal data once the specified purpose is no longer served, i.e., when the Data Principal neither engages with the Data Fiduciary nor exercises her rights within the prescribed period, unless retention is required by law. The Data Fiduciary must notify the Data Principal at least 48 hours before erasure.

Additionally, all personal data, associated traffic data, and other logs must be retained for at least one year before being erased, unless further retention is legally mandated.

8. Data Protection Officer Details (Rule 9):

A Data Fiduciary is required to prominently publish on its website or app and include in every response issued in relation to the exercise of a Data Principal’s rights, the business contact details of its Data Protection Officer, or any other authorised representative competent to address queries concerning the processing of the Data Principal’s personal data.

9. Consent for processing personal data of a child (Rule 10):

Data Fiduciaries must implement robust technical and organisational measures to ensure that verifiable parental consent is obtained before processing any personal data of a child. This includes exercising due diligence to confirm that the person claiming to be the parent is an identifiable adult, which may be validated through reliable identity and age information already held by the Data Fiduciary, details voluntarily provided by the individual, or through a virtual token issued by an authorised entity and mapped to such credentials.

10. Consent for processing personal data of a person with disability (Rule 11):

A Data Fiduciary shall verify that any individual giving consent as the lawful guardian of a person with disability has been duly appointed under applicable law by a court, designated authority, or local-level committee.

11. SDF’s additional obligations (Rule 13):

A Significant Data Fiduciary (“SDF”) shall:

    1. Conduct a Data Protection Impact Assessment (“DPIA”) and an audit annually, counted from the date it is notified or included in the class of SDFs.
    2. Ensure the assessor submits a report with key observations from the DPIA and audit to the Board.
    3. Verify through due diligence that its technical and algorithmic tools do not pose risks to Data Principals' rights.
    4. Implement measures to ensure that specified categories of personal and traffic data, as notified by the Central Government, are processed without being transferred outside India.

12. Rights of Data Principals (Rule 14):

  1. Publication of Process: Every Data Fiduciary and, where applicable, Consent Manager must clearly publish on its website or app:
      1. The method for submitting requests to exercise Data Principal rights; and
      2. Any required identifiers (e.g., username or other particulars) needed to verify the Data Principal.
  2. Submission of Requests: A Data Principal may exercise her rights by submitting a request to the Data Fiduciary that received her consent, using the prescribed method and identifiers.
  3. Grievance Redressal: Data Fiduciaries and Consent Managers must publish their grievance redressal timelines, not exceeding 90 days, and implement suitable technical and organisational measures to ensure compliance.
  4. Nomination: A Data Principal may nominate one or more individuals to exercise her rights, in accordance with the Data Fiduciary’s terms of service and applicable law, and by providing the required particulars.

13. Transfer of personal data outside India (Rule 15):

Personal data processed by a Data Fiduciary may be transferred outside India only if the Data Fiduciary complies with any requirements specified by the Central Government, by general or special order, for sharing such data with a foreign State or any person or entity under its control or any agency thereof.

14. Exemption for research, archiving, and statistical processing (Rule 16):

Processing of personal data that is necessary for research, archiving, or statistical purposes is exempt, so long as such processing is conducted in accordance with the standards set out in the Second Schedule.

15. Government requests for information from Data Fiduciaries or Intermediaries (Rule 23):

The Central Government may require any Data Fiduciary or intermediary to provide information needed for purposes outlined in the Seventh Schedule, within a specified timeframe. If sharing such information could compromise India’s sovereignty, integrity, or security, the Data Fiduciary or intermediary may be instructed not to disclose it to the affected Data Principal or anyone else without prior written approval from the authorised government official.

Disclaimer

As per the rules of the Bar Council of India, we are not permitted to advertise or solicit work. By accessing and browsing through this website, all users agree and acknowledge that the content of this website is for informational purposes only and that there has been no form of solicitation, advertisement or inducement by NovoJuris Legal or its members, in any form. No information provided on this website should be construed as legal advice and NovoJuris Legal shall not be liable for consequences of any action taken by relying on the information provided on this website.