
DPDP Rules 2025: Section-by-Section Plain-English Guide

The Digital Personal Data Protection Rules, 2025 explain the operational details under the Digital Personal Data Protection Act, 2023. This page presents each Rule and each Schedule in plain English, in the same order as the official text.

This guide is designed to help readers understand what each Rule says, using simple language and a clean structure. It does not add legal opinion, commentary, or interpretation.

What this page covers

  • Rule 1 to Rule 23 of the DPDP Rules, 2025
  • First Schedule to Seventh Schedule
  • Plain-English summaries based on the official notified text
  • A direct structure suitable for reference, reading, and citation

Rule 1. Short title and commencement

These Rules are called the Digital Personal Data Protection Rules, 2025.

Different Rules start on different dates:

  • Rules 1, 2, and 17 to 21 start on the date of publication in the Official Gazette.
  • Rule 4 starts one year from the date of publication.
  • Rules 3, 5 to 16, 22 and 23 start eighteen months from the date of publication.

Rule 2. Definitions

This Rule defines key terms used in the Rules.

  • Act means the Digital Personal Data Protection Act, 2023.
  • Techno-legal measures means the measures referred to in Rules 20 and 22.
  • User account includes an online account, profile, page, handle, email address, mobile number, or similar online presence used by the Data Principal to access the Data Fiduciary's services.
  • Verifiable consent means consent as specified in Rule 10 or Rule 11.

Words used in the Rules but not defined here have the same meaning as in the Act.

Rule 3. Notice given by Data Fiduciary to Data Principal

The notice must be understandable on its own and must be written in clear and plain language.

The notice must include:

  • An itemised description of the personal data
  • The specified purpose or purposes
  • A specific description of the goods, services, or uses enabled by the processing
  • The communication link for the Data Fiduciary's website or app

The notice must also include the other means, if any, for:

  • Withdrawing consent
  • Exercising rights under the Act
  • Making a complaint to the Board

Rule 4. Registration and obligations of Consent Manager

A person that meets the conditions in Part A of the First Schedule may apply to the Board for registration as a Consent Manager.

The Board may:

  • Examine the application
  • Register the applicant and publish its details on the Board's website
  • Reject the application and communicate the reasons

A registered Consent Manager must follow the obligations listed in Part B of the First Schedule.

If the Board believes a Consent Manager is not meeting the conditions or obligations, it may:

  • Direct corrective measures
  • Suspend registration
  • Cancel registration
  • Issue directions to protect Data Principals

The Board may also ask the Consent Manager for information for this purpose.

Rule 5. Processing by the State for subsidy, benefit, service, certificate, licence or permit

Where personal data is processed by the State or its instrumentalities for giving or issuing a subsidy, benefit, service, certificate, licence, or permit, the processing must follow the standards in the Second Schedule.

This Rule also explains how these terms apply where the subsidy, benefit, service, certificate, licence, or permit is provided:

  • Under law
  • Under policy
  • Using public funds

Rule 6. Reasonable security safeguards

A Data Fiduciary must protect personal data in its possession or under its control, including where processing is done by a Data Processor.

The minimum safeguards include:

  • Suitable data security measures such as encryption, obfuscation, masking, or virtual tokens
  • Access controls for relevant computer resources
  • Logs, monitoring, and review to detect unauthorised access and prevent recurrence
  • Backups and continuity measures where confidentiality, integrity, or availability is affected
  • Retention of relevant logs and personal data for at least one year for detection, investigation, remediation, and continued processing, unless another law requires otherwise
  • Contractual provisions with Data Processors
  • Suitable technical and organisational measures for effective observance of safeguards

Rule 7. Intimation of personal data breach

When a Data Fiduciary becomes aware of a personal data breach, it must inform each affected Data Principal without delay, in clear and plain language, through the user account or another registered mode of communication.

The intimation to the affected Data Principal must include:

  • Description of the breach, including its nature, extent, and timing
  • Likely consequences for the Data Principal
  • Mitigation measures already taken or being taken
  • Safety steps the Data Principal may take
  • Business contact information for queries

The Data Fiduciary must also inform the Board without delay.

Within 72 hours of becoming aware of the breach, or within a longer period allowed by the Board on written request, the Data Fiduciary must provide the Board with updated and detailed information, including:

  • The broad facts of the breach
  • Mitigation measures taken
  • Findings about the person who caused the breach, if known
  • Remedial measures to prevent recurrence
  • A report on the intimation sent to affected Data Principals

Rule 8. Time period for specified purpose to be deemed as no longer being served

For the classes of Data Fiduciaries and purposes listed in the Third Schedule, personal data must be erased if the Data Principal does not approach the Data Fiduciary for the specified purpose and does not exercise her rights in relation to that processing, for the relevant period stated in the Schedule, unless retention is necessary under law.

At least 48 hours before that period ends, the Data Fiduciary must inform the Data Principal that the personal data will be erased unless she:

  • Logs into her user account
  • Initiates contact for the specified purpose
  • Exercises her rights

For processing covered by this Rule, the Data Fiduciary must retain the personal data, the associated traffic data, and other logs of that processing for at least one year from the date of processing, for the purposes listed in the Seventh Schedule, and must erase them after that period unless a law or government notification requires longer retention.

Rule 9. Contact information for questions about processing

Every Data Fiduciary must prominently publish on its website or app the business contact information of:

  • The Data Protection Officer, where applicable, or
  • Another person able to answer questions on behalf of the Data Fiduciary about the processing of personal data

This contact information must also be mentioned in every response to a communication for exercising rights under the Act.

Rule 10. Verifiable consent for processing personal data of a child

Before processing personal data of a child, the Data Fiduciary must take suitable technical and organisational measures to ensure that verifiable consent of the parent is obtained.

The Data Fiduciary must check that the person identifying herself as the parent:

  • Is an adult, and
  • Is identifiable where required under Indian law

This may be checked using:

  • Reliable identity and age details already available with the Data Fiduciary, or
  • Identity and age details voluntarily given by the individual, directly or through a virtual token mapped to those details and issued by an authorised entity

For this Rule, adult means an individual who has completed eighteen years.

Rule 11. Verifiable consent for processing personal data of a person with disability who has a lawful guardian

Where an individual identifies herself as the lawful guardian of a person with disability, the Data Fiduciary must check that the guardian has been appointed by:

  • A court of law
  • A designated authority
  • A local level committee

This verification must be done under the law applicable to guardianship.

Rule 12. Exemptions from certain obligations for processing personal data of a child

This Rule states that section 9(1) and section 9(3) of the Act do not apply to:

  • The classes of Data Fiduciaries listed in Part A of the Fourth Schedule, subject to the conditions in that Part
  • The purposes listed in Part B of the Fourth Schedule, subject to the conditions in that Part

Rule 13. Additional obligations of Significant Data Fiduciary

A Significant Data Fiduciary must, once in every period of twelve months from the date of notification or inclusion in a notified class:

  • Carry out a Data Protection Impact Assessment
  • Carry out an audit to ensure observance of the Act and the Rules

The person conducting the assessment and audit must submit a report to the Board with significant observations.

A Significant Data Fiduciary must also:

  • Verify with due diligence that technical measures, including algorithmic software used for hosting, display, uploading, modification, publishing, transmission, storage, updating, or sharing of personal data, are not likely to pose a risk to the rights of Data Principals
  • Ensure that any personal data specified by the Central Government is processed subject to a restriction that the personal data and related traffic data are not transferred outside India

Rule 14. Rights of Data Principals

To enable the exercise of rights under the Act, the Data Fiduciary and, where applicable, the Consent Manager, must prominently publish on its website or app:

  • The means by which a Data Principal may make a request
  • The particulars that may be required to identify her under the terms of service, such as a username or another identifier

Every Data Fiduciary and Consent Manager must publish, in its grievance redressal system, a response period that is reasonable and does not exceed ninety days. They must also take suitable technical and organisational measures to ensure the grievance system works effectively within that period.

This Rule also allows a Data Principal to nominate one or more individuals for exercising her rights, in accordance with the Data Fiduciary's terms of service and applicable law.

Rule 15. Transfer of personal data outside India

Personal data processed by a Data Fiduciary under the Act may be transferred outside India, but only subject to any restriction that the Central Government may specify by general or special order.

The Central Government may also specify requirements for making such personal data available to any foreign State, or any person or entity under the control of an agency of such a State.

Rule 16. Exemption for research, archiving or statistical purposes

The provisions of the Act do not apply to personal data processing that is necessary for research, archiving, or statistical purposes, where the processing is carried out in accordance with the standards in the Second Schedule.

Rule 17. Appointment of Chairperson and other Members

The Central Government must create a Search-cum-Selection Committee to recommend individuals for appointment.

For appointment of the Chairperson, the Committee includes:

  • Cabinet Secretary as chairperson
  • Secretary, Department of Legal Affairs
  • Secretary, Ministry of Electronics and Information Technology
  • Two experts of repute

For appointment of a Member other than the Chairperson, the Committee includes:

  • Secretary, Ministry of Electronics and Information Technology as chairperson
  • Secretary, Department of Legal Affairs
  • Two experts of repute

The Central Government appoints the Chairperson or Member after considering the recommendations. A vacancy or defect in the Committee does not make its acts or proceedings invalid.

Rule 18. Salary, allowances and service conditions of Chairperson and Members

The salary, allowances, and other terms and conditions of service of the Chairperson and Members are given in the Fifth Schedule.

Rule 19. Procedure for meetings of the Board and authentication of orders, directions and instruments

The Chairperson fixes the date, time, and place of Board meetings, approves the agenda, and causes notice to be issued.

Key meeting rules include:

  • The Chairperson presides over the meeting
  • In the Chairperson's absence, a Member chosen by those present presides
  • One-third of the membership is the quorum
  • Decisions are made by majority of Members present and voting
  • In case of equality, the presiding person has a second or casting vote
  • A Member with an interest in an item must not take part in or vote on that item

In urgent cases, the Chairperson may act immediately after recording reasons in writing. That action must be communicated within seven days to all Members and placed before the Board for ratification at its next meeting. Matters may also be decided by circulation if the Chairperson so directs.

An inquiry by the Board must be completed within six months from receipt of the intimation, complaint, reference, or direction under section 27, unless extended in writing by up to three months at a time.

Rule 20. Functioning of Board as digital office

The Board must function as a digital office.

It may adopt techno-legal measures to conduct proceedings in a way that does not require physical presence, without affecting its power to summon persons, enforce attendance, or examine persons on oath.

Rule 21. Service conditions of officers and employees of the Board

The Board may, with prior approval of the Central Government, appoint officers and employees needed for efficient discharge of its functions.

Their terms and conditions of appointment and service are set out in the Sixth Schedule.

Rule 22. Appeal to Appellate Tribunal

A person aggrieved by an order or direction of the Board may file an appeal before the Appellate Tribunal in digital form, in the manner decided by the Tribunal.

The appeal must be accompanied by the applicable fee under the Telecom Regulatory Authority of India Act, 1997, unless the Chairperson of the Appellate Tribunal reduces or waives it.

The fee must be paid digitally through:

  • UPI, or
  • Another payment system authorised by the Reserve Bank of India

The Tribunal is guided by natural justice and may regulate its own procedure. It also functions as a digital office and may adopt techno-legal measures to conduct proceedings without requiring physical presence.

Rule 23. Calling for information from Data Fiduciary or intermediary

For the purposes listed in the Seventh Schedule, the Central Government, acting through the corresponding authorised person in that Schedule, may require any Data Fiduciary or intermediary to furnish information within the stated period.

Where disclosure of the fact of furnishing information is likely to prejudicially affect the sovereignty and integrity of India or the security of the State, the Government may require the Data Fiduciary or intermediary not to disclose that fact to the affected Data Principal or any other person, unless prior written permission is given by the authorised person.

For this Rule, intermediary has the same meaning as under the Information Technology Act, 2000.

Schedules under the DPDP Rules, 2025

There are seven Schedules. Each is summarised below in the same order as the official text.

First Schedule. Consent Manager

Part A — Conditions for registration

A Consent Manager applicant must:

  • Be a company incorporated in India
  • Have sufficient technical, operational, and financial capacity
  • Have sound financial condition and sound management character
  • Have net worth of at least ₹2 crore
  • Have adequate expected business volume, capital structure, and earning prospects
  • Have directors, key managerial personnel, and senior management with a reputation for fairness and integrity
  • Have constitutional documents requiring compliance with the obligations in Part B
  • Have policies and procedures supporting such compliance
  • Operate in the interests of Data Principals
  • Have independent certification showing that its interoperable platform is consistent with the Board's standards and assurance framework, and that suitable technical and organisational measures are in place

Part B — Obligations of Consent Manager

A Consent Manager must:

  • Enable the Data Principal to give consent to an onboarded Data Fiduciary
  • Ensure personal data made available or shared is not readable by the Consent Manager
  • Maintain records of consent given, denied, or withdrawn
  • Maintain records of notices related to consent requests
  • Maintain records of sharing of personal data with a transferee Data Fiduciary
  • Give the Data Principal access to those records
  • Provide that information in machine-readable form on request
  • Retain those records for at least seven years, or longer if agreed or required by law
  • Provide services mainly through a website or app
  • Not sub-contract or assign its obligations under the Act and Rules
  • Take reasonable security safeguards
  • Act in a fiduciary capacity in relation to the Data Principal
  • Avoid conflicts of interest with Data Fiduciaries
  • Maintain measures to prevent conflicts arising from its directors, key managerial personnel, and senior management
  • Publish key ownership and management information
  • Maintain effective audit mechanisms
  • Not transfer control of the company without prior approval of the Board and fulfilment of any conditions specified by the Board

Second Schedule. Standards for processing by the State and for research, archiving or statistical purposes

The required standards include:

  • Processing must be lawful
  • Processing must be for the permitted use or purpose
  • Processing must be limited to personal data necessary for that use or purpose
  • Reasonable efforts must be made to ensure completeness, accuracy, and consistency
  • Retention must continue only as long as needed for the purpose or legal compliance
  • Reasonable security safeguards must be taken
  • Where processing is under section 7(b), the Data Principal must receive an intimation with business contact information and the communication link or other means for exercising rights

The person deciding the purpose and means of processing remains accountable for following these standards.

Third Schedule. Time period when a specified purpose is no longer being served

This Schedule applies to:

  • An e-commerce entity with not less than 2 crore registered users in India
  • An online gaming intermediary with not less than 50 lakh registered users in India
  • A social media intermediary with not less than 2 crore registered users in India

For each of these classes, the time period is three years from the later of:

  • The date on which the Data Principal last approached the Data Fiduciary for the specified purpose, or exercised her rights, or
  • The commencement of the DPDP Rules, 2025

The Schedule excludes purposes relating to:

  • Enabling the Data Principal to access her user account
  • Enabling access to certain virtual tokens stored on the platform that may be used to obtain money, goods, or services
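
Rule 8 and the Third Schedule together define a retention clock: three years of no engagement, measured from the later of the last engagement and the commencement of the Rules, a 48-hour intimation before erasure, a carve-out for account-access and virtual-token purposes, a legal-hold override, and a separate one-year floor on the associated logs. The Python below is an added worked example of that clock, not text or code from the Rules or from this page's source. It assumes a placeholder commencement date (the page gives no calendar date), treats a login as engagement in line with the Rule 8 notice wording, and uses hypothetical record fields and purpose labels; the sample records are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# ASSUMPTION: the page gives no calendar date for Rule 8's commencement; this
# placeholder stands in for the notified date and must be replaced in real use.
RULES_COMMENCEMENT = datetime(2027, 5, 1, tzinfo=timezone.utc)

RETENTION_YEARS = 3                  # Third Schedule: three years of inactivity
NOTICE_LEAD = timedelta(hours=48)    # Rule 8: intimation at least 48 hours before erasure
LOG_RETENTION = timedelta(days=365)  # Rule 8: logs kept at least one year from processing

# Third Schedule classes and their registered-user thresholds in India
THRESHOLDS = {
    "e-commerce": 2_00_00_000,   # 2 crore
    "online-gaming": 50_00_000,  # 50 lakh
    "social-media": 2_00_00_000, # 2 crore
}

# Purposes the Third Schedule carves out: no erasure clock runs for them (labels are hypothetical)
EXCLUDED_PURPOSES = {"user-account-access", "virtual-token-access"}


def in_scope(entity_class: str, registered_users_in_india: int) -> bool:
    """Is this Data Fiduciary a Third Schedule class at or above its threshold?"""
    threshold = THRESHOLDS.get(entity_class)
    return threshold is not None and registered_users_in_india >= threshold


def add_years(dt: datetime, years: int) -> datetime:
    """Calendar-year addition; 29 Feb in a non-leap target year becomes 28 Feb."""
    try:
        return dt.replace(year=dt.year + years)
    except ValueError:
        return dt.replace(year=dt.year + years, day=28)


@dataclass
class PrincipalRecord:
    """Hypothetical per-Data-Principal state kept by the Data Fiduciary."""
    principal_id: str
    purpose: str                                   # specified purpose of the processing
    last_contact: Optional[datetime] = None        # last approach for that purpose
    last_rights_exercise: Optional[datetime] = None
    last_login: Optional[datetime] = None          # counted as engagement (Rule 8 notice wording)
    legal_hold: bool = False                       # another law requires retention
    notice_sent_at: Optional[datetime] = None      # when the 48-hour intimation went out


def last_engagement(rec: PrincipalRecord) -> Optional[datetime]:
    events = [e for e in (rec.last_contact, rec.last_rights_exercise, rec.last_login) if e]
    return max(events) if events else None


def erasure_due(rec: PrincipalRecord) -> Optional[datetime]:
    """Three years from the later of last engagement and Rules commencement."""
    if rec.purpose in EXCLUDED_PURPOSES:
        return None
    anchor = last_engagement(rec) or RULES_COMMENCEMENT
    return add_years(max(anchor, RULES_COMMENCEMENT), RETENTION_YEARS)


def action(rec: PrincipalRecord, now: datetime) -> str:
    """What Rule 8 requires for this record at time `now`."""
    due = erasure_due(rec)
    if due is None:
        return "out-of-scope"
    if rec.legal_hold:
        return "retain-by-law"
    if now < due - NOTICE_LEAD:
        return "active"
    if rec.notice_sent_at is None:
        return "notify"  # the intimation must go out before any erasure
    # Erase only once the period has run AND 48 hours have passed since the notice
    if now >= max(due, rec.notice_sent_at + NOTICE_LEAD):
        return "erase"
    return "awaiting-erasure"


def log_erase_after(processing_date: datetime) -> datetime:
    """Earliest date the associated logs may be erased (one year from processing)."""
    return processing_date + LOG_RETENTION


def demo() -> dict:
    """Constructed sample records evaluated at a fixed clock (2030-06-01 UTC)."""
    utc = timezone.utc
    now = datetime(2030, 6, 1, tzinfo=utc)
    records = [
        # Last seen before commencement: clock starts at commencement, due 2030-05-01
        PrincipalRecord("alice", "order-history", last_contact=datetime(2027, 3, 1, tzinfo=utc)),
        PrincipalRecord("bob", "order-history", last_login=datetime(2028, 1, 15, tzinfo=utc)),
        PrincipalRecord("carol", "virtual-token-access", last_contact=datetime(2026, 1, 1, tzinfo=utc)),
        PrincipalRecord("dave", "order-history", last_contact=datetime(2027, 1, 1, tzinfo=utc), legal_hold=True),
        # Notice went out late (31 May): erasure waits until 2 June although the period ended 30 May
        PrincipalRecord("eve", "order-history", last_contact=datetime(2027, 5, 30, tzinfo=utc),
                        notice_sent_at=datetime(2030, 5, 31, tzinfo=utc)),
    ]
    return {r.principal_id: action(r, now) for r in records}


if __name__ == "__main__":
    for pid, what in demo().items():
        print(f"{pid:6s} -> {what}")
```

The ordering inside `action` is the point a practitioner would want to get right: a legal hold wins over the clock, the notice must exist before erasure is ever returned, and a late notice pushes erasure out by a further 48 hours rather than being backdated. Log retention is tracked separately from the personal-data clock because the two periods run from different dates.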

Fourth Schedule. Exemptions for processing personal data of a child

Part A — Classes of Data Fiduciaries

The listed classes include:

  • Clinical establishments, mental health establishments, and healthcare professionals, for health services to the child to the extent necessary for protection of health
  • Allied healthcare professionals, for supporting implementation of a healthcare treatment and referral plan recommended for the child
  • Educational institutions, for tracking and behavioural monitoring for educational activities or child safety
  • Individuals entrusted with infants and children in a crèche or child day care centre, for tracking and behavioural monitoring in the interests of safety
  • Persons engaged by educational institutions, crèches, or child care centres for transport of enrolled children, for tracking location during travel

Part B — Purposes

The listed purposes include:

  • Exercise of power, performance of function, or discharge of duties in the interests of a child under Indian law
  • Provision or issue of subsidy, benefit, service, certificate, licence, or permit in the interests of a child under law, policy, or public funds
  • Creation of a user account for communication by email, where use is limited to that purpose
  • Determining the real-time location of a child in the interests of safety, protection, or security
  • Ensuring that information, services, or advertisements likely to harm a child's well-being are not accessible to the child
  • Confirming that the Data Principal is not a child and carrying out due diligence under Rule 10

Fifth Schedule. Service conditions of Chairperson and Members

  • The Chairperson receives a consolidated salary of ₹4,50,000 per month.
  • Each other Member receives a consolidated salary of ₹4,00,000 per month.

The Schedule also covers:

  • Travelling allowance
  • Medical assistance
  • Leave
  • Leave encashment
  • Leave travel concession
  • Conflict of interest requirements
  • Other service conditions

They are eligible for provident fund, but not pension or gratuity for Board service.

Sixth Schedule. Service conditions of officers and employees of the Board

The Board may appoint officers and employees on deputation, generally for a period not exceeding five years, from:

  • The Central Government
  • A State Government
  • Autonomous bodies
  • Statutory bodies
  • Public sector enterprises

The Board may also take officers or employees on deputation from the National Institute for Smart Government for up to five years.

The Schedule also covers:

  • Salary and allowances
  • Gratuity
  • Travelling allowance
  • Medical assistance
  • Leave
  • Leave travel concession
  • Conduct rules
  • Disciplinary rules
  • Other service matters

Seventh Schedule. Purposes for which information may be called for, and the authorised person

The Seventh Schedule lists three purposes:

  1. Use by the State or its instrumentalities of personal data in the interests of sovereignty and integrity of India or security of the State
  2. Use by the State or its instrumentalities of personal data for performance of a function under law or disclosure of information for fulfilling an obligation under law
  3. Assessment for notifying any Data Fiduciary or class of Data Fiduciaries as a Significant Data Fiduciary

For each purpose, the Schedule also identifies the corresponding authorised person.

Frequently Asked Questions

What are the DPDP Rules, 2025?

The DPDP Rules, 2025 set out the operational details under the Digital Personal Data Protection Act, 2023.

When do the DPDP Rules, 2025 come into force?

Different Rules come into force on different dates. Some start on the date of publication, some after one year, and others after eighteen months.

How many Rules are there in the DPDP Rules, 2025?

There are 23 Rules in the Digital Personal Data Protection Rules, 2025.

How many Schedules are there in the DPDP Rules, 2025?

There are 7 Schedules in the Rules.

Does Rule 3 deal with notice?

Yes. Rule 3 sets out what a Data Fiduciary notice must contain and says it must be clear and in plain language.

Does Rule 7 deal with personal data breach?

Yes. Rule 7 covers intimation of personal data breach to affected Data Principals and to the Board.

Does Rule 10 deal with child consent?

Yes. Rule 10 deals with verifiable consent for processing personal data of a child.

Does Rule 13 apply to Significant Data Fiduciaries?

Yes. Rule 13 sets out additional obligations for Significant Data Fiduciaries.

Does Rule 15 allow transfer of personal data outside India?

Yes. Rule 15 allows transfer outside India, subject to any restriction specified by the Central Government.

Does Rule 22 allow digital appeals?

Yes. Rule 22 provides for appeal to the Appellate Tribunal in digital form.

Source note: This page is based on the official text of the Digital Personal Data Protection Rules, 2025 and should be read together with the Digital Personal Data Protection Act, 2023.

Last reviewed: March 2026

This page is for educational purposes and does not constitute legal advice.
