The DPDP Act is an important measure to establish data protection and privacy in India by empowering individuals with greater control over how organizations use their personal information. The Act imposes obligations on Data Fiduciaries or custodians responsible for processing data and defines the rights and responsibilities of Data Principals, the individuals to whom the data belongs. It also enforces financial penalties for violations.
The DPDP Act, 2023 (Act) received the President's assent on 11th August 2023. On January 3rd, 2025, the Union Government unveiled the Draft Rules for implementing the Act and is accepting stakeholders' feedback on them until February 18th, 2025. The Rules reiterate India's commitment to building a robust digital economy while protecting fundamental rights and holding organizations accountable. The Government plans to begin implementation around mid-2025.
1. Short Title and Commencement
The Digital Personal Data Protection Rules, 2025, take effect upon publication, except for rules 3-15, 21, and 22, which will be enforced later.
2. Definitions Clause
Terms used shall carry the same meaning as in the Act unless the context specifies otherwise.
3. Notice by Data Fiduciary
The Data Fiduciary must provide a clear, standalone notice in plain language, detailing the personal data collected, its uses, and a link to the website/app for withdrawing consent, exercising rights, or filing complaints with the Board.
4. Registration and Obligations of a Consent Manager
A Consent Manager must be an Indian-incorporated company with a net worth of at least Rs. 2 crores and a reputation for integrity. It must provide an interoperable platform for Data Principals to manage consent. Responsibilities include enabling easy consent management, maintaining transparent records, ensuring strong data security, avoiding conflicts of interest, and publishing management details. Changes in control require Board approval, which can audit, suspend, or cancel registrations if necessary.
5. Processing by the State for Services
The State and its instrumentalities may process personal data to provide services or benefits defined by law or policy, or funded by public resources. Processing must follow Schedule II standards: lawful, purpose-specific use, data accuracy, limited retention, and security safeguards. Data Principals must be informed so that they can exercise their rights, and compliance with applicable laws and accountability for data protection are mandatory.
6. Reasonable Security Safeguards
Data Fiduciaries must implement measures like encryption, access control, monitoring, and data backups to ensure data confidentiality, integrity, and availability. Safeguards must include breach detection, log maintenance, and secure contracts with Data Processors, adhering to technical and organizational standards to prevent breaches.
7. Intimation of Personal Data Breach
Upon discovering a breach, a Data Fiduciary must notify affected Data Principals promptly with details on the breach, impacts, and mitigation. They must also provide contact details for inquiries. The Data Fiduciary must notify the Board immediately and submit a report within 72 hours, including the breach’s cause, mitigation, responsible parties, and notifications to affected individuals.
8. Time for specified purpose to be deemed as no longer being served
If a Data Fiduciary processes personal data for purposes in Schedule III and the Data Principal does not engage within the specified period, the data must be erased unless legally required to be kept. The retention period, defined in Schedule III, can last up to three years from the last interaction or rule enforcement. Before erasure, the Data Fiduciary must notify the Data Principal 48 hours in advance, giving them a chance to retain their data by logging in or contacting the Fiduciary.
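The erasure timeline in Rule 8 (purpose deemed no longer served after the Schedule III period, a 48-hour notice, and re-engagement or a legal requirement halting erasure) is easy to get wrong in a batch job. The following is an added example, not code from the article or any regulator; the three-year period is an assumption taken from the maximum the article cites, and the record fields and sample data are constructed.

```python
from datetime import datetime, timedelta

# Constructed illustration of the Rule 8 erasure timeline; not code from the article or any regulator.
# RETENTION_PERIOD is an assumption: the article cites three years as the Schedule III maximum,
# while the real period depends on the class of Data Fiduciary listed in that Schedule.
RETENTION_PERIOD = timedelta(days=3 * 365)
NOTICE_LEAD = timedelta(hours=48)   # advance notice the article says must precede erasure


def retention_action(record, now):
    """Return the step a fiduciary should take for one record at time `now`.

    Record keys (assumed for this example; all datetimes naive UTC):
      last_interaction  last login or contact by the Data Principal
      notice_sent_at    when the 48-hour erasure notice went out, or None
      legal_hold        True when another law requires the data to be kept
    """
    deemed_unserved_at = record["last_interaction"] + RETENTION_PERIOD
    if now < deemed_unserved_at:
        # Any interaction (including a login after a notice) restarts the clock.
        return "retain"
    if record["legal_hold"]:
        return "legal_hold"           # erasure deferred while retention is legally required
    sent = record["notice_sent_at"]
    if sent is None:
        return "notify"               # purpose deemed no longer served: send the 48-hour notice
    if now < sent + NOTICE_LEAD:
        return "await_notice_period"  # principal still has time to retain the data
    return "erase"


def sweep(records, now):
    """Apply retention_action to every record; returns {record_id: action}."""
    return {rid: retention_action(rec, now) for rid, rec in records.items()}


# Constructed sample data for a sweep run on 1 June 2025.
NOW = datetime(2025, 6, 1)
SAMPLE = {
    "active":    {"last_interaction": datetime(2024, 1, 1),  "notice_sent_at": None,                      "legal_hold": False},
    "dormant":   {"last_interaction": datetime(2022, 1, 1),  "notice_sent_at": None,                      "legal_hold": False},
    "noticed":   {"last_interaction": datetime(2022, 1, 1),  "notice_sent_at": datetime(2025, 5, 29),     "legal_hold": False},
    "in_window": {"last_interaction": datetime(2022, 1, 1),  "notice_sent_at": datetime(2025, 5, 31, 12), "legal_hold": False},
    "held":      {"last_interaction": datetime(2022, 1, 1),  "notice_sent_at": datetime(2025, 5, 29),     "legal_hold": True},
    "returned":  {"last_interaction": datetime(2025, 5, 30), "notice_sent_at": datetime(2025, 5, 29),     "legal_hold": False},
}

if __name__ == "__main__":
    for rid, action in sweep(SAMPLE, NOW).items():
        print(f"{rid:10s} -> {action}")
```

The "returned" record shows why the last-interaction check must run before the notice check: a principal who logs in after receiving the notice has retained their data, whatever the notice timestamp says.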
9. Contact Information for Data Processing Queries
Data Fiduciaries must provide clear contact details (e.g., Data Protection Officer) on their website or app for data processing queries. These details should be easily accessible and included in responses to Data Principals exercising their rights, ensuring transparency and accountability.
10. Verifiable Consent for processing personal data of Children and Persons with Disabilities
Data Fiduciaries must obtain verifiable consent from a parent or guardian before processing personal data of children or persons with disabilities. The consent provider must be identifiable as an adult, using reliable identity details or a virtual token, ensuring compliance with relevant laws.
11. Exemptions for Processing Children's Data
Certain Data Fiduciaries, like healthcare providers and educational institutions, are exempt from some obligations for processing children’s data, as per Schedule IV. These exemptions cover activities such as health services, education, safety monitoring, and transportation, ensuring data is processed for the child’s well-being. Exemptions also apply for legal duties, issuing benefits, creating communication accounts, preventing harmful content, and prioritizing the child’s best interests. These provisions balance data protection with essential activities for children’s health, education, and safety.
12. Additional Obligations for Significant Data Fiduciaries
Significant Data Fiduciaries must conduct an annual Data Protection Impact Assessment (DPIA) and audit, and report the findings to the Board. They must ensure that the algorithmic software they use does not jeopardize Data Principals' rights, including in data hosting, storage, and sharing. Additionally, they must comply with government restrictions preventing the transfer outside India of personal data and traffic data identified by the Central Government.
13. Rights of Data Principals
Data Fiduciaries and Consent Managers must detail the process for Data Principals to exercise their rights, including access and data erasure, on their website or app. Clear timelines for grievance resolution and secure processes are mandatory. Data Principals can nominate representatives to act on their behalf, following established procedures and legal requirements.
14. Processing of Personal Data Outside India
Data Fiduciaries processing or offering services to Indian Data Principals from abroad must adhere to Central Government regulations for sharing data with foreign states or entities, ensuring compliance with the Act.
15. Exemption for Research, Archiving, or Statistics
The Act exempts personal data processing for research, archiving, or statistical purposes if it adheres to Schedule II standards, ensuring such activities comply with data protection safeguards.
16. Appointment of Chairperson and Members
A Search-cum-Selection Committee, led by the Cabinet Secretary and key officials, will recommend candidates for the Data Protection Board. The Central Government will appoint them after evaluation.
17. Salary and Terms for Chairperson and Members
The Chairperson receives ₹4,50,000/month, and Members ₹4,00,000/month, without housing or car provisions. Service conditions are detailed in Schedule V.
18. Board Meetings and Order Authentication
The Chairperson sets the agenda, time, and place for meetings, chaired by them or a designated Member. A one-third quorum is required, with majority decisions and the Chairperson casting tie-breaking votes. Members with conflicts of interest must abstain. Urgent actions by the Chairperson require later ratification. Decisions may also be made by circulation, and orders are authenticated by the Chairperson or an authorized person. Inquiries must conclude within six months, extendable by three months if needed.
19. Board Functioning as a Digital Office
The Board operates digitally, enabling efficient proceedings without physical presence, while retaining the authority to summon and examine individuals under oath.
20. Appointment and Service Terms for Board Officers and Employees
The Board appoints officers and employees with Central Government approval, including deputations and hires from the National Institute for Smart Government, offering market-aligned salaries as per Schedule VI.
21. Appeal to Appellate Tribunal
Appeals against Board orders must be filed digitally with a fee (waivable by the Chairperson). The Tribunal operates digitally, regulating its procedures and summoning individuals as needed.
22. Information Request from Data Fiduciary or Intermediary
The Central Government may request information from Data Fiduciaries or intermediaries per Schedule VII. Disclosure can be restricted for national security unless permitted in writing, as mandated under Section 36.
Inspira offers a full suite of data privacy services to help organizations establish a robust data privacy governance framework aligned with the DPDPA, GDPR, CCPA and other global privacy regulations. Inspira enables its customers with data privacy assessment, data discovery and classification, virtual DPO, privacy regulations enablement, and managed privacy services.