As you are aware that Digital Personal Data Protection Act, 2023 is the first enactment issued by Government to India to regulate and handle personal digital data of individuals. Earlier there was no specific regulation which regulate safety of personal digital data of individuals and their data are mis-utilized by data handlers for various types of sales and promotional activities. Their personal data were compromised and used without their permission and lead towards various types of frauds and misappropriations.
DPDPA 2023 refers to India's Digital Personal Data Protection Act, 2023, a comprehensive data privacy law passed to protect citizens' personal data. Key aspects include requiring consent for data processing, granting rights to individuals (like data correction and erasure), imposing duties on data fiduciaries (data holders), and establishing penalties for non-compliance. The Act applies to the processing of digital personal data within India and to processing outside India that offers goods or services in India.
The DPDPA, 2023 was notified by GOI on 11th August, 2023 and preamble of the Act, 2023 is; "An Act to provide for the processing of digital personal data in a manner that recognises both the right of individuals to protect their personal data and the need to process such personal data for lawful purposes and for matters connected therewith or incidental thereto".
The Ministry of Electronics and Information Technology on 3 rd January, 2025 has issued draft of DPDP Rules, 2025 to operationalise provisions of DPDPA, 2023 and after considering views and suggestions of stake holders , the Ministry of Electronics and Information Technology has notified Digital Personal Data Protection Rules, 2025 on 13 th November, 2025. These Rules was effective from the date of its publication except;
i) Rules 1, 2 and 17 to 21 shall come into force on the date of their publication in the Official Gazette.
ii) Rule 4 shall come into force one year after the date of publication of this Gazette.
iii) Rules 3, 5 to 16, 22 and 23 shall come into force eighteen months after the date of publication of this Gazette.
SECTION 2 OF DPDPA, 2023 DEFINES
SECTION 2(g) "Consent Manager" means a person registered with the Board, who acts as a single point of contact to enable a Data Principal to give, manage, review and withdraw her consent through an accessible, transparent and interoperable platform;
SECTION 2(h) "data" means a representation of information, facts, concepts, opinions or instructions in a manner suitable for communication, interpretation or processing by human beings or by automated means;
SECTION 2(i) "Data Fiduciary" means any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data;
SECTION 2(j) "Data Principal" means the individual to whom the personal data relates and where such individual is— (i) a child, includes the parents or lawful guardian of such a child; (ii) a person with disability, includes her lawful guardian, acting on her behalf;
SECTION 2(k) "Data Processor" means any person who processes personal data on behalf of a Data Fiduciary;
SECTION 2(l) "Data Protection Officer" means an individual appointed by the Significant Data Fiduciary under clause (a) of sub-section (2) of section 10;
SECTION 2(m) "digital office" means an office that adopts an online mechanism wherein the proceedings, from receipt of intimation or complaint or reference or directions or appeal, as the case may be, to the disposal thereof, are conducted in online or digital mode;
SECTION 2(n) "digital personal data" means personal data in digital form;
SECTION 2(o) "gain" means —
(i) a gain in property or supply of services, whether temporary or permanent; or (ii) an opportunity to earn remuneration or greater remuneration or to gain a financial advantage otherwise than by way of legitimate remuneration;
SECTION 2(p) "loss" means
(i) a loss in property or interruption in supply of services, whether temporary or permanent; or
(ii) a loss of opportunity to earn remuneration or greater remuneration or to gain a financial advantage otherwise than by way of legitimate remuneration;
SECTION 2 (s) "person" includes
(i) an individual;
(ii) a Hindu undivided family;
(iii) a company;
(iv) a firm;
(v) an association of persons or a body of individuals, whether incorporated or not;
(vi) the State; and
(vii) every artificial juristic person, not falling within any of the preceding sub-clauses;
SECTION 2(t) "personal data" means any data about an individual who is identifiable by or in relation to such data;
SECTION 2 (u) "personal data breach" means any unauthorised processing of personal data or accidental disclosure, acquisition, sharing, use, alteration, destruction or loss of access to personal data, that compromises the confidentiality, integrity or availability of personal data;
SECTION 2(x) "processing" in relation to personal data, means a wholly or partly automated operation or set of operations performed on digital personal data, and includes operations such as collection, recording, organisation, structuring, storage, adaptation, retrieval, use, alignment or combination, indexing, sharing, disclosure by transmission, dissemination or otherwise making available, restriction, erasure or destruction;
APPLICABILITY
SECTION 3- Subject to the provisions of this Act, it shall
(a) apply to the processing of digital personal data within the territory of India where the personal data is collected––
(i) in digital form; or
(ii) in non-digital form and digitised subsequently;
(b) also apply to processing of digital personal data outside the territory of India, if such processing is in connection with any activity related to offering of goods or services to Data Principals within the territory of India;
(c) not apply to—
(i) personal data processed by an individual for any personal or domestic purpose; and
(ii) personal data that is made or caused to be made publicly available by—
(A) the Data Principal to whom such personal data relates; or
(B) any other person who is under an obligation under any law for the time being in force in India to make such personal data publicly available.
RULE 2- deals with definition.
KEY HIGHLIGHTS
1. The DPDP Rules have been framed under the provisions of the DPDP Act, 2023, establishing clear procedures, obligations, and safeguards for the collection, processing, storage, and erasure of personal data.
2. The Rules provide the operational framework to implement the Act’s provisions, covering:
i) Consent mechanisms and notice requirements
ii) Data retention timelines
iii) Breach notification protocols
iv) Obligations for significant data fiduciaries
v) Registration and duties of consent managers.
3. Under Rule 3, Data Fiduciaries must provide clear, independent, and accessible notices to Data Principals, detailing:
i) The personal data being collected
ii) The specific purposes for which the data is processed
iii) Simple mechanisms to withdraw consent, exercise rights, or lodge complaints.
RULE 3. Notice given by Data Fiduciary to Data Principal
The notice given by the Data Fiduciary to the Data Principal shall—
(a) be presented and be understandable independently of any other information that has been, is or may be made available by such Data Fiduciary;
(b) give, in clear and plain language, a fair account of the details necessary to enable the Data Principal to give specific and informed consent for the processing of her personal data, which shall include, at the minimum, —
(i) an itemised description of such personal data; and
(ii) the specified purpose or purposes of, and specific description of the goods or services to be provided or uses to be enabled by, such processing; and
(c) give, the particular communication link for accessing the website or app, or both, of such Data Fiduciary, and a description of other means, if any, using which such Data Principal may—
(i) withdraw her consent, with the ease of doing so being comparable to that with which such consent was given;
(ii) exercise her rights under the Act; and
(iii) make a complaint to the Board.
4. These notices empower individuals to make informed choices and safeguard their fundamental right to privacy.
5. Rule 4 sets out the registration process for Consent Managers. Applicants meeting conditions in Part A of the First Schedule may apply to the Board, which will review and either register or reject with reasons. Once registered, Consent Managers must comply with obligations in Part B. Non-adherence can lead to corrective directions or suspension/cancellation of registration after due hearing.
6. Processing of Personal Data for Subsidies and Services (Rule 5);
i) Personal data may be processed for issuing subsidies, benefits, certificates, licences, or permits.
ii) Standards in the Second Schedule apply.
iii) Coverage includes.
iv) Legal provisions under any law.
v) Policies or instructions by Central/State Governments.
vi) Expenditure from public funds (Consolidated Fund of India/State, local authority funds).
RULE 5. Processing of personal data for provision or issue of subsidy, benefit, service, certificate, licence or permit by State and its instrumentalities. —
(1) Processing the personal data of a Data Principal under this rule shall be done following the standards specified in Second Schedule.
(2) In this rule and the Second Schedule, the reference to any subsidy, benefit, service, certificate, licence or permit that is provided or issued—
(a) under law shall be construed as a reference to provision or issuance of such subsidy, benefit, service, certificate, licence or permit in exercise of any power of or the performance of any function by the State or any of its instrumentalities under any law for the time being in force;
(b) under policy shall be construed as a reference to provision or issuance of such subsidy, benefit, service, certificate, licence or permit under any policy or instruction issued by the Central Government or a State Government in exercise of its executive power; and
(c) using public funds shall be construed as a reference to provision or issuance of such subsidy, benefit, service, certificate, licence or permit by incurring expenditure on the same from, or with accrual of receipts to, —
(i)in case of the Central Government or a State Government, the Consolidated Fund of India or the Consolidated Fund of the State or the public account of India or the public account of the State; or
(ii) in case of any local or other authority within the territory of India or under the control of the Government of India or of any State, the fund or funds of such authority.
7. Under Rule 6, Data Fiduciaries must adopt minimum safeguards to prevent breaches, including:
i) Encryption, masking, or tokenization of data.
ii) Access controls on computer resources.
iii) Logging and monitoring for unauthorized access.
iv) Backup measures to ensure continuity.
v) Retention of logs and data for one year.
vi) Contractual obligations for Data Processors to maintain safeguards.
RULE 6. Reasonable security safeguards. —
(1) A Data Fiduciary shall protect personal data in its possession or under its control, including in respect of any processing undertaken by it or on its behalf by a Data Processor, by taking reasonable security safeguards to prevent personal data breach, which shall include, at the minimum, —
(a) appropriate data security measures, such as securing of personal data through encryption, obfuscation, masking or the use of virtual tokens mapped to that personal data;
(b) appropriate measures to control access to the computer resources used by such Data Fiduciary or such a Data Processor, wherever applicable;
(c) visibility on the accessing of such personal data, through appropriate logs, monitoring and review, for enabling detection of unauthorised access, its investigation and remediation to prevent recurrence;
(d) reasonable measures for continued processing in the event of confidentiality, integrity or availability of such personal data being compromised as a result of destruction or loss of access to personal data or otherwise, such as by way of data-backups;
(e) for enabling the detection of unauthorised access, its investigation, remediation to prevent recurrence and continued processing in the event of such a compromise, retain such logs and personal data for a period of one year, unless compliance with any law for the time being in force requires otherwise;
(f) appropriate provision in the contract entered into between such Data Fiduciary and such a Data Processor, wherever applicable, for taking reasonable security safeguards; and
(g) appropriate technical and organisational measures to ensure effective observance of security safeguards.
(2) In this rule, the expression "computer resource" shall have the same meaning as is assigned to it in Information Technology Act, 2000 (21 of 2000)
8. In case of a breach , Data Fiduciaries must promptly notify Data Principals with details and mitigation steps and inform the Board with an initial description followed by a detailed report within 72 hours.
RULE 7. Intimation of personal data breach. —
(1) On becoming aware of any personal data breach, the Data Fiduciary shall, to the best of its knowledge, intimate to each affected Data Principal, in a concise, clear and plain manner and without delay, through her user account or any mode of communication registered by her with the Data Fiduciary, —
(a) a description of the breach, including its nature, extent and the timing of its occurrence;
(b) the consequences relevant to her, that are likely to arise from the breach;
(c) the measures implemented and being implemented by the Data Fiduciary, if any, to mitigate risk;
(d) the safety measures that she may take to protect her interests; and
(e) business contact information of a person who is able to respond on behalf of the Data Fiduciary, to queries, if any, of the Data Principal.
(2) On becoming aware of any personal data breach, the Data Fiduciary shall intimate to the Board, —
(a) without delay, a description of the breach, including its nature, extent, timing and location of occurrence and the likely impact;
(b) within seventy-two hours of becoming aware of the breach, or within such longer period as the Board may allow on a request made in writing in this behalf, —
(i) updated and detailed information in respect of such description;
(ii) the broad facts related to the events, circumstances and reasons leading to the breach;
(iii) measures implemented or proposed, if any, to mitigate risk;
(iv) any findings regarding the person who caused the breach;
(v) remedial measures taken to prevent recurrence of such breach; and
(vi) a report regarding the intimations given to affected Data Principals.
9. A Data Fiduciary is required to erase personal data once the specified purpose and time in the Third Schedule are no longer served, unless retention is required by law.
RULE 8. Time period for specified purpose to be deemed as no longer being served .—
(1) A Data Fiduciary, who is of such class and is processing personal data for such corresponding purposes as are specified in Third Schedule, shall erase such personal data, unless its retention is necessary for compliance with any law for the time being in force, or, for the corresponding time period specified in the Third Schedule, if the Data Principal neither approaches such Data Fiduciary for the performance of the specified purpose nor exercises her rights in relation to such processing.
(2) At least forty-eight hours before completion of the time period for erasure of personal data under this rule, the Data Fiduciary shall inform the Data Principal that such personal data shall be erased upon completion of such period, unless she logs into her user account or otherwise initiates contact with the Data Fiduciary for the performance of the specified purpose or exercises her rights in relation to the processing of such personal data.
(3) Without prejudice to sub-rules (1) and (2), a Data Fiduciary shall retain, in respect of any processing of personal data undertaken by it or on its behalf by a Data Processor, such personal data, associated traffic data and other logs of the processing for a minimum period of one year from the date of such processing, for the purposes as specified in the Seventh Schedule, after which the Data Fiduciary shall cause such personal data and logs to be erased, unless further retention is required for compliance with any other law for the time being in force or notified by the Government.
10. Before erasure, Data Principals must be notified 48 hours in advance, given the option to continue or exercise her rights.
11. Regardless of purpose, all personal data and associated logs must be retained for at least one year (Seventh Schedule).
12. Rule 9 states that, Every Data Fiduciary must publish the contact details of its Data Protection Officer (‘DPO’) or another responsible person. This information will be displayed on websites/apps and included in responses to Data Principals exercising their rights.
RULE 9. Contact information of person to answer questions about processing.— Every Data Fiduciary shall prominently publish on its website or app, and mention in every response to a communication for the exercise of the rights of a Data Principal under the Act, the business contact information of the Data Protection Officer, if applicable, or a person who is able to answer on behalf of the Data Fiduciary the questions of the Data Principal about the processing of her personal data
13. Rule 10 mandates Data Fiduciaries to adopt technical and organisational measures to ensure that verifiable consent of a parent is obtained before processing any personal data of a child.
RULE 10. Verifiable consent for processing of personal data of child .—
(1) A Data Fiduciary shall adopt appropriate technical and organisational measures to ensure that verifiable consent of the parent is obtained before the processing of any personal data of a child and shall observe due diligence, for checking that the individual identifying herself as the parent is an adult who is identifiable if required in connection with compliance with any law for the time being in force in India, by reference to—
(a) reliable details of identity and age of the individual available with the Data Fiduciary; or
(b) details of identity and age, voluntarily provided —
(i) by the individual; or
(ii) through a virtual token mapped to such details, which is issued by an authorised entity.
(2) In this rule, the expression—
(a) "adult" shall mean an individual who has completed the age of eighteen years;
(b) "authorised entity" shall mean —
(i) an entity entrusted by law or by the Central Government or by the State Government with the issuance of details of the identity and age or a virtual token mapped to such details; or
(ii) a person appointed or permitted by the entity specified under clause (i), for such issuance, and also includes details of identity and age or token made available and verified by a Digital Locker Service Provider;
(c) "Digital Locker service provider" shall mean such intermediary, including a body corporate or an agency of the appropriate Government, as may be notified by the Central Government, in accordance with the rules made in this regard under the Information Technology Act, 2000 (21 of 2000);
14. Due diligence will be observed to confirm that the person identifying as the parent is an adult, verified through reliable identity and age details available with the Fiduciary, voluntarily provided by the individual, or through a virtual token issued by an authorised entity.
15. For these Rules, "adult" is defined as someone who has completed eighteen years of age, while an "authorised entity" refers to a body empowered by law or government to issue identity and age details or tokens, including those verified by a Digital Locker service provider under the Information Technology Act, 2000.
16. Rule 11 defines provisions for verifiable consent from persons with disabilities, under:
i) Consent will be obtained from a lawful guardian, verified as appointed by:
○ A court.
○ A designated authority under the Rights of Persons with Disabilities Act, 2016.
○ A local level committee under the National Trust Act, 1999.
ii) Ensures that guardianship is legally valid before processing sensitive personal data.
17. Certain classes of Data Fiduciaries and specific purposes (Fourth Schedule) are exempt from obligations relating to children’s data, balancing protection with practical needs in education, healthcare, and essential services.
18. The Rules operationalize rights under the Act, ensuring:
i) Transparency through clear instructions for exercising rights .
ii) Identification via valid identifiers (e.g., username, enrolment ID, mobile number).
iii) Grievance redressal systems with responses within 90 days.
iv) Nomination rights for Data Principals to appoint representatives.
19. Any personal data processed by a Data Fiduciary may be transferred outside India, provided the Fiduciary complies with requirements specified by the Central Government through general or special orders regarding its availability to foreign States or their agencies.
20. A Search-cum-Selection Committee will recommend appointments for the Board, with separate compositions for Chairperson and Members.
21. Procedure for Board Meetings and Authentication of Orders;
i) The Chairperson sets the date, time, and agenda of meetings.
ii) Quorum: one-third of the Board’s membership.
iii) Decisions are made by majority vote, with the Chairperson holding a casting vote in case of a tie.
iv) Members with conflicts of interest must abstain.
v) In emergencies, the Chairperson can act unilaterally, subject to ratification.
vi) Decisions may also be taken by circulation among Members.
vii) All orders and instruments must be authenticated by the Chairperson, a member, or an authorised individual.
viii) Inquiries will be completed within six months, extendable by three months at a time with reasons recorded.
22. The Board will function as a digital office, using techno-legal measures to conduct proceedings without physical presence, while retaining powers to summon individuals when necessary.
23. Appeals against Board orders may be filed before the Appellate Tribunal in digital form, with fees aligned to the Telecom Regulatory Authority of India Act, 1997, subject to reduction or waiver by the Chairperson.
RULE 22. Appeal to Appellate Tribunal. —
(1) Any person aggrieved by an order or direction of the Board, may prefer an appeal before the Appellate Tribunal, it shall be filed in digital form as the Appellate Tribunal may decide.
(2) An appeal filed with the Appellate Tribunal shall be accompanied by fee of like amount as is applicable in respect of an appeal filed under the Telecom Regulatory Authority of India Act, 1997 (24 of 1997), unless reduced or waived by the Chairperson of the Appellate Tribunal at her discretion, and the same shall be payable digitally using the Unified Payments Interface or such other payment system authorised by the Reserve Bank of India.
(3) The Appellate Tribunal—
(a) shall not be bound by the procedure laid down by the Code of Civil Procedure, 1908 (5 of 1908), but shall be guided by the principles of natural justice and, subject to the provisions of the Act, may regulate its own procedure; and
(b) shall function as a digital office which, without prejudice to its power to summon and enforce the attendance of any person and examine her on oath, may adopt techno-legal measures to conduct proceedings in a manner that does not require physical presence of any individual.
LET’S UNDERSTAND HOW CONSENT OF PARENT OF A CHILD ACQUIRED
SIGNIFICANT TO NOTE THAT THE RULES OBLIGATE A DATA FIDUCIARY TO OBTAIN "VERIFIABLE CONSENT" OF THE PARENT.
Suppose C is a child, P is a parent, and DF is a Data Fiduciary and user account of C is sought to be created on the online platform of DF, by processing the personal data of C.
Case 1 : C informs DF that she is a child and declares P as her parent. DF shall enable P to identify herself through its website, app or other appropriate means. P identifies herself as the parent and informs DF that she is a registered user on DF's platform and has previously made available her identity and age details to DF.
Before processing C's personal data for the creation of her user account, DF shall check to confirm that it holds reliable identity and age details of P and that P is an identifiable adult.
Case 2: C informs DF that she is a child and declares P as her parent. DF shall enable P to identify herself through its website, app or other appropriate means. P identifies herself as the parent and informs DF that she herself is not a registered user on DF's platform.
Before processing C's personal data for the creation of her user account, DF shall, by reference to identity and age details issued by an entity entrusted by law or the Government with maintenance of the said details or to a virtual token mapped to the identity and age, check that P is an identifiable adult. P may voluntarily make such details available using the services of a Digital Locker service provider.
Case 3: P is opening an account for C and identifies herself as C's parent and informs DF that she is a registered user on DF's platform and has previously made available her identity and age details to DF.
Before processing C's personal data for the creation of her user account, DF shall check to confirm that it holds reliable identity and age details of P and that P is an identifiable adult.
Case 4: P is opening an account for C and identifies herself as C's parent and informs DF that she herself is not a registered user on DF's platform. Before processing C's personal data for the creation of her user account, DF shall, by reference to identity and age details issued by an entity entrusted by law or the Government with maintenance of the said details or to a virtual token mapped to the identity and age, check that P is an identifiable adult. P may voluntarily make such details available using the services of a Digital Locker service provider.
SOME IMPORTANT RULES
RULE 14. RIGHTS OF DATA PRINCIPALS. —
(1) For enabling Data Principals to exercise their rights under the Act, the Data Fiduciary and, where applicable, the Consent Manager, shall prominently publish on its website or app, or both, as the case may be, —
(a) the details of the means using which a Data Principal may make a request for the exercise of such rights; and
(b) the particulars, if any, such as the username or other identifier of such a Data Principal, which may be required to identify her under its terms of service.
(2) To exercise the rights of the Data Principal under the Act, she may make a request to the Data Fiduciary to whom she has previously given consent for processing of her personal data, using the means and furnishing the particulars required by such Data Fiduciary for the exercise of such rights.
(3) Every Data Fiduciary and Consent Manager shall prominently publish on its website or app, or both, as the case may be, within a reasonable period not exceeding ninety days under its grievance redressal system for responding to the grievances of Data Principals and shall, for ensuring the effectiveness of the system in responding within such period, implement appropriate technical and organisational measures.
(4) To exercise the rights of the Data Principal under the Act, she may, in accordance with the terms of service of the Data Fiduciary and such law as may be applicable, nominate one or more individuals, using the means and furnishing the particulars required by such Data Fiduciary for the exercise of such right.
(5) In this rule, the expression "identifier" shall mean any sequence of characters issued by the Data Fiduciary to identify the Data Principal and includes a customer identification file number, customer acquisition form number, application reference number, enrolment ID, email address, mobile number or licence number that enables such identification.
RULE 15. Transfer of personal data outside the territory of India.— Any personal data processed by a Data Fiduciary under the Act may be transferred outside the territory of India subject to the restriction that the Data Fiduciary shall meet such requirements as the Central Government may, by general or special order, specify in respect of making such personal data available to any foreign State, or to any person or entity under the control of or any agency of such a State.
RULE 16. Exemption from Act for research, archiving or statistical purposes . —The provisions of the Act shall not apply to the processing of personal data necessary for research, archiving or statistical purposes if it is carried on in accordance with the standards specified in Second Schedule.
RULE 23. Calling for information from Data Fiduciary or intermediary. —
(1) The Central Government may, for such purposes of the Act as are specified in Seventh Schedule, acting through the corresponding authorised person specified in the said Schedule, require any Data Fiduciary or intermediary to furnish such information as may be called for, within the specified period as may be given in such.
(2) Where the disclosure of furnishing of information as referred to in sub-rule (1) is likely to prejudicially affect the sovereignty and integrity of India or security of the State, the Central Government may require the Data Fiduciary or intermediary to not disclose such furnishing to affected Data Principal or any other person except with the previous permission, in writing, of the authorised person.
(3) For the purposes of this rule, the expression "intermediary" shall have the same meaning as assigned to it in the Information Technology Act, 2000 (21 of 2000).
CONCLUSION
The importance of the DPDP (Digital Personal Data Protection) rules lies in empowering individuals by giving them control over their personal data, holding organizations accountable for data protection, and building trust in the digital economy. These rules establish a comprehensive data protection framework, safeguard the fundamental right to privacy, and provide penalties for non-compliance, as seen in the recent notification of the 2025 rules. They also provide clarity on specific aspects like consent, data breach notifications, and processing children's data.
DISCLAIMER: The article presented here is only for sharing information with readers. In case of necessity do consult with professionals.
CAclubindia
