Digital Personal Data Protection (DPDPA) Rules, 2025

November 27, 2025

224

27th Nov 25 11:50 am
  • 0

The Digital Personal Data Protection Rules, 2025 have now been officially notified, operationalising the Digital Personal Data Protection Act, 2023 and setting out detailed compliance requirements for organisations in India.​

When the new rules kick in

  • The Rules are called the Digital Personal Data Protection Rules, 2025 and are issued under section 40 of the DPDPA, 2023.​
  • Different provisions start on different timelines from the date of publication in the Gazette:
    • Rules 1, 2 and 17–21: effective immediately on publication.​
    • Rule 4 (Consent Managers): after 1 year.​
    • Rules 3, 5–16, 22 and 23 (core operational obligations): after 18 months.​

This staggered approach gives businesses a limited but important transition window to build their privacy, consent and security frameworks.​

Key concepts and definitions clarified

The Rules clarify several operational concepts introduced in the Act so that implementation is more uniform across sectors.​

  • Techno-legal measures” are referenced for running the Data Protection Board as a digital office and for conducting proceedings without physical presence.​
  • User account” covers not just classic logins but also profiles, pages, handles, email IDs, mobile numbers and similar presences through which a Data Principal accesses services.​
  • Verifiable consent” is tied to specific standards under Rules 10 and 11 for children and persons with disabilities, including age and identity verification mechanisms.​

These clarifications mean that even platforms relying on phone-based or handle-based access must treat those as user accounts under the Rules.​

Notice and consent: front door of compliance

The Rules tighten what an acceptable privacy notice and consent flow must look like.​

  • Data Fiduciaries must give notices that:
    • Are understandable on their own, not buried inside other documents.​
    • Use clear, plain language and give a fair account of the processing.​
    • At minimum, itemise the personal data being processed and specify purposes and the related goods/services.​
  • Notices must also clearly provide:
    • A link and description of how to withdraw consent, with ease comparable to giving consent.​
    • Ways to exercise Data Principal rights.​
    • A route to complain to the Board.​

For children and certain persons with disabilities, “verifiable consent” from a parent or lawful guardian requires robust age/identity checks, including use of identity details or tokens from authorised entities and Digital Locker service providers.​

Consent Managers: a new regulated ecosystem

One of the most significant institutional changes is formalisation of Consent Managers, who will provide interoperable platforms to manage consent across multiple Data Fiduciaries.​

  • Only Indian companies can register as Consent Managers, and they must meet conditions such as:
    • Minimum net worth of ₹2 crore and adequate technical, operational and financial capacity.​
    • Fit-and-proper management with sound financial condition and reputation.​
    • Governance documents aligned with conditions set out in the First Schedule.​
  • Registered Consent Managers must:
    • Act in a fiduciary capacity towards Data Principals and avoid conflicts of interest with Data Fiduciaries.​
    • Maintain an interoperable platform through which Data Principals can give, manage, review and withdraw consent, including routing consent between Data Fiduciaries.​
    • Keep records of consents, notices and data sharing for at least 7 years, and provide machine-readable copies on request.​

For financial services, health, and large digital platforms, Consent Managers can become the backbone for consent-based data sharing between institutions.​

Security, breach response and retention

The Rules provide detailed expectations for “reasonable security safeguards” and breach management, moving from generic obligations to an operational checklist.​

  • Security safeguards must at minimum include:
    • Encryption, obfuscation, masking or tokenisation of personal data.​
    • Access control on computer resources and monitoring of who accesses personal data.​
    • Logging, monitoring and review for detecting unauthorised access, with retention of logs and related personal data for at least one year unless another law requires more.​
    • Backup and continuity arrangements so processing can continue if confidentiality, integrity or availability is affected.​
  • On becoming aware of a personal data breach, Data Fiduciaries must promptly notify:
    • Each affected Data Principal with a description, likely consequences, mitigation measures, suggested safety steps, and a contact point.​
    • The Board without delay, and then share fuller details (scope, causes, measures, responsible persons, and intimation report) within 72 hours or a longer period allowed by the Board.​

Retention is also addressed through a mix of minimum logging requirements and sector/class-based auto-erasure triggers.​

Auto-erasure and minimum log retention

The Third Schedule introduces a structured approach to when purposes are deemed no longer served and when data must be erased.​

  • For specified classes of large digital entities (e-commerce, online gaming, and social media intermediaries above certain user thresholds) the Rules require erasure after 3 years from the last interaction, except for:
    • Access to the user account.
    • Access to virtual tokens used to obtain money, goods or services.​
  • Independently, all Data Fiduciaries must retain personal data, traffic data and other logs relating to processing for at least one year for purposes set out in the Seventh Schedule, after which they must erase it unless another law requires longer retention.​
  • Data Fiduciaries must inform Data Principals at least 48 hours before erasing data under the auto-erasure rule, giving them a chance to re-engage or exercise their rights.​

This combination pushes digital businesses towards formal data retention schedules instead of indefinite storage.​

Special treatment of children’s data

Children’s data remains a focus area, but the Rules also create calibrated exemptions where strict consent requirements would harm welfare-centric processing.​

  • Verifiable parental consent is mandatory for processing personal data of a child, with strict checks to ensure:
    • The person claiming to be parent is an identifiable adult.
    • Identity/age is confirmed via records already with the Data Fiduciary or via authorised entities/Digital Locker tokens.​
  • Exemptions from certain obligations in section 9 for children’s data apply to:
    • Healthcare providers and allied health professionals, limited to protecting the child’s health.​
    • Educational institutions and transport providers, limited to educational activities and safety/behavioural monitoring.​
    • Certain public-interest purposes such as welfare schemes, statutory functions, and safety-related processing like location tracking.​

These carve-outs are tied to tight purpose limitation and necessity conditions, ensuring processing remains proportionate.​

Significant Data Fiduciaries: enhanced obligations

For Significant Data Fiduciaries (SDFs), the Rules convert many high-level duties from the Act into specific recurring compliance tasks.​

  • SDFs must, every 12 months:
    • Conduct a Data Protection Impact Assessment and a data protection audit.​
    • Submit a report with significant observations from both to the Board.​
  • SDFs must ensure that their technical measures, including algorithmic software used for hosting, storing, updating and sharing personal data, do not pose risks to Data Principals’ rights.​
  • For certain categories of personal data designated by the Central Government, SDFs must ensure that both the data and traffic data related to its flow are not transferred outside India.​

These requirements effectively mandate continuous privacy risk management and localised processing for notified datasets.​

Rights of Data Principals and grievance redressal

The Rules strengthen practical enforceability of Data Principal rights by focusing on discoverability and timelines.​

  • Every Data Fiduciary must:
    • Prominently publish, on its website/app, the contact details of the Data Protection Officer (if applicable) or another responsible contact person.​
    • Clearly explain the modes and identifiers (e.g., customer ID, email, mobile, licence number) Data Principals should use to exercise rights.​
  • Grievance redressal systems must:
    • Be clearly disclosed on websites/apps.​
    • Be structured to respond within a reasonable period not exceeding 90 days.​
  • Data Principals can also nominate individuals to act on their behalf to exercise rights, in line with terms of service and applicable law.​

These safeguards make it harder for organisations to hide behind complex processes or unclear contact points.​

Cross-border transfers, research and State use

The Rules also address some of the most debated topics under the DPDPA: international transfers, research exemptions, and State use of data.​

  • Personal data can be transferred outside India by Data Fiduciaries, but if data is being made available to a foreign State or its agencies, they must meet conditions specified by the Central Government through general or special orders.​
  • The Act does not apply to processing necessary for research, archiving or statistical purposes, so long as it complies with standards in the Second Schedule, which emphasise lawfulness, necessity, accuracy, security and accountability.​
  • When the State or its instrumentalities process personal data under clause b of section 7 or clause b of section 17(2), they must follow standards in the Second Schedule and can only use authorised officers listed in the Seventh Schedule for tasks such as using data for sovereignty/security or calling for information from Data Fiduciaries.​

This tries to balance operational flexibility for the State and researchers with baseline privacy safeguards.​

Board, appeals and digital-by-design enforcement

The enforcement architecture is explicitly designed as digital-first to match the nature of data processing being regulated.​

  • The Data Protection Board will function as a digital office and may use techno-legal measures so proceedings do not require physical presence, though it retains powers like summoning and examining persons on oath.​
  • The Board should ordinarily complete inquiries within 6 months of receiving a complaint/intimation/reference, with limited scope for written extensions of up to 3 months at a time.​
  • Appeals against Board orders go to the Appellate Tribunal in digital form, with fees aligned to those under the Telecom Regulatory Authority of India Act and payable through UPI or other authorised digital payment systems.​

This model is intended to make enforcement faster and more accessible, especially for digital-first businesses and Data Principals.​

pdf icon Digital_Personal_Data_Protection_DPDPA_Rules

 

Categorized in:

  • Tag Cloud

  • Social Follow

    • Subscribe to SGCMS
    Get the latest posts delivered right to your email.
    By subscribing, you agree with our privacy policy and our terms of service.