
Digital Personal Data Protection Rules, 2025

[As required under Section 40(1) of the Digital Personal Data Protection Act, 2023 (22 of 2023)]

I. INTRODUCTION

The Digital Personal Data Protection (DPDP) Rules, 2025 operationalize the guiding principles of the DPDP Act, 2023, establishing a citizen-centric framework for the responsible use of digital personal data in India. The Rules provide clear and practical guidelines for organizations (“Data Fiduciaries”) on handling data and strengthen the rights of individuals (“Data Principals”), with penalties for non-compliance with fines up to ₹250 crore for failure to implement reasonable security safeguards.

II. CORE PRINCIPLES

The framework is built on certain core principles:

  • Consent and Transparency: Data processing must be lawful, fair, and transparent, with clear, purpose-specific consent notices in English or any of the 22 scheduled Indian languages.
  • Purpose Limitation & Data Minimization: Data can only be used for the specific purpose for which it was collected, and only the minimum amount of data necessary should be gathered.
  • Accuracy & Storage Limitation: Fiduciaries must ensure data is accurate and erase it when the specified purpose is no longer served (e.g., three years of user inactivity for large platforms, unless legally required otherwise).
  • Security Safeguards & Accountability: Organizations must implement robust security measures and are accountable for all processing activities.

III. PHASED IMPLEMENTATION

Timelines and implementation of Rules:

Timeline: Effective on and from the date of publication in the Official Gazette, i.e., November 13, 2025
Rules implemented: Rules 1, 2 and 17 to 21

-The short title and commencement provisions laying down the phased implementation, together with the definitions, have been implemented.

-Amongst others, “User Account” has been defined to mean the online account registered by the Data Principal with the Data Fiduciary and includes any profiles, pages, handles, email address, mobile number and other similar presence by means of which Data Principal is able to access the services of such Data Fiduciary.

-A Search-cum-Selection Committee is to be constituted by the Central Government in terms of Rules 17 and 18 to aid the Data Protection Board of India (“Board”).

-The Board shall function as a ‘digital office’ with procedures for meetings, orders etc. prescribed in Rules 19, 20 and 21.

Timeline: 1 year from the date of publication in the Official Gazette
Rules implemented: Rule 4

-Registration and obligations of Consent Manager have been provided in Rule 4 read with Part A and Part B of First Schedule.

-Accordingly, such registration and obligations have been deferred till 1 year from the date of publication in the Official Gazette.

-The entities to be registered as Consent Managers should, inter-alia, be companies incorporated in India providing a single, transparent platform for users to manage, review, and withdraw consent and must have a minimum net worth of ₹2 crore.

-Some of the obligations listed in Part B of the First Schedule of the Rules are as below:

>Consent Manager shall enable the Data Principal to give consent to the processing of her personal data by a Data Fiduciary.
>Consent Manager is mandated to maintain certain records on its platform, such as (i) consent given, denied or withdrawn by her; (ii) notices preceding or accompanying requests for consent; and (iii) sharing of her personal data with a transferee Data Fiduciary.
>Consent Manager to develop and maintain a website or an app, or both, as the primary means through which the Data Principal may access the services provided by the Consent Manager.
>Consent Manager to act in a fiduciary capacity in relation to the Data Principal.
>Consent Manager to have in place measures to ensure no conflict of interest arises on account of its directors, KMPs and senior management holding a directorship, financial interest, employment or beneficial ownership in Data Fiduciaries, or having a material pecuniary relationship with them.
>Consent Manager to publish certain prescribed information in an easily accessible manner, on its website or app or both, as the case may be.
>Consent Manager to have in place effective audit mechanisms to review, monitor, evaluate and report the outcome of such audit to the Board periodically, or on such occasions as the Board may direct, in respect of prescribed matters.

Timeline: 18 months after the date of publication in the Official Gazette
Rules implemented: Rules 3, 5 to 16, 22 and 23

-On becoming aware of a personal data breach, the Data Fiduciary is required to intimate each affected Data Principal “without delay” and the Board “within 72 hours” of becoming aware.

-Processing of personal data of a Data Principal for the provision or issue of a subsidy, benefit, service, certificate, license or permit by the State and its instrumentalities should be carried out in accordance with the standards specified in the Second Schedule.

-Any person aggrieved by an order or direction of the Board may prefer an appeal before the Appellate Tribunal, i.e., the Telecom Disputes Settlement and Appellate Tribunal established under section 14 of the Telecom Regulatory Authority of India Act, 1997.

IV. OTHER KEY FEATURES

  • Children’s Data: Verifiable parental/guardian consent is mandatory for processing a child’s data, except for essential services like healthcare or education.
  • Cross-Border Data Transfer: Data transfer outside India is permitted but subject to conditions and restrictions specified by the Central Government, particularly regarding data accessibility by foreign states.
  • Significant Data Fiduciaries (SDFs): Entities handling large volumes of sensitive data face additional obligations, including annual Data Protection Impact Assessments (DPIAs), independent audits, and adhering to specific data localisation requirements if notified by the government.
  • Implementation & Penalties: The Rules have a phased implementation timeline, with core operational and compliance rules coming into effect 18 months from notification (November 2025), giving organizations time to adapt. Non-compliance can lead to substantial financial penalties, with fines up to ₹250 crore for failure to implement reasonable security safeguards.