Digital Personal Data Protection Rules 2025

On 13-11-2025, the Ministry of Electronics and Information Technology (MeitY) notified the Digital Personal Data Protection Rules, 2025, a crucial step toward safeguarding personal data in the digital age. This marks a decisive move in operationalising the Digital Personal Data Protection Act, 2023 (DPDP Act).

Commencement

  • Rules 1, 2 and 17–21: effective from 13-11-2025.

  • Rule 4: effective from 13-11-2026 (1 year later).

  • Rules 3, 5–16 and 22–23: effective from 13-5-2027 (18 months later).

Background:

The journey toward these Rules began with the Supreme Court’s landmark judgment in Justice K.S. Puttaswamy v. Union of India, (2017) 10 SCC 1, which declared the Right to Privacy a fundamental right under Article 21 of the Constitution. This ruling created a constitutional obligation for the government to safeguard citizens’ informational privacy.

In response, the government drafted successive versions of a data protection law, culminating in the DPDP Act, 2023. While the Act laid down the broad principles (consent, rights of individuals, obligations of data fiduciaries), it left the details to be operationalised through rules. With the Rules now in place, the privacy regime finally begins to take shape.

Key Highlights:

  1. The DPDP Rules have been framed under the provisions of the DPDP Act, 2023, establishing clear procedures, obligations, and safeguards for the collection, processing, storage, and erasure of personal data.

  2. The Rules provide the operational framework to implement the Act’s provisions, covering:

    • Consent mechanisms and notice requirements

    • Data retention timelines

    • Breach notification protocols

    • Obligations for significant data fiduciaries

    • Registration and duties of consent managers

  3. Under Rule 3, Data Fiduciaries must provide clear, independent, and accessible notices to Data Principals, detailing:

    • The personal data being collected

    • The specific purposes for which the data is processed

    • Simple mechanisms to withdraw consent, exercise rights, or lodge complaints

  4. These notices empower individuals to make informed choices and safeguard their fundamental right to privacy.

  5. Rule 4 sets out the registration process for Consent Managers. Applicants meeting conditions in Part A of the First Schedule may apply to the Board, which will review and either register or reject with reasons. Once registered, Consent Managers must comply with obligations in Part B. Non-adherence can lead to corrective directions or suspension/cancellation of registration after due hearing.

  6. Processing of Personal Data for Subsidies and Services (Rule 5)

    • Personal data may be processed for issuing subsidies, benefits, certificates, licences, or permits.

    • The standards in the Second Schedule apply.

    • Coverage includes processing under:

      ○ Legal provisions under any law.

      ○ Policies or instructions by Central/State Governments.

      ○ Expenditure from public funds (Consolidated Fund of India/State, local authority funds).

  7. Under Rule 6, Data Fiduciaries must adopt minimum safeguards to prevent breaches, including:

    • Encryption, masking, or tokenization of data.

    • Access controls on computer resources.

    • Logging and monitoring for unauthorized access.

    • Backup measures to ensure continuity.

    • Retention of logs and data for one year.

    • Contractual obligations for Data Processors to maintain safeguards.

  8. In case of a breach, Data Fiduciaries must promptly notify the affected Data Principals with details of the breach and the mitigation steps taken, and must inform the Board with an initial description, followed by a detailed report within 72 hours.

  9. A Data Fiduciary is required to erase personal data once the specified purpose and time in the Third Schedule are no longer served, unless retention is required by law.

  10. Before erasure, Data Principals must be notified 48 hours in advance and given the option to continue or to exercise their rights.

  11. Regardless of purpose, all personal data and associated logs must be retained for at least one year (Seventh Schedule).

  12. Under Rule 9, every Data Fiduciary must publish the contact details of its Data Protection Officer (‘DPO’) or another responsible person. This information must be displayed on its websites/apps and included in responses to Data Principals exercising their rights.

  13. Rule 10 requires Data Fiduciaries to adopt technical and organisational measures to ensure that the verifiable consent of a parent is obtained before processing any personal data of a child.

  14. Due diligence must be exercised to confirm that the person identifying as the parent is an adult, verified through reliable identity and age details already available with the Fiduciary, details voluntarily provided by the individual, or a virtual token issued by an authorised entity.

  15. For these Rules, “adult” is defined as someone who has completed eighteen years of age, while an “authorised entity” refers to a body empowered by law or government to issue identity and age details or tokens, including those verified by a Digital Locker service provider under the Information Technology Act, 2000.

  16. Rule 11 sets out how verifiable consent is obtained on behalf of persons with disabilities:

    • Consent will be obtained from a lawful guardian, verified as appointed by:

      ○ A court.

      ○ A designated authority under the Rights of Persons with Disabilities Act, 2016.

      ○ A local level committee under the National Trust Act, 1999.

    • This ensures that the guardianship is legally valid before sensitive personal data is processed.

  17. Certain classes of Data Fiduciaries and specific purposes (Fourth Schedule) are exempt from obligations relating to children’s data, balancing protection with practical needs in education, healthcare, and essential services.

  18. The Rules operationalize rights under the Act, ensuring:

    • Transparency through clear instructions for exercising rights

    • Identification via valid identifiers (e.g., username, enrolment ID, mobile number)

    • Grievance redressal systems with responses within 90 days

    • Nomination rights for Data Principals to appoint representatives.

  19. Personal data processed by a Data Fiduciary may be transferred outside India, provided the Fiduciary complies with any requirements specified by the Central Government, through general or special orders, regarding making such data available to foreign States or their agencies.

  20. A Search-cum-Selection Committee will recommend appointments for the Board, with separate compositions for Chairperson and Members.

  21. Procedure for Board Meetings and Authentication of Orders

    • The Chairperson sets the date, time, and agenda of meetings.

    • Quorum: one-third of the Board’s membership.

    • Decisions are made by majority vote, with the Chairperson holding a casting vote in case of a tie.

    • Members with conflicts of interest must abstain.

    • In emergencies, the Chairperson can act unilaterally, subject to ratification.

    • Decisions may also be taken by circulation among Members.

    • All orders and instruments must be authenticated by the Chairperson, a member, or an authorised individual.

    • Inquiries will be completed within six months, extendable by three months at a time with reasons recorded.

  22. The Board will function as a digital office, using techno-legal measures to conduct proceedings without physical presence, while retaining powers to summon individuals when necessary.

  23. Appeals against Board orders may be filed before the Appellate Tribunal in digital form, with fees aligned to the Telecom Regulatory Authority of India Act, 1997, subject to reduction or waiver by the Chairperson.
