Rule 3 DPDP Rules 2025

Notice given by Data Fiduciary to Data Principal.


(3) The notice given by the Data Fiduciary to the Data Principal shall—
(a) be presented and be understandable independently of any other information that has been, is or may be made available by such Data Fiduciary;
(b) give, in clear and plain language, a fair account of the details necessary to enable the Data Principal to give specific and informed consent for the processing of her personal data, which shall include, at the minimum,—
(i) an itemised description of such personal data; and
(ii)the specified purpose of, and an itemised description of the goods or services to be provided or uses to be enabled by, such processing; and
(c) the particular communication link for accessing the website or app, or both, of such Data Fiduciary, and a description of other means, if any, using which such Data Principal may—
(i) withdraw her consent, with the ease of doing so being comparable to that with which such consent was given;
(ii) exercise her rights under the Act; and
(iii) make a complaint to the Board.

Rule 4 →
DPDPA
Table of contents


Report error

Legal Interpretation of Notice Obligations Under the Draft Rules

The obligation to issue a notice under Section 3 of the Draft Rules is a cornerstone of ensuring transparency and accountability in data processing. This notice, to be given by a Data Fiduciary to a Data Principal, establishes the foundation for informed consent and provides individuals with the tools to understand, manage, and potentially revoke their consent effectively.

(a) Independent and Understandable Presentation

The requirement that the notice be presented independently of other information underscores its role as a standalone document or communication. This means that the notice cannot be buried within complex terms and conditions or presented in a way that requires individuals to cross-reference other documents. Instead, the notice must be clear, concise, and accessible, enabling Data Principals to easily comprehend the terms without the risk of misinterpretation. This provision ensures fairness, minimizing the likelihood of individuals consenting to data processing without full understanding.

(b) Clarity and Specificity in Content

The Rules emphasize the use of plain and clear language, avoiding technical jargon or legalese. The notice must provide a fair account of the information necessary for the Data Principal to make an informed decision. This includes:

  • Itemized Description of Personal Data: The notice must clearly list the categories of personal data being collected. For example, instead of vague statements like "we collect information about you," it should specify "we collect your name, email address, phone number, and browsing history."
  • Specified Purpose and Usage: Data Fiduciaries must articulate the specific purpose for processing the data and provide an itemized description of the goods or services associated with the processing. This granularity prevents misuse of personal data by ensuring that individuals know exactly why their data is being collected and how it will be used. For instance, a notice might state: "We will use your email address to send product updates and promotional offers."

By providing these details upfront, the Rules enable Data Principals to make specific and informed decisions about their data, reducing the risk of uninformed consent.

(c) Communication Links for Accessibility and Redressal

The Rules also require the inclusion of a communication link that allows the Data Principal to engage with the Data Fiduciary’s website or app. This link serves multiple purposes:

  • Ease of Consent Withdrawal: The Rules mandate that withdrawing consent should be as easy as giving it. This ensures that Data Fiduciaries cannot create unnecessary hurdles for individuals wishing to revoke their consent. For example, if consent was given with a single click, withdrawing it should require no more effort.
  • Exercise of Rights Under the Act: Data Principals must be provided with clear pathways to exercise their rights, such as accessing their data, requesting corrections, or demanding erasure. The communication link serves as a one-stop portal for these actions, making the process seamless and user-friendly.
  • Mechanism for Filing Complaints: To further empower Data Principals, the Rules stipulate that the notice must detail how individuals can file complaints with the Data Protection Board. This provision promotes accountability and provides a robust redressal mechanism for grievances.

Broader Implications

The notice requirements reflect the broader principles of transparency, fairness, and accountability that underpin the Digital Personal Data Protection Act. By enforcing these standards, the Rules aim to balance the scales between Data Fiduciaries and Data Principals, ensuring that individuals retain meaningful control over their personal data. In essence, the notice acts as a bridge of trust, fostering a more equitable relationship in the digital economy.

These provisions align with global best practices, including those in the General Data Protection Regulation (GDPR), reinforcing India's commitment to safeguarding data privacy while enabling lawful and ethical data processing.

© 2025 Advocate (Dr.) Prashant Mali