Explanatory Note to Digital Personal Data Protection Rules, 2025
Disclaimer: The purpose of this explanatory note is only to make it easier to understand the provisions of the Rules. However, this explanatory note is not intended to form part of the Rules and shall not be considered for legal interpretation of any provision of the Rules.
The Digital Personal Data Protection Act, 2023 (Act) received the assent of the Hon'ble President on 11th August 2023. A draft of the Rules as envisaged under different sections of the Act has been made. The Rules provide the necessary details and implementation framework of the Act.
1. Short Title and Commencement
These rules, called the Digital Personal Data Protection Rules, 2025, come into force upon publication, except for rules 3 to 15, 21, and 22, which will be effective from a later date.
2. Definitions Clause
Expressions in the Act shall have the same meaning as assigned in the Act, unless the context otherwise requires.
3. Notice by Data Fiduciary to Data Principal
The notice provided by the Data Fiduciary must be clear, standalone, and understandable. It should provide an itemized list of the personal data being collected, clear descriptions of the purpose for processing, and other details such as:
- Communication link of the Data Fiduciary’s website or app.
- Methods for withdrawing consent and exercising rights.
- Details about making complaints to the Board.
4. Registration and Obligations of a Consent Manager
A Consent Manager must be a company incorporated in India with a minimum net worth of two crore rupees. It must comply with obligations such as ensuring data transparency, maintaining records, and implementing security measures. Any changes in control require prior approval from the Board.
5. Processing for Services by the State or Its Instrumentality
The State and its instrumentalities may process personal data to provide services or issue benefits. Processing must adhere to the standards outlined in Schedule II, ensuring lawful and secure handling of data.
6. Reasonable Security Safeguards
Data Fiduciaries must implement measures like encryption, access control, and monitoring for unauthorized access to ensure data security.
7. Intimation of Personal Data Breach
Data Fiduciaries must notify affected Data Principals and the Board promptly in case of a breach. Notifications should explain the breach and suggest measures for data protection.
8. Time Period for Erasure
If a Data Principal does not engage with the Fiduciary within a specified period, their data must be erased unless required for legal compliance. Prior notice should be given before erasure.
9. Contact Information for Queries
Every Data Fiduciary must display the contact details of a designated person or Data Protection Officer (DPO) on their website or app for addressing queries related to data processing.
10. Verifiable Consent for Children and Persons with Disabilities
Consent must be obtained from a parent or legal guardian before processing the data of children or persons with disabilities. Verification measures should be implemented to ensure compliance.
11. Exemptions for Processing Children’s Data
Certain entities like healthcare providers and educational institutions may process children’s data for specific purposes like health services and safety monitoring, within a defined scope.
12. Obligations of Significant Data Fiduciaries
Significant Data Fiduciaries must conduct annual audits and DPIAs, and ensure compliance with restrictions on cross-border data transfers.
13. Rights of Data Principals
Data Principals can access, erase, and manage their data through processes published by Data Fiduciaries. Clear timelines must be provided for grievance redressal.
14. Processing Personal Data Outside India
Data Fiduciaries must comply with requirements set by the Central Government for cross-border data processing to ensure data protection.
15. Exemption for Research, Archiving, and Statistics
Data processing for research, archiving, or statistics is exempt from the Act, provided it adheres to safeguards outlined in Schedule II.
16. Appointment of Chairperson and Members
A Search-cum-Selection Committee will recommend candidates for Chairperson and Members of the Data Protection Board. Appointments will be made by the Central Government.
17. Terms of Service for Chairperson and Members
The Chairperson and Members will receive consolidated salaries of ₹4,50,000 and ₹4,00,000 per month respectively, with detailed service conditions outlined in Schedule V.
18. Procedure for Board Meetings
Board meetings will be chaired by the Chairperson or a designated Member. Quorum and voting procedures are defined, with urgent matters requiring immediate action.
19. Functioning as a Digital Office
The Board will operate as a digital office to streamline processes and reduce the need for physical attendance.
20. Service Conditions for Officers and Employees
The Board can appoint officers and employees as needed, with terms of service aligned with government standards.
21. Appeals to Appellate Tribunal
Appeals must be submitted digitally, and the Tribunal will handle proceedings efficiently through a digital office.
22. Information Requests from Data Fiduciaries
The Central Government can request information from Data Fiduciaries or intermediaries under specific conditions outlined in Schedule VII.