Building India’s Digital Privacy Framework: An Overview Of The DPDP Rules, 2025

The Government of India, through the Ministry of Electronics & Information Technology (MeitY), has published the much-awaited Digital Personal Data Protection Rules, 2025 (the “Rules”) under the Digital Personal Data Protection Act, 2023 (DPDPA). After rounds of deliberation, the Rules were finally published on November 13, 2025.

The draft Digital Personal Data Protection Rules, 2025 were published by MeitY vide a Government of India notification on January 3, 2025, and were made available to the public, inviting objections and suggestions from all persons likely to be affected, within 45 days from the date on which copies of the Official Gazette containing the notification were made available to the public. MeitY also announced the notification of the Act and the formation of the Board, along with the timelines for compliance with the law.

Timeline for Digital Personal Data Protection Act and Rules

The Rules adopt a staggered commencement structure, wherein certain provisions take effect immediately, others after 1 year, and others after 18 months from the date of publication. This phased approach allows Data Fiduciaries, processors, government bodies, and the public to transition into the new compliance requirements in a structured manner. The timeline under the Rules is as follows:

  1. The Act stands notified as of November 13, 2025.
  2. Companies have 18 months to comply with the law. This period ends on May 13, 2027.
  3. Provisions in relation to the organisations that will be Consent Manager must be complied with within 12 months, i.e. November 13, 2026.
  4. Data Protection Board of India (DPBI): the provisions establishing the DPBI and fixing the number of its members are notified with immediate effect, i.e. from November 13, 2025.
  5. DPBI will be in the National Capital Region of India.

The details as per the Notification are as follows:

| Timeline | Effective date | Section/Rule | Details of the provision |
|---|---|---|---|
| Effective immediately | November 13, 2025 | Section 1(2), Section 2, sections 18 to 26, sections 35, 38, 39, 40, 41, 42, 43, and subsections (1) and (3) of section 44 of the Act | These provisions of the Act come into force |
| | | Section 1(2) | Act stands notified |
| | | Section 2 | Definitions |
| | | Sections 18-26 | Chapter V: Data Protection Board of India |
| | | Section 35 | Chapter IX: Protection of action taken in good faith |
| | | Section 38 | Consistency with other laws |
| | | Section 39 | Bar of jurisdiction |
| | | Section 40 | Power to make rules |
| | | Section 41 | Laying of rules and certain notifications |
| | | Section 42 | Power to amend Schedule |
| | | Section 43 | Power to remove difficulties |
| | | Section 44(1) and (3) | Amendments to certain Acts |
| | | Rule 1(2) | Rules 1, 2 and 17 to 21 come into force on the date of their publication in the Official Gazette |
| | | Rule 2 | Definitions |
| | | Rules 17-21 | Provisions in relation to the formation of the Data Protection Board of India |
| 1 year (12 months) | November 13, 2026 | Section 6(9), Section 27(1)(d) and Rule 4 | Specific provisions in relation to the Consent Manager |
| Eighteen months | May 13, 2027 | All other sections and Rules | |


Key Highlights of the DPDP Rules

Definitions

“techno-legal measures” means the measures referred to under Rules 20 and 22, which state how the Board will function as a Digital Office.

“user account” means the online account registered by the Data Principal with the Data Fiduciary, and includes any profiles, pages, handles, email address, mobile number and other similar presences by means of which such Data Principal is able to access the services of such Data Fiduciary.

Notice by Data Fiduciary to Data Principal

Rule 3 requires that a notice be provided to the Data Principal before collecting personal data. This emphasises transparency, ensuring that consent can be genuinely informed. The Rule also prohibits bundling notices with service agreements or other documents, preventing Data Principals from being misled by complex or hidden disclosures. To further detail Section 5 of the DPDPA, the notice has been defined as:


| Requirement | Description |
|---|---|
| Be presented | Provide the document to the Data Principal. |
| Understandable | Be clear in relation to the target of the notice. E.g., a notice concerning children’s data should be in a language the child can understand, even when the parent is giving consent. |
| Independent | The notice cannot be clubbed with other terms and notices. |
| Clear and plain language | It cannot be filled with legal and technical jargon but should be clear to the lay public. |
| Fair account of the details | This is the principle of fairness and transparency, which requires that details be provided so the individual can decide whether to consent. |
| Specific and informed consent | As mentioned above, the terminology of “independent notice” is related to the concept of specific consent. |

Consent has to be for a specific purpose. Also, it needs to be informed, and this relates to the concept of “fair account of details necessary”.

Minimum details necessary defined


  (i) an itemised description of the personal data;
  (ii) the specified purpose or purposes of such processing; and
  (iii) a specific description of the goods or services to be provided or uses to be enabled by such processing; and
  (iv) the communication link for accessing the website or app, or both, or such other means by which a Data Principal may communicate for:
    • easy consent withdrawal,
    • Data Principal rights, and
    • complaints to the Board.


Registration and Obligations of Consent Manager

A very important provision is the Consent Manager, defined in Sections 2(e) and 6 of the DPDPA. The Rules set out the registration and obligations of the Consent Manager: it must be a company incorporated in India with sound financial and operational capacity and a minimum net worth of INR 2 crore. The company must have a reputation for fairness and integrity in its management, and a certified interoperable platform that enables Data Principals to manage their consent. Registration and cancellation of the Consent Manager are prescribed by the Board constituted under the DPDP Act, 2023.


Reasonable Security Safeguards


The Rules strengthen the accountability of Data Fiduciaries through detailed security and processing obligations. Rule 6 mandates the implementation of technical and organisational measures to ensure the integrity and protection of personal data. Data Fiduciaries must maintain reasonable security safeguards to prevent personal data breaches, ensure the reliability of Data Processors who handle data on their behalf, and adopt appropriate technological protections proportional to the risk and sensitivity of the data being processed. Importantly, Data Processors must adhere to the same level of protections and safeguards as Data Fiduciaries. This prevents dilution of responsibility on their part. The DPDPA in Section 8(5) talks of the Reasonable Security Safeguards:


  1. Pseudonymising/anonymising the personal data – encryption, obfuscation, masking or the use of virtual tokens mapped to that personal data;
  2. Measures for access control to the data;
  3. Log monitoring and review for early detection of breaches;
  4. Maintenance of the CIA triad (confidentiality, integrity and availability);
  5. Retention of logs and personal data for 1 year, unless there is a compliance requirement in any other law for the time being in force;
  6. A contract with the Data Processor; and
  7. Appropriate technical and organisational measures (TOMs).

Intimation of Personal Data Breach

A key highlight of the DPDP Rules is the framework for personal data breach notifications under Rule 7. When a Data Fiduciary becomes aware of a breach, the Rules mandate that it promptly notify all affected Data Principals. This is in line with Section 8 (6) of the DPDPA.

The notification must be clear and straightforward, explaining the following:

  • breach’s nature, extent, and timing,
  • potential consequences for the affected individuals,
  • any measures taken to mitigate the risks,
  • safety recommendations for protecting their data, and
  • the business contact information of a person responsible for responding to inquiries.

There is also a two-stage reporting requirement to the Data Protection Board of India. The Data Fiduciary must inform the Board about the breach without delay, with details of its description, nature, extent, timing, location of occurrence and likely impact. Within 72 hours, or a longer period if permitted, the Data Fiduciary must provide an updated and detailed report, including the events that led to the breach, the actions implemented or proposed to mitigate risk, the identity of the person responsible (if known), the remedial steps taken to prevent future breaches, and details of the notifications sent to affected Data Principals.

Time Period for Specified Purpose to be Deemed as No Longer Being Served

Another critical provision relates to data retention and limitation to purpose. Rule 8 identifies the point at which a specified purpose is considered no longer necessary and requires Data Fiduciaries to erase personal data accordingly. “Specified Purpose no longer served” has been used in Section 8(8) of the DPDPA. The Rules further elaborate on this and state that, if the Data Principal does not engage with the Data Fiduciary within a specified period, the Data Principal’s personal data must be erased unless required for legal compliance.

A class of companies (in Schedule III) – E-commerce, Gaming and Social Media intermediaries shall erase such personal data if the Data Principal neither approaches such Data Fiduciary for the performance of the specified purpose nor exercises their rights in relation to such processing. They may retain personal data for up to 3 years from the last interaction or the coming into effect of the Rules, whichever is later, except when the data is needed for the principal to access their account or virtual tokens.

Importantly, at least 48 hours before the end of the time period for erasure of personal data under this Rule, the Data Fiduciary shall inform the Data Principal that such personal data will be erased upon completion of that period unless the Data Principal logs into the account or otherwise initiates contact with the Data Fiduciary for the performance of the specified purpose, or exercises her rights in relation to the processing of such personal data.

Further, the Rules state that a Data Fiduciary shall retain, in respect of any processing of personal data undertaken by it or on its behalf by a Data Processor, such personal data, associated traffic data and other logs of the processing for a minimum period of 1 year from the date of such processing, for the purposes of sovereignty and national interest and the fulfilment or disclosure of any functions under law. After that period the Data Fiduciary shall erase such data and logs, unless retention is required for compliance with any other law for the time being in force or as notified by the Government.
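The Rule 8 retention clock described above, as an added worked example that is not part of the original article: it computes the erasure deadline for a Schedule III Data Fiduciary as 3 years from the later of the last interaction and the Rules' commencement, flags the 48-hour advance notice window, resets the clock on a login or contact, honours the legal-compliance and account-access exceptions, and applies the separate 1-year minimum for processing logs. The commencement date, the `fiduciary_class` labels and the sample record are assumptions constructed for the example; the Schedule III user thresholds are not covered.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed commencement date of the Rules (publication date on this page); it is the
# alternative start of the 3-year clock ("last interaction or coming into effect of
# the Rules, whichever is later").
RULES_EFFECTIVE = datetime(2025, 11, 13, tzinfo=timezone.utc)
# Classes of Data Fiduciary named in Schedule III on this page (labels are assumed).
SCHEDULE_III_CLASSES = {"e-commerce", "online gaming", "social media intermediary"}
NOTICE_LEAD = timedelta(hours=48)      # notice at least 48 hours before erasure
DATA_RETENTION_YEARS = 3               # Schedule III inactivity period
LOG_RETENTION_YEARS = 1                # minimum retention of processing logs


def utc(year: int, month: int, day: int, hour: int = 0) -> datetime:
    """Small helper so dates in the example are unambiguous (UTC)."""
    return datetime(year, month, day, hour, tzinfo=timezone.utc)


@dataclass
class PrincipalRecord:
    principal_id: str
    fiduciary_class: str
    last_interaction: datetime          # last login, service request, or exercise of rights
    legal_hold: bool = False            # retention required by another law in force
    needed_for_account_access: bool = False  # e.g. virtual tokens the principal needs to log in


def add_years(d: datetime, years: int) -> datetime:
    """Calendar-year arithmetic; 29 Feb falls back to 28 Feb in a non-leap target year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def erasure_deadline(rec: PrincipalRecord, rules_effective: datetime = RULES_EFFECTIVE) -> datetime:
    """The 3-year clock starts at the later of the last interaction and commencement."""
    return add_years(max(rec.last_interaction, rules_effective), DATA_RETENTION_YEARS)


def retention_action(rec: PrincipalRecord, now: datetime,
                     rules_effective: datetime = RULES_EFFECTIVE) -> str:
    """Return 'not-applicable', 'retain', 'notify' (send 48h notice) or 'erase'."""
    if rec.fiduciary_class not in SCHEDULE_III_CLASSES:
        return "not-applicable"          # Schedule III period does not apply to this class
    if rec.legal_hold or rec.needed_for_account_access:
        return "retain"                  # exceptions carved out by the Rule
    deadline = erasure_deadline(rec, rules_effective)
    if now >= deadline:
        return "erase"
    if now >= deadline - NOTICE_LEAD:
        return "notify"                  # inside the 48-hour advance-notice window
    return "retain"


def record_interaction(rec: PrincipalRecord, when: datetime) -> PrincipalRecord:
    """A login or contact for the specified purpose resets the inactivity clock."""
    rec.last_interaction = when
    return rec


def log_retention_expiry(processed_at: datetime) -> datetime:
    """Processing logs and associated traffic data are kept for at least 1 year."""
    return add_years(processed_at, LOG_RETENTION_YEARS)
```

A scheduler would run `retention_action` over all records daily and act on the "notify" and "erase" results, leaving records on legal hold untouched.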

Contact Information

Business contact information of the Data Protection Officer, if applicable, or a person who is able to answer on behalf of the Data Fiduciary the questions of the Data Principal about the processing of her personal data must be displayed and prominently published on the website or mobile application.

Verifiable Consent for Processing of Personal Data of a Child

One of the most important clauses that was called into question for better clarity on Section 9 of the DPDPA was the definition of “Verifiable Consent”. A child, under the Act, is any person below eighteen years of age. The Rules mandate that no personal data of a child may be processed without obtaining verifiable consent. Data Fiduciaries must implement measures to ensure:

  1. that the person providing consent for the processing of a child’s data is the child’s parent or legal guardian, and
  2. that the parent is identifiable.

For a child, the Data Fiduciary must verify that the parent is an adult using reliable identity information or a virtual token mapped to such information. This verification process is critical to ensure that consent is being given by a responsible adult in compliance with relevant laws.

The Rules also make it clear that consent must be obtained prior to processing, and in a manner that allows the parent to make an informed choice with full knowledge of the data being collected, its purpose, retention period, and rights available to the child through their parent or guardian.

Verifiable Consent for Processing of Personal Data of a Person with Disability Who Has a Lawful Guardian

For Data Principals who are persons with disability, the DPDP Rules recognise that direct consent may not always be feasible or meaningful. To ensure inclusion and dignity, the Rules permit consent to be provided by a “lawful guardian”, a person duly authorised by a court of law, or by a designated authority or by a local-level committee, under the law applicable to guardianship to act on behalf of the Data Principal. The Rules require the same standard of “verifiable consent” to apply here. The guardian is then empowered to exercise the full range of rights available to the Data Principal, including access, correction, erasure, and grievance redressal.

Exemptions From Certain Obligations Applicable to Processing of Personal Data of a Child

In continuance of Section 9(4) of the DPDPA, specific classes of companies, such as healthcare professionals, educational institutions, and childcare providers (Schedule IV), are exempt from the provisions of sections relating to the processing of personal data of a child for defined purposes as mentioned in the Schedule. The processing of children’s personal data by these entities is permitted, subject to restrictions on activities such as health services, educational activities, safety monitoring, and transportation tracking that are necessary for the child’s well-being and safety, and to ensuring that data processing is carried out within a defined and limited scope.

Additional Obligations of Significant Data Fiduciary

In line with Section 10 of the DPDPA, the additional obligations are detailed under Rule 13, and this class of Data Fiduciary must conduct a Data Protection Impact Assessment (DPIA) and an audit once every 12 months. A report by the Party conducting the DPIA must include significant observations. Additionally, due diligence to verify that the technical measures, including the use of algorithmic software, are not likely to pose a risk to the rights of Data Principals must be provided.


Further, they need to undertake measures to ensure that personal data specified by the Central Government, based on the recommendations of a committee constituted by it, is processed subject to the restriction that the personal data and the traffic data pertaining to its flow are not transferred outside the territory of India.

Rights of Data Principals

The Rules also expand on the rights of the Data Principal under Rule 14. Further to Chapter III of the DPDPA, the Data Fiduciary/consent manager must publish on the website or app details of how to make such a request, including any particulars, such as identifying details (e.g., usernames), to facilitate identification.

In all cases, whether for access, erasure or nomination, the Rules state that a request must be made through the means published and provided by the Data Fiduciary. The grievance redressal mechanism is to be published on the website or app, and appropriate TOMs are to be implemented. The Rules set 90 days as the maximum period to address an individual’s grievance. Data Principals are also empowered to nominate another person to exercise rights on their behalf, enabling greater inclusivity in cases of incapacity or unavailability.

Cross-Border Data Transfers

In line with Section 16(1) of the DPDPA, cross-border data transfers are addressed through Rule 15. Such a transfer will be subject to the restrictions set by the Central Government on the transfer of personal data to a foreign country. This has some localisation implications, though its implementation will need to be seen.

Establishment of the Board and its Constitution

Governance of the new regime will be anchored by the Data Protection Board of India, which was formally established by a government notification with immediate effect. The Board will be headquartered in the National Capital Region. The Rules provide the full operational architecture for selection, functioning, meetings, and digital processes of the Board under Rules 17-21:

  • Appointment of Chairperson and other Members (Section 19 of the DPDPA)
  • Salary, allowances and other terms and conditions of service of Chairperson and other Members (Section 20 of the DPDPA)
  • Procedure for meetings of the Board and authentication of its orders, directions and instruments (Section 23 of the DPDPA)
  • Functioning of the Board as a digital office (Section 28 of the DPDPA)
  • Terms and conditions of appointment and service of officers and employees of the Board (Section 24 of the DPDPA)

Appeals Before the Appellate Tribunal

Rule 22 sets out the mechanism for filing appeals before the Appellate Tribunal. In accordance with Section 29(1) of the DPDPA, if dissatisfied with the order of the Board, an Appeal can be filed with the Appellate Tribunal in accordance with the procedure set out. Appeals must be filed digitally and accompanied by a fee equivalent to that charged for appeals under the Telecom Regulatory Authority of India Act. Payments must be made electronically through UPI or other RBI-authorised systems. The Tribunal itself will operate as a digital office, mirroring the Board’s techno-legal ecosystem.

Calling for Information from a Data Fiduciary or Intermediary

Under Rule 23, the Central Government may require any Data Fiduciary or intermediary to furnish such information as may be called for, as mentioned and for the purposes mentioned in the Seventh Schedule, in line with Section 36 of the DPDPA. Further, it states that the Central Government may also require the Data Fiduciary/consent manager not to disclose information without the permission of the authorised person if it is likely to prejudicially affect the sovereignty and integrity of India or security of the State.

Conclusion

Taken together, the Rules provide a robust, modern, and detailed framework that transforms the DPDPA into a fully operational data protection regime. They create a digitally empowered regulatory system, impose strong obligations on Data Fiduciaries, protect the rights of individuals in a structured manner, and establish clear bridges between privacy, national security, and digital governance. With their phased commencement, comprehensive governance architecture, breach-notification regime, cross-border conditions, and digital adjudicatory mechanisms, the Rules can position India among jurisdictions attempting to balance individual rights with innovation and strategic considerations in the global data economy.

Authors: Srinjoy Banerjee and Shivi Gupta

First published by: Mondaq