Digital Personal Data Protection (DPDP) Act, 2023, and the DPDP Rules, 2025
- tax comply
- Nov 18
- 5 min read
Key Provision/Rule/Section | Detail/Requirement/Specification | |
I. Foundational Framework & Scope | Act Name & Purpose | The Act provides for processing digital personal data in a manner that recognizes both the right of individuals to protect their data and the need to process it for lawful purposes. |
Rules Name & Purpose | The Digital Personal Data Protection Rules, 2025 (notified November 13/14, 2025), convert the Act’s framework into operational requirements and outline how organizations must meet their obligations. | |
Design Principle | The framework follows the SARAL approach: Simple, Accessible, Rational, and Actionable. | |
Applicability | Applies to processing of digital personal data within India (collected digitally or subsequently digitized). Also applies outside India if processing is related to offering goods or services to Data Principals in India. | |
Grounds for Processing | Personal data may be processed only for a lawful purpose, which is any purpose not expressly forbidden by law. Grounds include: Data Principal's consent or certain legitimate uses (e.g., voluntary provision, state functions, employment, medical emergencies). | |
Non-Applicability/Exemptions | The Act does not apply to personal data processed by an individual for any personal or domestic purpose. It also does not apply to data made publicly available by the Data Principal or by a person under a legal obligation to do so. | |
II. Key Entities and Definitions | Data Principal (DP) | The individual to whom the personal data relates; includes parents/lawful guardians for a child or PwD. |
Data Fiduciary (DF) | Any person who alone or with others determines the purpose and means of processing personal data. | |
Data Processor (DPr) | Any person who processes personal data on behalf of a Data Fiduciary. | |
Consent Manager (CM) | A person registered with the Board who acts as a single point of contact to enable a DP to give, manage, review, and withdraw consent via an accessible, transparent and interoperable platform. | |
Significant Data Fiduciary (SDF) | A DF or class of DF notified by the Central Government based on volume, sensitivity of data, risk to DP rights, and potential impact on sovereignty/security of India. | |
Digital Office | An office that adopts an online mechanism where proceedings are conducted in online or digital mode. The Board functions as an independent digital office. | |
III. Compliance Timelines | Immediate Commencement | November 13, 2025. Activated institutional setup, including the establishment of the Data Protection Board of India (DPBI) and its initial governing rules (Rules 1, 2, 17–21). |
Phase 2 Commencement | One year after publication (around November 2026). Activates the Consent Manager ecosystem, including CM registration (Act Sec 6(9), Rule 4). | |
Core Compliance Commencement | Eighteen months after publication (around May 2027). Activates the majority of operational provisions, including rules on notices, consent flows, security safeguards, breach reporting, retention, SDF requirements, and rights administration (Rules 3, 5–16, 22, 23). | |
IV. Notice and Consent Obligations | Notice Standard (Rule 3) | Must be clear, self-contained, and understandable independently of any other information. Must include an itemized description of the data and the specified purpose(s). |
Consent Standard (Sec 6) | Must be free, specific, informed, unconditional and unambiguous with a clear affirmative action. DF must maintain records showing that notice was provided and valid consent was obtained. | |
Right to Withdraw (Sec 6(4)) | The Data Principal has the right to withdraw consent at any time, with the ease of doing so being comparable to the ease with which consent was given. | |
Consent Manager Requirements (Rule 4, Schedule I) | CMs must be a company incorporated in India. They must have a net worth of not less than two crore rupees (₹2 Crore). They must act in a fiduciary capacity toward the DP. They must maintain consent records for at least seven years. | |
V. Security and Breach | Security Safeguards (Sec 8(5), Rule 6) | DF must implement appropriate technical and organizational measures to prevent personal data breach. Minimum measures include encryption, masking, obfuscation, or virtual tokens, and strict access controls. |
Processor Accountability (Sec 8(1)) | DF remains responsible for complying with the Act irrespective of processing by a Data Processor. DPr contracts must explicitly incorporate security safeguard provisions. | |
Mandatory Log Retention (Rule 8(3), Rule 6) | DF must retain personal data, traffic data, and system logs for a minimum period of one year from processing date for detection/investigation. | |
Breach Notification Timelines (Rule 7) | DF must notify affected Data Principals and the Board. Initial intimation to the Board must be without delay; detailed report must follow within seventy-two hours (72 hrs) of becoming aware of the breach. | |
VI. Data Retention and Erasure | General Erasure Duty (Sec 8(7)) | DF must erase personal data upon withdrawal of consent or when the specified purpose is no longer being served. |
Deemed Purpose Expiry (Rule 8, Schedule III) | Applies to large E-commerce (≥ 2 Crore registered users), Social Media (≥ 2 Crore registered users), and Online Gaming (≥ 50 Lakh registered users) Fiduciaries. | |
Retention Period (Deemed Purpose) | Data for these entities is retained for three years from the date the DP last approached for the specified purpose/exercised rights, or Rules commencement, whichever is latest. | |
Pre-Erasure Notice (Rule 8(2)) | DF must inform the DP at least forty-eight hours (48 hrs) before the completion of the erasure period. | |
VII. Significant Data Fiduciaries (SDFs) | Annual Assessments (Rule 13) | SDFs must conduct a Data Protection Impact Assessment (DPIA) and an audit once every twelve months (yearly). |
DPO/Auditor Mandates (Sec 10) | Must appoint a DPO who is based in India and responsible to the Board/governing body, and an Independent Data Auditor. | |
Algorithmic Due Diligence (Rule 13(3)) | SDFs must verify that technical measures, including algorithmic software, are not likely to pose a risk to the rights of Data Principals. | |
Data Localization (Rule 13(4)) | SDFs must undertake measures to ensure specified personal data and associated traffic data are not transferred outside the territory of India if mandated by the Central Government. | |
VIII. Special Protections | Children's Data (Sec 9, Rule 10) | Requires verifiable consent of the parent/lawful guardian. DF must verify parent is an identifiable adult by reference to reliable details or a virtual token issued by an authorized entity (including Digital Locker Service Provider). |
Prohibitions for Children | DF shall not undertake tracking, behavioural monitoring, or targeted advertising directed at children. | |
PwD Data (Rule 11) | Requires verifiable consent from a lawful guardian. DF must verify the guardian was appointed by a court of law, designated authority, or local level committee under applicable guardianship law. | |
IX. Data Principal Rights & Grievance | Key Rights (Chapter III) | Right to access information about personal data, correction, completion, updating, and erasure. Also includes the right to nominate another individual to act on their behalf in case of death or incapacity. |
DP Duties (Sec 15) | Duties include not impersonating another person, not suppressing material information, and not registering a false or frivolous grievance. | |
Grievance Response Timeline | DF/CM must respond to grievances/requests within a reasonable published timeline, not exceeding ninety days (90 days). | |
X. Enforcement and Penalties | Regulator/Appeals | The Data Protection Board of India (DPBI) is the regulator. It functions as a digital office. Appeals are heard by the Appellate Tribunal (TDSAT). |
Inquiry Timeline (Rule 19(9)) | Inquiries must be completed within six months from complaint/intimation date, extendable once by maximum three months. | |
Penalty: Security Safeguards | Breach in observing the obligation to take reasonable security safeguards (Sec 8(5)). | May extend to ₹250 Crore. |
Penalty: Breach Notification | Failure to notify Board/DP of data breach (Sec 8(6)). | May extend to ₹200 Crore. |
Penalty: Children's Obligations | Breach in observance of obligations related to children (Sec 9). | May extend to ₹200 Crore. |
Penalty: SDF Obligations | Breach in observance of additional obligations of SDF (Sec 10). | May extend to ₹150 Crore. |
Penalty: DP Duties | Breach in observance of duties of Data Principal (Sec 15). | May extend to ₹10,000. |
Penalty: Other Violations | Breach of any other provision of the Act or the Rules. | May extend to ₹50 Crore. |
Comments