Aishani Partners
The Digital Personal Data Protection Rules, 2025: A Primer

Introduction
The Digital Personal Data Protection Act, 2023 or the DPDP Act, 2023 (‘Act’) provides the framework that defines Personal Data[1], valid consent, lawful processing[2], the rights of Data Principals[3], the obligations of Data Fiduciaries[4], penalties for Personal Data breaches, and the powers of the Data Protection Board of India (‘Board / DPBI’).
More than two years after the enactment of the Act, the Ministry of Electronics and Information Technology (MeitY) of the Government of India notified the Digital Personal Data Protection Rules, 2025 (‘Rules’), which supply the machinery for giving effect to the principles laid down by the Act. Besides constituting the DPBI and setting out the eligibility criteria for its members and its procedure, the Rules provide the operational details of how notices to Data Principals must be structured, how Data Fiduciaries are to handle grievances, how Significant Data Fiduciaries are to perform DPIAs and audits, and how minors’ Personal Data is to be managed.
It is pertinent to mention that data is digital by design under the Act. Unlike the European GDPR, which also protects personal data held in non-digital form, the Act applies only to digital personal data (including data collected in non-digital form and subsequently digitised).
This update examines the salient features of the Rules, the operational law under which the provisions of the Act are applied, and how they affect stakeholders, and responds to some common questions surrounding the new data protection regulations.
When does the implementation start?
The Rules come into effect in three phases:
- On 13/11/2025, i.e. on the date of notification of the Rules, the following rules came into effect:
- Rules 1 and 2, which provide for the title and commencement of the Rules, and for definitions in the Rules and, correspondingly, in the Act.
- Rules 17 to 21, which provide for the constitution of a Selection Committee by the Central Government for the appointment of the Chairperson and Members of the newly constituted Board; the salary, allowances and terms and conditions of service of its Chairperson and Members; the procedure for meetings of the Board and the authentication of its orders, directions and instruments; its functioning as a digital office; and other terms and conditions for the appointment and service of its officers and employees.
- On 13/11/2026, i.e. one year after the notification of the Rules, the following rule will come into effect:
- Rule 4: Registration and obligations of Consent Managers.
- On 13/05/2027, i.e. 18 months after the notification of the Rules, the remaining rules will come into effect, i.e.:
- Rules 3, 5 to 16, 22 and 23, detailing the obligations of Data Fiduciaries, Data Processors and Consent Managers and the rights available to Data Principals, including the provisions relating to the Personal Data of minors and the cross-border transfer of Personal Data.
What is a valid notice under the Rules? What are its elements?
Rule 3 sets out the elements of a valid notice from a Data Fiduciary to a Data Principal (‘Notice’) under the Act. They are as follows:
- Independence: The Notice seeking consent for the processing of Personal Data shall be independent of, and understandable without reference to, any other information that may be provided alongside it.
- Language: The Notice shall be presented in plain, simple and clear language.
- Content: The Notice must give a clear description of the key details a Data Principal needs in order to give informed consent. These details include (but are not limited to) the following:
- The specific Personal Data that will be collected or processed in an itemised list.
- The exact purpose(s) for which the data will be processed, including what goods or services will be provided through such processing.
- Conspicuous information about rights and remedies of Data Principals: The Notice is also required to contain a link to the website and/or app of the Data Fiduciary, and a description of any other means, through which a Data Principal can:
- Withdraw their consent (with the same ease by which consent was collected);
- Exercise their rights under the Act; and
- Make a complaint to the Board.
What are the Obligations of Data Fiduciaries?
- In general, Data Fiduciaries are required to:
- Protect Personal Data in their possession or control, including when processed by a Data Processor[5], by implementing reasonable security safeguards to prevent a Personal Data breach.
- Use encryption, masking, obfuscation, or tokenisation to safeguard Personal Data.
- Maintain logs and monitoring systems to detect unauthorised access and support investigation and prevention.
- Maintain backups to ensure ongoing processing if data is lost, corrupted, or compromised.
- Contractually bind their Data Processors to implement the reasonable security safeguards applicable to them.
- In connection with a Personal Data breach, Data Fiduciaries have the following obligations:
- Obligation to notify Data Principals:
- On becoming aware of a breach, the Data Fiduciary must notify the affected Data Principals, giving, among other details, a description of the breach, its likely consequences for the Data Principal, and the measures the Data Fiduciary has taken to mitigate the risk.
- The notification must be in clear, concise and plain language.
- Obligation to notify the Board without delay, with a description of the breach including its nature, extent, timing, location and potential impact.
- Obligation to update the Board within 72 hours:
- Updated and detailed breach information;
- Facts regarding events that lead to the breach;
- Mitigation measures planned/implemented;
- Findings regarding person(s) responsible;
- Steps taken to prevent recurrence;
- Report confirming that Notification has been sent to Data Principals.
- In connection with Personal Data retention and deletion, Data Fiduciaries have the following obligations:
- A Data Fiduciary may retain the Personal Data of a Data Principal only for as long as is necessary to fulfil the specific purpose for which it was collected, or for the time period specified in the Third Schedule of the Rules (summarised below). The Data Fiduciary must give the Data Principal at least 48 hours’ notice before erasing their data.
- For e-commerce entities and social media intermediaries with more than two (2) crore registered users, and online gaming intermediaries with more than fifty (50) lakh registered users, the specified purpose is deemed no longer served, and the Personal Data must be erased, three (3) years after the latest of (i) the Data Principal’s last interaction with the Data Fiduciary, (ii) the Data Principal’s last exercise of a right under the Act, and (iii) the commencement of the Rules. This period does not apply to Personal Data required to (a) allow the user to access their account or (b) access virtual tokens the user has acquired.
- Even after the purpose has been fulfilled, the Data Fiduciary is required to retain the Personal Data, the associated traffic data and the processing logs for at least one (1) year, for purposes of the State such as compliance, audit, assessment, dispute resolution or investigation.
- After this mandatory one-year retention period, the Data Fiduciary shall erase the Personal Data concerned unless further retention is required under any law or government direction.
What are the Rights of Data Principals?
- Visibility of rights of Data Principals and how to use them:
- The Data Fiduciary and the Consent Manager are required to clearly display on their website and/or app (a) how Data Principals can make requests to exercise their rights, and (b) what information or identifiers (username, account details) are needed to verify the requester’s identity.
- A Data Principal exercises their rights by making a request to the Data Fiduciary that received the consent and holds the relevant Personal Data.
- The Data Fiduciary or Consent Manager must respond to the request within a reasonable time, and in any case not later than 90 days, following the grievance redressal process published on its platform.
- A Data Principal may appoint one or more individuals to exercise rights on their behalf, in accordance with the terms of service of the platform and the applicable law.
What is Verifiable Consent for Children and Persons with Disabilities?
- In both cases, Data Fiduciary is required to:
- adopt appropriate technical and organisational measures, and
- exercise due diligence;
to ensure that the person providing consent is legally authorised to do so.
- Consent for children and persons with disabilities cannot be assumed, implied or based merely on a claim; it must be verified, traceable and legally grounded, and obtained from the persons responsible, as follows:
- For children: consent must be obtained from the parent or lawful guardian, and verification may rely on identity details already held by the Data Fiduciary, identity details submitted during verification, or a government-authorised digital identity token.
- For persons with disabilities: the Data Fiduciary must confirm the legal basis of the guardianship, which may arise from a court appointment, a designated authority under disability law, or a local level committee established under the relevant statutes.
Processing of Data by the State in Certain Cases
- Section 7 of the Act allows the State to process Personal Data where such processing is necessary to provide a service, benefit, certificate, licence, permit or subsidy, in accordance with the processing standards laid down by Central Government policy.
- Correspondingly, Rule 5 of the Rules defines the scope of “service, benefit, certificate, licence, permit or subsidy” and when the provision applies. The Second Schedule of the Rules lists the requirements the State must follow when processing Personal Data for these purposes.
Who are Significant Data Fiduciaries?
Significant Data Fiduciaries[6] (‘SDFs’) are a category of Data Fiduciaries to be notified by the Central Government on the basis of factors such as the volume of data processed, the sensitivity of that data and the resulting risk to Data Principals. They are subject to enhanced compliance requirements under the Rules, in addition to the appointment of a Data Protection Officer[7].
The compliance requirements for SDFs are elaborated below.
- Annual DPIA and Independent Audit:
SDFs are required to conduct a Data Protection Impact Assessment and undergo an independent data protection audit at least once every twelve months, the findings of which must be submitted to the Board.
- Restrictions on Transfer of Specified Data:
SDFs must comply with additional localisation requirements for certain categories of Personal Data identified by the Central Government. Such data, along with associated traffic data, cannot be transferred outside India. These classifications will be based on recommendations made by a committee appointed for the purpose by the Central Government.
- Committee Oversight:
The committee advising the Government on such classifications will include representatives from MeitY and may include officials from other Ministries or Central Government departments.
Who are Consent Managers? What are their Obligations?
- The Rules provide for the registration of Consent Managers[8], which must be companies incorporated in India that meet certain capacity and financial requirements and have no conflict of interest with Data Fiduciaries.
- Consent Managers are required to:
- Enable the Data Principal to give consent directly to a Data Fiduciary onboarded with the Consent Manager, or indirectly through another onboarded Data Fiduciary.
- Ensure that Personal Data is shared in a manner that does not allow the Consent Manager to access its contents.
- Maintain records of consent given, denied or withdrawn by the Data Principal, provide such records to the Data Principal on request, and retain them for a minimum of seven (7) years or longer where required by law.
- Maintain an app or website through which the Data Principal can easily access their consent records.
- Implement reasonable security safeguards to prevent a Personal Data breach.
- Act in a fiduciary capacity with respect to Data Principals.
- Avoid conflicts of interest with Data Fiduciaries; this also applies to their promoters, directors and key managerial personnel (KMPs).
- Publish information on their major shareholders, directors and KMPs on their website or app.
- Not restructure in a manner that transfers control without the authorisation of the Board.
- Submit yearly audit reports to the Board.
Is Cross-Border Data Transfer Permitted? Are there any exceptions?
- Cross-border transfer of Personal Data is permitted, subject to such restrictions as the Central Government may impose.
- The Data Fiduciary must meet any requirements the Central Government specifies in respect of making such Personal Data available to a foreign State, or to a person or entity under the control or agency of such a State.
Concluding Views
The Digital Personal Data Protection Rules, 2025 transform the broad principles of the DPDP Act, 2023 into an operational compliance framework.
The phase-wise implementation gives stakeholders sufficient time to build processes and systems that comply with the regime, and to analyse and structure their systems deliberately rather than in haste. The staggered enforcement timeline reflects a measured implementation philosophy, one that recognises the infrastructural and behavioural shift required across both public and private systems.
The Rules emphasise transparency, accountability, consent-based processing and purpose limitation, while introducing governance expectations for large or sensitive platforms. By formalising mechanisms for notice, consent, retention, breach response and the lawful processing of vulnerable groups’ data, the Rules establish a regulated digital ecosystem centred on individual autonomy and organisational responsibility. The explicit requirements of a ‘valid notice’ ensure that Data Principals are well informed when they consent to the processing of their Personal Data by Data Fiduciaries, and equip them to exercise their rights over that data. Finally, the layer of independent and unbiased Consent Managers between Data Principals and Data Fiduciaries is intended to make the exchange and handling of data between the parties work smoothly in practice.
The Rules ultimately signal India’s transition toward a rights-based privacy regime, balancing business needs with personal protection in a digital economy built on trust.
[1] “Personal Data” is defined as any data about an individual who is identifiable by or in relation to such data.
It is data that can be tied, directly or indirectly, to a specific human being. Names, numbers, device IDs, behavioural patterns, and even fragments of metadata become personal the moment they make a person identifiable. Identifiability isn’t limited to direct identifiers. If a piece of data, when combined with reasonably available information, can single someone out, it falls within the definition.
[2] “Processing” means any automated or partly automated collection, recording, organisation, storage, use, sharing, retrieval, alteration, restriction, erasure, destruction, or any similar handling.
[3] “Data Principal” means the individual to whom the Personal Data relates, and who holds the rights under the Act in respect of that data.
[4] “Data Fiduciary” is a person or entity that determines why and how Personal Data will be processed, and is responsible for compliance with the Act when processing that data.
[5] “Data Processor” means the person or entity that processes Personal Data on behalf of a Data Fiduciary, solely in accordance with the instructions received from Data Fiduciaries.
[6] “Significant Data Fiduciary” means a Data Fiduciary or class of Data Fiduciaries notified as such by the Central Government under the Act. It is pertinent to mention that, at the time of writing, the Government has not yet notified any Data Fiduciary as a Significant Data Fiduciary.
[7] “Data Protection Officer” means the individual appointed by a Significant Data Fiduciary to oversee compliance with the Act, coordinate grievance redressal, and act as the point of contact for the Data Principal and the Board.
[8] Under the Rules, “Consent Managers” are required to be registered as such with the Board after meeting the eligibility criteria provided under Part A of the First Schedule of the Rules. Their obligations are covered under Part B of the First Schedule.
As per the Act, a Consent Manager is required to act as the single point of contact between Data Principal and Data Fiduciaries. The Consent Managers enable the Data Principal to give, manage, review and withdraw consent through their own accessible, transparent and interoperable platform.
Contributed by Aditi Verma Thakur & Akash Sajan
