
C&M E-ALERT: The Digital Personal Data Protection Rules, 2025

  • Writer: Karan Singh Chandhiok
  • Nov 18
  • 8 min read

WHAT HAS HAPPENED?

On 13th November 2025, the Ministry of Electronics and Information Technology (“MeitY”) notified the Digital Personal Data Protection Rules, 2025 (“Rules”) under the Digital Personal Data Protection Act, 2023 (“Act”). With this, India’s long-anticipated data protection framework is officially operational. The draft Rules were first released for public consultation on 3rd January 2025.


Along with the Rules, MeitY has also published Notifications on the following subjects to operationalize the long-awaited Act:

  1. Notification regarding the establishment of the Data Protection Board (“DPB”)

  2. Notification regarding the DPB Board Members

  3. Notification on the Timeline of Implementation of the Act (“Timeline Notification”)

SCOPE AND TIMELINES FOR IMPLEMENTATION

The Rules apply to all entities governed by the Act, including any person or entity outside India that processes Digital Personal Data of Data Principals residing in India. The Rules set out the details, methods and procedures for implementing the Act.

The Rules and the Timeline Notification provide for phased implementation, with the significant operational provisions becoming effective only by 13th May 2027. This gives organisations a definite window in which to align their internal data protection frameworks.

The implementation timelines are set out in Timeline Table 1 below:

[Timeline Table 1: image]

KEY FEATURES OF THE RULES

HOW TO GIVE NOTICE FOR CONSENT


Data Fiduciaries are required to provide clear standalone notice listing in detail:

  1. Personal Data being collected and processed in an itemized manner along with the corresponding use cases;

  2. the goods or services offered or use cases enabled;

  3. the specific purpose(s) for processing Personal Data, to seek specified and informed consent from Data Principals;

  4. access to a link (via website or an app) or any other method, with options to withdraw consent, exercise their rights and file complaints with the Data Protection Board.


The notice should be provided independently without clubbing it with ancillary documents such as terms and conditions, contracts or other such disclosures and information.



IMPLEMENTING THE OBLIGATIONS OF A SIGNIFICANT DATA FIDUCIARY (SDF)

SDFs are required to:

  1. conduct a yearly Data Protection Impact Assessment (“DPIA”) and compliance audit and submit a report with their findings and observations to the Data Protection Board

  2. ensure that their algorithms and algorithmic software used to host, display, upload, modify, publish, transmit, store, update, or share personal data do not harm the rights of Data Principals. For instance, poorly managed algorithms on social media platforms could violate user privacy and data protection rights

  3. comply with any Government directions that certain categories of Personal Data and associated traffic data must not be transferred outside India, based on the recommendations of a committee


The Rules remain silent on who will be categorised as an SDF, and on any detailed parameters for defining an SDF, beyond what the Act already provides.


OBLIGATIONS OF CONSENT MANAGERS

The Act provides for Consent Managers: entities registered with the DPB that act as a link between Data Principals and Data Fiduciaries, enabling consent to be given, managed, reviewed and withdrawn through an accessible platform.

The Rules specify the criteria for the registration of a person as a Consent Manager, which include:

  1. Must be an Indian-incorporated company with adequate technical, operational and financial capacity, sound financial condition, and a minimum net worth of ₹2 crore.

  2. Management (directors, KMPs and senior leadership) must have a reputation for fairness and integrity, with business prospects and capital structure assessed as adequate.

  3. Constitutional documents must mandate compliance with requirements mentioned, supported by appropriate policies and amendable only with prior Board approval.

  4. Independent certification must confirm that the interoperable consent platform meets Board-prescribed standards, and that suitable technical and organisational measures are in place to ensure compliance, including obligations under item 11 of Part B.


The registration for the Consent Manager can be suspended or cancelled by the DPB in case of non-adherence with obligations or in the interests of Data Principals.

SECURITY SAFEGUARDS A DATA FIDUCIARY WOULD NEED TO IMPLEMENT 


Rule 6 provides security standards that should be deployed by Data Fiduciaries and Data Processors. These include:

  1. Securing Personal Data through encryption, obfuscation, masking, or by using virtual tokens mapped to the personal data;

  2. Access control on the computer systems used by Data Fiduciary or Data Processors;

  3. Monitoring and reviewing of access logs to detect unauthorised access, as well as retention of logs and personal data for at least one (1) year;

  4. Business continuity and recovery measures;

  5. Contingency measures, such as backups, for the continued processing of personal data despite events that may destroy or cause loss of access to personal data.


Data Fiduciaries now carry an elevated duty to safeguard the personal data they process, as the Rules set out explicit requirements for implementing appropriate security measures.

CROSS BORDER TRANSFER OF DATA

Transfers of Personal Data processed by Data Fiduciaries to any region outside the territory of India, for the purpose of offering goods or services to Data Principals residing in India, are subject to additional restrictions to be laid down by the Central Government. These restrictions have not yet been spelled out in the Rules.

This allows for future transfer limitations and requirements relating to foreign-government access, despite the Act adopting a generally permissive approach.

NOTIFICATION ABOUT A DATA BREACH

The Rules require Data Fiduciaries to provide the following details to Data Principals when they become aware of a breach:

  1. Description of the breach, details of the relevant consequences and safety measures being undertaken and what a Data Principal can do to protect themselves

  2. Contact information of personnel who shall respond to all queries pertaining to the breach on behalf of the Data Fiduciary


The Data Fiduciary must also notify the Data Protection Board in two steps:

  1. Firstly, without delay, a description of the breach, including its nature, extent, timing and location of occurrence and the likely impact;

  2. Secondly, within seventy-two (72) hours of becoming aware of the incident or within an extended period allowed by the DPB, a detailed report containing the facts, reason and circumstances leading to the breach, measures taken, report regarding notification given to data principals, risk mitigation steps, and other relevant information or findings regarding the breach.


DATA RETENTION TIMELINE

As per the Act, Personal Data must only be retained to fulfill its original purpose, unless required by law. Data Fiduciaries must notify Data Principals at least forty-eight (48) hours before erasing stored Personal Data, unless the Data Principal logs in or contacts the Data Fiduciary to exercise their rights or complete the specified purpose.

The Third Schedule specifies retention timelines for certain large fiduciaries for certain data processing purposes, as outlined in Table 2 below.

Table 2

Class of Data Fiduciary and Threshold:

  • E-Commerce Entity: less than 20,000,000 registered users in India

  • Online Gaming Intermediary: less than 5,000,000 registered users in India

  • Social Media Intermediary: less than 20,000,000 registered users in India

Purpose (all three classes): All purposes except enabling Data Principals to (i) access user accounts; and (ii) access virtual tokens for money, goods or services

Retention Period (all three classes): Three (3) years from the last user interaction or the commencement of the Rules, whichever is latest

An addition to the Draft Rules requires all Data Fiduciaries, including government entities, to retain Personal Data, traffic data, and specified logs for at least one (1) year for lawful or investigative purposes, after which deletion is required unless continued retention is mandated by another regulatory statute. Other fiduciaries must similarly align their retention and deletion practices to ensure that Personal Data is not stored beyond the completion of the relevant purpose while still meeting the one (1) year minimum requirement.
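The retention arithmetic described above (the Table 2 three-year period counted from the later of the last interaction and the commencement of the Rules, the forty-eight-hour notice before erasure, and the one-year floor for logs) as a small scheduler. This is an added example, not part of the C&M alert or the text of the Rules; the commencement date is a placeholder taken from the notification date on the page, and all function names are hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumption: the page gives the Rules' notification date (13 Nov 2025); the commencement
# date Table 2 refers to is not on the page, so this value is a placeholder.
ASSUMED_RULES_COMMENCEMENT = datetime(2025, 11, 13)
THIRD_SCHEDULE_YEARS = 3                  # Table 2: three years for the listed classes
PRE_ERASURE_NOTICE = timedelta(hours=48)  # notice to the Data Principal before erasure
ONE_YEAR_FLOOR = timedelta(days=365)      # minimum retention for logs and traffic data

def parse_date(s: str) -> datetime:
    return datetime.fromisoformat(s)


def add_years(d: datetime, years: int) -> datetime:
    """Calendar-year addition; 29 Feb falls back to 28 Feb."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


@dataclass
class RetentionPlan:
    erase_on: datetime         # earliest moment the account data may be erased
    notify_by: datetime        # last moment to send the 48-hour pre-erasure notice
    logs_keep_until: datetime  # one-year floor for the associated logs


def third_schedule_plan(last_interaction: datetime, log_written: datetime,
                        commencement: datetime = ASSUMED_RULES_COMMENCEMENT) -> RetentionPlan:
    """Table 2: three years from the last interaction or commencement, whichever is later."""
    erase_on = add_years(max(last_interaction, commencement), THIRD_SCHEDULE_YEARS)
    return RetentionPlan(erase_on, erase_on - PRE_ERASURE_NOTICE, log_written + ONE_YEAR_FLOOR)


def refresh_on_activity(plan: RetentionPlan, interaction: datetime,
                        commencement: datetime = ASSUMED_RULES_COMMENCEMENT) -> RetentionPlan:
    """A login or rights request before erasure restarts the clock and writes a new log
    entry; activity on or after the erasure date does not revive the record."""
    if interaction >= plan.erase_on:
        return plan
    new = third_schedule_plan(interaction, interaction, commencement)
    new.logs_keep_until = max(plan.logs_keep_until, new.logs_keep_until)
    return new


def erasure_due(plan: RetentionPlan, now: datetime) -> bool:
    return now >= plan.erase_on  # retention period has run; data must be erased
```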


To enable Data Principals to exercise their rights under the Act, Data Fiduciaries and, where applicable, Consent Managers are required to provide on their website or application, or both:

  1. instructions and identification details to enable Data Principals to take the necessary action and raise a request to exercise their rights;

  2. the response time for grievance redressal, ensuring its effectiveness through appropriate technical and organisational measures;

  3. a mechanism for Data Principals to nominate representatives who shall act on their behalf;

  4. contact information of the Data Protection Officer (only for SDF) or an authorised representative (for other Data Fiduciary) who can address queries pertaining to the processing of the Data Principal’s personal data and exercising their rights. This is also required to be included in every response to a Data Principal’s request under the Act and Rules.

PROCESSING PERSONAL DATA OF CHILDREN AND PERSONS WITH DISABILITY

Data Fiduciaries must obtain verified parental or guardian consent before processing Personal Data of a Child (below 18 years of age) or person with disability (PwD). In obtaining such consent Data Fiduciaries are required to implement suitable technical and organisational safeguards to ensure that parental consent is secured prior to processing a Child’s Personal Data.


Data Fiduciaries must verify that the parent or guardian is an adult, using reliable details of identity and age already available with the Data Fiduciary or tools such as Digital Locker.

Exemptions

  1. Certain classes of Data Fiduciaries, such as clinics, schools and daycare centres (listed in the Fourth Schedule), can process Children’s Personal Data without parental consent for the purposes of healthcare, education or child safety, provided the processing is restricted to the purposes specified in the Rules.

  2. Certain purposes such as user account creation for communication, subsidy, benefits or authentication of the age of a Child are also exempted from obtaining verifiable parental consent so long as the processing is restricted to the extent necessary for fulfilling the purpose.


While the exempted classes of Data Fiduciaries are the same as in the Draft Rules, an exemption has been added for two further purposes:

  1. identifying a Child’s real-time location for services designed to support or protect children;

  2. allowing limited tracking or monitoring where required to ensure that a feature, service or advertisement does not negatively impact a Child’s well-being, reflecting a recognition that some degree of personalisation may be necessary for online safety.

DETAILS ON THE CENTRAL GOVERNMENT’S POWER TO CALL FOR INFORMATION

The Central Government, through authorised individuals (as highlighted in Seventh Schedule; see Table 3 below), may request information from Data Fiduciaries or intermediaries (such as online platforms) as per the purposes outlined in the Act. The Central Government will set a deadline for providing the requested information. If disclosure of such information could risk India’s sovereignty, integrity, or security, the Data Fiduciary or intermediary must withhold the information unless granted permission by authorised persons.


Table 3

  • Purpose: Use by the State or its instrumentalities of Personal Data in the interest of the sovereignty and integrity of India or state security
    Authorised Person: An officer of the State or its instrumentality designated under section 17(2) of the Act, as appointed by the Central Government or the head of the instrumentality

  • Purpose: Use by the State or its instrumentalities for (i) performing any function under current laws in India, or (ii) disclosing information to fulfil obligations under current laws in India
    Authorised Person: A person authorised under applicable law

  • Purpose: Conducting assessments to classify a Data Fiduciary or a class of Data Fiduciaries as SDFs
    Authorised Person: An officer from MeitY whom the Secretary in charge of the Ministry may designate

EXEMPTIONS UNDER ACT AND RULES

The Rules, in line with the Act, provide an exemption for the processing of Personal Data for the purposes of research, archiving or statistics, provided the processing complies with the safeguards set out in the Second Schedule, which include:

  1. Personal Data is processed lawfully and only as needed for that purpose;

  2. Efforts are made to ensure accuracy of Personal Data;

  3. Personal Data is retained only as long as necessary;

  4. Security measures to prevent breaches and to keep Personal Data secure are implemented;

  5. The Data Principal is informed about the use of their Personal Data and, where applicable, provided with a link to exercise their rights; the Data Fiduciary remains accountable for processing under these exempted purposes.

KEY OBSERVATIONS

The publication of the Rules is an important step towards enforcement of the long pending comprehensive framework for protection of personal data.


Post publication of the Rules and the timelines for implementation, organisations should now start identifying gaps and implementing concrete measures. This includes mapping personal data flows, updating privacy notices and third-party contracts, strengthening internal governance and incident-response processes, and assessing potential SDF classification. Businesses should also track forthcoming government directions on cross border transfers and SDF notifications while revising internal policies and preparing for the consent-manager ecosystem. These steps will support accountable data-handling practices, mitigate risks and reinforce the rights of Data Principals within the digital ecosystem.

 


In case of feedback, suggestions, or queries, please reach out to the C&M team on

