dpdpa.co.in

Menu

    DPDP RULES

    Rule 1 – Short title and commencement.

    Rule 2 – Definitions

    Rule 3 -Notice given by Data Fiduciary to Data Principal

    Rule 4 – Registration and obligations of Consent Manager

    Rule 5 – Processing of personal data for provision or issue of subsidy …

    Rule 6 – Reasonable security safeguards

    Rule 7 – Intimation of personal data breach

    Rule 8 – Time period for specified purpose to be deemed …

    Rule 9 – Contact information of person to answer questions about processing

    Rule 10 – Verifiable consent for processing of personal data of child

    Rule 11 – Verifiable consent for processing of personal data …

    Rule 12 – Exemptions from certain obligations …

    Rule 13 – Additional obligations of Significant Data Fiduciary

    Rule 14 – Rights of Data Principals

    Rule 15 – Transfer of personal data outside

    Rule 16 – Exemption from Act for research

    Rule 17 – Appointment of Chairperson …

    Rule 18 – Salary, allowances and other terms …

    Rule 19 – Procedure for meetings of Board

    Rule 20 – Functioning of Board as digital office

    Rule 21 – Terms and conditions of appointment …

    Rule 22 – Appeal to Appellate Tribunal

    Rule 23 – Calling for information from …

    First Schedule – Conditions for registration of …

    Second Schedule – Standards for processing of …

    Third Schedule

    Fourth Schedule – Classes of Data Fiduciaries …

    Fifth Schedule – Terms and conditions of …

    Sixth Schedule – Terms and conditions of appointment …

    Seventh Schedule

    Rule 3

    Notice given by Data Fiduciary to Data Principal

    The notice given by the Data Fiduciary to the
    Data Principal shall—
    (a) be presented and be understandable independently of any other information that has been, is or may be made available by such Data Fiduciary;
    (b) give, in clear and plain language, a fair account of the details necessary to enable the Data Principal to give specific and informed consent for the processing of her personal data, which shall include,
    at the minimum, —
    (i) an itemised description of such personal data; and
    (ii) the specified purpose or purposes of, and specific description of the goods or services to be provided or uses to be enabled by, such processing; and
    (c) give, the particular communication link for accessing the website or app, or both, of such Data Fiduciary, and a description of other means, if any, using which such Data Principal may—
    (i) withdraw her consent, with the ease of doing so being comparable to that with which such consent was given;
    (ii) exercise her rights under the Act; and
    (iii) make a complaint to the Board.

    Effective after 18 months (13 May 2027)

    Rule 2
    Rule 4
    Scroll to Top