DPDP RULES
Rule 8
Time period for specified purpose to be deemed as no longer being served
(1) A Data Fiduciary, who is of such class and is processing personal data for such corresponding purposes as are specified in Third Schedule, shall erase such personal data, unless its retention is necessary for compliance with any law for the time being in force, or, for the corresponding time period specified in the Third Schedule, if the Data Principal neither approaches such Data Fiduciary for the performance of the specified purpose nor exercises her rights in relation to such processing.
(2) At least forty-eight hours before completion of the time period for erasure of personal data under this rule, the Data Fiduciary shall inform the Data Principal that such personal data shall be erased upon completion of such period, unless she logs into her user account or otherwise initiates contact with the Data Fiduciary for the performance of the specified purpose or exercises her rights in relation to the processing of such personal data.
(3) Without prejudice to sub-rules (1) and (2), a Data Fiduciary shall retain, in respect of any processing of personal data undertaken by it or on its behalf by a Data Processor, such personal data, associated traffic data and other logs of the processing for a minimum period of one year from the date of such processing, for the purposes as specified in the Seventh Schedule, after which the Data Fiduciary shall cause such personal data and logs to be erased, unless further retention is required for compliance with any other law for the time being in force or notified by the Government.
Illustration.
Case 1: X, a Data Principal, purchases an e-book on an e-book platform Y. Once delivery is completed, the specified purpose of processing is served. The platform Y must retain the order details, personal data, and logs of the processing (such as order confirmation, payment, and delivery events) for at least one year from the date of the transaction, even if X deletes her account.
Case 2: X, a company, engages a cloud service provider C as its Data Processor to host customer records. X, as the Data Fiduciary, is required to ensure that C also retains the data and associated logs for at least one year before erasure, unless any other applicable law requires a longer period.
Effective after 18 months (13 May 2027)