DPDP RULES
Rule 1 - Short title and commencement.
Rule 2 - Definitions
Rule 3 - Notice given by Data Fiduciary to Data Principal
Rule 4 - Registration and obligations of Consent Manager
Rule 5 - Processing of personal data for provision or issue of subsidy, benefit, service, certificate, licence or permit by State and its instrumentalities
Rule 6 - Reasonable security safeguards
Rule 7 - Intimation of personal data breach
Rule 8 - Time period for specified purpose to be deemed as no longer being served
Rule 9 - Contact information of person to answer questions about processing
Rule 10 - Verifiable consent for processing of personal data of child
Rule 11 - Verifiable consent for processing of personal data of person with disability who has lawful guardian
Rule 12 - Exemptions from certain obligations applicable to processing of personal data of child
Rule 13 - Additional obligations of Significant Data Fiduciary
Rule 14 - Rights of Data Principals
Rule 15 - Transfer of personal data outside the territory of India
Rule 16 - Exemption from Act for research, archiving or statistical purposes
Rule 17 - Appointment of Chairperson and other Members
Rule 18 - Salary, allowances and other terms and conditions of service of Chairperson and other Members
Rule 19 - Procedure for meetings of Board and authentication of its orders, directions and instruments
Rule 20 - Functioning of Board as digital office
Rule 21 - Terms and conditions of appointment and service of officers and employees of Board
Rule 22 - Appeal to Appellate Tribunal
Rule 23 - Calling for information from Data Fiduciary or intermediary
FIRST SCHEDULE - Conditions for registration of Consent Manager
SECOND SCHEDULE - Standards for processing of personal data by State and its instrumentalities under clause (b) of section 7 and for processing of personal data necessary for the purposes specified in clause (b) of sub section (2) of section 17
THIRD SCHEDULE
FOURTH SCHEDULE - Classes of Data Fiduciaries in respect of whom provisions of sub-sections (1) and (3) of section 9 shall not apply
FIFTH SCHEDULE
SIXTH SCHEDULE - Terms and conditions of appointment and service of officers and employees of Board
SEVENTH SCHEDULE
DPDP Rules
The Digital Personal Data Protection Rules, 2025
Step into your dedicated resource for understanding India’s Digital Personal Data Protection Rules, 2025. You can click on the button below to find the official PDF of the draft rules, along with details on the compliance requirements. The Ministry of Electronics and Information Technology on November 13th 2025 released the draft rules for the Digital Personal Data Protection Rules, 2025. The DPDPA is India’s comprehensive data protection law, designed to protect the personal data of individuals and ensure accountability in the processing of such data. From processing of children’s data to setting up of data protection boards and a consent manager framework, the DPDP Rules is set to supplement the Act and provide clarity regarding various compliance requirements under India’s data privacy regime with the aim of safeguarding personal data, empowering individuals with rights over their data and ensuing responsible processing of such data by organisations. As your compliance partner, we transform complex privacy compliance requirements into actionable strategies for your organization.
The Digital Personal Data Protection Rules, 2025
Rules supplementing the DPDPA to regulate the processing of digital personal data by efficiently balancing the rights of Individuals over their data, business requirements and the need for lawful processing.
Download
Important FAQs on the Updated DPDP Rules
What is the purpose of the updated DPDP Rules?
What counts as personal data under these rules?
Have consent requirements changed?
Is notice to data principals now more detailed?
Are children’s data protections stronger now?
What new duties do data fiduciaries have?
What has changed for significant data fiduciaries?
What rights do individuals have under the updated rules?
Is grievance redressal now time bound?
Are data retention duties more defined?
Do the rules say anything new about cross border transfers?
Have security requirements become stricter?
Are there penalties for non-compliance?
What is expected from data processors now?
How do these changes affect ordinary users?