DPDP RULES


FOURTH SCHEDULE - Classes of Data Fiduciaries in respect of whom provisions of sub-sections (1) and (3) of section 9 shall not apply

PART A

Classes of Data Fiduciaries in respect of whom provisions of sub-sections (1) and (3) of section 9 shall not apply

| S. No. | Class of Data Fiduciaries | Conditions |
|---|---|---|
| 1. | A Data Fiduciary who is a clinical establishment, mental health establishment or healthcare professional. | Processing is restricted to provision of health services to the child by such establishment or professional, to the extent necessary for the protection of her health. |
| 2. | A Data Fiduciary who is an allied healthcare professional. | Processing is restricted to supporting implementation of any healthcare treatment and referral plan recommended by such professional for the child, to the extent necessary for the protection of her health. |
| 3. | A Data Fiduciary who is an educational institution. | Processing is restricted to tracking and behavioural monitoring: (a) for the educational activities of such institution; or (b) in the interests of safety of children enrolled with such institution. |
| 4. | A Data Fiduciary who is an individual in whose care infants and children in a crèche or child day care centre are entrusted. | Processing is restricted to tracking and behavioural monitoring in the interests of safety of children entrusted in the care of such individual, crèche or centre. |
| 5. | A Data Fiduciary who is engaged by an educational institution, crèche or child care centre for transport of children enrolled with such institution, crèche or centre. | Processing is restricted to tracking the location of such children, in the interests of their safety, during the course of their travel to and from such institution, crèche or centre. |

PART B

Purposes for which provisions of sub-sections (1) and (3) of section 9 shall not apply

| S. No. | Purposes | Conditions |
|---|---|---|
| 1. | For the exercise of any power, performance of any function or discharge of any duties in the interests of a child, under any law for the time being in force in India. | Processing is restricted to the extent necessary for such exercise, performance or discharge. |
| 2. | For providing or issuing of any subsidy, benefit, service, certificate, licence or permit, by whatever name called, under law or policy or using public funds, in the interests of a child, under clause (b) of section 7 of the Act. | Processing is restricted to the extent necessary for such provision or issuance. |
| 3. | For the creation of a user account for communicating by email. | Processing is restricted to the extent necessary for creating such user account, the use of which is limited to communication by email. |
| 4. | For the determination of real-time location of a child. | Processing is restricted to the tracking of real-time location of such child, in the interest of her safety and protection or security. |
| 5. | For ensuring that any information, service or advertisement likely to cause any detrimental effect on the well-being of a child is not accessible to her. | Processing is restricted to the extent necessary to ensure that such information, service or advertisement is not accessible to the child. |
| 6. | For confirmation by the Data Fiduciary that the Data Principal is not a child and observance of due diligence under rule 10. | Processing is restricted to the extent necessary for such confirmation or observance. |

Note: In this Schedule, –

  1. “advertisement” shall have the same meaning as is assigned to it in the Consumer Protection Act, 2019 (35 of 2019).

  2. “allied healthcare professional” shall have the same meaning as is assigned to it in the clause of section 2 of the National Commission for Allied and Healthcare Professions Act, 2021 (14 of 2021);

  3. “clinical establishment” shall have the same meaning as assigned to it in the clause (c) of section 2 of the Clinical Establishments (Registration and Regulation) Act, 2010 (23 of 2010);

  4. “educational institution” shall mean and include an institution of learning that imparts education, including vocational education;

  5. “healthcare professional” shall have the same meaning as is assigned to it in clause (j) of section 2 of the National Commission for Allied and Healthcare Professions Act, 2021 (14 of 2021);

  6. “health services” shall mean the services required to be provided by a healthcare professional as referred to in clause (j) of section 2 of the National Commission for Allied and Healthcare Professions Act, 2021 (14 of 2021); and

  7. “mental health establishment” shall have the same meaning as is assigned to it in clause (p) of sub section (1) of section 2 of the Mental Healthcare Act, 2017 (10 of 2017).