DPDP RULES

Rule 1 - Short title and commencement.

Rule 2 - Definitions

Rule 3 - Notice given by Data Fiduciary to Data Principal

Rule 4 - Registration and obligations of Consent Manager

Rule 5 - Processing of personal data for provision or issue of subsidy, benefit, service, certificate, licence or permit by State and its instrumentalities

Rule 6 - Reasonable security safeguards

Rule 7 - Intimation of personal data breach

Rule 8 - Time period for specified purpose to be deemed as no longer being served

Rule 9 - Contact information of person to answer questions about processing

Rule 10 - Verifiable consent for processing of personal data of child

Rule 11 - Verifiable consent for processing of personal data of person with disability who has lawful guardian

Rule 12 - Exemptions from certain obligations applicable to processing of personal data of child

Rule 13 - Additional obligations of Significant Data Fiduciary

Rule 14 - Rights of Data Principals

Rule 15 - Transfer of personal data outside the territory of India

Rule 16 - Exemption from Act for research, archiving or statistical purposes

Rule 17 - Appointment of Chairperson and other Members

Rule 18 - Salary, allowances and other terms and conditions of service of Chairperson and other Members

Rule 19 - Procedure for meetings of Board and authentication of its orders, directions and instruments

Rule 20 - Functioning of Board as digital office

Rule 21 - Terms and conditions of appointment and service of officers and employees of Board

Rule 22 - Appeal to Appellate Tribunal

Rule 23 - Calling for information from Data Fiduciary or intermediary

FIRST SCHEDULE - Conditions for registration of Consent Manager

SECOND SCHEDULE - Standards for processing of personal data by State and its instrumentalities under clause (b) of section 7 and for processing of personal data necessary for the purposes specified in clause (b) of sub section (2) of section 17

THIRD SCHEDULE

FOURTH SCHEDULE - Classes of Data Fiduciaries in respect of whom provisions of sub-sections (1) and (3) of section 9 shall not apply

FIFTH SCHEDULE

SIXTH SCHEDULE - Terms and conditions of appointment and service of officers and employees of Board

SEVENTH SCHEDULE

Rule 1

Rule 1 - Short title and commencement.

  1. These rules may be called the Digital Personal Data ProtectionRules, 2025.

  2. Rules 1, 2 and 17 to 21 shall come into force on the date of their publication in the Official Gazette.

  3. Rule 4 shall come into force one year after the date of publication of this Gazette.

  4. Rules 3, 5 to 16, 22 and 23 shall come into force eighteen months after the date of publication of this Gazette.

Effective immediately (date of notification — 13 Nov 2025)

Rule 2