DPDP RULES

Rule 1 - Short title and commencement.

Rule 2 - Definitions

Rule 3 - Notice given by Data Fiduciary to Data Principal

Rule 4 - Registration and obligations of Consent Manager

Rule 5 - Processing of personal data for provision or issue of subsidy, benefit, service, certificate, licence or permit by State and its instrumentalities

Rule 6 - Reasonable security safeguards

Rule 7 - Intimation of personal data breach

Rule 8 - Time period for specified purpose to be deemed as no longer being served

Rule 9 - Contact information of person to answer questions about processing

Rule 10 - Verifiable consent for processing of personal data of child

Rule 11 - Verifiable consent for processing of personal data of person with disability who has lawful guardian

Rule 12 - Exemptions from certain obligations applicable to processing of personal data of child

Rule 13 - Additional obligations of Significant Data Fiduciary

Rule 14 - Rights of Data Principals

Rule 15 - Transfer of personal data outside the territory of India

Rule 16 - Exemption from Act for research, archiving or statistical purposes

Rule 17 - Appointment of Chairperson and other Members

Rule 18 - Salary, allowances and other terms and conditions of service of Chairperson and other Members

Rule 19 - Procedure for meetings of Board and authentication of its orders, directions and instruments

Rule 20 - Functioning of Board as digital office

Rule 21 - Terms and conditions of appointment and service of officers and employees of Board

Rule 22 - Appeal to Appellate Tribunal

Rule 23 - Calling for information from Data Fiduciary or intermediary

FIRST SCHEDULE - Conditions for registration of Consent Manager

SECOND SCHEDULE - Standards for processing of personal data by State and its instrumentalities under clause (b) of section 7 and for processing of personal data necessary for the purposes specified in clause (b) of sub section (2) of section 17

THIRD SCHEDULE

FOURTH SCHEDULE - Classes of Data Fiduciaries in respect of whom provisions of sub-sections (1) and (3) of section 9 shall not apply

FIFTH SCHEDULE

SIXTH SCHEDULE - Terms and conditions of appointment and service of officers and employees of Board

SEVENTH SCHEDULE

Rule 13

Rule 13 - Additional obligations of Significant Data Fiduciary

  1. A Significant Data Fiduciary shall, once in every period of twelve months from the date on which it is notified as such or is included in the class of Data Fiduciaries notified as such, undertake a Data Protection Impact Assessment and an audit to ensure effective observance of the provisions of this Act and the rules made thereunder. 

  2. A Significant Data Fiduciary shall cause the person carrying out the Data Protection Impact Assessment and audit to furnish to the Board a report containing significant observations in the Data Protection Impact

    Assessment and audit. 

  3. A Significant Data Fiduciary shall observe due diligence to verify that technical measures including algorithmic software adopted by it for hosting, display, uploading, modification, publishing, transmission, storage, updating or sharing of personal data processed by it are not likely to pose a risk to the rights of Data Principals. 

  4. A Significant Data Fiduciary shall undertake measures to ensure that personal data specified by the Central Government, on the basis of the recommendations of a committee constituted by it, is processed subject to the restriction that the personal data and the traffic data pertaining to its flow is not transferred outside the territory of India. 

  5. In this rule, “committee” means a committee constituted by the Central Government for the purpose of this rule, which shall include officials from the Ministry of Electronics and Technology and may include officials from other Ministries or Department of the Central Government.

Effective after 18 months (13 May 2027)

Rule 12

Rule 14