DPDP RULES
Rule 1 - Short title and commencement.
Rule 2 - Definitions
Rule 3 - Notice given by Data Fiduciary to Data Principal
Rule 4 - Registration and obligations of Consent Manager
Rule 5 - Processing of personal data for provision or issue of subsidy, benefit, service, certificate, licence or permit by State and its instrumentalities
Rule 6 - Reasonable security safeguards
Rule 7 - Intimation of personal data breach
Rule 8 - Time period for specified purpose to be deemed as no longer being served
Rule 9 - Contact information of person to answer questions about processing
Rule 10 - Verifiable consent for processing of personal data of child
Rule 11 - Verifiable consent for processing of personal data of person with disability who has lawful guardian
Rule 12 - Exemptions from certain obligations applicable to processing of personal data of child
Rule 13 - Additional obligations of Significant Data Fiduciary
Rule 14 - Rights of Data Principals
Rule 15 - Transfer of personal data outside the territory of India
Rule 16 - Exemption from Act for research, archiving or statistical purposes
Rule 17 - Appointment of Chairperson and other Members
Rule 18 - Salary, allowances and other terms and conditions of service of Chairperson and other Members
Rule 19 - Procedure for meetings of Board and authentication of its orders, directions and instruments
Rule 20 - Functioning of Board as digital office
Rule 21 - Terms and conditions of appointment and service of officers and employees of Board
Rule 22 - Appeal to Appellate Tribunal
Rule 23 - Calling for information from Data Fiduciary or intermediary
FIRST SCHEDULE - Conditions for registration of Consent Manager
SECOND SCHEDULE - Standards for processing of personal data by State and its instrumentalities under clause (b) of section 7 and for processing of personal data necessary for the purposes specified in clause (b) of sub section (2) of section 17
THIRD SCHEDULE
FOURTH SCHEDULE - Classes of Data Fiduciaries in respect of whom provisions of sub-sections (1) and (3) of section 9 shall not apply
FIFTH SCHEDULE
SIXTH SCHEDULE - Terms and conditions of appointment and service of officers and employees of Board
SEVENTH SCHEDULE
Rule 14
Rule 14 - Rights of Data Principals
For enabling Data Principals to exercise their rights under the Act,
the Data Fiduciary and, where applicable, the Consent Manager, shall prominently publish on its website or app, or both, as the case may be, –the details of the means using which a Data Principal may make a request for the exercise of such rights; and
the particulars, if any, such as the username or other identifier of such a Data Principal, which may be required to identify her under its terms of service.
To exercise the rights of the Data Principal under the Act, she may make a request to the Data Fiduciary to whom she has previously given consent for processing of her personal data, using the means and furnishing the particulars required by such Data Fiduciary for the exercise of such rights.
Every Data Fiduciary and Consent Manager shall prominently publish on its website or app, or both, as the case may be, within a reasonable period not exceeding ninety days under its grievance redressal system for responding to the grievances of Data Principals and shall, for ensuring the effectiveness of the system in responding within such period, implement appropriate technical and organisational measures.
To exercise the rights of the Data Principal under the Act, she may, in accordance with the terms of service of the Data Fiduciary and such law as may be applicable, nominate one or more individuals, using the means and furnishing the particulars required by such Data Fiduciary for the exercise of such right.
In this rule, the expression “identifier” shall mean any sequence of characters issued by the Data Fiduciary to identify the Data Principal and includes a customer identification file number, customer acquisition form number, application reference number, enrolment ID, email address, mobile number or licence number that enables such identification.
Effective after 18 months (13 May 2027)