DPDP RULES

Rule 1 - Short title and commencement.

Rule 2 - Definitions

Rule 3 - Notice given by Data Fiduciary to Data Principal

Rule 4 - Registration and obligations of Consent Manager

Rule 5 - Processing of personal data for provision or issue of subsidy, benefit, service, certificate, licence or permit by State and its instrumentalities

Rule 6 - Reasonable security safeguards

Rule 7 - Intimation of personal data breach

Rule 8 - Time period for specified purpose to be deemed as no longer being served

Rule 9 - Contact information of person to answer questions about processing

Rule 10 - Verifiable consent for processing of personal data of child

Rule 11 - Verifiable consent for processing of personal data of person with disability who has lawful guardian

Rule 12 - Exemptions from certain obligations applicable to processing of personal data of child

Rule 13 - Additional obligations of Significant Data Fiduciary

Rule 14 - Rights of Data Principals

Rule 15 - Transfer of personal data outside the territory of India

Rule 16 - Exemption from Act for research, archiving or statistical purposes

Rule 17 - Appointment of Chairperson and other Members

Rule 18 - Salary, allowances and other terms and conditions of service of Chairperson and other Members

Rule 19 - Procedure for meetings of Board and authentication of its orders, directions and instruments

Rule 20 - Functioning of Board as digital office

Rule 21 - Terms and conditions of appointment and service of officers and employees of Board

Rule 22 - Appeal to Appellate Tribunal

Rule 23 - Calling for information from Data Fiduciary or intermediary

FIRST SCHEDULE - Conditions for registration of Consent Manager

SECOND SCHEDULE - Standards for processing of personal data by State and its instrumentalities under clause (b) of section 7 and for processing of personal data necessary for the purposes specified in clause (b) of sub section (2) of section 17

THIRD SCHEDULE

FOURTH SCHEDULE - Classes of Data Fiduciaries in respect of whom provisions of sub-sections (1) and (3) of section 9 shall not apply

FIFTH SCHEDULE

SIXTH SCHEDULE - Terms and conditions of appointment and service of officers and employees of Board

SEVENTH SCHEDULE

Rule 2

Rule 2 - Definitions

  1. In these rules, unless the context otherwise requires, – 

    1. “Act” means the Digital Personal Data Protection Act, 2023 (22 of 2023);

    2. “techno-legal measures” means as referred to under rules 20 and 22;

    3. “user account” means the online account registered by the Data Principal with the Data Fiduciary, and includes any profiles, pages, handles, email address, mobile number and other similar presences by means of which such Data Principal is able to access the services of such Data Fiduciary; and

    4. “verifiable consent” means a consent as specified in rule 10 or 11.


  2. The words and expressions used in these rules and not defined, but defined in the Act, shall have the
    same meanings respectively assigned to them in the Act.


Effective immediately (date of notification — 13 Nov 2025)

Rule 1

Rule 3