DPDP RULES

Rule 1 - Short title and commencement.

Rule 2 - Definitions

Rule 3 - Notice given by Data Fiduciary to Data Principal

Rule 4 - Registration and obligations of Consent Manager

Rule 5 - Processing of personal data for provision or issue of subsidy, benefit, service, certificate, licence or permit by State and its instrumentalities

Rule 6 - Reasonable security safeguards

Rule 7 - Intimation of personal data breach

Rule 8 - Time period for specified purpose to be deemed as no longer being served

Rule 9 - Contact information of person to answer questions about processing

Rule 10 - Verifiable consent for processing of personal data of child

Rule 11 - Verifiable consent for processing of personal data of person with disability who has lawful guardian

Rule 12 - Exemptions from certain obligations applicable to processing of personal data of child

Rule 13 - Additional obligations of Significant Data Fiduciary

Rule 14 - Rights of Data Principals

Rule 15 - Transfer of personal data outside the territory of India

Rule 16 - Exemption from Act for research, archiving or statistical purposes

Rule 17 - Appointment of Chairperson and other Members

Rule 18 - Salary, allowances and other terms and conditions of service of Chairperson and other Members

Rule 19 - Procedure for meetings of Board and authentication of its orders, directions and instruments

Rule 20 - Functioning of Board as digital office

Rule 21 - Terms and conditions of appointment and service of officers and employees of Board

Rule 22 - Appeal to Appellate Tribunal

Rule 23 - Calling for information from Data Fiduciary or intermediary

FIRST SCHEDULE - Conditions for registration of Consent Manager

SECOND SCHEDULE - Standards for processing of personal data by State and its instrumentalities under clause (b) of section 7 and for processing of personal data necessary for the purposes specified in clause (b) of sub section (2) of section 17

THIRD SCHEDULE

FOURTH SCHEDULE - Classes of Data Fiduciaries in respect of whom provisions of sub-sections (1) and (3) of section 9 shall not apply

FIFTH SCHEDULE

SIXTH SCHEDULE - Terms and conditions of appointment and service of officers and employees of Board

SEVENTH SCHEDULE

THIRD SCHEDULE

S. no.

Class of Data Fiduciaries (1)

Purposes (2)

Time period (3)

1.

Data Fiduciary who is an e-commerce entity having not less than two crore registered users in India.

For all purposes, except for the following: (a) Enabling the Data Principal to access her user account; and (b) Enabling the Data Principal to access any virtual token that is issued by or on behalf of the Data Fiduciary, is stored on the digital facility or platform of such Data Fiduciary, and may be used to get money, goods or services.

Three years from the date on which the Data Principal has approached the Data Fiduciary for the performance of the specified purpose or exercise of her rights, or the commencement of the Digital Personal Data Protection Rules, 2025, whichever is later.

2.

Data Fiduciary who is an online gaming intermediary having not less than fifty lakh registered users in India.

For all purposes, except for the following: (a) Enabling the Data Principal to access her user account; and (b) Enabling the Data Principal to access any virtual token that is issued by or on behalf of the Data Fiduciary, is stored on the digital facility or platform of such Data Fiduciary, and may be used to get money, goods or services.

Three years from the date on which the Data Principal has approached the Data Fiduciary for the performance of the specified purpose or exercise of her rights, or the commencement of the Digital Personal Data Protection Rules, 2025, whichever is later.

3.

Data Fiduciary who is a social media intermediary having not less than two crore registered users in India.

For all purposes, except for the following: (a) Enabling the Data Principal to access her user account; and (b) Enabling the Data Principal to access any virtual token that is issued by or on behalf of the Data Fiduciary, is stored on the digital facility or platform of such Data Fiduciary, and may be used to get money, goods or services.

Three years from the date on which the Data Principal has approached the Data Fiduciary for the performance of the specified purpose or exercise of her rights, or the commencement of the Digital Personal Data Protection Rules, 2025, whichever is later.

Note: In this Schedule, –

  1. “e-commerce entity” means any person who owns, operates or manages a digital facility or platform for e-commerce as defined in the Consumer Protection Act, 2019 (35 of 2019), but does not include a seller offering her goods or services for sale on a marketplace e-commerce entity as defined in the said Act;

  2. “online gaming intermediary” means any intermediary who enables the users of its computer resource to access one or more online games;

  3. “social media intermediary” means an intermediary as defined in clause (w) of sub-rule (1) of rule  2 of the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021; and

  4. “user”, in relation to-

    1. an e-commerce entity, means any person who accesses or avails any computer resource of an e-commerce entity; and

    2. an online gaming intermediary or a social media intermediary, means any person who accesses or avails of any computer resource of an intermediary for the purpose of hosting, publishing, sharing, transacting, viewing, displaying, downloading or uploading information.

SECOND SCHEDULE