DPDP RULES
Rule 1 – Short title and commencement.
Rule 2 – Definitions
Rule 3 -Notice given by Data Fiduciary to Data Principal
Rule 4 – Registration and obligations of Consent Manager
Rule 5 – Processing of personal data for provision or issue of subsidy …
Rule 6 – Reasonable security safeguards
Rule 7 – Intimation of personal data breach
Rule 8 – Time period for specified purpose to be deemed …
Rule 9 – Contact information of person to answer questions about processing
Rule 10 – Verifiable consent for processing of personal data of child
Rule 11 – Verifiable consent for processing of personal data …
Rule 12 – Exemptions from certain obligations …
Rule 13 – Additional obligations of Significant Data Fiduciary
Rule 14 – Rights of Data Principals
Rule 15 – Transfer of personal data outside
Rule 16 – Exemption from Act for research
Rule 17 – Appointment of Chairperson …
Rule 18 – Salary, allowances and other terms …
Rule 19 – Procedure for meetings of Board
Rule 20 – Functioning of Board as digital office
Rule 21 – Terms and conditions of appointment …
Rule 22 – Appeal to Appellate Tribunal
Rule 23 – Calling for information from …
First Schedule – Conditions for registration of …
Second Schedule – Standards for processing of …
Third Schedule
Fourth Schedule – Classes of Data Fiduciaries …
Fifth Schedule – Terms and conditions of …
Sixth Schedule – Terms and conditions of appointment …
Seventh Schedule
FOURTH SCHEDULE
[See rule 12]
PART A
Classes of Data Fiduciaries in respect of whom provisions of sub-sections (1) and (3) of section 9 shall not apply
| S. No. | Class of Data Fiduciaries | Conditions |
|---|---|---|
| 1. | A Data Fiduciary who is a clinical establishment, mental health establishment or healthcare professional. | Processing is restricted to provision of health services to the child by such establishment or professional, to the extent necessary for the protection of her health. |
| 2. | A Data Fiduciary who is an allied healthcare professional. | Processing is restricted to supporting implementation of any healthcare treatment and referral plan recommended by such professional for the child, to the extent necessary for the protection of her health. |
| 3. | A Data Fiduciary who is an educational institution. | Processing is restricted to tracking and behavioural monitoring: (a) for the educational activities of such institution; or (b) in the interests of safety of children enrolled with such institution. |
| 4. | A Data Fiduciary who is an individual in whose care infants and children in a crèche or child day care centre are entrusted. | Processing is restricted to tracking and behavioural monitoring in the interests of safety of children entrusted in the care of such individual, crèche or centre. |
| 5. | A Data Fiduciary who is engaged by an educational institution, crèche or child care centre for transport of children enrolled with such institution, crèche or centre. | Processing is restricted to tracking the location of such children, in the interests of their safety, during the course of their travel to and from such institution, crèche or centre. |
PART B
Purposes for which provisions of sub-sections (1) and (3) of section 9 shall not apply
| S. No. | Purposes | Conditions |
|---|---|---|
| 1. | For the exercise of any power, performance of any function or discharge of any duties in the interests of a child, under any law for the time being in force in India. | Processing is restricted to the extent necessary for such exercise, performance or discharge. |
| 2. | For providing or issuing of any subsidy, benefit, service, certificate, licence or permit, by whatever name called, under law or policy or using public funds, in the interests of a child, under clause (b) of section 7 of the Act. | Processing is restricted to the extent necessary for such provision or issuance. |
| 3. | For the creation of a user account for communicating by email. | Processing is restricted to the extent necessary for creating such user account, the use of which is limited to communication by email. |
| 4. | For the determination of real-time location of a child. | Processing is restricted to the tracking of real-time location of such child, in the interest of her safety and protection or security. |
| 5. | For ensuring that any information, service or advertisement likely to cause any detrimental effect on the well-being of a child is not accessible to her. | Processing is restricted to the extent necessary to ensure that such information, service or advertisement is not accessible to the child. |
| 6. | For confirmation by the Data Fiduciary that the Data Principal is not a child and observance of due diligence under rule 10. | Processing is restricted to the extent necessary for such confirmation or observance. |
Note: In this Schedule, –
(a) “advertisement” shall have the same meaning as is assigned to it in the Consumer Protection Act, 2019 (35 of 2019).
(a) “allied healthcare professional” shall have the same meaning as is assigned to it in the clause (d) of section 2 of the National Commission for Allied and Healthcare Professions Act, 2021 (14 of 2021);
(b) “clinical establishment” shall have the same meaning as assigned to it in the clause (c) of section 2 of the Clinical Establishments (Registration and Regulation) Act, 2010 (23 of 2010);
(c) “educational institution” shall mean and include an institution of learning that imparts education, including vocational education;
(d) “healthcare professional” shall have the same meaning as is assigned to it in clause (j) of section 2 of the National Commission for Allied and Healthcare Professions Act, 2021 (14 of 2021);
(e) “health services” shall mean the services required to be provided by a healthcare professional as referred to in clause (j) of section 2 of the National Commission for Allied and Healthcare Professions Act, 2021 (14 of 2021); and
(f) “mental health establishment” shall have the same meaning as is assigned to it in clause (p) of sub section (1) of section 2 of the Mental Healthcare Act, 2017 (10 of 2017).