DPDP RULES
Rule 1 – Short title and commencement
Rule 2 – Definitions
Rule 3 -Notice given by Data Fiduciary to Data Principal
Rule 4 – Registration and obligations of Consent Manager
Rule 5 – Processing of personal data for provision or issue of subsidy …
Rule 6 – Reasonable security safeguards
Rule 7 – Intimation of personal data breach
Rule 8 – Time period for specified purpose to be deemed …
Rule 9 – Contact information of person to answer questions about processing
Rule 10 – Verifiable consent for processing of personal data of child
Rule 11 – Verifiable consent for processing of personal data …
Rule 12 – Exemptions from certain obligations …
Rule 13 – Additional obligations of Significant Data Fiduciary
Rule 14 – Rights of Data Principals
Rule 15 – Transfer of personal data outside
Rule 16 – Exemption from Act for research
Rule 17 – Appointment of Chairperson …
Rule 18 – Salary, allowances and other terms …
Rule 19 – Procedure for meetings of Board
Rule 20 – Functioning of Board as digital office
Rule 21 – Terms and conditions of appointment …
Rule 22 – Appeal to Appellate Tribunal
Rule 23 – Calling for information from …
First Schedule – Conditions for registration of …
Second Schedule – Standards for processing of …
Third Schedule
Fourth Schedule – Classes of Data Fiduciaries …
Fifth Schedule – Terms and conditions of …
Sixth Schedule – Terms and conditions of appointment …
Seventh Schedule
Rule 1
Short title and commencement.
(1) These rules may be called the Digital Personal Data ProtectionRules, 2025.
(2) Rules 1, 2 and 17 to 21 shall come into force on the date of their publication in the Official Gazette.
(3) Rule 4 shall come into force one year after the date of publication of this Gazette.
(4) Rules 3, 5 to 16, 22 and 23 shall come into force eighteen months after the date of publication of this Gazette.
Effective immediately (date of notification — 13 Nov 2025)