DPDP RULES
Rule 13
Additional obligations of Significant Data Fiduciary
(1) A Significant Data Fiduciary shall, once in every period of twelve months from the date on which it is notified as such or is included in the class of Data Fiduciaries notified as such, undertake a Data Protection Impact Assessment and an audit to ensure effective observance of the provisions of this Act and the rules made thereunder.
(2) A Significant Data Fiduciary shall cause the person carrying out the Data Protection Impact Assessment and audit to furnish to the Board a report containing significant observations in the Data Protection Impact Assessment and audit.
(3) A Significant Data Fiduciary shall observe due diligence to verify that technical measures including algorithmic software adopted by it for hosting, display, uploading, modification, publishing, transmission, storage, updating or sharing of personal data processed by it are not likely to pose a risk to the rights of Data Principals.
(4) A Significant Data Fiduciary shall undertake measures to ensure that personal data specified by the Central Government, on the basis of the recommendations of a committee constituted by it, is processed subject to the restriction that the personal data and the traffic data pertaining to its flow is not transferred outside the territory of India.
(5) In this rule, “committee” means a committee constituted by the Central Government for the purpose of this rule, which shall include officials from the Ministry of Electronics and Technology and may include officials from other Ministries or Department of the Central Government.
Effective after 18 months (13 May 2027)