
DPDP Rules 2025 (Download Official PDF)

DRAFT RULES

The DPDP Rules lay out a comprehensive framework for implementing the provisions of the Digital Personal Data Protection Act, covering critical aspects of data governance. Key highlights include guidelines for notices by Data Fiduciaries to individuals, ensuring transparency in data collection and usage. They also specify the registration requirements and responsibilities of Consent Managers, crucial for managing user consents effectively. The Rules address the processing of personal data for delivering subsidies, benefits, and services by the State, emphasizing lawful and secure data handling. They also mandate the adoption of reasonable security safeguards, protocols for reporting personal data breaches, and clear processes for individuals to exercise their data rights. Special provisions are included for processing the personal data of children or persons with disabilities, ensuring their data is handled with extra care. The Rules outline the establishment of the Data Protection Board, detailing the appointment and service conditions of its Chairperson and members, as well as its functioning as a digital-first office. Additionally, they provide a structured procedure for filing appeals with the Appellate Tribunal, enabling streamlined redressal of disputes. This comprehensive approach ensures a robust framework for data protection, balancing individual rights with organizational responsibilities, while fostering trust in the digital ecosystem.

  • 1. Short title and commencement.
  • 2. Definitions.
  • 3. Notice given by Data Fiduciary to Data Principal.
  • 4. Registration and obligations of Consent Manager
  • 5. Processing for provision or issue of subsidy, benefit, service, certificate, licence or permit by State and its instrumentalities.
  • 6. Reasonable security safeguards.
  • 7. Intimation of personal data breach.
  • 8. Time period for specified purpose to be deemed as no longer being served.
  • 9. Contact information of person to answer questions about processing.
  • 10. Verifiable consent for processing of personal data of child or of person with disability who has lawful guardian.
  • 11. Exemptions from certain obligations applicable to processing of personal data of child
  • 12. Additional obligations of Significant Data Fiduciary
  • 13. Rights of Data Principal
  • 14. Processing of personal data outside India
  • 15. Exemption from Act for research, archiving or statistical purposes
  • 16. Appointment of Chairperson and other Members
  • 17. Salary, allowances and other terms and conditions of service of Chairperson and other Members.
  • 18. Procedure for meetings of Board and authentication of its orders, directions and instruments.
  • 19. Functioning of Board as digital office.
  • 20. Terms and conditions of appointment and service of officers and employees of Board
  • 21. Appeal to Appellate Tribunal
  • 22. Calling for information from Data Fiduciary or intermediary

  • SCHEDULES

  • First Schedule - Part A - Conditions of registration of Consent Manager | Part B - Obligations of Consent Manager
  • Second Schedule - Standards for processing of personal data by State and its instrumentalities under clause (b) of section 7 and for processing of personal data necessary for the purposes specified in clause (b) of sub-section (2) of section 17.
  • Third Schedule - Table for Class of Data Fiduciaries | Purposes | Time period.
  • Fourth Schedule - Part A - Classes of Data Fiduciaries in respect of whom provisions of sub-sections (1) and (3) of section 9 shall not apply | Part B - Purposes for which provisions of sub-sections (1) and (3) of section 9 shall not apply.
  • Fifth Schedule - Terms and conditions of service of Chairperson and other Members.
  • Sixth Schedule - Terms and conditions of appointment and service of officers and employees of Board
  • Seventh Schedule - Table for Purpose | Authorised person.
  • Explanatory Note on DPDP Rules 2025 by MEITY

Site maintained by Advocate (Dr.) Prashant Mali for Public in General interest
