
Rule 11 DPDP Rules 2025

Verifiable consent for processing of personal data of person with disability who has lawful guardian.


(1) A Data Fiduciary, while obtaining verifiable consent from an individual identifying herself as the lawful guardian of a person with disability, shall observe due diligence to verify that such guardian is appointed by a court of law, or by a designated authority or by a local level committee, under the law applicable to guardianship.
(2) In this rule, the expression—
(a) “designated authority” shall mean an authority designated under section 15 of the Rights of Persons with Disabilities Act, 2016 (49 of 2016) to support persons with disabilities in exercise of their legal capacity;
(b) “law applicable to guardianship” shall mean, —
(i) in relation to an individual who has long term physical, mental, intellectual or sensory impairment which, in interaction with barriers, hinders her full and effective participation in society equally with others and who despite being provided adequate and appropriate support is unable to take legally binding decisions, the provisions of law contained in Rights of Persons with Disabilities Act, 2016 (49 of 2016) and the rules made thereunder; and
(ii) in relation to a person who is suffering from any of the conditions relating to autism, cerebral palsy, mental retardation or a combination of such conditions and includes a person suffering from severe multiple disability, the provisions of law of the National Trust for the Welfare of Persons with Autism, Cerebral Palsy, Mental Retardation and Multiple Disabilities Act, 1999 (44 of 1999) and the rules made thereunder;
(c) “local level committee” shall mean a local level committee constituted under section 13 of the National Trust for the Welfare of Persons with Autism, Cerebral Palsy, Mental Retardation and Multiple Disabilities Act, 1999 (44 of 1999);
(d) “person with disability” shall mean and include—
(i) an individual who has long term physical, mental, intellectual or sensory impairment which, in interaction with barriers, hinders her full and effective participation in society equally with others and who, despite being provided adequate and appropriate support, is unable to take legally binding decisions; and
(ii) an individual who is suffering from any of the conditions relating to autism, cerebral palsy, mental retardation or a combination of any two or more of such conditions and includes an individual suffering from severe multiple disability and who, despite being provided adequate and appropriate support, is unable to take legally binding decisions.


Legal Interpretation: Rule 11 - Verifiable consent for processing of personal data of person with disability who has lawful guardian.


I. Legislative Framework

A. Statutory Basis

Section 9(1) of the Digital Personal Data Protection Act, 2023 provides:

"The Data Fiduciary shall, before processing any personal data of a child or a person with disability who has a lawful guardian obtain verifiable consent of the parent of such child or the lawful guardian, as the case may be, in such manner as may be prescribed."

Rule 11 operationalizes this statutory mandate specifically for persons with disabilities who have lawful guardians.


II. Detailed Legal Analysis of Rule 11

A. Scope and Application

Rule 11 establishes the procedural and substantive requirements for obtaining verifiable consent when processing personal data of persons with disabilities who have a lawful guardian appointed under applicable law.

B. Key Legal Requirements

1. Technical and Organisational Measures

The Data Fiduciary must adopt appropriate technical and organisational measures to ensure:

  • Verifiable consent is obtained before any processing
  • The consent mechanism is robust and auditable
  • Due diligence procedures are in place

2. Identity Verification of Lawful Guardian

The Data Fiduciary must exercise due diligence to verify that:

a) The individual is an adult (completed 18 years of age)

b) The individual is identifiable if required for compliance with any law in force in India

c) Verification through one of two methods:

Method 1: Existing Reliable Details

  • Identity and age details already available with the Data Fiduciary
  • Must be "reliable" - suggesting previous verification or trusted source

Method 2: Voluntary Provision of Details

  • Details voluntarily provided directly by the guardian; OR
  • Details provided through a virtual token mapped to identity/age details issued by an authorised entity

C. Definition of "Authorised Entity" (Critical for Compliance)

An authorised entity includes:

  1. Statutory or Government-appointed entities entrusted with:
    • Issuance of identity and age details, OR
    • Issuance of virtual tokens mapped to such details
  2. Delegated persons appointed or permitted by such entities
  3. Digital Locker Service Providers - intermediaries (including body corporates or government agencies) notified by the Central Government under the Information Technology Act, 2000

III. Comparative Analysis: Rule 10 (Children) vs Rule 11 (Persons with Disability)

| Aspect | Rule 10 (Children) | Rule 11 (PWD with Guardian) |
|---|---|---|
| Consent Provider | Parent of child | Lawful guardian |
| Age Verification | Parent must be adult (18+) | Guardian must be adult (18+) |
| Verification Methods | Same two-method framework | Same two-method framework |
| Illustrations Provided | Yes (3 detailed scenarios) | No specific illustrations |
| Due Diligence Standard | Explicitly required | Explicitly required |

IV. Critical Legal Issues and Interpretations

Issue 1: Definition of "Lawful Guardian"

Analysis:

  • The Act and Rules do not define "lawful guardian"
  • Must be interpreted under existing Indian law:
    • Guardians and Wards Act, 1890
    • Hindu Minority and Guardianship Act, 1956
    • National Trust Act, 1999 (for persons with disabilities)
    • Rights of Persons with Disabilities Act, 2016

Interpretation: A lawful guardian must be:

  • Appointed by a competent court, OR
  • Recognized under statutory provisions, OR
  • A natural guardian recognized by law

Issue 2: "Person with Disability Who Has a Lawful Guardian"

Analysis:

  • Not all persons with disabilities have guardians
  • Rule 11 applies only when a lawful guardian exists
  • For persons with disabilities without guardians:
    • Standard consent provisions under Section 6 apply
    • Capacity to consent determined by disability type and severity

Interpretation: This creates a bifurcated regime:

  • Persons with disability + lawful guardian → Rule 11 (guardian consent)
  • Persons with disability without guardian → Standard consent provisions

Issue 3: "Verifiable Consent"

Analysis:

  • Rule 2(1)(d) defines: "verifiable consent" means a consent as specified in rule 10 or 11
  • Creates higher standard than regular consent under Section 6
  • Requires:
    • Identity verification of consent-giver
    • Age verification (adult status)
    • Audit trail of verification process

Interpretation: Verifiable consent imposes enhanced due diligence obligations on Data Fiduciaries, creating potential liability for inadequate verification.


V. Obligations and Compliance Framework

A. Pre-Processing Obligations

  1. Identify whether the Data Principal is a person with disability who has a lawful guardian
  2. Verify the identity and adult status of the lawful guardian
  3. Obtain verifiable consent before any processing
  4. Document the verification and consent process

B. Technical Measures

Data Fiduciaries must implement:

  • Authentication systems for guardian verification
  • Integration with Digital Locker or authorised entities
  • Consent management platforms with audit capabilities
  • Age verification mechanisms

C. Organisational Measures

  • Policies and procedures for identifying persons with disabilities who have guardians
  • Training for staff on verification requirements
  • Due diligence checklists
  • Record-keeping systems for compliance demonstration

VI. Legal Risks and Liability Exposure

A. Breach of Rule 11

Consequences under the Act:

  1. Section 33: Penalties
    • Processing without verifiable consent = breach of Section 9(1)
    • Penalty up to ₹250 crores (Section 33(3))
  2. Section 13: Right to Grievance Redressal
    • Guardian can file complaint with Data Fiduciary
    • Escalation to Data Protection Board
  3. Reputational Risk
    • Processing personal data of vulnerable persons without proper consent
    • Regulatory scrutiny and public backlash

B. Inadequate Verification

Risk: The Data Fiduciary obtains consent from someone claiming to be the lawful guardian without proper verification

Liability:

  • Consent may be deemed invalid
  • Processing becomes unlawful
  • Potential penalties under Section 33
  • Civil liability for damages

VII. Practical Implementation Challenges

Challenge 1: Identification of Guardianship Status

Issue: How does a Data Fiduciary know if a person with disability has a lawful guardian?

Solution:

  • Self-declaration mechanism
  • Request guardianship documentation
  • Integration with National Trust or court databases

Challenge 2: Verification of Guardian Status

Issue: Verifying someone is the "lawful" guardian

Solution:

  • Request court orders or guardianship certificates
  • Use Digital Locker for verified documents
  • Maintain copies for compliance records

Challenge 3: Balancing Autonomy and Protection

Issue: Rule may inadvertently deny autonomy to persons with disabilities who can consent independently

Solution:

  • Apply Rule 11 only when lawful guardian exists
  • Respect autonomy of persons with disabilities without guardians
  • Consider capacity on case-by-case basis

VIII. Interaction with Other Legal Frameworks

A. Rights of Persons with Disabilities Act, 2016

  • Section 3: Equality and non-discrimination
  • Section 13: Legal capacity and equal recognition before law
  • Potential conflict: RPWD Act emphasizes autonomy; DPDP Act emphasizes protection

B. Mental Healthcare Act, 2017

  • Section 14: Advance directive
  • Section 89: Nominated representative
  • Coordination needed: Align guardian consent with nominated representatives

C. Guardians and Wards Act, 1890

  • Defines powers and duties of guardians
  • Court-appointed guardianship procedures
  • Relevance: Establishes who qualifies as "lawful guardian"

IX. Best Practices for Data Fiduciaries

1. Develop Comprehensive Identification Protocols

  • Screening mechanisms to identify persons with disabilities who have guardians
  • Clear communication about consent requirements

2. Implement Robust Verification Systems

  • Integration with Digital Locker Service Providers
  • Acceptance of court orders, guardianship certificates
  • Age and identity verification for guardians

3. Create Audit Trails

  • Document every step of verification and consent
  • Maintain records for regulatory inspection
  • Timestamp and log all consent transactions

4. Training and Awareness

  • Educate staff on Rule 11 requirements
  • Sensitivity training on disability rights
  • Legal compliance workshops

5. Transparent Communication

  • Clear notices to guardians about data processing
  • Accessible formats for persons with disabilities
  • Easy mechanisms for consent withdrawal

X. Recommendations

For Data Fiduciaries:

  1. Conduct legal audit of current consent mechanisms for compliance with Rule 11
  2. Implement technical solutions for guardian verification
  3. Develop policies distinguishing between persons with disabilities with/without guardians
  4. Establish partnerships with Digital Locker providers and authorised entities
  5. Create escalation protocols for complex guardianship situations

For Lawful Guardians:

  1. Understand consent rights and responsibilities
  2. Maintain updated documentation of guardianship status
  3. Use Digital Locker for easy verification
  4. Monitor data processing on behalf of the person with disability
  5. Exercise rights under the Act (correction, erasure, grievance redressal)

For Persons with Disabilities:

  1. Know your rights - Rule 11 applies only if you have a lawful guardian
  2. Assert autonomy if you can consent independently
  3. Participate in consent decisions where possible
  4. Use grievance mechanisms if rights are violated

XI. Conclusion

Rule 11 represents a protective yet complex regulatory framework designed to safeguard the personal data of persons with disabilities who have lawful guardians. Key takeaways:

✅ Mandatory verifiable consent from lawful guardian before processing

✅ Dual verification requirement: guardian identity + adult status

✅ Technical and organisational measures must be appropriate and effective

✅ High compliance burden on Data Fiduciaries with significant penalties for breach

✅ Balancing act between protection and autonomy of persons with disabilities

⚠️ Ambiguities remain regarding definition of "lawful guardian" and identification mechanisms

⚠️ Implementation challenges in verification and coordination with other laws

Overall Assessment: Rule 11, read with Section 9(1) of the DPDP Act, 2023, creates a robust but demanding consent framework that prioritizes the protection of vulnerable individuals while imposing substantial due diligence obligations on Data Fiduciaries. Effective compliance requires investment in technology, training, and legal expertise to navigate the intersection of data protection law, disability rights law, and guardianship law.


This legal interpretation is based on the Digital Personal Data Protection Act, 2023 and the Digital Personal Data Protection Rules, 2025 as provided. It should be read in conjunction with other applicable laws and may require updates as regulatory guidance and jurisprudence develop.

© 2025 Advocate (Dr.) Prashant Mali


Site maintained by Advocate (Dr.) Prashant Mali for Public in General interest
