Rule 13 OF DPDP RULES 2025
Additional obligations of Significant Data Fiduciary.

(1) A Significant Data Fiduciary shall, once in every period of twelve months from the date on which it is notified as such or is included in the class of Data Fiduciaries notified as such, undertake a Data Protection Impact Assessment and an audit to ensure effective observance of the provisions of this Act and the rules made thereunder.
(2) A Significant Data Fiduciary shall cause the person carrying out the Data Protection Impact Assessment and audit to furnish to the Board a report containing significant observations in the Data Protection Impact Assessment and audit.
(3) A Significant Data Fiduciary shall observe due diligence to verify that technical measures including algorithmic software adopted by it for hosting, display, uploading, modification, publishing, transmission, storage, updating or sharing of personal data processed by it are not likely to pose a risk to the rights of Data Principals.
(4) A Significant Data Fiduciary shall undertake measures to ensure that personal data specified by the Central Government, on the basis of the recommendations of a committee constituted by it, is processed subject to the restriction that the personal data and the traffic data pertaining to its flow is not transferred outside the territory of India.
(5) In this rule, “committee” means a committee constituted by the Central Government for the purpose of this rule, which shall include officials from the Ministry of Electronics and Technology and may include officials from other Ministries or Department of the Central Government.

📋 Rule 13: Additional Obligations of Significant Data Fiduciary

Digital Personal Data Protection Rules, 2025

Statutory Reference: Notified under G.S.R. 846(E), dated 13th November, 2025
Parent Legislation: Digital Personal Data Protection Act, 2023 (Section 10)

🎯 Executive Overview

Rule 13 prescribes enhanced compliance obligations for entities designated as Significant Data Fiduciaries (SDFs) under Section 10 of the DPDP Act, 2023. These obligations impose heightened accountability standards, mandatory audits, algorithmic due diligence, and data localization requirements to protect Data Principal rights at scale.

🔍 Detailed Legal Analysis

1 Annual Data Protection Impact Assessment (DPIA) & Audit

📌 Key Requirements:

  • Frequency: Once every 12 months from notification date
  • Scope: Both DPIA and independent audit mandatory
  • Trigger: Applies from date of SDF notification or class inclusion
  • Purpose: Ensure compliance with DPDP Act and Rules

⚖️ Legal Interpretation:

DPIA Components (Per Section 10(2)(c)):

  • Description of Data Principal rights
  • Purpose of personal data processing
  • Risk assessment to Data Principal rights
  • Risk management measures
  • Other prescribed matters

Audit Standards: Must evaluate compliance with Act provisions - independent auditor required (Section 10(2)(b))

🔗 Statutory Cross-References:

Section 10(2)(b) & (c) of DPDP Act: Mandates appointment of independent data auditor and periodic DPIA

Section 10(1): Notification criteria based on volume, sensitivity, risk factors

2 Mandatory Reporting to Data Protection Board

📌 Key Requirements:

  • Recipient: Data Protection Board of India
  • Content: Report with "significant observations" from DPIA and audit
  • Responsibility: SDF must "cause" the auditor/assessor to furnish report
  • Implication: Creates regulatory oversight mechanism

⚖️ Legal Interpretation:

The Rules do not define "significant observations"; in context the term is likely to cover:

  • Material compliance gaps or violations
  • High-risk processing activities identified
  • Systemic weaknesses in data protection framework
  • Recommendations for remediation

Liability: SDF remains accountable for ensuring timely submission - failure may constitute breach under Section 33

💼 Practical Application:

Scenario: A social media platform with 25 crore users (notified as SDF) conducts annual DPIA revealing algorithmic bias in content recommendations affecting user privacy.

Compliance Obligation: Must ensure auditor submits report to Board highlighting this "significant observation" along with remediation plan.

3 Algorithmic Due Diligence & Risk Verification

📌 Key Requirements:

  • Scope: All technical measures including algorithmic software
  • Activities Covered: Hosting, display, uploading, modification, publishing, transmission, storage, updating, sharing
  • Standard: Verify algorithms "not likely to pose a risk" to Data Principal rights
  • Obligation Type: Continuous due diligence (ongoing verification)

⚖️ Legal Interpretation:

Algorithmic Accountability: This is a landmark provision establishing:

  • Proactive Verification Duty: SDFs cannot deploy algorithms without risk assessment
  • Rights-Based Test: Focus on protecting Data Principal rights (access, correction, erasure, grievance redressal)
  • Technical + Organizational Measures: May require explainability, transparency, bias testing
  • Examples of Risk: Discriminatory profiling, manipulation, privacy erosion, automated decision-making without human review

Standard of Care: "Due diligence" suggests the reasonable steps expected of a prudent SDF in similar circumstances

💼 Practical Application:

E-commerce Platform (SDF): Uses ML algorithm for personalized product recommendations based on browsing history.

Due Diligence Steps:

  • Algorithmic Impact Assessment - test for discriminatory pricing
  • Transparency measures - explain recommendation logic
  • User controls - ability to opt-out or correct data
  • Regular audits - monitor for unintended privacy impacts

⚠️ Non-Compliance Risk:

Penalty Exposure: Breach of SDF obligations under Section 10 attracts penalty up to ₹150 crore (Schedule, Item 4)

4 Critical Data Localization Requirement

📌 Key Requirements:

  • Data Scope: Personal data specified by Central Government
  • Committee-Based: Specification based on recommendations of Government-constituted committee
  • Restriction: Personal data AND traffic data cannot be transferred outside India
  • Applicability: Only for designated categories, not all personal data

⚖️ Legal Interpretation:

Conditional Localization Model: Unlike a blanket localization mandate, the DPDP Act adopts a targeted approach:

  • Category-Specific: Only "specified" personal data subject to restriction
  • Traffic Data Inclusion: Novel requirement - even metadata about data flow must remain in India
  • Absolute Prohibition: No cross-border transfer permitted for specified categories
  • Government Discretion: Central Government determines which data qualifies (likely sensitive categories)

Potential Categories: Financial data, health records, biometric data, government-issued ID data, critical infrastructure data

🔗 Committee Composition (Sub-Rule 5):

  • Lead Ministry: Ministry of Electronics and Information Technology (mandatory)
  • Inter-Ministerial: May include other ministries (Home, Finance, Health, etc.)
  • Function: Assess data categories requiring localization based on national security, economic policy, data sovereignty

💼 Hypothetical Scenario:

Fintech SDF: Processes UPI transaction data, Aadhaar-linked bank accounts, credit scores.

If Government Specifies Financial Data:

  • All UPI transaction records must be stored on India-based servers
  • Traffic data (metadata showing data access patterns) also localized
  • Cannot use AWS US region - must use AWS India or domestic cloud
  • Cross-border data processing agreements void for specified data

⚠️ Enforcement Mechanism:

Non-compliance may trigger:

  • Penalty up to ₹150 crore (Section 10 breach)
  • Blocking orders under Section 37 (Government power to block access)
  • Criminal liability if data transfer compromises national security

⏱️ Implementation Timeline

📅 Effective Date

Eighteen months from Gazette publication (November 13, 2025), i.e. approximately May 2027

Rule 1(4) specifies: "Rules 3, 5 to 16, 22 and 23 shall come into force eighteen months after the date of publication of this Gazette."

🔔 SDF Notification Trigger

12-month clock starts from:

  • Date entity is individually notified as SDF by Central Government, OR
  • Date entity falls within a class of SDFs notified by Government

📊 First DPIA & Audit Deadline

Within 12 months of SDF notification + report submission to Board

🔄 Recurring Obligation

Every subsequent 12-month period requires fresh DPIA, audit, and reporting

✅ SDF Compliance Checklist

| Obligation | Frequency | Key Action | Penalty Risk |
|---|---|---|---|
| DPIA Conduct | Annual | Assess risks to Data Principal rights, document mitigation | ₹150 Cr |
| Independent Audit | Annual | Appoint auditor per Section 10(2)(b), verify compliance | ₹150 Cr |
| Board Reporting | Post-audit | Submit significant observations report to DPB | ₹150 Cr |
| Algorithmic Due Diligence | Continuous | Verify algorithms don't harm Data Principal rights | ₹150 Cr |
| Data Localization (if specified) | Ongoing | Ensure critical data + traffic data stays in India | ₹150 Cr + Blocking |
| DPO Appointment | One-time | Appoint India-based DPO per Section 10(2)(a) | ₹150 Cr |

🌍 Comparative Legal Framework

GDPR vs DPDP Act: SDF Obligations Comparison

| Aspect | EU GDPR | India DPDP Act (Rule 13) |
|---|---|---|
| DPIA | Article 35 - required for high-risk processing | Mandatory annual DPIA for all SDFs |
| Algorithmic Accountability | Implicit in Article 22 (automated decision-making) | Explicit due diligence obligation (Rule 13(3)) |
| Data Localization | None - free flow within EU/EEA + adequacy decisions | Conditional - for government-specified categories |
| Audit Frequency | Not mandated (industry best practice) | Annual independent audit mandatory |
| Regulator Reporting | Breach notification (Article 33) - incident-based | Annual compliance report submission |

📝 Conclusion: Strategic Implications

Rule 13 establishes a stringent regulatory regime for Significant Data Fiduciaries, emphasizing:

  • Proactive Compliance: Shift from reactive breach response to preventive risk management
  • Algorithmic Governance: First Indian law to explicitly mandate due diligence on AI/ML systems processing personal data
  • Regulatory Oversight: Board gains visibility into SDF operations through mandatory annual reporting
  • Data Sovereignty: Conditional localization balances innovation with national security concerns
  • High Penalty Exposure: ₹150 crore penalty per violation creates significant financial deterrent

Organizations processing data at scale must urgently assess their SDF designation risk and implement robust governance frameworks before the May 2027 deadline.

Disclaimer: This analysis is for informational purposes only and does not constitute legal advice. Consult qualified legal counsel for specific compliance guidance. 2025 Advocate (Dr.) Prashant Mali Email: prashant.mali@cyberlawconsulting.com

Document Reference: Digital Personal Data Protection Rules, 2025 | G.S.R. 846(E) | November 13, 2025

Site maintained by Advocate (Dr.) Prashant Mali for DPDPA Awareness and Privacy awareness