Digital Personal Data Protection Rule 2025
https://www.latestlaws.com

Digital Personal Data Protection Rules, 2025
(As notified under the Digital Personal Data Protection Act, 2023)
The Digital Personal Data Protection Rules, 2025 (DPDP Rules) have been formulated by the Central Government to operationalize the provisions of the Digital Personal Data Protection Act, 2023 (DPDP Act). These rules aim to ensure effective implementation of the rights of data principals (individuals) and obligations of data fiduciaries (entities processing data), while also safeguarding national and public interest.
1. Key Objectives
• To lay down the procedural framework for the collection, processing, storage, and transfer of personal data.
• To establish mechanisms for grievance redressal, consent management, and enforcement of data protection rights.
• To define the responsibilities of significant data fiduciaries and cross-border data transfer protocols.
2. Major Provisions
A. Consent Management
• Consent must be free, informed, specific, and unambiguous, given through a clear affirmative action.
• A Consent Manager, registered with the Data Protection Board, shall facilitate consent withdrawal and recordkeeping.
B. Duties of Data Fiduciaries
• Provide notice to individuals before collecting data.
• Ensure data is used only for the purpose for which consent is obtained.
• Maintain security safeguards and report personal data breaches to the Board within 72 hours.
C. Rights of Data Principals
• Right to Access Information: About processing, categories of data shared, and identities of data processors.
• Right to Correction and Erasure: Data principals can request correction or deletion of their personal data.
• Right to Grievance Redressal: Through the data fiduciary or the Data Protection Board.
D. Significant Data Fiduciaries (SDFs)
• Entities processing large volumes of sensitive personal data may be designated as SDFs.
• SDFs must appoint a Data Protection Officer (DPO) based in India and conduct periodic data audits.
E. Cross-Border Data Transfer
• Personal data may be transferred outside India, except to countries notified as restricted by the Central Government.
• Sensitive personal data requires additional safeguards before transfer.
F. Data Retention and Minimization
• Personal data should not be retained beyond the necessary purpose.
• Periodic review of data holdings is mandated.
G. Children’s Data
• Parental consent is required for data processing of individuals under the age of 18.
• Targeted advertising or tracking of children is prohibited.
3. Data Protection Board of India
• An independent adjudicatory body established under the DPDP Act.
• Has powers to investigate complaints, impose penalties, and issue directions.
• May levy penalties up to ₹250 crore for serious violations.
4. Compliance Timeline
• Data Fiduciaries and SDFs are given specific transition timelines, ranging from 6 to 12 months, for compliance after notification.
• The government may phase implementation for different sectors.
5. Penalties for Non-Compliance
• Failure to take security measures: up to ₹200 crore.
• Breach of children's data protection provisions: up to ₹150 crore.
• Non-compliance with Board directions: up to ₹50 crore.
Conclusion
The Digital Personal Data Protection Rules, 2025 represent a significant move toward protecting individual privacy in the digital era. They establish a robust legal framework that balances data empowerment, innovation, and accountability, ensuring India’s alignment with global data protection standards.