Digital Personal Data Protection Rules, 2025 – A Brief Overview And Analysis

by Mr. Rodney D. Ryder and Mr. M. Sushant Murthy

With the notification of the Digital Personal Data Protection Rules 2025 [“Rules” or “DPDP Rules”], India has moved closer to a fully actionable data protection regime. In our latest briefing, ANM-SCRIBOARD breaks down the Rules with a preliminary analysis covering compliance, timelines, schedules, definitions, and major obligations that will shape how organisations handle personal data.

I. Background

The Central Government notified the Digital Personal Data Protection Rules, 2025 on November 13, 2025, in exercise of its powers under Section 40[1] and 40[2] of the Digital Personal Data Protection Act, 2023, as confirmed by the official press release of the Ministry of Electronics & Information Technology. Although several provisions of the Rules are yet to come into effect, they lay down the operational framework required to implement and give effect to the Act.

II. Overview of the Rules

The Digital Personal Data Protection Rules, 2025 comprise 23 Rules and 7 Schedules, with Schedule 1 and Schedule 4 further divided into Part A and Part B. Together, these Rules operationalise the framework laid down by the Digital Personal Data Protection Act, 2023 [“DPDPA”], by translating its principles into concrete procedural, technical, and organisational requirements.

The DPDP Rules guide how Data Fiduciaries must collect, process, retain, secure, and transfer personal data. While the Act sets out high-level obligations, the Rules provide actionable detail, such as:

  • Detailed notice standards, ensuring that notices are clear, plain, and easily understandable.
  • Specific requirements for valid and verifiable consent, including for children and persons with disabilities.
  • Mandatory security safeguards, such as encryption, access controls, logging, monitoring, breach response protocols, and audit trails.
  • Retention and erasure norms, including minimum log-retention and user inactivity rules.
  • Additional responsibilities for Significant Data Fiduciaries, including DPIAs, audits, and restrictions on certain cross-border transfers.
  • Conditions governing Consent Managers, including registration, obligations, governance safeguards, and transparency requirements.
  • Rules for cross-border data transfer, subject to government-notified restrictions.

III. Compliance Timeline of DPDP Rules 2025

Effective Immediately [on the date of notification]
The following Rules are in force as of now:

| Rule | Heading |
| --- | --- |
| Rule 1 | Short title and commencement |
| Rule 2 | Definitions |
| Rule 17 | Appointment of Chairperson and other Members of the Board |
| Rule 18 | Salary, allowances and other terms and conditions of service of Chairperson and other Members |
| Rule 19 | Procedure for meetings of Board and authentication of its orders, directions, and instruments |
| Rule 20 | Functioning of Board as digital office [Techno-legal measures for compliance] |
| Rule 21 | Terms and conditions of appointment and service of officers and employees of Board |

Effective After 1 Year

This Rule becomes operational one year after the notification date:

| Rule | Heading |
| --- | --- |
| Rule 4 | Registration and obligations of Consent Managers |

Effective After 18 Months

These are the core operational DPDP obligations, becoming enforceable 18 months after notification date:

| Rule | Heading |
| --- | --- |
| Rule 3 | Notice requirements |
| Rule 5 | Processing of personal data for provision or issue of subsidy, benefit, service, certificate, licence or permit by State and its instrumentalities |
| Rule 6 | Reasonable security safeguards |
| Rule 7 | Intimation of personal data breach |
| Rule 8 | Time period for retaining processed data |
| Rule 9 | Contact information of person to answer questions about processing |
| Rule 10 | Verifiable consent for processing of personal data of child |
| Rule 11 | Verifiable consent for processing of personal data of person with disability who has lawful guardian |
| Rule 12 | Exemptions from certain obligations applicable to processing of personal data of child |
| Rule 13 | Additional obligations of Significant Data Fiduciary |
| Rule 14 | Rights of Data Principals |
| Rule 15 | Transfer of personal data outside the territory of India |
| Rule 16 | Exemption from Act for research, archiving or statistical purposes |
| Rule 22 | Appeal to Appellate Tribunal |
| Rule 23 | Calling for information from Data Fiduciary or intermediary |

IV. Table of Schedules

The following Schedules have been included in the Rules:

| Schedule No. | Content |
| --- | --- |
| Schedule 1 | Part A: Conditions for registration of Consent Manager. Part B: Obligations of Consent Manager. |
| Schedule 2 | Standards for processing of personal data by State and its instrumentalities under clause [b] of section 7 of DPDPA and for processing of personal data necessary for the purposes specified in clause [b] of sub-section [2] of section 17 of DPDPA. |
| Schedule 3 | Classes of Data Fiduciaries and Time Period[s] with respect to Rule 8, i.e., time period for specified purpose to be deemed as no longer being served. |
| Schedule 4 | Part A: Classes of Data Fiduciaries in respect of whom provisions of sub-sections [1] and [3] of section 9 of DPDPA shall not apply. Part B: Purposes for which provisions of sub-sections [1] and [3] of section 9 of DPDPA shall not apply. |
| Schedule 5 | Terms and conditions of service of Chairperson and other Members. |
| Schedule 6 | Terms and conditions of appointment and service of officers and employees of Board. |
| Schedule 7 | Purposes and authorised personnel for and through which the Central Government may require a Data Fiduciary or Intermediary to furnish information. |

V. Important Definitions

The Rules define the following terms:

| Rule | Term | Definition |
| --- | --- | --- |
| 2[1][a] | Act | The Digital Personal Data Protection Act, 2023 [22 of 2023]. |
| 2[1][b] | Techno-Legal Measures | As referred to under Rules 20 and 22. Explanation: the use of digital or technological tools, combined with legally compliant procedures, to conduct hearings, inquiries, filings, authentication, and other proceedings electronically, eliminating the need for physical presence. |
| 2[1][c] | User Account | The online account registered by the Data Principal with the Data Fiduciary, including any profiles, pages, handles, email address, mobile number, and other similar presences by means of which such Data Principal can access the services of such Data Fiduciary. |
| 2[1][d] | Verifiable Consent | Consent as specified in Rule 10 or 11. Explanation: consent obtained using prescribed technical and organisational measures which reliably confirm the identity and legal capacity of the person giving consent, specifically a parent in the case of a child, or a lawful guardian in the case of a person with disability. |

VI. Key Obligations and Requirements

Each entry below sets out the requirement under the relevant Rule and the entity responsible for compliance.

Rule 3 – Consent Notice Requirements

A. Every Data Fiduciary must give a clear, standalone, and easily understandable notice to the Data Principal before obtaining consent. The notice must:

  1. Be understandable on its own without relying on any other document or policy.
  2. Use clear and plain language and include at least:
    1. An itemised list of the personal data to be processed, and
    2. The specific purpose[s] and the exact goods/services or uses enabled by such processing.
  3. Provide a direct communication link to the Fiduciary’s website/app and describe all available mechanisms through which the Data Principal may:
    1. Withdraw consent easily,
    2. Exercise her statutory rights, and
    3. File a complaint with the Data Protection Board.

B. The notice must contain:

  1. An itemised description of the personal data needed for processing;
  2. The specific purpose/purposes of processing such data;
  3. A description of goods or services to be provided or uses to be enabled through such processing;
  4. A communication link which directs the Data Principal to the Data Fiduciary’s website or app;
  5. A description of the means available to the Data Principal to withdraw her consent, exercise her rights, and file a complaint with the Data Protection Board of India.

Analysis: Rule 3 significantly raises the standard for organisational transparency. Organisations are required to revise existing consent flows so they provide itemised data details and specific purpose statements, and avoid vague or bundled descriptions. User experience for withdrawing consent and invoking rights must also be simplified, with the ease of withdrawal matching the ease of giving consent.

This may require UX/UI redesigns, updated user pathways, and integrated grievance mechanisms. Organisations must maintain consistent access points [website, app, or other channels] and ensure that notices are maintained as evidence of compliance.

Entity responsible for compliance: Data Fiduciary

Rule 4 & First Schedule – Registration and Obligations of Consent Managers

A. Registration of Consent Managers

  1. Any person who satisfies the eligibility conditions specified in Part A of the First Schedule may apply to the Data Protection Board for registration as a Consent Manager.
  2. The applicant must submit all particulars, information, and documents as may be prescribed and published by the Board on its website.
  3. Upon receiving the application, the Board may conduct such enquiry as it considers appropriate to verify whether all conditions under Part A are fulfilled.
  4. Based on its assessment, the Board may either:
    1. register the applicant as a Consent Manager and publish its particulars on the Board’s website; or
    2. reject the application and communicate the grounds for rejection to the applicant.

B. Obligations of Consent Managers [Part B of First Schedule]
A registered Consent Manager is required to:

  1. Enable Data Principals to give, manage, review, or withdraw consent to a Data Fiduciary onboarded on its platform, either directly or through another onboarded Data Fiduciary.
  2. Ensure that any personal data handled or transmitted through its platform remains unreadable to the Consent Manager itself.
  3. Maintain records on its platform of:
    1. consents given, denied, or withdrawn;
    2. notices provided before or along with consent requests;
    3. any sharing of the Data Principal’s personal data with transferee Data Fiduciaries.
  4. Provide Data Principals with access to these records and supply the information in a machine-readable format upon request.
  5. Retain such records for at least seven years, unless a longer period is agreed between the Data Principal and the Consent Manager or required by law.
  6. Refrain from sub-contracting or assigning any of its statutory obligations and implement reasonable security safeguards to prevent personal data breaches.
  7. Avoid conflicts of interest with Data Fiduciaries, including conflicts arising from their promoters, directors, key managerial personnel, or senior management.
  8. Maintain effective audit mechanisms to monitor compliance, evaluate controls, and report audit outcomes to the Board as required.

C. A Consent Manager may not transfer control of its company, whether by sale, merger, or any other means, without the prior approval of the Board and compliance with any conditions the Board may impose.

Analysis: For organisations, the Consent Manager framework under the DPDP Rules, 2025 introduces a structured and regulated ecosystem for managing user consent. Any Data Fiduciary choosing to onboard a Consent Manager must work only with entities that meet strict eligibility, security, and audit requirements under the First Schedule. Additionally, since Consent Managers must keep data unreadable and maintain strong security safeguards, Data Fiduciaries will need to integrate technical systems that support encrypted, non-readable transfers.

Entity responsible for compliance: Consent Managers

Rule 6 – Reasonable Security Safeguards

The Data Fiduciary shall be responsible for protecting all personal data in its possession or under its control, including data processed on its behalf by a Data Processor. To fulfil this obligation, it must implement reasonable security safeguards, which at a minimum include:

  1. Technical protections such as encryption, obfuscation, masking, or virtual tokens mapped to personal data; strict access controls over the computer resources used by the Data Fiduciary or Data Processor; and appropriate technical and organisational measures to ensure effective observance of these safeguards.
  2. Monitoring and visibility measures, including maintaining appropriate logs, conducting regular reviews, and ensuring adequate monitoring to detect unauthorised access, investigate incidents, and implement remediation steps to prevent recurrence.
  3. Continuity measures, such as maintaining data backups or similar safeguards to ensure that personal data can continue to be processed even if its confidentiality, integrity, or availability is compromised due to destruction or loss of access.
  4. Where continued processing is required after a compromise, the Data Fiduciary may retain the relevant logs and personal data for up to one year, unless a longer retention period is mandated under any applicable law.

Analysis: Organisations must deploy encryption or tokenisation, enforce strict access controls, maintain detailed logs, and ensure real-time visibility into who accesses personal data and when. They must also be prepared to continue operations during a breach through backups or resilience measures, and retain logs and affected data for one year to support investigation and remediation, unless a longer period is required by law.

Entity responsible for compliance: Data Fiduciary

Rule 7 – Personal Data Breach Notification

A. When a Data Fiduciary becomes aware of a personal data breach, it must promptly inform every affected Data Principal in a clear, concise, and timely manner. The notification must include:

  1. A description of the breach, detailing its nature, extent, when it occurred, and the likely consequences for the Data Principal;
  2. The measures the Data Fiduciary has taken or is taking to mitigate risks, along with recommended safety steps that the Data Principal can take to protect her interests; and
  3. The business contact details of a person authorised to respond to any queries from the Data Principal.

B. The Data Fiduciary must also inform the Data Protection Board without delay, providing a description of the breach including its nature, extent, timing, location of occurrence, and the likely impact.
C. Within 72 hours of becoming aware of the breach [or within a longer period if permitted by the Board on written request], the Data Fiduciary must submit detailed information to the Board, including:

  1. Updated and comprehensive facts regarding the breach, including circumstances and reasons that led to it;
  2. Measures implemented or proposed to mitigate risks;
  3. Findings on the individual or entity responsible for the breach and the remedial steps being taken to prevent recurrence; and
  4. A report confirming the notifications given to affected Data Principals.

Analysis: Rule 7 introduces a stringent two-tiered breach reporting framework, requiring immediate intimation to both affected Data Principals and the Data Protection Board, followed by a detailed second-stage report to the Board within 72 hours [or a longer period if permitted].

Further, this obligation exists in parallel with the mandatory CERT-In reporting requirement under the Information Technology [CERT-In] Directions, 2022, which requires notifying CERT-In within 6 hours of detecting a cyber incident. As a result, organisations now face dual reporting pathways, i.e., to CERT-In for cybersecurity incidents and to the Data Protection Board for personal data breaches.

Entity responsible for compliance: Data Fiduciary

Rule 8 and Schedule 3 – Mandatory Minimum Data Retention

A. Rule 8 reinforces the DPDPA’s foundational principle of storage limitation by requiring every Data Fiduciary to erase personal data as soon as the specified purpose has been fulfilled and continued retention is no longer necessary.

B. Independently of other provisions under Rule 8, all Data Fiduciaries must retain system logs, traffic data, and other processing logs for at least one year from the date of such processing, strictly for the purposes outlined in the Seventh Schedule. After this one-year period, these logs must be erased unless a longer retention period is required under another applicable law or is specifically notified by the Government.

C. The Third Schedule imposes additional mandatory retention obligations on certain classes of Data Fiduciaries, such as e-commerce platforms, online gaming and fantasy sports platforms, and social media intermediaries. These entities must retain personal data for a period of three years from the later of:

  1. the date the Data Principal last approached the Data Fiduciary for the performance of the specified purpose or exercised her rights; or
  2. the commencement date of the DPDP Rules, 2025.

This extended retention applies even if the original purpose is no longer being served, unless erasure is mandated under another applicable law.

D. Before erasing any personal data at the end of the relevant retention period, the Data Fiduciary must notify the Data Principal at least 48 hours in advance, informing her that the data will be erased unless she initiates contact to continue the specified purpose or exercise her rights in relation to that data.

Analysis: Organisations are required to erase personal data once the purpose is fulfilled while simultaneously complying with mandatory retention obligations under the Third and Seventh Schedules. All Data Fiduciaries must now maintain system logs and traffic data for at least one year, while certain high-impact sectors, such as e-commerce, online gaming, fantasy sports, and social-media intermediaries, must retain specified categories of data for three years, even if the business purpose no longer exists.

Entity responsible for compliance: Data Fiduciary

Rule 9 – Contact Point

Every Data Fiduciary shall appoint a Data Protection Officer or a person who is answerable on its behalf to the Data Principals and shall publish the business contact information of such appointed person on its website or app. It shall also mention such information in response to every communication it makes with the Data Principal regarding the exercise of her rights.

Analysis: Organisations must set up a responsive, well-trained contact function and ensure consistent disclosure across all communication channels.

Entity responsible for compliance: Data Fiduciary

Rule 10 and 11 – Verifiable Consent Requirements

A. A Data Fiduciary is required to use verifiable consent mechanisms when processing the personal data of children or persons with disabilities who have a lawful guardian. Under Rules 10 and 11, consent must be obtained from the parent or lawful guardian, and the Data Fiduciary must verify both the identity and the legal capacity of the consenting individual using prescribed measures.

B. To fulfil this obligation, the Data Fiduciary must adopt appropriate technical and organisational measures to ensure that:

  1. the individual providing consent is indeed the parent or lawful guardian, and
  2. the individual is legally competent to provide such consent.

C. Rules 10 and 11 permit verification through the following methods:

  1. Reliable identity or age details already available with the Data Fiduciary;
  2. Identity or age documents voluntarily provided by the parent or guardian;
  3. A virtual token issued by an authorised entity of the Central or State Government, mapped to the individual’s verified identity and age.

D. When processing the data of a person with disability, the Data Fiduciary must exercise due diligence to confirm that the consenting guardian has been validly appointed under the applicable guardianship laws, whether by a court, a designated authority, or a local level committee, and must verify the guardian’s identity using one of the methods permitted under the Rules.

E. Rule 11 defines a “person with disability” to include individuals with long-term physical, mental, intellectual, or sensory impairments that limit their ability to make legally binding decisions despite adequate support, as well as persons with autism, cerebral palsy, mental retardation, or multiple disabilities who similarly cannot take legally binding decisions even with adequate and appropriate support.

Analysis: Organisations must redesign their consent workflows to ensure that consent for children and persons with disabilities is collected only from a verified parent or lawful guardian. This requires implementing technical measures to authenticate the identity and age of the consenting individual, either by using identity/age details already held, by accepting documents or particulars voluntarily provided, or by integrating government-issued virtual token verification.

For persons with disabilities, organisations must additionally verify the guardian’s legal authority by checking court orders, designated-authority appointments, or local-level committee certificates. To operationalise this, organisations will need to build verification APIs or upload channels, maintain secure logs of verification events, train customer-facing teams, update privacy notices and consent forms, and establish backend checks preventing processing unless verifiable consent is confirmed.

Entity responsible for compliance: Data Fiduciary

Rule 12 and Fourth Schedule – Exemptions for Processing Children’s Data

Rule 16 and Second Schedule – Exemption for Research, Archiving, and Statistical Purposes

A. Certain classes of Data Fiduciaries listed in Part A of the Fourth Schedule are exempt from complying with Section 9[1] and Section 9[3] of the Act when processing the personal data of a child. These exempted categories include:

  1. Clinical establishments, mental health establishments, and healthcare professionals;
  2. Allied healthcare professionals;
  3. Educational institutions;
  4. Individuals responsible for the care of infants or children in a crèche or child day-care centre;
  5. Data Fiduciaries engaged by an educational institution, crèche, or child-care centre for transporting enrolled children.

B. The specific purposes for which processing of children’s personal data is exempted from Section 9[1] and 9[3] are listed in Part B of the Fourth Schedule.

C. Separately, processing of personal data that is necessary for research, archiving, or statistical purposes is exempt from the provisions of the Act, so long as it is carried out in accordance with the standards specified in the Second Schedule. These standards include purpose limitation, lawful processing, reasonable efforts to ensure completeness and accuracy of personal data, and the implementation of safeguards to prevent data breaches.

Analysis: For organisations in the healthcare and diagnostics sector, these provisions provide meaningful operational relief: clinical establishments, mental-health establishments, healthcare professionals, and allied healthcare professionals are exempt from the stricter child-processing requirements under Section 9[1] and 9[3]. This means they may process a child’s personal data without needing verifiable parental consent mechanisms or being restricted by prohibitions on tracking or behavioural profiling, provided the processing is strictly for healthcare, treatment, or institutional purposes specified in the Schedule.

However, this exemption does not dilute other obligations such as security safeguards, purpose limitation, breach reporting, or accuracy requirements. Additionally, research laboratories, diagnostic centres, and medical institutions conducting studies benefit from the research exemption under the Second Schedule, but only if they implement the mandated standards, i.e., lawful processing, strict purpose limitation, data integrity controls, and breach-prevention measures.

Entity responsible for compliance: Data Fiduciary

Rule 13 – Significant Data Fiduciaries

A. Organisations notified as Significant Data Fiduciaries [SDFs] are required to conduct a Data Protection Impact Assessment [DPIA] and a data audit once every 12 months from the date on which they are designated as SDFs.

B. The individual or entity authorised to carry out the DPIA and audit must submit a report containing all significant observations to the Data Protection Board.

C. SDFs must exercise due diligence to ensure that any technical measures, including algorithmic software used for hosting, displaying, uploading, modifying, transmitting, storing, updating, or sharing personal data, do not pose a risk to the rights of Data Principals. This introduces a formal algorithmic accountability obligation.

D. SDFs must also ensure that any personal data categories notified by the Central Government are processed subject to the restriction that such data, and its associated traffic data, is not transferred outside India, effectively enabling targeted data localisation for sensitive personal data categories.

E. For the purpose of identifying which categories of personal data and traffic data require localisation, the Central Government will constitute a committee, comprising officials from the Ministry of Electronics and Information Technology and, where necessary, officials from other relevant ministries or departments.

Analysis: Designation as a Significant Data Fiduciary imposes a substantially higher compliance burden on organisations, requiring them to run annual DPIAs and independent audits, submit findings to the Data Protection Board, and implement formal algorithmic accountability by verifying that their AI, automation, or decision-support tools do not create risks to Data Principals’ rights.

SDFs must also prepare for selective data localisation, as any personal or traffic data categories notified by the Government must be processed strictly within India. Organisations need strong governance structures, cross-functional compliance teams, mature risk-assessment methodologies, and the technical capacity to segregate and localise notified data types.

Entity responsible for compliance: Significant Data Fiduciaries

Rule 14 – Rights of Data Principals

To enable Data Principals to exercise their rights, every Data Fiduciary and Consent Manager must prominently publish on their website or app:

  1. The details of the methods through which a Data Principal may submit requests to exercise her rights; and
  2. The identifiers or particulars she must provide so the organisation can accurately identify her for rights-exercise purposes.

A Data Principal may exercise her rights by submitting a request to the same Data Fiduciary to whom she had previously given consent, using the published channels and furnishing the required identifiers.

Each Data Fiduciary is also required to maintain a mandatory grievance redressal system, ensuring that grievances raised by Data Principals are responded to within 90 days. This system must be supported by appropriate technical and organisational measures that enable timely and effective resolution.

Further, Data Principals have the right to nominate one or more individuals who may exercise these rights on their behalf in the event of their death or incapacity. Such nomination must be exercised in accordance with the Data Fiduciary’s terms of service and applicable law.

Analysis: These requirements significantly increase the operational responsibilities of organisations by obligating every Data Fiduciary and Consent Manager to provide clear, easily accessible channels for Data Principals to exercise their rights. Organisations must publish and maintain precise instructions and identifiers needed for rights requests, which means building or updating rights-management interfaces, verification processes, and backend workflows.

The mandatory 90-day grievance redressal requirement demands a well-structured support function backed by robust technical and organisational measures, ensuring timely acknowledgment, tracking, and closure of grievances. Additionally, organisations must update their terms of service and internal systems to support the nomination mechanism, allowing authorised nominees to exercise rights on behalf of incapacitated or deceased Data Principals.

Entity responsible for compliance: Data Fiduciary, Consent Manager

Rule 15 – Cross-Border Data Transfer Requirements

A Data Fiduciary may transfer personal data to any foreign country; however, such transfers are subject to any restrictions, conditions, or prohibitions that the Central Government may impose through a general or special order. The Government may specify limits or safeguards on making personal data available to any foreign State, or to any person, entity, or agency under the control of such a State, thereby enabling targeted restrictions on cross-border data flows based on security, sovereignty, or policy considerations.

Analysis: For organisations, the cross-border transfer framework remains generally permissive but introduces a government-controlled restriction model, meaning transfers are allowed unless the Central Government issues a notification restricting specific countries, entities, or foreign State agencies. This creates a compliance environment similar to a “negative list” regime, where organisations must actively monitor government notifications and adjust their data-flow architecture accordingly.

Entity responsible for compliance: Data Fiduciary

Rule 20 and 22 – Digital Functioning of the Board and Tribunal

A. Rule 20 mandates that the Data Protection Board shall operate as a digital office, enabling its proceedings to be conducted entirely through online, techno-legal systems without requiring the physical presence of any individual.

B. Under Rule 22, appeals against the orders of the Board must also be filed digitally before the Appellate Tribunal. The Tribunal, too, shall function as a digital office and may adopt appropriate techno-legal measures to conduct its proceedings in an online format without necessitating physical attendance.

C. The digital functioning of either body does not limit or affect their statutory authority to summon individuals, enforce attendance, or examine persons on oath whenever required.

Analysis: The requirement for both the Data Protection Board and the Appellate Tribunal to function entirely as digital offices means organisations must be prepared for fully online regulatory and appellate interactions. All submissions, complaints, responses, evidence bundles, appeals, and procedural filings will occur digitally.

Although proceedings are virtual, the Board and Tribunal retain full statutory powers to summon individuals or require testimony on oath, so companies must also ensure key personnel are available for remote hearings or examinations.

Entity responsible for compliance: Data Protection Board of India and Appellate Tribunal

The notification of the Rules creates much-welcome clarity on the role of Consent Managers, the requirements for becoming a Consent Manager, the mechanisms for obtaining verifiable consent from parents of minors and from lawful guardians of persons with disabilities, the minimum reasonable security safeguards, and other important points.

Although the staggered timelines provide some structure, a substantial amount of time will be spent on internal groundwork. Organisations will first need to identify the types of personal data they collect, map how that data is processed and stored, and review their practices against the new requirements. Much of the compliance window may be consumed by this preparatory work. The timelines therefore offer clarity but do not lessen the practical effort required to bring internal processes in line with the DPDPA framework.