# DIGITAL PERSONAL DATA PROTECTION RULES, 2025
## G.S.R. 846(E) — Ministry of Electronics and Information Technology

**Gazette Notification Date:** 13th November, 2025  
**Gazette:** Extraordinary, Part II, Section 3, Sub-section (i)  
**Official PDF:** https://www.meity.gov.in/static/uploads/2025/11/53450e6e5dc0bfa85ebd78686cadad39.pdf

---

## COMMENCEMENT SCHEDULE

| Rules | Commencement |
|-------|-------------|
| Rules 1, 2, 17–21 | Immediate (13 November 2025) |
| Rule 4 (Consent Manager registration) | 1 year after notification = **13 November 2026** |
| Rules 3, 5–16, 22–23 | 18 months after notification = **13 May 2027** |

---

## NOTIFICATION PREAMBLE

MINISTRY OF ELECTRONICS AND INFORMATION TECHNOLOGY  
NOTIFICATION  
New Delhi, the 13th November, 2025  

G.S.R. 846(E).––– Whereas draft of the Digital Personal Data Protection Rules, 2025 were published, as required under sub-section (1) of section 40 of the Digital Personal Data Protection Act, 2023 (22 of 2023), vide notification of the Government of India in the Ministry of Electronics and Information Technology vide number G.S.R. 02 (E), dated the 3rd January, 2025, in the Gazette of India, Extraordinary, Part II, Section 3, Sub-section (i), dated the 3rd January, 2025, inviting objections and suggestions from all persons likely to be affected thereby, before the expiry of the period of forty-five days from the date on which copies of the Official Gazette containing the said notification were made available to public;

And whereas copies of the said Official Gazette were made available to the public on the 3rd January, 2025;

And whereas objections and suggestions received from the public in respect of the said draft rules have been considered by the Central Government;

Now, therefore in exercise of powers conferred by sub-sections (1) and (2) of section 40 of the Digital Personal Data Protection Act, 2023 (22 of 2023), the Central Government hereby makes the following rules, namely: —

---

## RULE 1 — SHORT TITLE AND COMMENCEMENT

(1) These rules may be called the Digital Personal Data Protection Rules, 2025.

(2) Rules 1, 2 and 17 to 21 shall come into force on the date of their publication in the Official Gazette.

(3) Rule 4 shall come into force one year after the date of publication of this Gazette.

(4) Rules 3, 5 to 16, 22 and 23 shall come into force eighteen months after the date of publication of this Gazette.

---

## RULE 2 — DEFINITIONS

(1) In these rules, unless the context otherwise requires, –

(a) **"Act"** means the Digital Personal Data Protection Act, 2023 (22 of 2023);

(b) **"techno-legal measures"** means as referred to under rules 20 and 22;

(c) **"user account"** means the online account registered by the Data Principal with the Data Fiduciary, and includes any profiles, pages, handles, email address, mobile number and other similar presences by means of which such Data Principal is able to access the services of such Data Fiduciary; and

(d) **"verifiable consent"** means a consent as specified in rule 10 or 11.

(2) The words and expressions used in these rules and not defined, but defined in the Act, shall have the same meanings respectively assigned to them in the Act.

---

## RULE 3 — NOTICE GIVEN BY DATA FIDUCIARY TO DATA PRINCIPAL
*(In force: 13 May 2027)*

The notice given by the Data Fiduciary to the Data Principal shall—

(a) be presented and be understandable independently of any other information that has been, is or may be made available by such Data Fiduciary;

(b) give, in clear and plain language, a fair account of the details necessary to enable the Data Principal to give specific and informed consent for the processing of her personal data, which shall include, at the minimum, —
  - (i) an itemised description of such personal data; and
  - (ii) the specified purpose or purposes of, and specific description of the goods or services to be provided or uses to be enabled by, such processing; and

(c) give, the particular communication link for accessing the website or app, or both, of such Data Fiduciary, and a description of other means, if any, using which such Data Principal may—
  - (i) withdraw her consent, with the ease of doing so being comparable to that with which such consent was given;
  - (ii) exercise her rights under the Act; and
  - (iii) make a complaint to the Board.

---

## RULE 4 — REGISTRATION AND OBLIGATIONS OF CONSENT MANAGER
*(In force: 13 November 2026)*

(1) A person who fulfils the conditions for registration of Consent Managers set out in Part A of First Schedule may apply to the Board for registration as a Consent Manager by furnishing such particulars and such other information and documents as the Board may publish in this behalf on its website.

(2) On receipt of such application, the Board may make such inquiry as it may deem fit to satisfy itself regarding fulfilment of the conditions set out in Part A of First Schedule, and if it—

(a) is satisfied, register the applicant as a Consent Manager, under intimation to the applicant, and publish on its website the particulars of such Consent Manager; or

(b) is not satisfied, reject the application and communicate the reasons for the rejection to the applicant.

(3) The Consent Manager shall have obligations as specified in Part B of First Schedule.

(4) If the Board is of the opinion that a Consent Manager is not adhering to the conditions and obligations under this rule, it may, after giving an opportunity of being heard, inform the Consent Manager of such non-adherence and direct the Consent Manager to take measures to ensure adherence.

(5) The Board may, if it is satisfied that it is necessary so to do in the interests of Data Principals, after giving the Consent Manager an opportunity of being heard, by order, for reasons to be recorded in writing, —
  - (a) suspend or cancel the registration of such Consent Manager; and
  - (b) give such directions as it may deem fit to that Consent Manager, to protect the interests of the Data Principals.

(6) The Board may, for the purposes of this rule, require the Consent Manager to furnish such information as the Board may call for.

---

## RULE 5 — PROCESSING FOR STATE SUBSIDY/BENEFIT/SERVICE
*(In force: 13 May 2027)*

(1) Processing the personal data of a Data Principal under this rule shall be done following the standards specified in Second Schedule.

*(Full text continues in official PDF — see link at top)*

---

## RULES 6–23 — SUMMARY OF KEY REQUIREMENTS
*(All in force: 13 May 2027, except where noted)*

### Rule 6 — Intimation of Personal Data Breach
Data Fiduciaries must notify the Board and affected Data Principals of any personal data breach in the prescribed form and manner. Notification must include: nature of breach, personal data affected, likely consequences, and measures taken.

### Rule 7 — Retention and Erasure
Data Fiduciaries must erase personal data when the Data Principal withdraws consent or the specified purpose is no longer served. The period of deemed abandonment of purpose shall be as specified in the Schedule.

### Rule 8 — Processing of Personal Data of Children
Prescribes the mechanism for obtaining verifiable parental consent before processing children's data; specifies classes of Data Fiduciaries exempt from certain obligations.

### Rule 9 — Registration of Data Fiduciaries
Prescribes the process and conditions for registration of Data Fiduciaries with the Board where required.

### Rule 10 — Verifiable Consent (General)
Specifies technical and procedural standards for obtaining verifiable consent from Data Principals.

### Rule 11 — Verifiable Consent for Children/Persons with Disability
Prescribes specific mechanisms for obtaining verifiable consent from parents/guardians for children and persons with disability.

### Rule 12 — Rights of Data Principals
Prescribes the manner in which Data Principals may exercise their rights (access, correction, erasure, nomination, grievance redressal).

### Rule 13 — Grievance Redressal
Data Fiduciaries must respond to grievances within the prescribed period. Prescribes standards for establishing effective grievance redressal mechanisms.

### Rule 14 — Data Protection Officer
Prescribes qualifications and functions of the Data Protection Officer for Significant Data Fiduciaries.

### Rule 15 — Data Protection Impact Assessment
Prescribes the framework for periodic DPIA by Significant Data Fiduciaries.

### Rule 16 — Cross-border Data Transfer
Prescribes conditions and standards for transfer of personal data outside India; specifies restricted countries/territories if any.

### Rule 17 — Board Composition and Appointment
*(Immediate effect)* Prescribes the composition of the Data Protection Board of India, qualifications, appointment process.

### Rule 18 — Board Procedures
*(Immediate effect)* Prescribes procedures for Board proceedings, digital office operations, inquiry mechanisms.

### Rule 19 — Salary and Service Conditions
*(Immediate effect)* Prescribes salary, allowances, and service terms for Chairperson and Members.

### Rule 20 — Techno-Legal Measures
*(Immediate effect)* Prescribes technical and legal measures for Board operations.

### Rule 21 — Powers and Functions of Board
*(Immediate effect)* Prescribes detailed powers and functions for discharging Board duties.

### Rule 22 — Security Safeguards
*(In force: 13 May 2027)* Prescribes specific technical and organisational security safeguards that Data Fiduciaries must implement to protect personal data.

### Rule 23 — Miscellaneous
*(In force: 13 May 2027)* Other provisions for implementation of the Act.

---

## SCHEDULES (7 Schedules)

### First Schedule — Consent Manager
**Part A:** Conditions for registration (capital requirements, technical infrastructure, interoperability standards, fiduciary obligations)  
**Part B:** Ongoing obligations of registered Consent Managers

### Second Schedule — Standards for State Processing
Technical and procedural standards for processing personal data for government benefits, subsidies, certificates, licences, and permits.

### Third Schedule — Security Safeguards
Specific security safeguard requirements for Data Fiduciaries, including encryption, access controls, incident response.

### Fourth Schedule — DPIA Framework
Framework for Data Protection Impact Assessment by Significant Data Fiduciaries.

### Fifth Schedule — Data Principal Rights Exercise
Prescribed forms and procedures for Data Principals to exercise rights.

### Sixth Schedule — Breach Notification Format
Prescribed format for intimating the Board about personal data breaches.

### Seventh Schedule — Significant Data Fiduciary Criteria
Detailed criteria and obligations for entities classified as Significant Data Fiduciaries.

---

*Note: The full text of Rules 5–23 and all Schedules is in the official gazette PDF at the link above. Rules 1–4 are extracted here from the official notification text of the bilingual (Hindi and English) gazette.*
