OFFICIAL RULES - NOVEMBER 2025

Digital Personal Data Protection Act 2023

A comprehensive guide to India's data protection framework. Understand your obligations as a Data Fiduciary and the rights of Data Principals.

Breach Notification Deadline: 72 hrs
DSR Response Time: 30 days
Maximum Penalty: ₹250 Cr
Log Retention Minimum: 1 Year

Key Provisions of DPDP Rules 2025

The Digital Personal Data Protection Rules, 2025 were published on November 13, 2025, under the Digital Personal Data Protection Act, 2023. These rules provide the operational framework for data protection compliance in India.

Commencement: Rules 1, 2, and 17-21 came into force immediately. Rule 4 (Consent Manager) comes into force after 1 year. Rules 3, 5-16, 22-23 come into force after 18 months.

1. Definitions (Rule 2)

Data Fiduciary

Any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data.

Data Principal

The individual to whom the personal data relates.

User Account

The online account registered by the Data Principal with the Data Fiduciary, including profiles, pages, handles, email address, mobile number and other similar presences.

Verifiable Consent

Consent as specified in Rule 10 or 11, particularly for processing the personal data of children or of persons with disabilities.

Techno-Legal Measures

Technical and legal measures as referred to under rules 20 and 22 for digital proceedings.

4. Reasonable Security Safeguards (Rule 6)

Data Fiduciaries must protect personal data by implementing the following minimum security measures:

Data Security Measures

Encryption, obfuscation, masking, or virtual tokens mapped to personal data

Access Control

Appropriate measures to control access to computer resources

Logging & Monitoring

Visibility on data access through logs, monitoring, and review for detecting unauthorized access

Data Backups

Measures to ensure continued processing in the event of data compromise or loss

Log Retention

Retain logs and personal data for a minimum of 1 year to support investigation and remediation

Contractual Provisions

Appropriate provisions in contracts with Data Processors for security safeguards

5. Personal Data Breach Notification (Rule 7)

Critical Requirement: All personal data breaches must be reported to the Data Protection Board within 72 hours.

Notification to Data Principals:

Without delay, inform each affected Data Principal through their user account or registered communication mode:

  • Description of the breach (nature, extent, timing)
  • Likely consequences relevant to the Data Principal
  • Measures implemented to mitigate risk
  • Safety measures the Data Principal can take
  • Business contact information of a person who can respond to queries

Notification to Data Protection Board:

Within 72 hours, provide:

  • Updated and detailed description of the breach
  • Facts related to events, circumstances and reasons
  • Measures implemented or proposed to mitigate risk
  • Findings regarding the person who caused the breach
  • Remedial measures to prevent recurrence
  • Report on intimations given to affected Data Principals

6. Data Retention & Erasure (Rule 8)

Personal data must be erased when the specified purpose is no longer being served, subject to the following:

Retention Periods by Entity Type:

Entity Type                | Threshold                  | Retention Period
E-commerce Entity          | 2 crore+ registered users  | 3 years from last interaction
Online Gaming Intermediary | 50 lakh+ registered users  | 3 years from last interaction
Social Media Intermediary  | 2 crore+ registered users  | 3 years from last interaction

Mandatory Log Retention: All Data Fiduciaries must retain personal data, traffic data, and processing logs for a minimum of 1 year from the date of processing, regardless of entity type.

7. DPO Contact Information (Rule 9)

Every Data Fiduciary must prominently publish on its website or app:

  • Business contact information of the Data Protection Officer (if applicable), or of a person able to answer questions about data processing
  • This information must be included in every response to Data Principal communications

Requirement: The contact information must be mentioned in every response to a communication for the exercise of Data Principal rights under the Act.

8. Children's Data Protection (Rules 10-12)

Processing personal data of children requires verifiable parental consent with due diligence to verify the parent is an identifiable adult.

Verification Methods:

  • Reliable identity and age details already available with the Data Fiduciary
  • Details voluntarily provided by the parent
  • Virtual token mapped to identity/age issued by an authorised entity
  • Digital Locker service provider verification

Exemptions from Parental Consent:

Healthcare: Clinical establishments, mental health establishments, and healthcare professionals for health services

Education: Educational institutions for tracking and behavioural monitoring for educational activities or safety

Child Care: Creches and day care centres for safety monitoring

Transport: Transport providers for location tracking during travel to/from institutions

9. Significant Data Fiduciary Obligations (Rule 13)

Data Fiduciaries notified as "Significant" have additional obligations:

  1. Annual Data Protection Impact Assessment: conduct a DPIA and audit every 12 months to ensure compliance
  2. Report to Data Protection Board: furnish significant observations from the DPIA and audit to the Board
  3. Algorithmic Due Diligence: verify that algorithmic software does not pose a risk to Data Principal rights
  4. Data Localisation: certain personal data may be restricted from transfer outside India as specified by the Central Government

10. Rights of Data Principals (Rule 14)

Data Fiduciaries must enable Data Principals to exercise their rights under the Act:

Right to Access

Access personal data being processed and obtain a summary

Right to Correction

Request correction of inaccurate or incomplete personal data

Right to Erasure

Request deletion of personal data no longer necessary

Right to Withdraw Consent

Withdraw previously given consent at any time

Right to Grievance Redressal

File grievances and receive response within 90 days

Right to Nominate

Nominate individuals to exercise rights on their behalf

Response Timeline: Data Fiduciaries must respond to grievances within 90 days through their grievance redressal system.

11. Cross-Border Data Transfer (Rule 15)

Personal data may be transferred outside India subject to restrictions specified by the Central Government regarding:

  • Making data available to any foreign State
  • Transfer to persons or entities under control of a foreign State
  • Transfer to agencies of foreign States

Note: Significant Data Fiduciaries may be subject to additional data localisation requirements for certain categories of personal data.

Other Rules (Administrative)

The following rules cover administrative matters, exemptions, and the functioning of the Data Protection Board:

Rule 16: Research Exemption

Processing for research, archiving, or statistical purposes is exempt if carried out per Second Schedule standards.

Rules 17-21: Data Protection Board

Covers appointment of Chairperson and Members, salaries, procedures, and digital office functioning. The Board operates as a digital office using techno-legal measures.

Rule 22: Appeals

Appeals against Board orders go to the Appellate Tribunal. They must be filed digitally with the applicable fees (payable via UPI).

Rule 23: Information Requests

The Central Government may require Data Fiduciaries or intermediaries to furnish information for the purposes specified in the Seventh Schedule (national security, law enforcement, etc.).

Schedules: The Rules include 7 Schedules covering Consent Manager requirements, processing standards, retention periods, children's data exemptions, Board member terms, employee conditions, and government information requests.
