The Ministry of Electronics and Information Technology ("MeitY") has notified rules to the Digital Personal Data Protection Act, 2023 ("DPDPA"). The much-awaited Digital Personal Data Protection Rules, 2025 ("Rules") will operationalize the DPDPA, setting India's first privacy law into motion.
We have noted certain key points of the recently notified Rules below.
- Provision of Notice to Data Principals: As previously mentioned, Data Fiduciaries will have to provide notice to Data Principals in "clear and plain language" stipulating necessary details which mandatorily have to include an itemized description of personal data being processed and the specified purposes of such processing. Notably, unlike in the previous version of the Rules, Fiduciaries have to mandatorily also provide details pertaining to withdrawal in this notice.
- Appointment and Removal of Consent Managers: The First Schedule to the Rules sets out conditions for registration of Consent Managers. The decision as to whether a person fulfills such criteria is to be taken by the Data Protection Board ("Board"). The Board is also empowered to remove or suspend a Consent Manager, after giving them an opportunity to be heard, if the Board believes it is necessary to do so in the interest of Data Principals.
- Reasonable Security Safeguards: The Rules call upon Data Fiduciaries to undertake "reasonable security safeguards" with regard to personal data under their control. The Rules indicate that such safeguards would at the minimum include measures such as securing personal data through encryption, obfuscation, control of access to computer resources used by Data Fiduciaries/Processors and other organisational and technical measures to ensure adherence to this provision.
- Intimation of Personal Data Breach: As seen in the previous version of the Rules, this Rule also calls upon Data Fiduciaries to intimate to Data Principals the occurrence of any data breaches along with certain mandatory details. Further, Fiduciaries are also required to provide effectively two submissions to the Board providing information pertaining to the occurrence of a personal data breach. Notably, the Rules do not provide a timeline as to intimation of breaches by a Data Fiduciary to its Data Principals. However, they set a 72-hour window for providing such notice to the Board.
- Verifiable Consent for Processing Data of Children and Guardians of Persons with Disabilities: The Rules provide that verifiable consent of the parent of a child is to be obtained either through details voluntarily provided by the parent or through a virtual token mapped to such details (like Aadhaar). Further, such verifiable consent is also to be provided in the case of persons with disabilities who have guardians.
- Additional Obligations on Significant Data Fiduciaries: Amongst other things, Significant Data Fiduciaries will be required to conduct Data Protection Impact Assessments and audits, which will have to be submitted to the Board. Notably, as was also seen in the previous draft of the Rules, Significant Data Fiduciaries will be prevented from transferring "certain" personal data and traffic data pertaining to its flows outside of India. This category of personal data will be identified on the basis of the recommendations of a committee constituted by the Central Government.
- Rights of Data Principals: The Rules also enumerate the rights that Data Principals have under the Act, which include the right to make requests to Data Fiduciaries and the right to nominate persons to manage their exercise of such rights, amongst others.
- Data Transfer Restriction: Personal Data processed by Data Fiduciaries in India will not be permitted to be transferred outside India or made available to any foreign State or any person or entity under the control of or any agency of such a State, unless the Data Fiduciary meets certain requirements that will be prescribed by the Central Government.
- Call for Information from Data Fiduciary: The Central Government can, on the basis of certain situations provided in the Seventh Schedule to the Act, call for information from Data Fiduciaries.
The Rules, through their provisions and Schedules, also provide procedural and administrative details pertaining to the functioning of the Board, which is essential to the operationalization of the DPDPA itself. It has been notified that the Board is to comprise four members.
Additionally, it has been announced that certain sections of the DPDPA and the Rules will come into force 12 to 18 months from today, i.e., 14th November 2025.
Our detailed analysis of the Rules will follow shortly. Please reach out to us in case of any queries with regard to the Rules or the parent Act.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.