Introduction
The Ministry of Electronics and Information Technology ("MEITY") formally notified the Digital Personal Data Protection Rules, 2025 ("DPDP Rules" or "Rules") on 13 November 2025. These Rules operationalise key compliance obligations under the Digital Personal Data Protection Act, 2023 ("DPDP Act" or "Act"). The Rules give effect to critical provisions on the processing of personal data, consent, rights and compliance. Further, they require (a) mandatory breach notifications, (b) maintenance of security safeguards, and (c) specialised protections for vulnerable Data Principals, in order to facilitate operational readiness.
While the structure of the draft Rules is largely retained, the final notification introduces definitive enforcement timelines, refined procedural requirements and expanded clarity.
The commencement timeline has been formalised as follows:
- Rules 1, 2 and 17–21 come into force immediately;
- Rule 4 (Consent Manager registration) comes into force after 1 year; and
- Rules 3, 5–16, 22–23 become effective 18 months after
Notice (Rule 3)
The Rules oblige the Data Fiduciary to give the Data Principal a notice, for the purpose of obtaining their informed consent, which must be understandable on its own and written in clear and plain language.
The notice must include:
- An itemised description of the personal data
- The specified purposes and a specific description of the goods or services to be provided or uses to be enabled
- A communication link to the Data Fiduciary's website or app, with details of how the Data Principal may:
  - withdraw consent with ease comparable to giving consent,
  - exercise their statutory rights, and
  - lodge complaints with the Data Protection Board ("DPB").
Consent Manager (Rule 4)
- A Consent Manager must be registered with the DPB and must provide an accessible, transparent and interoperable platform for Data Principals to give, manage, review and withdraw
- A Consent Manager is solely responsible to the Data Principal and shall act on their
- A Consent Manager must be an Indian Company with a minimum net worth of 2 crores.
- A Consent Manager is bound to retain records of consent, the accompanying notices, and the data shared with transferee Data Fiduciaries for a period of at least seven years, or longer if required by law or agreed upon with the Data Principal.
Reasonable Security Safeguards (Rule 6)
The Data Fiduciary must adopt reasonable security safeguards to protect the personal data in its possession or under its control, including personal data processed on its behalf by any Data Processor.
The Data Fiduciaries shall incorporate safeguards, including:
- Encryption, obfuscation, masking, or tokenisation,
- Access controls for computer resources,
- Logging, monitoring, and review for detecting unauthorised access,
- Backup measures to ensure continued processing,
- Retention of logs and personal data for at least one year unless required longer by law,
- Contractual security obligations for Data Processors, and
- Effective organisational and technical measures to ensure full
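The following is an added illustration, not code from the article or from the Rules themselves, of three of the Rule 6 safeguards expressed as code: keyed tokenisation and masking of direct identifiers, a review of an access log that flags actions outside an allow-list (the "logging, monitoring and review" item), and the one-year log retention check. The key material, the record layout, the role/action allow-list and the JSON-lines log format are all constructed for the example.

```python
"""Added example of Rule 6 safeguards as code: keyed tokenisation and masking,
access-log review against an allow-list, and a one-year retention check.
Key, record layout, allow-list and log format are constructed assumptions."""
import hashlib
import hmac
import json
from datetime import date, datetime, timedelta

# Constructed key for the example only; a real deployment loads it from a KMS/HSM.
TOKENISATION_KEY = b"example-only-key-rotate-me"


def tokenise(value: str, key: bytes = TOKENISATION_KEY) -> str:
    """Keyed HMAC-SHA256 token. Stable across records (usable for joins) but,
    unlike a bare SHA-256 of a phone number or email, not recoverable by
    brute force without the key. Input is normalised so case/spacing differences
    do not produce different tokens for the same principal."""
    normalised = value.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()


def mask_email(email: str) -> str:
    """Keep the first character of the local part and the full domain."""
    local, sep, domain = email.partition("@")
    if not sep or not local or not domain:
        raise ValueError("not an email address")
    return local[0] + "*" * (len(local) - 1) + "@" + domain


def mask_phone(phone: str) -> str:
    """Keep only the last four digits."""
    digits = "".join(ch for ch in phone if ch.isdigit())
    return "*" * max(len(digits) - 4, 0) + digits[-4:]


def pseudonymise(record: dict) -> dict:
    """Store a token for linkage plus masked forms for support-desk display;
    the raw identifiers are kept out of this copy of the record."""
    return {
        "principal_token": tokenise(record["email"]),
        "email_masked": mask_email(record["email"]),
        "phone_masked": mask_phone(record["phone"]),
        "purpose": record["purpose"],
    }


# Constructed allow-list: which roles may perform which actions on a resource.
ALLOWED = {"customer_pii": {"analyst": {"read"}, "backup": {"read"}, "dpo": {"read", "export"}}}

# Constructed JSON-lines access log, one event per line.
ACCESS_LOG = """\
{"ts": "2025-11-14T09:10:00+05:30", "actor": "analyst1", "role": "analyst", "resource": "customer_pii", "action": "read"}
{"ts": "2025-11-14T09:12:00+05:30", "actor": "svc-backup", "role": "backup", "resource": "customer_pii", "action": "read"}
{"ts": "2025-11-14T23:50:00+05:30", "actor": "intern7", "role": "intern", "resource": "customer_pii", "action": "export"}
{"ts": "2024-10-01T10:00:00+05:30", "actor": "analyst1", "role": "analyst", "resource": "customer_pii", "action": "read"}
"""


def parse_log(text: str) -> list[dict]:
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def unauthorised_access(entries: list[dict]) -> list[dict]:
    """Review step: any event whose (role, action) pair is not allow-listed
    for the resource is returned for investigation."""
    flagged = []
    for e in entries:
        permitted = ALLOWED.get(e["resource"], {}).get(e["role"], set())
        if e["action"] not in permitted:
            flagged.append(e)
    return flagged


LOG_RETENTION = timedelta(days=365)  # Rule 6: logs kept for at least one year


def split_by_retention(entries: list[dict], today: date) -> tuple[list[dict], list[dict]]:
    """Return (must_keep, purge_candidates). Events younger than one year must
    be retained; older ones may be purged only if no other law requires longer."""
    cutoff = today - LOG_RETENTION
    keep = [e for e in entries if datetime.fromisoformat(e["ts"]).date() >= cutoff]
    purge = [e for e in entries if datetime.fromisoformat(e["ts"]).date() < cutoff]
    return keep, purge


def retention_counts(log_text: str, today_iso: str) -> tuple[int, int]:
    """Convenience wrapper: (retained, purge-eligible) counts for a log text."""
    keep, purge = split_by_retention(parse_log(log_text), date.fromisoformat(today_iso))
    return len(keep), len(purge)


if __name__ == "__main__":
    rec = {"email": "Priya@example.in", "phone": "+91 98765 43210", "purpose": "order_fulfilment"}
    print(pseudonymise(rec))
    for e in unauthorised_access(parse_log(ACCESS_LOG)):
        print("FLAG", e["actor"], e["action"], e["ts"])
    print(retention_counts(ACCESS_LOG, "2025-11-17"))
```

The HMAC construction is the design point worth noting: a plain hash of a low-entropy identifier such as a phone number is trivially reversed by hashing every candidate, so "tokenisation" that does not involve a secret key is not a safeguard in the Rule 6 sense.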
Data Breach Notification (Rule 7)
Upon becoming aware of a personal data breach, the Data Fiduciary must notify the DPB and each affected Data Principal "without delay". The Data Fiduciary must provide a detailed report to the DPB within seventy-two hours of becoming aware of the breach. This report must include a description of the breach, and the risk mitigation and remedial measures implemented.
Data Erasure and Retention (Rule 8 and Third Schedule)
Data Fiduciaries must erase personal data as soon as it is reasonable to assume that the specified purpose is no longer being served, or when the Data Principal withdraws consent (whichever is earlier), unless retention is required by law.
For certain classes of Data Fiduciaries, such as e-commerce entities and online gaming intermediaries that meet specified user thresholds, the retention period is capped at three years from the date the Data Principal last approached the Data Fiduciary for the specified purpose, or the commencement of the Rules, whichever is later.
The Data Fiduciary must notify the Data Principal at least 48 hours before erasing their data.
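As an added worked example (not from the article, and not an interpretation of the Third Schedule beyond what is stated above), the Rule 8 erasure logic described in the three paragraphs above can be written as a function that a retention job evaluates per record: erase at the earlier of purpose-end and consent withdrawal, apply the three-year cap for the classes the Rules name (measured from the later of the last approach and the commencement of the Rules), let a retention period required by law override, and derive the latest time for the 48-hour advance notice. The record layout, the `capped_class` flag (the caller decides whether the entity meets the user thresholds; they are not modelled here) and the commencement date passed in are constructed assumptions.

```python
"""Added example: Rule 8 erasure schedule as code. Record layout, the
capped_class flag and the commencement date are constructed assumptions."""
from datetime import date, datetime, time, timedelta
from typing import Optional

NOTICE_LEAD = timedelta(hours=48)  # notify at least 48 hours before erasure
CAP_YEARS = 3                      # cap for the specified classes of Data Fiduciary


def add_years(d: date, years: int) -> date:
    """Calendar-year addition; 29 February rolls to 28 February in a non-leap year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def erasure_date(
    purpose_end: Optional[date],
    consent_withdrawn: Optional[date],
    last_approach: date,
    rules_commencement: date,
    capped_class: bool,
    legal_hold_until: Optional[date] = None,
) -> Optional[date]:
    """Earlier of purpose-end and consent withdrawal; for capped classes, never
    later than three years from the later of last approach and commencement;
    a retention period required by law overrides both. None means the data
    may still be processed (purpose served, no withdrawal, no cap reached)."""
    candidates = [d for d in (purpose_end, consent_withdrawn) if d is not None]
    if capped_class:
        candidates.append(add_years(max(last_approach, rules_commencement), CAP_YEARS))
    if not candidates:
        return None
    erase_on = min(candidates)
    if legal_hold_until is not None and legal_hold_until > erase_on:
        erase_on = legal_hold_until
    return erase_on


def notice_deadline(erase_on: date) -> datetime:
    """Latest moment the 48-hour advance notice may be sent, assuming the
    erasure job runs at the start of erase_on (a constructed convention)."""
    return datetime.combine(erase_on, time.min) - NOTICE_LEAD


def schedule(record: dict, rules_commencement_iso: str) -> dict:
    """Convenience for JSON-shaped records with ISO-8601 dates (or missing keys)."""
    def parse(key: str) -> Optional[date]:
        value = record.get(key)
        return date.fromisoformat(value) if value else None

    erase_on = erasure_date(
        parse("purpose_end"),
        parse("consent_withdrawn"),
        date.fromisoformat(record["last_approach"]),
        date.fromisoformat(rules_commencement_iso),
        record["capped_class"],
        parse("legal_hold_until"),
    )
    if erase_on is None:
        return {"erase_on": None, "notify_by": None}
    return {"erase_on": erase_on.isoformat(), "notify_by": notice_deadline(erase_on).isoformat()}


if __name__ == "__main__":
    # Constructed records; "2027-01-01" is a placeholder commencement date, not the real one.
    print(schedule({"last_approach": "2025-12-01", "purpose_end": "2026-03-01",
                    "consent_withdrawn": "2026-01-15", "capped_class": False}, "2027-01-01"))
    print(schedule({"last_approach": "2026-06-01", "capped_class": True}, "2027-01-01"))
```

The cap branch is the part most often got wrong in retention jobs: because the three years run from the later of the last approach and the commencement date, a record untouched since before commencement is not immediately overdue on the day the Rules take effect.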
Significant Data Fiduciaries (SDFs) - Additional Obligations (Rule 13)
Upon being notified as a Significant Data Fiduciary (SDF), entities must adhere to additional obligations:
- Appoint a Data Protection Officer (DPO) situated in India, who shall be the representative for compliance and the primary contact for grievances. The DPO must be an individual responsible to the board of directors or equivalent governing body.
- Appoint an Independent Data Auditor ("IDA") to carry out compliance
- Conduct Data Protection Impact Assessments (DPIAs) and submit a report containing significant observations to the DPB at least once every twelve months.
- Ensure that any algorithmic systems deployed for processing personal data do not violate the rights of Data Principals.
Cross-Border Transfer of Personal Data (Rule 15)
The Central Government retains the power to restrict the transfer of personal data to specified countries or territories outside India by issuing a notification. This confirms the government's approach to regulating cross-border data transfer based on adequacy assessments or other relevant factors.
Calling for Information from Data Fiduciary or Intermediary (Rule 23)
The Central Government is empowered to require any Data Fiduciary or intermediary to provide information within a specified time period. If the disclosure of such information could harm the sovereignty, integrity or security of India, the Data Fiduciary or intermediary must not disclose it without prior written permission from the authorised person.
MHCO Comment
By specifying minimum requirements for Consent Managers, establishing clear 72-hour timelines for breach reporting, and imposing mandatory annual DPIAs and DPO appointments for SDFs, the government has created a robust and accountable data governance framework. The staggered commencement timeline provides a structured compliance runway, but entities with high user volumes, digital platforms, or cross-border data flows must begin immediate readiness planning. The focus must shift immediately to ensuring complete compliance with the finalised framework.
This article was released on 17 November 2025.