The Ministry of Electronics and Information Technology ("MeitY") on 14.11.2025 published multiple notifications numbered G.S.R. 843(E)¹, G.S.R. 844(E)², G.S.R. 845(E)³ and G.S.R. 846(E)⁴, to bring into force the provisions of the Digital Personal Data Protection Act, 2023 ("DPDPA"), publish and enforce the Digital Personal Data Protection Rules, 2025 ("DPDP Rules"), establish the Data Protection Board of India ("DPB") and notify that the DPB shall consist of 4 members with its head office in the National Capital Region of India.
The DPDP Rules primarily provide for:
- Notice requirements: The notice provided to the Data Principal ("DP") by the Data Fiduciary ("DF") has to be in clear and plain language to enable the DP to give specific and informed consent for processing their personal data, with an itemized description of the data being processed, and with a link where they can withdraw their consent, exercise their rights and make a complaint to the DPB.
- Reasonable security safeguards: The security safeguards for protection of personal data should include appropriate data security measures, access controls on computer resources, logs, monitoring and reviews for detection of unauthorised access, measures for continued processing in the event of confidentiality or integrity breach, retention of data by class of DF as given in the schedule, and appropriate provisions in the agreement signed with data processors for taking reasonable safeguards.
- Intimation on data breach: On becoming aware of a personal data breach, the DF should notify both the DP and the DPB of the breach and, within seventy-two hours of becoming aware, provide a summary of the breach to the DPB including broad facts of the event, measures implemented to mitigate risks and remedial measures taken to prevent recurrence.
- Verifiable consent from parent/guardian on processing of personal data of children and people with disability: The DF should adopt appropriate measures to verify the identity and age of the parent or guardian and the concerned DP, and get verifiable consent from the parent or guardian when processing data of children and people with disability.
- Additional obligations of significant DF: Any DF that has been identified as a significant DF is required to comply with additional obligations such as conducting a data protection impact assessment and audits annually, furnishing significant observations to the DPB and observing due diligence to verify that technical measures do not infringe the rights of the DP.
- Rights of DP: The DPDP Rules provide how a DP can exercise their rights with the DF, the DPB and consent managers. A DP can also nominate one or more individuals for the exercise of their rights, subject to the terms of the DF and the law in place at the time.
- International transfer of data: Personal data processed by DF can be transferred outside India, subject to restrictions imposed by the Central Government.
- Appeal to Appellate Tribunal: Any person aggrieved by an order or direction of the DPB can prefer an appeal before the Appellate Authority. The Appellate Tribunal shall not be bound by the procedure laid down in the Code of Civil Procedure but will be guided by the principles of natural justice. Additionally, the Appellate Tribunal shall function as a digital office.
- Calling for information from DF or intermediary: The Central Government may, for such purposes as specified under the DPDPA and the seventh schedule of the DPDP Rules, call for information from a DF or intermediary. Where the disclosure of such calling is prejudicial to the sovereignty or integrity of the nation, the DF and intermediary shall not notify the DP of such disclosure.
Further, MeitY has also notified the implementation timelines of the provisions of the DPDPA and the DPDP Rules, which will come into force in a staggered manner. Sections and rules primarily pertaining to definitions, formation of the DPB, and powers of the Central Government have come into force on the date of this notification, i.e., 14.11.2025. Sections and rules concerning the consent manager shall come into force one year from the date of this notification, i.e., 14.11.2026. The rest of the sections and rules, primarily revolving around duties of the DF, rights and duties of the DP, processing of personal data and powers and functions of the DPB, shall come into force eighteen months from the date of the notification, i.e., 14.05.2027.
Footnotes
1 Enforcement Timeline for the DPDP Act
2 Establishment of the Data Protection Board of India
3 Decision Regarding Number of Members in the Data Protection Board of India
4 Digital Personal Data Protection Rules, 2025.