MeitY notifies Digital Personal Data Protection Rules, 2025

The Ministry of Electronics and Information Technology (“MeitY”) has notified the Digital Personal Data Protection Rules, 2025 (“Rules”) under the Digital Personal Data Protection Act, 2023 (“Act”). Only a limited set of procedural provisions take effect immediately, while the substantive compliance framework activates after a significant transition period. Rules 1, 2 and 17 to 21 are effective immediately, covering the following provisions:
- Rule 1 – Short title and commencement
- Rule 2 – Definitions
- Rule 17 – Appointment of Chairperson and other Members
- Rule 18 – Salaries, allowances and other conditions of service of the Chairperson and Members
- Rule 19 – Procedure for meetings of the Board and authentication of its orders and directions
- Rule 20 – Board to function as a digital office
- Rule 21 – Terms and conditions of appointment and service of officers and employees of the Board
Rule 4, which provides for the registration and obligations of consent managers, shall come into force one year after the date of publication (i.e., 13th November 2026).
All operative obligations for businesses, including notice requirements, consent mechanics, children’s data safeguards, breach reporting, security standards, retention and deletion timelines, and duties of Significant Data Fiduciaries, will come into effect 18 months after the date of publication (i.e., 13th May 2027). This transition period gives organisations the time needed to build internal systems, upgrade governance frameworks, and prepare for full compliance.
Key Highlights:
- Clear standards for notices and consent, requiring Data Fiduciaries to issue unbundled, simple-to-understand notices outlining data categories, processing purposes, risks, rights, and contact details of grievance personnel or the Data Protection Officer.
- Consent managers must meet defined eligibility conditions relating to financial capacity, technical competence, and governance. They must provide interoperable consent dashboards enabling individuals to grant, manage, review, and withdraw consent easily.
- State entities processing personal data for benefits, permits, certificates, and statutory functions can continue such processing based on the safeguards outlined in the Second Schedule, reinforcing transparency and purpose limitation.
- Mandatory security safeguards include encryption, strict access controls, audit logs, incident detection mechanisms, disaster recovery systems, and binding obligations on processors to implement equivalent measures.
- Detailed personal data breach reporting framework requires Data Fiduciaries to notify individuals promptly, explain the nature and likely impact of the breach, outline mitigation steps, and simultaneously inform the Board with periodic updates.
- Purpose-limited retention and deletion duties require erasing data after the purpose is fulfilled unless law mandates retention. Individuals must be informed 48 hours before deletion and provided with clear options to retain or continue processing.
- Comprehensive requirements for processing children’s data, including verifiable parental consent, proof of identity and age validation, and reliance on trusted digital credentials or authorised verification routes.
- Safeguards for persons with disabilities allow verified lawful guardians to provide consent, supported by reliable verification pathways such as court orders, authorised authority records, or institutional documents.
- Exemptions for specific processing of children’s data apply where listed in the Fourth Schedule, subject to strict conditions designed to maintain privacy protections while supporting certain types of processing.
- Enhanced obligations for Significant Data Fiduciaries (SDFs) include data protection impact assessments, periodic audits, algorithmic bias checks, additional transparency measures, and stricter oversight of cross-border data flows.
- Structured procedures for classifying Data Fiduciaries as SDFs based on factors such as volume, sensitivity, and risk associated with the processing, with corresponding duties triggered upon designation.
- Restrictions on cross-border data transfers where notified, including obligations to ensure adequate safeguards, contractual controls, and adherence to listed countries and mechanisms approved under the Act and Rules.
- Clear responsibilities for Data Processors requiring them to act only on documented instructions, ensure technical and organisational measures, maintain logs, and support Data Fiduciaries in compliance with retention, deletion, and breach-reporting requirements.
- Standardized formats for notices, consent management, breach reporting, and retention logs are set out through Schedules, ensuring uniformity across sectors and facilitating consistent reporting to individuals and the Board.
- Verification standards for identity, age, and lawful authority are detailed to ensure reliable authentication before collecting or processing personal data in high-risk contexts.
- Detailed record-keeping requirements mandate Data Fiduciaries to maintain logs of consent, access, transfers, deletion, and security events for prescribed minimum periods.
- Operational framework for the Data Protection Board covers digital functioning, case allocation, time-bound inquiry processes, authentication of orders, emergency measures, and procedures for hearing parties.
- Appeals process streamlined through digital filing before the designated Appellate Tribunal, along with rules governing submission formats, timelines, and recognition of digital signatures.
- Duties relating to research, archiving, and statistical purposes are clarified, allowing certain processing without fresh consent when carried out under strict conditions listed in the Fifth Schedule.
- Grievance redressal expectations require timely acknowledgment, clear resolution pathways, and availability of contact details of grievance officers in notices and consent documents.
For regulatory updates and update-related services, send an email to inquiries@lexplosion.in.
Source: Ministry of Electronics and Information Technology