India's Comprehensive Data Protection Resource  ·  DPDPA @2026  ·  From Implementation to Board Representation

Digital Personal Data Protection Rules, 2025 Simplified Study Notes (Simple Language)
For the exact legal provisions, please refer to the official DPDP Rules.

These notes explain the key Rules of the Digital Personal Data Protection Rules, 2025 in simple language. Each Rule is broken into (i) what the Rule says, (ii) what it means in practice, and (iii) a real-life example. This is suitable for certification training of lawyers, Data Protection Officers (DPOs), and compliance teams.

Rule 1 — Short Title & Commencement

Relevant text: Rule 1(1) to Rule 1(4).

What it says
  • These rules are called the Digital Personal Data Protection Rules, 2025.
  • Different Rules start on different dates:
      • Rules 1, 2 and 17 to 21: effective immediately on publication.
      • Rule 4: effective one year after publication.
      • Rules 3, 5 to 16, 22 and 23: effective eighteen months after publication.
What it means (practical)

The law gives organisations time to build systems and processes before all compliance requirements become enforceable. Some administrative/Board-related rules apply immediately, while operational compliance (notice, safeguards, breach reporting, children's consent, etc.) has a deferred start.

Example

A fintech may need time to redesign its consent notice screens and breach reporting workflow. The staggered dates ensure the company can implement changes before the related Rules apply.

Rule 2 — Definitions

Relevant text: Rule 2(1)(a) to Rule 2(1)(d) and Rule 2(2).

What it says
  • Rule 2(1)(a): “Act” means the Digital Personal Data Protection Act, 2023.
  • Rule 2(1)(b): “Techno-legal measures” refers to measures mentioned under Rules 20 and 22 (digital-first proceedings).
  • Rule 2(1)(c): “User account” includes any online account identity: email, mobile number, profile, handle, etc.
  • Rule 2(1)(d): “Verifiable consent” means consent as specified in Rule 10 or Rule 11.
  • Rule 2(2): Terms not defined in Rules but defined in the Act carry the same meaning.
What it means (practical)

The Rules clarify key terms used repeatedly—especially user account and verifiable consent—so organisations design compliance flows consistently across apps and websites.

Example

If you sign in using your phone number and OTP, the profile linked to that phone number is treated as your “user account” for notifications like breach alerts and consent withdrawal.

Rule 3 — Notice to Data Principal

Relevant text: Rule 3(a), Rule 3(b)(i)–(ii), Rule 3(c)(i)–(iii).

What it says
  • Rule 3(a): The notice must be understandable on its own (not hidden inside other documents).
  • Rule 3(b): The notice must be clear and plain, and must include at minimum:
      • Rule 3(b)(i): An itemised description of the personal data being processed.
      • Rule 3(b)(ii): The specified purpose(s) and what service/use is enabled by such processing.
  • Rule 3(c): The notice must provide links/means for the Data Principal to:
      • Rule 3(c)(i): Withdraw consent easily (as easy as giving consent).
      • Rule 3(c)(ii): Exercise rights under the Act.
      • Rule 3(c)(iii): Make a complaint to the Board.
What it means (practical)

A company cannot rely on a vague privacy policy. The notice should explicitly tell the user: what data is collected, why, and how to withdraw consent or raise complaints. The withdrawal path must be as easy as the opt-in path.

Example

A loan app notice should say: “We collect PAN and Aadhaar for identity verification, bank account for disbursal, salary slips for eligibility.” It must also include a button/link like “Withdraw marketing consent” and a link “Raise complaint to Data Protection Board.”

Rule 4 — Registration & Obligations of Consent Manager

Relevant text: Rule 4(1)–(6) and First Schedule (Parts A and B).

What it says
  • Rule 4(1): Eligible entities can apply to the Board to register as a Consent Manager, as per conditions in First Schedule (Part A).
  • Rule 4(2): The Board may inquire into eligibility and either register the applicant (and publish details) or reject with reasons.
  • Rule 4(3): Consent Manager must follow obligations listed in First Schedule (Part B).
  • Rule 4(4): If the Board finds non-adherence, it can direct corrective measures after hearing.
  • Rule 4(5): The Board may suspend/cancel registration and issue directions to protect Data Principals, with reasons recorded and after hearing.
  • Rule 4(6): The Board can require the Consent Manager to furnish information.
What it means (practical)

A Consent Manager is a regulated entity that helps individuals manage consent across services (give, review, withdraw). It must be registered and can be suspended/cancelled if it harms Data Principals or fails its obligations.

Example

If multiple financial services use a consent dashboard to manage customer permissions, the operator of that dashboard may need to register as a Consent Manager. If it fails to honour withdrawals or misroutes consents, the Board can suspend its registration.

Rule 5 — State processing for subsidy/benefit/service/certificate/licence/permit

Relevant text: Rule 5(1)–(2) and Second Schedule.

What it says
  • Rule 5(1): State processing under this Rule must follow standards in the Second Schedule.
  • Rule 5(2): Clarifies what is meant by benefits provided under law, policy or using public funds:
      • Rule 5(2)(a): Under law (statutory power/function).
      • Rule 5(2)(b): Under policy/instructions (executive power).
      • Rule 5(2)(c): Using public funds (Consolidated Fund/Public Account or local authority funds).
What it means (practical)

Government departments and instrumentalities processing data for welfare or public services must follow prescribed standards. This provides a structured framework for processing personal data in citizen service delivery.

Example

A department processing identity details to issue a driving licence must follow the Second Schedule standards—for example, limiting access to authorised staff and maintaining logs.

Rule 6 — Reasonable Security Safeguards

Relevant text: Rule 6(1)(a)–(g) and Rule 6(2).

What it says
  • Rule 6(1)(a): Use measures like encryption, obfuscation, masking, or virtual tokens.
  • Rule 6(1)(b): Implement access controls for systems used by Data Fiduciary/Processor.
  • Rule 6(1)(c): Maintain logs, monitoring and review to detect unauthorised access and prevent recurrence.
  • Rule 6(1)(d): Ensure backups/continuity if data availability or integrity is compromised.
  • Rule 6(1)(e): Retain logs and relevant personal data for at least one year (unless other law requires longer).
  • Rule 6(1)(f): Include security safeguard clauses in Data Fiduciary–Data Processor contracts.
  • Rule 6(1)(g): Adopt technical and organisational measures (policies, training, governance).
  • Rule 6(2): “Computer resource” has the same meaning as in the IT Act, 2000.
What it means (practical)

Security includes tools and processes: protect data (encryption/tokenization), restrict access, keep audit trails, maintain backups, and ensure vendors are contractually bound to equivalent safeguards.

Example

A hospital should use role-based access (only doctors/nurses who need access), log every access to patient files, encrypt data, and include strict security clauses in its cloud vendor contract.

Rule 7 — Intimation of Personal Data Breach

Relevant text: Rule 7(1)(a)–(e) and Rule 7(2)(a)–(b)(i)–(vi).

What it says
  • Rule 7(1): Inform each affected Data Principal ‘without delay’ (via user account or registered communication), including:
      • Rule 7(1)(a): What happened—nature, extent, timing.
      • Rule 7(1)(b): Likely consequences for the person.
      • Rule 7(1)(c): Mitigation actions taken/being taken.
      • Rule 7(1)(d): Safety steps the person should take.
      • Rule 7(1)(e): Contact details of a responsible person.
  • Rule 7(2): Inform the Board:
      • Rule 7(2)(a): Without delay—basic description including likely impact.
      • Rule 7(2)(b): Within 72 hours (or longer if Board allows), provide:
          • Rule 7(2)(b)(i): Updated/detailed information.
          • Rule 7(2)(b)(ii): Events/circumstances/reasons leading to breach.
          • Rule 7(2)(b)(iii): Mitigation measures implemented/proposed.
          • Rule 7(2)(b)(iv): Findings about who caused the breach (if known).
          • Rule 7(2)(b)(v): Remedial measures to prevent recurrence.
          • Rule 7(2)(b)(vi): Report on user intimations issued.
What it means (practical)

Breach reporting is two-track: quickly alert impacted people, and report to the Board promptly with a detailed update within 72 hours. Companies should maintain an incident response plan and communication templates.

Example

If a payment app detects unauthorised access to transaction data, it should alert affected users immediately and guide them (change password, watch for fraud), and submit a Board report within 72 hours with root cause and prevention steps.

Rule 8 — Erasure when purpose is no longer served (Retention & logs)

Relevant text: Rule 8(1)–(3) and Illustrations.

What it says
  • Rule 8(1): For certain classes/purposes (Third Schedule), erase personal data after the specified time if the user is inactive, unless another law requires retention.
  • Rule 8(2): Inform the user at least 48 hours before erasure; allow them to log in/contact/exercise rights to stop erasure.
  • Rule 8(3): Retain personal data + traffic data/logs for at least one year from processing date (Seventh Schedule purposes), then erase unless other law/Govt notification requires longer.
What it means (practical)

Retention must be planned: data cannot be kept forever, but security and dispute-handling needs require logs for at least one year. Even if an account is deleted, certain records may still be retained for the minimum period.

Examples

Example 1: After an e-book purchase is completed, the platform must keep order/payment/delivery logs for at least one year even if the user deletes the account.

Example 2: If a company uses a cloud vendor, the company must ensure the vendor also retains required logs for at least one year before erasure.

Rule 9 — Contact details for processing-related queries

Relevant text: Rule 9.

What it says
  • Publish business contact details of the DPO (if applicable) or a responsible person on the website/app and include it in responses to rights-related communications.
What it means (practical)

Users must have a clear way to contact the organisation about their personal data. The contact information should be prominent and consistently used.

Example

A bank lists ‘Privacy Officer: privacy@bank.com’ on its website/app and includes the same contact in replies to access/correction/erasure requests.

Rule 10 — Verifiable consent for children

Relevant text: Rule 10(1)–(2) and Illustrations.

What it says
  • Rule 10(1): Before processing a child’s data, obtain verifiable parental consent and verify the parent is an identifiable adult.
      • Rule 10(1)(a): Verification can use reliable identity/age details already held by the platform.
      • Rule 10(1)(b): Or identity/age details voluntarily provided directly or via a virtual token from an authorised entity (including Digital Locker).
  • Rule 10(2): Adult means 18+; authorised entity includes government/entrusted entities and Digital Locker service providers.
What it means (practical)

Children’s onboarding needs a parent verification step. Simply asking ‘Are you under 18?’ is not enough if the platform continues processing without verifying parental authority.

Example

A gaming/edtech app can allow a child account only after the parent verifies identity/age using a trusted identity proof or a Digital Locker-based token.

Rule 11 — Verifiable consent for persons with disability (lawful guardian)

Relevant text: Rule 11(1)–(2).

What it says
  • Rule 11(1): Verify that the lawful guardian is appointed by a court or designated authority/local level committee under applicable guardianship law.
  • Rule 11(2): Defines designated authority and the guardianship laws and who is covered.
What it means (practical)

If a guardian gives consent on behalf of a person with disability, the organisation should ask for official proof of guardianship before relying on that consent.

Example

A hospital portal grants record-management access to a guardian only after verifying the guardianship appointment document.

Rule 12 — Limited exemptions for children’s data processing

Relevant text: Rule 12(1)–(2) and Fourth Schedule.

What it says
  • Rule 12 permits limited exemptions from certain Section 9 obligations for specified classes/purposes (Fourth Schedule), subject to conditions.
What it means (practical)

Some child-related processing may be exempted in limited cases, but organisations must meet the specific conditions in the Fourth Schedule before relying on the exemption.

Example

A regulated education platform may get a limited exemption for specific purposes, but only if it satisfies the conditions notified.

Rule 13 — Additional obligations of Significant Data Fiduciary (SDF)

Relevant text: Rule 13(1)–(5).

What it says
  • Rule 13(1): Annual DPIA and audit (every 12 months).
  • Rule 13(2): DPIA/audit person must submit a report with significant observations to the Board.
  • Rule 13(3): Due diligence to verify that technical measures/algorithms are not likely to pose a risk to Data Principals’ rights.
  • Rule 13(4): For specified data, ensure that the data and related traffic data are not transferred outside India.
  • Rule 13(5): A Government committee supports the working of this Rule.
What it means (practical)

Large/high-risk companies have higher duties: regular DPIA and audits, oversight of algorithms, and possible localisation for specified categories of data.

Example

A large payment platform notified as SDF must run annual audits, document privacy risks, and ensure fraud-detection algorithms do not unfairly impact users.

Rule 14 — Operationalising rights of Data Principals

Relevant text: Rule 14(1)–(5).

What it says
  • Rule 14(1): Publish the methods to request rights and identifiers needed.
  • Rule 14(2): Data Principal can submit requests using those methods.
  • Rule 14(3): Publish grievance timeline ≤ 90 days and implement measures to meet it.
  • Rule 14(4): Enable nomination (as per terms of service and applicable law).
  • Rule 14(5): Identifier includes customer ID, application reference, email, mobile number, licence number, etc.
What it means (practical)

Companies must have clear privacy-request mechanisms, a grievance system, and the ability to respond within 90 days.

Example

An app provides a ‘Privacy Requests’ section where users can request access/correction/erasure using their registered email or mobile number and track status.

Rule 15 — Transfer outside India (conditions)

Relevant text: Rule 15.

What it says
  • Transfer is allowed, but Data Fiduciary must comply with Central Government requirements for making data available to a foreign State or its agencies/entities.
What it means (practical)

Cross-border transfers are permitted but can be conditioned or restricted by Government orders, especially regarding foreign state access.

Example

A SaaS provider hosting data abroad may need additional safeguards if Government orders specify restrictions for foreign state access.

Rule 16 — Research/archiving/statistical exemption

Relevant text: Rule 16 and Second Schedule.

What it says
  • The Act does not apply to processing necessary for research/archiving/statistical purposes if carried out as per Second Schedule standards.
What it means (practical)

Responsible research can be exempted if it follows standards and is not used to make decisions about specific individuals.

Example

A university analyses anonymised datasets to publish statistics without identifying individuals, following prescribed standards.

Rules 17–21 — Data Protection Board functioning (high-level)

  • Rule 17: Appointment through Search-cum-Selection Committees with senior officials and experts.
  • Rule 18: Salaries/terms as per Fifth Schedule.
  • Rule 19: Meeting procedure (quorum 1/3), voting rules, conflict of interest abstention, emergency decisions, authentication, inquiry timeline (6 months + extensions).
  • Rule 20: Board as digital office using techno-legal measures.
  • Rule 21: Board can appoint staff with Government approval; terms as per Sixth Schedule.

Rule 22 — Appeal to Appellate Tribunal (digital)

Relevant text: Rule 22(1)–(3).

  • Rule 22(1): Appeal can be filed digitally.
  • Rule 22(2): Fee payable digitally (UPI or RBI-authorised systems), similar to TRAI Act appeals.
  • Rule 22(3): Tribunal follows natural justice, not bound by CPC; Tribunal functions as digital office.

Rule 23 — Government can call for information (and can impose confidentiality)

Relevant text: Rule 23(1)–(3).

  • Rule 23(1): Government can require Data Fiduciary/intermediary to provide information for Seventh Schedule purposes through authorised person.
  • Rule 23(2): Government can direct the entity not to disclose the request/furnishing if disclosure could harm sovereignty/integrity/security.
  • Rule 23(3): Intermediary meaning same as IT Act.

Quick Compliance Checklist (Training Summary)

  • Stand-alone notice with itemised data and specific purposes (Rule 3).
  • Consent withdrawal as easy as giving consent (Rule 3).
  • Minimum security safeguards + vendor contract clauses (Rule 6).
  • Immediate breach alert to users + Board reporting + 72-hour detailed report (Rule 7).
  • Retention/erasure plan; keep logs for at least one year (Rule 8).
  • Publish DPO/Privacy contact information (Rule 9).
  • Verifiable parental/guardian consent flows (Rules 10 & 11).
  • Annual DPIA/audit and algorithmic risk checks for SDFs (Rule 13).
  • Publish rights request channels and meet grievance timeline within 90 days (Rule 14).
  • Digital-first readiness for Board/Tribunal proceedings and appeals (Rules 19–22).
  • Protocol for Government information requests and confidentiality directions (Rule 23).

Simplified Explanation of Schedules (Simple Language)

Explained Schedule by Schedule

FIRST SCHEDULE

Topic: Registration & duties of a Consent Manager (a company that helps people manage consent for sharing personal data).

Part A - Conditions to register as a Consent Manager
  1. Must be a company incorporated in India.
  2. Must have enough technical, operational, and financial capacity to do the job.
  3. Management and financial condition should be sound.
  4. Net worth must be at least Rs. 2 crore.
  5. Business volume, capital structure, and earning prospects should be adequate.
  6. Directors and senior management must have a good reputation and integrity.
  7. Company documents (MoA/AoA) must include provisions to follow key obligations (especially conflict of interest controls) and can be changed only with Board approval.
  8. Proposed operations should be in the interest of Data Principals (the individuals whose data is involved).
  9. Independent certification must confirm the platform meets Board-published standards and that proper technical and organisational measures exist.
Part B - Obligations of a Consent Manager
  1. Provide a platform for individuals to give, manage, review, and withdraw consent for processing their personal data.
  2. Ensure that any personal data made available/shared cannot be read by the Consent Manager.
  3. Maintain records of (a) consent given/denied/withdrawn, (b) notices connected to consent requests, and (c) sharing of personal data with other Data Fiduciaries.
  4. Give the individual access to these records, provide them in machine-readable form on request (as per terms), and keep them for at least 7 years (or longer if agreed/required by law).
  5. Provide services mainly through a website/app (or both).
  6. Do not subcontract or assign these obligations to others.
  7. Take reasonable security safeguards to prevent personal data breaches.
  8. Act in a fiduciary capacity for the individual (act in the user’s best interest).
  9. Avoid conflicts of interest with Data Fiduciaries (including their promoters and key managerial personnel).
  10. Ensure directors/KMP/senior management do not create conflicts via directorships, financial interests, employment, ownership, or material relationships with Data Fiduciaries.
  11. Publish key transparency information on the website/app (promoters/directors/KMP/senior management; shareholders over 2%; related corporate holdings over 2%; and any other info directed by the Board).
  12. Maintain effective audit mechanisms and report results to the Board as required (covering controls, continued eligibility, and compliance).
  13. Do not transfer control of the Consent Manager (sale/merger etc.) without prior Board approval.

SECOND SCHEDULE

Topic: Standards for processing personal data by the State and its instrumentalities for certain purposes.

  • Processing must be lawful.
  • Use data only for the permitted government purposes mentioned in the law/rules.
  • Collect/process only the data necessary for those purposes.
  • Make reasonable efforts to keep data complete, accurate, and consistent.
  • Keep data only as long as needed for the purpose or required by law.
  • Use reasonable security safeguards to prevent data breaches (including when processors are involved).
  • Where required, inform the individual and provide (i) business contact details for queries and (ii) a link to the website/app to exercise rights, and (iii) follow other applicable standards/policies.
  • Ensure accountability of the person/entity deciding purpose and means of processing.

THIRD SCHEDULE

Topic: Time limits (retention periods) for certain large Data Fiduciaries (platforms) to keep personal data.

  • Applies to: (1) e-commerce entities with 2 crore or more registered users in India, (2) online gaming intermediaries with 50 lakh or more registered users in India, (3) social media intermediaries with 2 crore or more registered users in India.

Main rule (simplified):

  • For most purposes, they should not keep personal data beyond 3 years from the last time the user approached them for that purpose or to exercise their rights, or from the start of the Digital Personal Data Protection Rules, 2025 - whichever is later.

Exceptions (simplified):

  • They may keep data needed to let the user access their account.
  • They may keep data needed to let the user access virtual tokens/credits stored on the platform (used for money, goods, or services).
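Rule 8 above and the Third Schedule together fix when a covered platform must erase inactive users' data; the scheduler below is an added example, not part of these notes, that applies the Third Schedule's 3-year rule (from the later of the last approach and commencement), its account-access and stored-token exceptions, Rule 8(2)'s 48-hour pre-erasure intimation and Rule 8(3)'s one-year log floor. The threshold and period constants come from the notes; the commencement date, the user records and the "other law requires longer" date are constructed placeholders supplied by the caller.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Third Schedule thresholds (registered users in India); 1 crore = 10,000,000, 1 lakh = 100,000.
CRORE, LAKH = 10_000_000, 100_000
THRESHOLDS = {"e-commerce": 2 * CRORE, "online gaming": 50 * LAKH, "social media": 2 * CRORE}
RETENTION_YEARS = 3                        # Third Schedule main rule
PRE_ERASURE_NOTICE = timedelta(days=2)     # Rule 8(2): at least 48 hours' notice before erasure
MIN_LOG_RETENTION = timedelta(days=365)    # Rule 8(3): logs kept at least one year from processing


def is_covered(platform_class: str, registered_users_in_india: int) -> bool:
    """True if the platform is a class of Data Fiduciary covered by the Third Schedule."""
    threshold = THRESHOLDS.get(platform_class)
    return threshold is not None and registered_users_in_india >= threshold


def add_years(d: date, years: int) -> date:
    """Add calendar years; a 29 February start rolls back to 28 February in a non-leap year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


@dataclass(frozen=True)
class UserDataRecord:
    purpose: str
    last_approach: date                      # last time the user approached for this purpose or exercised rights
    needed_for_account_access: bool = False  # Third Schedule exception (account access)
    needed_for_stored_tokens: bool = False   # Third Schedule exception (virtual tokens/credits)
    other_law_retention_until: Optional[date] = None  # longer period required by another law, if any


@dataclass(frozen=True)
class Schedule:
    erase_on: Optional[date]   # None: no time-limited erasure under the Third Schedule
    notify_by: Optional[date]  # last day to send the Rule 8(2) pre-erasure intimation
    basis: str


def retention_schedule(rec: UserDataRecord, commencement: date) -> Schedule:
    """Compute when Third Schedule data must be erased and by when the user must be warned."""
    if rec.needed_for_account_access or rec.needed_for_stored_tokens:
        return Schedule(None, None, "Third Schedule exception: account access / stored tokens")
    start = max(rec.last_approach, commencement)   # whichever is later
    erase_on = add_years(start, RETENTION_YEARS)
    basis = "Third Schedule: 3 years from the later of last approach and commencement"
    if rec.other_law_retention_until and rec.other_law_retention_until > erase_on:
        erase_on, basis = rec.other_law_retention_until, "Rule 8(1): other law requires longer retention"
    return Schedule(erase_on, erase_on - PRE_ERASURE_NOTICE, basis)


def action_on(sched: Schedule, today: date) -> str:
    """'retain', 'notify' (48-hour intimation window open) or 'erase' for a given day."""
    if sched.erase_on is None or today < sched.notify_by:
        return "retain"
    return "erase" if today >= sched.erase_on else "notify"


def logs_erasable_from(processing_date: date, other_law_until: Optional[date] = None) -> date:
    """Rule 8(3): earliest day personal data/logs kept for Seventh Schedule purposes may be erased."""
    floor = processing_date + MIN_LOG_RETENTION
    return max(floor, other_law_until) if other_law_until else floor


if __name__ == "__main__":
    commencement = date(2027, 1, 1)   # constructed placeholder, not the real commencement date
    rec = UserDataRecord("order history", last_approach=date(2026, 6, 1))   # constructed record
    sched = retention_schedule(rec, commencement)
    print(sched, action_on(sched, date(2029, 12, 31)))
```

A user who logs in during the 48-hour window simply gets a new last_approach, and re-running retention_schedule restarts the 3-year clock.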

FOURTH SCHEDULE

Topic: Certain exemptions for processing children’s data (where some requirements of section 9(1) and 9(3) do not apply), subject to strict conditions.

Part A - Classes of Data Fiduciaries exempt (in specific situations)
  • Healthcare establishments/professionals: only for providing health services to the child (necessary for protecting the child’s health).
  • Allied healthcare professionals: only to support healthcare treatment/referral plans (necessary for protecting the child’s health).
  • Educational institutions: only for tracking/behaviour monitoring for education activities or safety of enrolled children.
  • Crèches/day care caregivers: only for tracking/behaviour monitoring for children’s safety.
  • Transport providers engaged by schools/crèches/child care: only for tracking location during travel for children’s safety.
Part B - Purposes exempt (with conditions)
  • To perform legal powers/duties in a child’s interest - only as necessary.
  • To provide government subsidy/benefit/service/certificate/licence/permit in a child’s interest - only as necessary.
  • To create an email account used only for email communication - only as necessary.
  • To determine a child’s real-time location for safety/protection/security - only location tracking and only as necessary.
  • To ensure harmful information/services/advertisements are not accessible to a child - only as necessary.
  • To confirm the user is not a child and to follow due diligence rules - only as necessary.

FIFTH SCHEDULE

Topic: Salary and service conditions for the Chairperson and Members of the Data Protection Board.

  • Chairperson salary: Rs. 4,50,000 per month (no house and car facility).
  • Member salary (other than Chairperson): Rs. 4,00,000 per month (no house and car facility).
  • Provident Fund: eligible as per Board employee rules.
  • No pension or gratuity for Board service.
  • Travel allowances: same scale as senior Central Government officers (Level 17 for Chairperson, Level 15 for Members).
  • Medical assistance: covered under Board’s group health insurance (with some options for retirees).
  • Leave and leave encashment: broadly as per Central Government leave rules (subject to conditions).
  • Leave travel concession: as per Central Government LTC rules.
  • Must avoid conflicts of interest; no sitting fee or sumptuary allowance.

SIXTH SCHEDULE

Topic: Appointment and service conditions for officers and employees of the Board.

  • Board may appoint staff on deputation from government/statutory/autonomous/public sector bodies for up to 5 years.
  • Board may also take deputation from National Institute for Smart Government (up to 5 years), with market-guided compensation as decided by the Board.
  • Gratuity: as per Payment of Gratuity Act, 1972.
  • Travel allowance: same as Central Government employees.
  • Medical assistance: under Board’s scheme (requires Central Government approval).
  • Leave and leave encashment: as per Central Government leave rules.
  • Leave travel concession: as per Central Government LTC rules (for certain deputation categories).
  • Conduct and disciplinary rules: largely aligned with Central Government conduct/CCA rules.

SEVENTH SCHEDULE

Topic: Who can authorise certain uses of personal data by the State in specific situations.

  • For sovereignty/integrity of India or security of the State: an officer designated by the Central Government or head of the instrumentality (as applicable).
  • For performing functions under law or disclosing information to meet legal obligations: person authorised under applicable law.
  • For assessment to notify Significant Data Fiduciary: an officer designated by the Secretary, MeitY (Ministry of Electronics and IT).