GAZETTE ANALYSIS · G.S.R. 846(E) · 13 NOVEMBER 2025

DPDP Rules 2025 Notified
G.S.R. 846(E) Complete Analysis

Gazette ID: CG-DL-E-14112025-267650
Notification: G.S.R. 846(E) dated 13 November 2025
Published by: Ministry of Electronics and Information Technology (MeitY)
Source: Gazette of India Extraordinary, Part II, Section 3, Sub-section (i)
Parent Act: Digital Personal Data Protection Act, 2023 (Act No. 22 of 2023)
Full enforcement: 13 May 2027 (18 months from notification)

On 13 November 2025, the Ministry of Electronics and Information Technology (MeitY) notified the Digital Personal Data Protection Rules, 2025 under Section 40 of the Digital Personal Data Protection Act, 2023. This notification, issued as G.S.R. 846(E), marks the operative phase of India’s first comprehensive data protection regime. The Rules follow an earlier draft published on 3 January 2025 via G.S.R. 02(E) for public consultation over a 45-day period.

This analysis, grounded in the exact text of the Gazette notification hosted at our resource library, examines the tiered commencement framework, the detailed operational rules governing notice, consent management, breach reporting, retention, children’s data, and Significant Data Fiduciary obligations. By Advocate Subodh Bajpai, Unified Chambers and Associates.

Rule 1 · Tiered Commencement

The Three-Phase Enforcement Timeline

Rule 1 of the DPDP Rules 2025 establishes a carefully sequenced commencement framework in sub-rules (2), (3), and (4). Unlike a single effective date, the Rules stagger enforcement across three time horizons to give the ecosystem time to prepare.

Rule 1(2) · Effective 13 November 2025
Rules 1 (short title and commencement), 2 (definitions), and 17 to 21 (Appellate Tribunal procedure, digital office, fees, government directions) took effect on the date of publication in the Gazette.
Rule 1(3) · Effective 13 November 2026
Rule 4 (registration and obligations of Consent Managers) takes effect one year after publication. This single-year horizon reflects the time needed to operationalise the Consent Manager ecosystem, process registration applications, and build the interoperable consent infrastructure envisaged under the Act.
Rule 1(4) · Effective 13 May 2027
Rules 3 (notice to Data Principal), 5 to 16 (core obligations including security safeguards, breach notification, retention, children’s data, research exemptions, Significant Data Fiduciary duties, government call-for-information), and 22 to 23 take effect eighteen months after publication.

The practical effect: while the Data Protection Board of India (constituted under Section 18 of the Act) can begin functioning immediately, the full compliance burden on Data Fiduciaries — notice obligations, consent architecture, security safeguards, breach notification procedures, retention schedules, and Significant Data Fiduciary obligations — becomes legally enforceable from 13 May 2027. Organisations that wait until 2027 to begin compliance work will face a compressed implementation timeline with significant legal and operational risk.

Rule 3 · Notice to Data Principal

The Anatomy of a Lawful Consent Notice

Rule 3 of the DPDP Rules 2025 prescribes how a Data Fiduciary must communicate with a Data Principal when seeking consent, or when providing grandfathering notice under Section 5(2) of the Act for consent given before the Act’s commencement. The Rule imposes three structural requirements and a mandatory minimum content standard.

Structural Requirements
  1. Standalone presentation: The notice must be presented independently of any other information that the Data Fiduciary has made or may make available. This prevents burying privacy notices within lengthy terms of service.
  2. Clear and plain language: The notice must give a fair account of details necessary to enable the Data Principal to give specific and informed consent.
  3. Minimum content: Itemised description of personal data being processed; specific purposes; goods or services provided.

Beyond the core content, Rule 3 requires the notice to contain a specific communication link — to the Data Fiduciary’s website or app, together with a description of any other means — through which the Data Principal can exercise three distinct actions: (i) withdraw consent, with equal ease as it was given (this mirrors Section 6(4) of the Act); (ii) exercise rights under the Act (access, correction, erasure, grievance redressal, nomination); and (iii) file a complaint with the Data Protection Board.

The “equal ease” standard for withdrawal is significant. A Data Fiduciary that allows consent to be given with a single tap but requires a multi-step email-and-callback process to withdraw it would violate both the Act and these Rules — a violation that could attract penalty up to Rs 50 crore under Schedule Sl.7.

Rule 6 · Reasonable Security Safeguards

The Seven-Pillar Security Framework

Section 8(5) of the Act requires a Data Fiduciary to protect personal data by taking “reasonable security safeguards to prevent personal data breach.” Rule 6(1) of the 2025 Rules gives this abstract standard operational content through seven specific minimum measures:

  1. Data security measures including encryption, obfuscation, masking, or use of virtual tokens mapped to personal data.
  2. Access control for computer resources used by the Data Fiduciary or its Data Processor.
  3. Visibility through logs and monitoring to detect unauthorised access, enable investigation, and support corrective action.
  4. Continuity measures — for example, data backups — to ensure continued processing in the event that confidentiality, integrity, or availability of personal data is compromised.
  5. One-year log retention of personal data and associated logs, to enable detection of unauthorised access and remediation, unless another applicable law requires longer retention.
  6. Contractual safeguards with any Data Processor, requiring reasonable security safeguards in the engagement contract.
  7. Technical and organisational measures ensuring effective observance of security safeguards.

Penalty Exposure · Schedule Sl.1

Failure to implement reasonable security safeguards is the single highest-penalty contravention in the DPDP Schedule — up to Rs 250 crore per contravention under Section 8(5). For a bank or NBFC processing millions of customer records, a single security failure could trigger penalty exposure exceeding the annual profit of many mid-sized financial institutions.
Maximum: Rs 250 Crore per contravention

Rule 7 · Personal Data Breach Notification

The Two-Stage Breach Reporting Framework

Section 8(6) of the Act requires a Data Fiduciary, in the event of a personal data breach, to “give the Board and each affected Data Principal, intimation of such breach in such form and manner as may be prescribed.” Rule 7 prescribes that form and manner, creating a dual notification obligation with distinct timelines and content requirements.

Notification to Affected Data Principals (Rule 7(1))

The Data Fiduciary must, upon becoming aware of any personal data breach, intimate each affected Data Principal without delay through the user account registered with the Data Fiduciary or any other communication method the Data Principal has registered. The notification must be in concise, clear, and plain language and must include:

  • description of the breach, including its nature, extent, and time of occurrence
  • consequences relevant to the Data Principal likely to arise from the breach
  • measures implemented and being implemented by the Data Fiduciary to mitigate risk
  • safety measures the Data Principal may take to protect her interests
  • business contact information for the Data Fiduciary’s representative able to respond to questions

Notification to the Board (Rule 7(2))

The Data Fiduciary must provide the Board with two rounds of information:

Stage 1 · Without Delay
Description of the breach: nature, extent, time and place of occurrence, likely impact.
Stage 2 · Within 72 Hours (or longer period granted by Board)
Updated and detailed information covering (i) description details; (ii) broad facts about causes, circumstances, and events; (iii) remedial measures implemented or proposed; (iv) findings regarding the person responsible for the breach; (v) remedial actions to prevent recurrence; and (vi) a report on notifications given to affected Data Principals.

An important legal distinction: the 72-hour window is a Rules prescription, not an Act provision. The Act itself (Section 8(6)) requires notification “without delay.” This distinction matters in penalty defence — counsel can argue that partial compliance with the spirit of “without delay” via early Stage 1 notification demonstrates good-faith compliance even where the Stage 2 72-hour deadline proves technically challenging. Failure to notify carries penalties up to Rs 200 crore under Schedule Sl.2.

Practical Overlap

Financial institutions face a separate 6-hour reporting obligation to CERT-In under the CERT-In Directions 2022 (issued under Section 70B of the Information Technology Act 2000). The DPDP Rules do not displace this obligation — they add to it. A bank suffering a breach must now coordinate: (a) CERT-In report within 6 hours; (b) DPBI preliminary notification without delay; (c) affected Data Principal notifications without delay; and (d) DPBI detailed report within 72 hours.
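The four coordinated deadlines above, together with the Rule 7(1) content elements, as a small incident-response tracker. This is an added illustration, not part of the original analysis or any official tool: the 6-hour and 72-hour windows are the ones this page cites, the 24-hour internal target for "without delay" is an assumption (the Rules fix no hour count), and all function and field names are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# The Rules fix no hour count for "without delay"; the 24-hour figure below is
# an internal target (assumption, not a Rules number) so that the tracker can
# flag an intimation that has not gone out. The 6 h and 72 h windows are the
# ones this page cites.
WITHOUT_DELAY_TARGET = timedelta(hours=24)
WINDOWS = {
    "cert_in_report":        timedelta(hours=6),    # CERT-In Directions 2022
    "dpbi_stage1":           WITHOUT_DELAY_TARGET,  # Rule 7(2): preliminary description
    "data_principal_notice": WITHOUT_DELAY_TARGET,  # Rule 7(1)
    "dpbi_stage2":           timedelta(hours=72),   # Rule 7(2): detailed report
}

# Rule 7(1): the five elements every notice to a Data Principal must carry.
PRINCIPAL_NOTICE_FIELDS = ("description", "consequences", "mitigation",
                           "self_protection", "contact")


@dataclass
class Obligation:
    due: datetime
    sent: Optional[datetime]
    status: str   # "pending", "on time", "late" or "overdue"


def evaluate(aware_at: datetime, sent: Dict[str, datetime], now: datetime,
             board_extension: Optional[timedelta] = None) -> Dict[str, Obligation]:
    """Status of each obligation given the moment the Data Fiduciary became aware
    of the breach and when each intimation actually went out. `board_extension`
    is a longer Stage 2 period the Board has specified in writing, if any;
    without that grant the 72-hour window stands."""
    result: Dict[str, Obligation] = {}
    for name, window in WINDOWS.items():
        if name == "dpbi_stage2" and board_extension is not None:
            window = max(window, board_extension)
        due = aware_at + window
        when = sent.get(name)
        if when is None:
            status = "overdue" if now > due else "pending"
        else:
            status = "on time" if when <= due else "late"
        result[name] = Obligation(due, when, status)
    return result


def missing_notice_fields(notice: Dict[str, str]) -> List[str]:
    """Rule 7(1) content check on a draft notice to a Data Principal; returns the
    required elements that are absent or blank."""
    return [f for f in PRINCIPAL_NOTICE_FIELDS if not notice.get(f, "").strip()]
```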

Rule 8 & Schedule III · Retention Matrix

When Purpose Is Deemed “No Longer Served”

Section 8(7) of the Act requires a Data Fiduciary to erase personal data once the specified purpose is no longer being served, unless retention is necessary for compliance with any law for the time being in force. Rule 8, read with Schedule III, gives this obligation concrete temporal meaning for three classes of large consumer-facing Data Fiduciaries.

Class of Data Fiduciary     | Threshold                          | Erasure Trigger
E-commerce entity           | ≥ 2 crore registered Indian users  | 3 years from last interaction
Online gaming intermediary  | ≥ 50 lakh registered Indian users  | 3 years from last interaction
Social media intermediary   | ≥ 2 crore registered Indian users  | 3 years from last interaction

Specifically, Schedule III requires these Data Fiduciaries to erase personal data three years from the date the Data Principal last (i) contacted the Data Fiduciary for performance of the specified purpose or (ii) exercised any rights in respect of the processing — or from the commencement of the DPDP Rules 2025, whichever is later. Two narrow exceptions permit continued retention: (a) enabling Data Principal access to her user account; and (b) enabling access to virtual tokens used to obtain money, goods, or services.

Under Rule 8(2), the Data Fiduciary must notify the Data Principal at least 48 hours before the retention period expires, giving the Data Principal an opportunity to log in, exercise rights, or re-engage the purpose — thereby preventing erasure.
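The Schedule III trigger and the Rule 8(2) pre-erasure notice as a retention-job decision, added here as an illustration and not drawn from the Rules' text or the author's practice. The thresholds, the 3-year clock, the 48-hour notice and the 13 May 2027 commencement are the figures this page states; the class labels, function names and the leap-day handling are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Figures as stated on this page: Rules 5 to 16 (including Rule 8) commence
# on 13 May 2027 under Rule 1(4); thresholds and the 3-year clock are Schedule III.
RULES_COMMENCEMENT = datetime(2027, 5, 13)
CRORE, LAKH = 10_000_000, 100_000
SCHEDULE_III_THRESHOLDS = {              # registered Indian users; labels are assumptions
    "e-commerce": 2 * CRORE,
    "online gaming intermediary": 50 * LAKH,
    "social media intermediary": 2 * CRORE,
}
RETENTION_YEARS = 3                      # Schedule III
PRE_EXPIRY_NOTICE = timedelta(hours=48)  # Rule 8(2)


def add_years(when: datetime, years: int) -> datetime:
    """Calendar-year addition. A 29 Feb start rolls to 28 Feb when the target
    year is not a leap year (assumption: the Rules do not address leap days)."""
    try:
        return when.replace(year=when.year + years)
    except ValueError:
        return when.replace(year=when.year + years, day=28)


def covered_by_schedule_iii(kind: str, registered_indian_users: int) -> bool:
    threshold = SCHEDULE_III_THRESHOLDS.get(kind)
    return threshold is not None and registered_indian_users >= threshold


@dataclass
class RetentionSchedule:
    covered: bool                    # does Schedule III apply to this fiduciary?
    erasure_due: Optional[datetime]  # when the record must be erased
    notify_by: Optional[datetime]    # Rule 8(2): at least 48 h before erasure_due
    exception: Optional[str]         # Schedule III carve-out keeping the data


def retention_schedule(kind: str, registered_indian_users: int,
                       last_contact: Optional[datetime],
                       last_rights_exercise: Optional[datetime],
                       needed_for_account_access: bool = False,
                       needed_for_virtual_tokens: bool = False) -> RetentionSchedule:
    """Schedule III erasure trigger plus the Rule 8(2) notice, as this page describes them."""
    if not covered_by_schedule_iii(kind, registered_indian_users):
        return RetentionSchedule(False, None, None, None)
    # The 3-year clock runs from the LATEST of: last contact for the specified
    # purpose, last exercise of rights, and commencement of the Rules.
    events = [e for e in (last_contact, last_rights_exercise) if e is not None]
    start = max(events + [RULES_COMMENCEMENT])
    erasure_due = add_years(start, RETENTION_YEARS)
    exception = None
    if needed_for_account_access:
        exception = "access to user account"
    elif needed_for_virtual_tokens:
        exception = "access to virtual tokens"
    return RetentionSchedule(True, erasure_due,
                             erasure_due - PRE_EXPIRY_NOTICE, exception)


def action_on(schedule: RetentionSchedule, now: datetime) -> str:
    """What a scheduled retention job should do with this record at `now`.
    Any fresh contact or rights exercise must re-run retention_schedule(),
    since it restarts the clock and cancels a pending erasure."""
    if not schedule.covered:
        return "retain (Schedule III does not apply)"
    if schedule.exception:
        return f"retain (Schedule III exception: {schedule.exception})"
    if now >= schedule.erasure_due:
        return "erase"
    if now >= schedule.notify_by:
        return "send Rule 8(2) pre-erasure notice"
    return "retain"
```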

Rule 4 & Schedule I · Consent Manager Framework

The Registered Intermediary for Consent

The Act introduces a novel regulatory figure — the Consent Manager (Section 2(g)) — a registered person acting as a single point of contact enabling Data Principals to give, manage, review, and withdraw consent across multiple Data Fiduciaries through an accessible, transparent, and interoperable platform. Rule 4 and Schedule I operationalise this framework.

Registration Criteria (Schedule I Part A)

  • Incorporation: Must be a company incorporated in India under the Companies Act 2013
  • Minimum net worth: Rs 2 crore at all times
  • Fit-and-proper criteria: Directors, key managerial personnel, senior management
  • Capacity: Sufficient technical, operational, and financial capacity
  • Conflict-of-interest safeguards: Particularly relating to Data Fiduciaries
  • Interoperability: Platform must enable interoperable consent management

Ongoing Obligations (Schedule I Part B)

Once registered, a Consent Manager must:

  • (a) enable consent management that is readable by neither the Consent Manager nor any third party other than the Data Principal and Data Fiduciaries concerned;
  • (b) maintain records of all consent given, denied, withdrawn, the notices preceding such consent, and sharing with Data Fiduciaries, for at least seven years or a longer period agreed with the Data Principal or required by law;
  • (c) provide Data Principals access to these records in machine-readable form;
  • (d) act in a fiduciary capacity to the Data Principal;
  • (e) avoid conflicts of interest with Data Fiduciaries, including regarding promoters and key management;
  • (f) publish on its website or app information about promoters, directors, key management, shareholders with more than 2 percent stake, and corporates where any promoter or key management holds more than 2 percent shareholding; and
  • (g) maintain effective audit mechanisms.

Rule 12 & Schedule IV · Children’s Data

Narrow Exemptions from Section 9

Section 9 of the Act imposes heightened protections for children’s personal data: verifiable parental consent under sub-section (1), prohibition on processing likely to cause detrimental effects under sub-section (2), and an absolute bar on tracking, behavioural monitoring, and targeted advertising directed at children under sub-section (3). Schedule IV, referenced in Rule 12, carves narrowly-tailored exemptions.

Part A · Classes of Exempted Data Fiduciary

  1. Clinical establishments, mental health establishments, healthcare professionals — processing limited to health services for children in their care
  2. Allied healthcare professionals — processing limited to treatment and referral schemes
  3. Educational institutions — tracking and behavioural monitoring limited to educational activities or safety of enrolled children
  4. Creches and child day care centres — tracking limited to safety of children in their care
  5. Transport providers engaged by educational institutions, creches, or day care centres — tracking limited to monitoring location during transit for safety

Part B · Exempted Purposes

  1. Exercise of any power, performance of any function, or discharge of any duty under any law in force in India in the interest of a child
  2. Processing for provision or issuance of subsidy, benefit, service, certificate, licence, or permit under Section 7(b) in the interest of a child, using public funds

Penalty Exposure · Schedule Sl.3

Breach of children’s data obligations under Section 9 attracts penalty up to Rs 200 crore — the second-highest tier in the DPDP Schedule. Educational technology platforms, paediatric telemedicine services, and family-oriented apps must carefully structure data collection to fall within Schedule IV exemptions or secure verifiable parental consent.
Maximum: Rs 200 Crore per contravention

Implementation · What Organisations Must Do Now

The 18-Month Compliance Runway

With comprehensive compliance enforceable from 13 May 2027, Data Fiduciaries have approximately 18 months from notification to achieve full compliance. Four work streams deserve immediate attention:

  1. Data mapping and retention matrix. Identify every personal data element collected, its purpose, legal basis, retention period, and the law (if any) requiring retention beyond DPDP purpose-limitation principles.
  2. Consent architecture redesign. Audit existing consent forms for compliance with Section 6 (free, specific, informed, unconditional, unambiguous) and Rule 3 notice requirements. Identify legacy records requiring re-consent.
  3. Breach response SOP. Establish incident response procedures addressing both the DPBI dual-stage notification (Rule 7) and CERT-In 6-hour reporting (CERT-In Directions 2022), with clear role allocations and forensic preservation protocols.
  4. SDF readiness assessment. For institutions likely to be classified as Significant Data Fiduciaries (large banks, NBFCs, social media, e-commerce), begin DPO recruitment, independent auditor engagement, and DPIA methodology development.

Frequently Asked Questions

DPDP Rules 2025 — Key Questions

When were the DPDP Rules 2025 notified and when do they take effect?

The Digital Personal Data Protection Rules, 2025 were notified by the Ministry of Electronics and Information Technology (MeitY) through Gazette Notification G.S.R. 846(E) dated 13 November 2025, published in the Gazette of India Extraordinary, Part II, Section 3, Sub-section (i), bearing Gazette ID CG-DL-E-14112025-267650. The Rules adopt a tiered commencement framework under Rule 1(2)-(4): Rules 1, 2, and 17 to 21 took effect immediately on the date of publication (13 November 2025); Rule 4 (registration and obligations of Consent Managers) takes effect after one year, on 13 November 2026; and Rules 3, 5 to 16, and 22 to 23 take effect after eighteen months, on 13 May 2027. This means comprehensive compliance obligations for data fiduciaries — including notice requirements, security safeguards, breach notification procedures, and Significant Data Fiduciary duties — become enforceable from 13 May 2027.

What is the exact breach notification timeline under DPDP Rules 2025?

Rule 7 of the DPDP Rules 2025 prescribes a two-stage breach notification framework. Upon becoming aware of any personal data breach, the Data Fiduciary must (a) notify each affected Data Principal without delay, in concise and plain language, through the user account or any communication channel registered with the Data Fiduciary, describing the breach, its consequences, mitigation measures taken, user protection measures, and business contact details for enquiries; and (b) notify the Board. The notification to the Board has two parts: (i) preliminary information without delay — describing the nature, extent, time, location, and likely impact of the breach; and (ii) detailed information within 72 hours of knowledge of the breach, or a longer period specified in writing by the Board on request, covering updated facts, causes, remedial measures, findings on the person responsible, and a report on notices given to affected Data Principals. The 72-hour window is a Rules prescription under Rule 7(2)(b), not an Act provision. The Act itself (Section 8(6)) requires notification "without delay."

What are the data retention obligations under the DPDP Rules 2025?

The DPDP Rules create a layered retention framework. Under Rule 6(e), Data Fiduciaries must retain personal data and associated logs for at least one year to detect unauthorised access and enable corrective action, unless another applicable law requires a longer period. Under Rule 8(3), Data Fiduciaries must retain personal data, associated traffic data, and processing logs for at least one year from the date of processing for purposes specified in Schedule VII, unless a longer retention is required by law. Schedule III (referenced by Rule 8(1)) prescribes specific retention limits for three classes of Data Fiduciary: e-commerce entities with at least two crore registered Indian users, online gaming intermediaries with at least fifty lakh registered Indian users, and social media intermediaries with at least two crore registered Indian users. For these three classes, personal data must be erased three years from the date the Data Principal last contacted the Data Fiduciary for the specified purpose or exercised her rights, or from the commencement of the DPDP Rules 2025, whichever is later. Consent Managers must retain consent records for at least seven years under Schedule I Part B, Clause 4(c).

Who must register as a Consent Manager and when?

Rule 4 of the DPDP Rules 2025 establishes the Consent Manager registration framework, which becomes operative one year after publication — that is, from 13 November 2026. A Consent Manager is a registered person acting as a single point of contact enabling Data Principals to give, manage, review, and withdraw their consent across multiple Data Fiduciaries. To register, an applicant must satisfy the conditions in Schedule I Part A, which include: incorporation as a company in India under the Companies Act 2013; minimum net worth of Rs 2 crore; directors and key managerial personnel meeting fit-and-proper criteria; sufficient technical, operational, and financial capacity; robust conflict-of-interest safeguards particularly relating to Data Fiduciaries; and interoperable platforms for consent management. The Board may approve, refuse, suspend, or cancel registration after hearing. Consent Manager obligations under Schedule I Part B include maintaining consent records for at least seven years, operating as a fiduciary to Data Principals, avoiding conflicts with Data Fiduciaries, and publishing ownership and control information on their platforms.

What security safeguards does Rule 6 require Data Fiduciaries to implement?

Rule 6(1) prescribes the minimum reasonable security safeguards a Data Fiduciary must implement to prevent personal data breach. These include: (a) appropriate data security measures such as encryption, obfuscation, masking, or use of virtual tokens linked to personal data; (b) appropriate measures to control access to computer resources used by the Data Fiduciary or its Data Processor; (c) visibility into personal data through logs, monitoring, and review to detect unauthorised access, investigate it, and take corrective action; (d) appropriate measures for continued processing in the event of loss or compromise of confidentiality, integrity, or availability of personal data (for example, through data backups); (e) retention of logs and personal data for at least one year to enable detection of unauthorised access and related remedial action, unless another law requires longer retention; (f) contractual provisions between the Data Fiduciary and any Data Processor requiring reasonable security safeguards; and (g) appropriate technical and organisational measures to ensure effective observance of security safeguards. Breach of Rule 6 obligations may trigger penalties up to Rs 250 crore under Schedule Sl.1 of the DPDP Act.

What are the children's data processing exemptions under Schedule IV?

Schedule IV of the DPDP Rules 2025 (referenced by Rule 12) provides narrowly-tailored exemptions from Section 9(1) (verifiable parental consent requirement) and Section 9(3) (prohibition on tracking, behavioural monitoring, and targeted advertising at children). Part A of Schedule IV lists five classes of Data Fiduciary entitled to exemption, subject to specific conditions: (1) clinical establishments, mental health establishments, and healthcare professionals — processing limited to providing health services to the child in their care; (2) allied healthcare professionals — processing limited to supporting treatment and referral schemes recommended by such professionals; (3) educational institutions — tracking and behavioural monitoring limited to educational activities or safety of enrolled children; (4) persons to whom infants or children are entrusted for care (crèches and child day care centres) — tracking limited to safety of children in their care; (5) persons engaged by institutions, crèches, or child day care centres for transporting enrolled children — tracking limited to monitoring location during transit for safety. Part B of Schedule IV exempts two specific purposes: exercise of any power under law in the interest of a child, and processing for certain legitimate uses under Section 7(b) of the Act.

How should Data Fiduciaries give notice to Data Principals under Rule 3?

Rule 3 of the DPDP Rules 2025 (effective from 13 May 2027) prescribes the form and content of the notice that a Data Fiduciary must give to a Data Principal when seeking consent or after commencement of processing. The notice must be: (a) presented independently of any other information that may have been made available by the Data Fiduciary; (b) given in clear and plain language, providing a fair account of the details necessary to enable the Data Principal to give specific and informed consent; and (c) contain, at a minimum — an itemised description of the personal data being processed, the specific purposes and goods or services provided by such processing, a specific communication link for accessing the Data Fiduciary's website or app (and a description of other means) through which the Data Principal can (i) withdraw consent with equal ease as it was given, (ii) exercise rights under the Act, and (iii) make a complaint to the Board. The notice obligation applies both to new consent requests under Section 6 and to grandfathering notice for pre-commencement consent under Section 5(2) of the Act.

What constitutes a "Significant Data Fiduciary" and what additional duties apply?

Under Section 10(1) of the DPDP Act 2023, the Central Government may notify any Data Fiduciary or class of Data Fiduciaries as a Significant Data Fiduciary (SDF) based on factors including: (a) volume and sensitivity of personal data processed; (b) risk to the rights of Data Principals; (c) potential impact on the sovereignty and integrity of India; (d) risk to electoral democracy; (e) security of the State; and (f) public order. Once notified, an SDF must under Section 10(2): (a) appoint a Data Protection Officer (DPO) who (i) represents the SDF under the Act, (ii) is based in India, (iii) is an individual responsible to the Board of Directors or similar governing body, and (iv) is the point of contact for the grievance redressal mechanism; (b) appoint an independent data auditor to evaluate the SDF's compliance; and (c) undertake periodic Data Protection Impact Assessments (DPIA) addressing the rights of Data Principals, the purpose of processing, and assessment and management of risk to such rights; periodic audits; and such other measures as prescribed. Breach of Section 10 obligations carries penalties up to Rs 150 crore under Schedule Sl.4.

By Advocate Subodh Bajpai

DPDP Rules 2025 Compliance
Begins With One Conversation

Unified Chambers and Associates advises banks, NBFCs, fintech companies, and corporates on compliance with the Digital Personal Data Protection Act 2023 and the DPDP Rules 2025. Senior Partner response within one business day. Minimum annual retainer: Rs 50 lakhs.


All statutory references verified against Gazette of India Extraordinary G.S.R. 846(E) dated 13 November 2025. Full PDF available at unifiedchambers.com/dpdp-documents/dpdp-rules-2025-final.pdf.
