India has taken a decisive step toward strengthening digital trust by formally notifying the Digital Personal Data Protection Rules, 2025. These rules provide the essential operational blueprint for the Digital Personal Data Protection Act, 2023, establishing a clear roadmap for how personal data must be collected, used, stored, protected, and ultimately deleted across the country. The new law is being rolled out in phases, with some rules in force right now and others coming into effect later, giving organizations time to adjust and comply.
What are DPDPA Rules 2025?
The DPDPA Rules 2025 are India’s answer to growing concerns about how personal data is managed in the digital world. They make sure organizations respect people’s privacy and follow clear steps before collecting or using individual data. These rules are designed to help citizens control their own data and make organizations more accountable.
Who Are the Key Players?
- Data Principal: The individual whose personal data is being collected. This is you—the user, the customer, the citizen.
- Data Fiduciary: The organization or person that collects and uses personal data. This could be a company, a website, an app, or even a government department.
- Consent Manager: A registered platform that helps individuals easily give, review, manage, and withdraw their consent for data processing across multiple services.
- Significant Data Fiduciary: A Data Fiduciary that the Central Government designates as such because of the volume and sensitivity of the personal data it processes and the risk that processing poses. The rules also single out large platforms by user count for specific obligations: e-commerce platforms with more than 2 crore (20 million) registered users, online gaming platforms with more than 50 lakh (5 million) registered users, and social media platforms with more than 2 crore registered users.
Rights of the Data Principal under the DPDPA:
The rules give you strong and clear rights over your own information:
- Right to Access: Ask any organization what data they hold about you and why they are using it.
- Right to Correction: Request correction if any information is incorrect or incomplete.
- Right to Erasure: Ask for your data to be deleted once the purpose of collection is complete.
- Right to Nominate: Appoint someone to exercise your rights on your behalf if you are unable to do so.
- Right to Complain: File a complaint with the Data Protection Board if your rights are violated.
Core Compliance Duties for Data Fiduciaries
The rules mandate a comprehensive compliance framework for all Data Fiduciaries, focusing on transparency, security, and accountability.
1. Clear Notices:
Every time an organization collects your data, they must give you a privacy notice that is easy to understand and separate from other information. The notice must explain:
- What data is being collected.
- Why it is needed.
- How long it will be kept.
- How you can withdraw consent, exercise your rights, or make a complaint.
2. Consent:
Organizations must get clear and informed consent from individuals before collecting or processing their personal data. Most importantly, withdrawing consent must be as easy as giving it.
3. Data Security:
Organizations must safeguard personal data through reasonable technical and organizational measures such as:
- Encryption, obfuscation or masking of personal data.
- Access controls so that only authorized personnel can reach the data and the systems that hold it.
- Logging and monitoring of access, with regular review and audits, so that unauthorized access can be detected, investigated and prevented.
- Secure backups so that data remains available and processing can continue after an incident.
4. Data Breach Notification:
In the event of a data breach, organizations must act fast:
- Inform affected individuals immediately using clear and simple language.
- Explain the breach: what happened, its potential impact, and steps individuals can take to protect themselves.
- Notify the Data Protection Board without delay, submitting a detailed report within 72 hours.
5. Data Retention Limits:
The rules make it clear that personal data cannot be stored indefinitely. Once the purpose for which it was collected has been served, it must be erased unless another law requires longer retention.
Organizations must also keep their data processing logs for at least one year before deleting them, so that authorities can review how personal data was handled.
Significant Data Fiduciaries and the large platforms identified by the user-count thresholds above face fixed retention limits:
- Personal data of a user who has not interacted with the platform for three years must be erased.
- The user must be given at least 48 hours' advance notice before the erasure.
- Data needed for security, fraud prevention and legal compliance may still be retained for at least one year.
These obligations fall only on the large platforms; smaller businesses and ordinary Data Fiduciaries follow the general purpose-based retention rule.
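The retention schedule above is easy to get wrong in a batch job: erasing before the notice period has fully elapsed, erasing data under a legal hold, or deleting processing logs too early. The following is an added illustration of how a retention job can encode those rules; it is not code from the article or from PrivacyPulse. The periods come from the article's summary (three years of inactivity, 48 hours' notice, one year of logs); treating "three years" as exactly 3*365 days, the `Account` structure, the function names and the sample dates are all assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, Optional

# Periods as summarized in the article. Reading "three years" as exactly
# 3*365 days is an assumption of this example, not something the article states.
INACTIVITY_LIMIT = timedelta(days=3 * 365)
NOTICE_PERIOD = timedelta(hours=48)
LOG_RETENTION = timedelta(days=365)


def utc_dt(year: int, month: int, day: int, hour: int = 0) -> datetime:
    """Build a timezone-aware UTC timestamp (helper for the sample data)."""
    return datetime(year, month, day, hour, tzinfo=timezone.utc)


@dataclass
class Account:
    """Hypothetical account record; not a structure defined by the rules."""
    user_id: str
    last_interaction: datetime           # last time the Data Principal used the service
    legal_hold: bool = False             # another law requires longer retention
    notice_sent_at: Optional[datetime] = None


def erasure_due(acct: Account) -> datetime:
    """Earliest moment the account becomes eligible for erasure."""
    return acct.last_interaction + INACTIVITY_LIMIT


def retention_action(acct: Account, now: datetime) -> str:
    """Decide what the retention job should do with one account at time `now`.

    Returns 'retain', 'notify', 'wait' or 'erase'. Erasure never happens while
    a legal hold applies, and never until a notice has been sent and the full
    notice period has elapsed, even if the notice went out late.
    """
    if acct.legal_hold:
        return "retain"
    due = erasure_due(acct)
    if now < due - NOTICE_PERIOD:
        return "retain"                  # too early even to send the notice
    if acct.notice_sent_at is None:
        return "notify"                  # send the 48-hour advance notice now
    if now < acct.notice_sent_at + NOTICE_PERIOD or now < due:
        return "wait"                    # notice sent, period not yet over
    return "erase"


def log_may_be_deleted(logged_at: datetime, now: datetime) -> bool:
    """Processing logs must survive at least one year before deletion."""
    return now - logged_at >= LOG_RETENTION


def plan(accounts: Iterable[Account], now: datetime) -> Dict[str, str]:
    """Map each user_id to the action the retention job should take."""
    return {a.user_id: retention_action(a, now) for a in accounts}


if __name__ == "__main__":
    # Constructed sample data, not real user records.
    now = utc_dt(2025, 11, 20)
    sample = [
        Account("active", utc_dt(2025, 6, 1)),
        Account("stale", utc_dt(2022, 11, 1)),
        Account("noticed", utc_dt(2022, 11, 1), notice_sent_at=utc_dt(2025, 11, 19, 12)),
        Account("expired", utc_dt(2022, 11, 1), notice_sent_at=utc_dt(2025, 11, 17)),
        Account("held", utc_dt(2022, 11, 1), legal_hold=True),
    ]
    for user, action in plan(sample, now).items():
        print(f"{user:8} -> {action}")
```

The `wait` state is the important one: a job that only checks "three years have passed" will erase an account the moment the notice is sent. Tying erasure to the notice timestamp makes the 48-hour window a property of the record rather than of the job's run schedule.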
6. Publish Contact Information:
Every organization must clearly display the contact details of their Data Protection Officer or a responsible person who can answer questions about data processing. This information must be on their website or app.
Special Safeguards for Children and the Disabled in India
Children receive extra protection under these rules:
- Any organization processing data of someone under 18 years of age must obtain verified parental consent.
- The parent must be authenticated using reliable identity documents or through a Digital Locker Service Provider.
- Organizations are strictly prohibited from tracking children’s behavior, profiling them, or targeting them with personalized advertisements.
At the same time, sensible exemptions are provided for essential services like healthcare, education, and childcare. This means schools can maintain student records, hospitals can provide treatment, and childcare services can ensure safety without unnecessary barriers.
The Framework for Consent Managers in India:
The framework for Consent Managers is one of the most important additions in the rules.
Who can become a Consent Manager?
- A company incorporated in India.
- Must have strong technical, operational, and financial capacity.
- Must have a net worth of at least Rs. 2 crore.
- Directors and key personnel must have a good reputation and record of fairness.
What do Consent Managers do?
- Help people give, review, and withdraw their consent across multiple platforms from one place.
- Maintain a secure record of all consents for at least seven years.
- Cannot have conflicts of interest with Data Fiduciaries.
- Must submit audit reports to the Data Protection Board regularly.
This system aims to create a simple, transparent, and user-friendly way to manage consent in India’s growing digital ecosystem.
Cross-Border Data Transfer from India:
- Personal data may be transferred outside India, except to countries or territories that the Central Government restricts by notification.
- Where a Data Fiduciary makes personal data available to a foreign State, or to a person or entity controlled by one, it must also meet any requirements the Central Government specifies by general or special order.
- The government may require Significant Data Fiduciaries to keep specified categories of personal data, and traffic data relating to its flow, within India, so that they are neither routed nor stored abroad.
Data Protection Board of India
To oversee the entire system, the Data Protection Board of India will be established with one Chairperson and four Members. It will be based in Delhi NCR and will function as a fully digital office.
Powers of the Board:
- Investigate complaints and breaches.
- Summon individuals and examine them.
- Issue directions and impose penalties for non-compliance.
- Complete inquiries within six months, with short extensions if necessary.
Conclusion:
The Digital Personal Data Protection Rules 2025 set a clear and structured foundation for responsible data governance in India. With defined rights, stronger security requirements, retention controls, and focused safeguards for children and other vulnerable groups, the framework aims to strengthen trust and accountability across the digital ecosystem. As organizations prepare for phased compliance, adopting the right policies, systems, and practices will be essential.
If your organisation needs support in understanding these rules or building a compliance roadmap, PrivacyPulse is here to help with practical, reliable, and tailored guidance.
Disclaimer: This article provides a detailed overview of the Digital Personal Data Protection Rules 2025. For full legal details, please refer to the official Gazette notification.
