The Digital Personal Data Protection Rules, 2025

Dated: 20.11.2025

The Ministry of Electronics and Information Technology (MeitY) has introduced the Digital Personal Data Protection Rules, 2025, which aim to provide a robust framework for the protection of personal data in India. These rules are part of the Digital Personal Data Protection Act, 2023, and are designed to ensure the privacy and security of individuals’ personal data while enabling its lawful processing. In this blog, we will explore the key provisions, timelines, and implications of these rules.

Key Highlights of the Digital Personal Data Protection Rules, 2025

1. Implementation Timeline

The rules have a phased implementation plan:

  • Rules 1, 2, and 17 to 21: Effective from the date of publication in the Official Gazette.
  • Rule 4: Effective one year after publication.
  • Rules 3, 5 to 16, 22, and 23: Effective eighteen months after publication.

This staggered approach allows stakeholders to adapt to the new regulations gradually.

2. Definitions

The rules define key terms to ensure clarity:

  • Act: Refers to the Digital Personal Data Protection Act, 2023.
  • Techno-legal measures: Measures referred to under rules 20 and 22 for digital office functioning.
  • User account: Online accounts registered by Data Principals with Data Fiduciaries, including profiles, email addresses, and mobile numbers.
  • Verifiable consent: Consent as specified in rules 10 or 11.

3. Responsibilities of Data Fiduciaries

Data Fiduciaries, entities that process personal data, have several obligations under the rules:

  • Notice to Data Principals: Clear and understandable notices must be provided to Data Principals, detailing the purpose of data processing, the type of data collected, and how to withdraw consent or file complaints.
  • Security Safeguards: Data Fiduciaries must implement reasonable security measures, such as encryption, access control, monitoring, and data backups, to prevent breaches.
  • Intimation of Data Breaches: In case of a breach, Data Fiduciaries must promptly inform affected Data Principals and the Data Protection Board, providing details of the breach, its consequences, and mitigation measures.

4. Consent Management

The rules introduce the concept of Consent Managers, who act as intermediaries to help Data Principals manage their consent for data processing. Key aspects include:

  • Registration: Consent Managers must meet specific criteria, such as being a company incorporated in India with a net worth of at least ₹2 crore.
  • Obligations: Consent Managers must enable Data Principals to give, manage, review, and withdraw consent. They must maintain records of consents and ensure data security.
  • Transparency: Consent Managers are required to disclose information about their promoters, directors, and key personnel on their platforms.

5. Special Provisions for Children and Persons with Disabilities

The rules provide additional safeguards for the personal data of children and persons with disabilities:

  • Children: Verifiable consent from parents is mandatory before processing a child’s personal data. Certain Data Fiduciaries, such as healthcare professionals and educational institutions, are exempt from specific obligations under section 9 of the Act, provided the processing is necessary for the child’s health, safety, or education.
  • Persons with Disabilities: Verifiable consent must be obtained from lawful guardians, with due diligence to ensure the guardian is appointed under applicable laws.

6. Significant Data Fiduciaries

The rules introduce the concept of Significant Data Fiduciaries, which are entities handling large volumes of personal data. These Fiduciaries have additional obligations:

  • Conduct annual Data Protection Impact Assessments and audits.
  • Ensure technical measures, such as algorithms, do not pose risks to Data Principals.
  • Restrict the transfer of certain personal data outside India, as specified by the Central Government.

7. Rights of Data Principals

The rules empower individuals, referred to as Data Principals, with several rights:

  • Access to Information: Data Fiduciaries must provide clear means for Data Principals to exercise their rights, including access to their data and grievance redressal mechanisms.
  • Nomination: Data Principals can nominate individuals to exercise their rights on their behalf.
  • Notification of Data Erasure: Data Fiduciaries must inform Data Principals before erasing their personal data.

8. Data Transfer Outside India

The rules allow the transfer of personal data outside India, subject to conditions specified by the Central Government. This ensures that data is handled securely and in compliance with Indian laws.

9. Exemptions for Research and Statistical Purposes

The rules provide exemptions for processing personal data for research, archiving, or statistical purposes, provided it adheres to the standards specified in the Second Schedule.

10. Governance and Oversight

The rules establish a Data Protection Board to oversee compliance and address grievances. Key aspects include:

  • Appointment of Chairperson and Members: A Search-cum-Selection Committee will recommend individuals for these positions.
  • Digital Office: The Board will function as a digital office, leveraging techno-legal measures to conduct proceedings without requiring physical presence.
  • Appeals: Aggrieved individuals can appeal Board decisions to an Appellate Tribunal, which will also function as a digital office.

Implications of the Rules

The Digital Personal Data Protection Rules, 2025, mark a significant step in safeguarding personal data in India. By introducing clear guidelines for data processing, consent management, and security measures, the rules aim to build trust between individuals and entities handling their data. The focus on children, persons with disabilities, and the restriction on data transfer outside India further highlights the Government’s commitment to protecting vulnerable groups and national interests.

Conclusion

The Digital Personal Data Protection Rules, 2025, are a landmark development in India’s journey toward a robust data protection framework. By balancing the need for data-driven innovation with the protection of individual privacy, these rules set the stage for a secure and transparent digital ecosystem. As the rules are implemented in phases, it is crucial for Data Fiduciaries, Consent Managers, and other stakeholders to align their practices with the provisions to ensure compliance and foster trust among Data Principals.

In case you face any issues related to Indirect Tax-Customs, GST, Foreign Trade Policy (FTP), Arbitration matters and Central Licensing and related advisory matters in India then please feel free to get in touch with SJ EXIM Services.

We offer Legal advice and litigation support in matters related to Indirect Tax-Customs, FTP, other Indirect Tax matters & Arbitration law, all sorts of Central licensing and related matters. Come and explore the new way of doing business with us!