Digital Personal Data Protection Act 2022/23 of India

Ministry of Electronics and Information

Notification

New Delhi, the 3rd January 2025

GSR..02(E) :

Draft of rules proposed to be made by the Central Government in exercise of the powers conferred by sub-sections (1) and (2) of section 40 of the Digital Personal Data Protection Act, 2023 (22 of 2023), on or after the date of coming into force of the Act, are hereby published for the information of all persons likely to be affected thereby; and notice is hereby given that the said draft rules shall be taken into consideration after 18th February, 2025;

Objections and suggestions, if any, may be submitted on the website of MyGov (https://mygov.in) by the said date; The objections and suggestions, which may be received from any person with respect to the said draft rules before the expiry of the period specified above, shall not be attributed to the persons submitting publicly and shall be held in fiduciary capacity to enable them to provide the same freely, and shall be considered by the Central Government.

Summary of Rules

Rule	u/s	Description
1	1(2)	Short Title and Commencement
2	2	Definitions
3	5	Notice given by Data Fiduciary to Data Principal
4	6(7)	Registration and obligations of Consent Manager
5	7	Processing for provision or issue of subsidy, benefit, service, certificate, licence or permit by State and its instrumentalities
6	8(3)	Reasonable security safeguards
7	8(6)	Intimation of personal data breach
8	8(7)	Time period for specified purpose to be deemed as no longer being served
9	10(2)	Contact information of person to answer questions about processing
10	9(1)	Verifiable consent for processing of personal data of child or of person with disability who has lawful guardian
11	9(3)	Exemptions from certain obligations applicable to processing of personal data of child
12	10	Additional obligations of Significant Data Fiduciary.
13	11	Rights of Data Principals
14	16	Processing of personal data outside India
15	17	Exemption from Act for research, archiving or statistical purposes
16	18	Appointment of Chairperson and other Members
17	19	Salary, allowances and other terms and conditions of service of Chairperson and other Members
18	23	Procedure for meetings of Board and authentication of its orders, directions and instruments
19	23	Functioning of Board as digital office
20	20	Terms and conditions of appointment and service of officers and employees of Board.
21	29	Appeal to Appellate Tribunal
22	36	Calling for information from Data Fiduciary or intermediary
Sch
1-Part A		Conditions of registration of Consent Manager
1-Part B		Obligations of Consent Manager
2		Standards for processing of personal data by State and its instrumentalities under clause (b) of section 7 and for processing of personal data necessary for the purposes specified in clause (b) of sub-section (2) of section 17
3		Time Period under rule 8(1)
4-Part A		Classes of Data Fiduciaries in respect of whom provisions of sub-sections (1) and (3) of section 9 shall not apply
4-Part B		Purposes for which provisions of sub-sections (1) and (3) of section 9 shall not apply
5		Terms and conditions of service of Chairperson and other Members
6		Terms and conditions of appointment and service of officers and employees of Board
7		Authorized persons under Rule 22(1)

Coloured rows indicate rules that will come into effect on a date to be specified. Others will be effective from the date of publication of the rules in the official gazette.