Digital Personal Data Protection Rules, 2025
The Digital Personal Data Protection Act, 2023 (Act) received the assent of the Hon'ble President on 11th August 2023. A draft of the Rules envisaged under different sections of the Act has been prepared. The Rules provide the necessary details and the implementation framework of the Act.
Features of the Rules:
Notice by Data Fiduciary to Data Principal: The notice provided by the Data Fiduciary to the Data Principal must be clear, standalone, and understandable, distinct from any other information shared by the Data Fiduciary.
Registration and obligations of a Consent Manager: A Consent Manager must be a company incorporated in India with sound financial and operational capacity, a minimum net worth of two crore rupees, a reputation for fairness and integrity in its management, and a certified interoperable platform enabling Data Principals to manage their consent.
Processing for provision or issue of services by the State or its instrumentality: The State and its instrumentalities may process the personal data of Data Principals to provide or issue subsidies, benefits, services, certificates, licenses, or permits, as defined under law or policy or using public funds.
Reasonable security safeguards: A Data Fiduciary must implement reasonable security measures to protect personal data, including encryption, access control, monitoring for unauthorized access, and data backups, among others.
Intimation of Personal Data Breach: When a Data Fiduciary becomes aware of a personal data breach, it is required to promptly notify all affected Data Principals. This notification must be clear and straightforward, explaining the breach's nature, extent, and timing, along with potential consequences for the affected individuals.
Time period for specified purpose to be deemed as no longer being served: Under this provision, if a Data Fiduciary processes personal data for purposes outlined in Schedule III and the Data Principal does not engage with the Fiduciary within a specified period, the personal data must be erased unless required for legal compliance.
Contact information for addressing data processing queries: This mandates that every Data Fiduciary must clearly display on their website or app the contact details of a designated person who can address questions regarding the processing of personal data.
Verifiable consent for processing personal data of children and persons with disabilities: This provision outlines the requirements for obtaining verifiable consent from parents or legal guardians before processing the personal data of children or persons with disabilities.
Exemptions from obligations in processing personal data of children: This provision outlines certain exemptions to the standard requirements for processing the personal data of children, as stated in section 9 of the Act. These exemptions are applicable to specific types of Data Fiduciaries and for certain purposes, subject to conditions laid out in Schedule IV. According to Part A of the schedule, certain classes of Data Fiduciaries, such as healthcare professionals, educational institutions, and childcare providers, are exempt from specific provisions related to children's data. The processing of children's personal data by these entities is permitted, but it is restricted to specific activities like health services, educational activities, safety monitoring, and transportation tracking. These activities must be necessary for the well-being and safety of the child, ensuring that data processing is done within a defined and limited scope.
Additional obligations of Significant Data Fiduciaries: This provision places specific responsibilities on Significant Data Fiduciaries. It mandates that these Fiduciaries conduct a Data Protection Impact Assessment (DPIA) and a comprehensive audit once every year. The results of these assessments and audits must be reported to the Board, and the report must contain key findings on their adherence to data protection requirements.
Rights of Data Principals: Data Fiduciaries and Consent Managers must clearly publish on their website or app the process by which Data Principals can exercise their rights under the Act, including the identifying details (such as a username) needed to identify the Data Principal.
Processing of personal data outside India: Data Fiduciaries processing data within India or in connection with offering goods or services to Data Principals from outside India must comply with any requirements the Central Government sets in respect of making such personal data available to a foreign State or its entities. This is intended to ensure that personal data remains protected under the Act.
Exemption from Act for research, archiving, or statistical purposes: The Act does not apply to the processing of personal data carried out for research, archiving, or statistical purposes if it adheres to the specific standards outlined in Schedule II.
Appointment of Chairperson and other Members: A Search-cum-Selection Committee shall be formed by the Central Government to recommend candidates for the position of Chairperson of the Data Protection Board. The committee will be led by the Cabinet Secretary and will include the Secretary, MeitY, the Secretary, DLA, and two subject matter experts.
Explanatory note to Digital Personal Data Protection Rules, 2025