ZEDROIT GLOBAL SOLUTIONS PRIVATE LIMITED
DRAFT DPDPA RULES, 2025
COMMENCEMENT AND IMPLEMENTATION
The Rules will be implemented in different phases:
➢ Compliance-related rules (e.g. how notice is to be provided, or how a personal data breach is to be reported): Rules 3 to 15, rule 21 and rule 22. These come into force with effect from dates that the Central Government will specify.
➢ Rules concerning the Data Protection Board (e.g. the appointment of members, their terms of service, and allied techno-legal measures): all others, i.e. every rule other than rules 3 to 15, rule 21 and rule 22. These come into force upon being published in the Official Gazette.
NOTICE BY DATA FIDUCIARY TO DATA PRINCIPAL (DP): Rule 3
Applies to both past (pre-existing) and new Data Principals.
➢ Must be clear, standalone and understandable,
➢ Distinct from any other information shared by the Data Fiduciary,
➢ In simple, plain language,
➢ Must provide the Data Principal with full and transparent information.
➢ Purpose: the notice is necessary for giving informed consent to the processing of personal data.
NOTICE MUST INCLUDE:
➢ An itemized description of the personal data being collected,
➢ A clear description of the purpose of processing,
➢ An itemized description of the goods, services or uses enabled by such processing,
➢ A communication link to the Data Fiduciary's website or app, and a description of the other methods by which the Data Principal can:
➢ withdraw consent with ease comparable to that with which it was given,
➢ exercise their rights under the Act, and
➢ make a complaint to the Board.
REGISTRATION AND OBLIGATIONS OF A CONSENT MANAGER: Rule 4
Eligibility for registration:
➢ Must be a company incorporated in India,
➢ Sound financial and operational capacity,
➢ Minimum net worth of 2 crore rupees,
➢ A reputation for fairness and integrity in its management, and
➢ A certified interoperable platform enabling Data Principals to manage their consent.
Application for registration is to be made to the Data Protection Board.
Obligations of a Consent Manager:
➢ Ensure that Data Principals can easily give, manage, review and withdraw consent,
➢ Maintain records of consents given and of data sharing, and
➢ Provide Data Principals transparent access to such records.
Responsibilities of a Consent Manager:
➢ Implement strong security measures to protect personal data,
➢ Avoid conflicts of interest, and
➢ Ensure transparency by publishing key management details and ownership structures.
ADV. GANAT JUNEJA 1
POWER OF THE BOARD
The Board may
➢ audit the Consent Manager's operations,
➢ suspend or cancel its registration, if necessary, and
➢ issue corrective directions to safeguard the interests of Data Principals.
Independence: the Consent Manager must maintain independence, with strict rules to prevent conflicts of interest involving its directors or senior management and Data Fiduciaries.
Prohibition: Consent Managers may not subcontract or assign their responsibilities.
Continuing obligations: ensure long-term compliance by regularly reviewing their operations; any transfer of control of the Consent Manager company requires prior approval of the Board.
Purpose: to ensure that Consent Managers uphold high standards of transparency, security and fiduciary duty in managing personal data.
PROCESSING FOR PROVISION OR ISSUE OF SERVICES BY STATE OR ITS INSTRUMENTALITY: Rule 5
Who: the State and its instrumentalities.
Purpose: to provide or issue subsidies, benefits, services, certificates, licenses or permits, as defined under law or policy, or using public funds.
Standard: processing must adhere to the specific standards in Schedule II.
Note: Schedule II ensures lawful, transparent and secure handling of personal data for such purposes.
Conditions:
➢ Personal data is processed lawfully,
➢ for the stated purposes,
➢ limited to the data necessary for achieving those purposes,
➢ the data must be accurate,
➢ retained only as long as necessary, and
➢ protected by appropriate security safeguards to prevent breaches.
The Data Principal should be informed about the processing and about the means to exercise their rights.
Purpose: to ensure that personal data processing is transparent, secure and in line with legal and policy standards, safeguarding the interests of Data Principals.
Processing must also comply with any other applicable laws, which gives the standards a wider scope than the DPDPA alone; the responsible parties must be accountable for adhering to these standards.
REASONABLE SECURITY SAFEGUARDS: Rule 6
A Data Fiduciary must implement reasonable security safeguards to protect personal data.
Security measures include encryption, access control, monitoring for unauthorized access, and data backups etc.
Also applicable to Data Processors: contracts with Data Processors must require them to adhere to the above measures.
Measures must comply with technical and organizational standards to prevent data breaches, and must ensure:
➢ Confidentiality, integrity and availability of data,
➢ Provisions for detecting and addressing breaches, and
➢ Maintenance of logs (retained for one year; see the timelines table at the end).
INTIMATION OF PERSONAL DATA BREACH: Rule 7
On becoming aware of a personal data breach, the Data Fiduciary must:
➢ Immediately notify all affected Data Principals, and
➢ Inform the Board about the breach without delay.
The notification must be clear and straightforward, explaining:
➢ The breach's nature, extent and timing,
➢ The potential consequences for the affected individuals,
➢ The measures taken to mitigate the risks,
➢ Safety recommendations for protecting their data, and
➢ Contact information of a DPO/responsible person for inquiries.
Time limit: within 72 hours (or a longer period if permitted by the Board), the Data Fiduciary must further provide the Board with detailed information on all of the above aspects, and additionally:
➢ The identity of the individual responsible, if known,
➢ The remedial steps taken to prevent future breaches, and
➢ Details of the notifications sent to affected Data Principals.
TIME PERIOD FOR SPECIFIED PURPOSE TO BE DEEMED AS NO LONGER BEING SERVED: Rule 8
Personal data must be erased where a Data Fiduciary of a class listed in Schedule III processes it for the purposes outlined there and the Data Principal does not engage with it within the specified period.
Purpose: provides a clear process for erasing personal data if the Data Principal has not interacted with the Data Fiduciary within the specified time, ensuring that data is retained only when necessary for continued use or legal obligations.
Classes of Data Fiduciaries: e-commerce entities, online gaming intermediaries and social media platforms.
Condition: the Data Principal does not engage with the Data Fiduciary within the specified period.
Exception: data required for legal compliance must not be erased.
Time period for erasure: defined in Schedule III; personal data may be retained for up to 3 years.
Reckoning of the time period: from the last interaction, or from the implementation (commencement) of the Rules, WHICHEVER IS LATER.
Exclusion: data needed for the Data Principal to access their user account or virtual tokens.
Notice before erasure: the Data Fiduciary must notify the Data Principal at least 48 hours in advance, to give them an opportunity to preserve the data by taking appropriate action.
Action required of the Data Principal: log in or otherwise initiate contact with the Data Fiduciary to fulfil the specified purpose.
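The reckoning above, as an added example (not part of this summary and not taken from the Rules themselves): a Python sketch of the erasure clock a Data Fiduciary's retention job would run. The periods (3 years, 48 hours) and the "whichever is later" rule are those summarised above; the commencement date, the record fields and the function names are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Periods as summarised for Rule 8 / Schedule III.
RETENTION_YEARS = 3
NOTICE_WINDOW = timedelta(hours=48)


def utc(year: int, month: int, day: int, hour: int = 0) -> datetime:
    """Timezone-aware timestamp helper; every time in this example is UTC."""
    return datetime(year, month, day, hour, tzinfo=timezone.utc)


# Assumed commencement date of the Rules: a placeholder for this example,
# not a date taken from the draft Rules.
RULES_COMMENCEMENT = utc(2025, 1, 1)


@dataclass
class UserRecord:
    user_id: str
    last_interaction: datetime                  # last time the DP approached the DF for the specified purpose
    legal_hold: bool = False                    # retention required by another law (Rule 8 exception)
    needed_for_account_access: bool = False     # needed to access the account / virtual tokens (exclusion)
    notice_sent_at: Optional[datetime] = None   # when the 48-hour pre-erasure notice went out


def add_years(d: datetime, n: int) -> datetime:
    """Calendar-year arithmetic; 29 Feb falls back to 28 Feb in a non-leap target year."""
    try:
        return d.replace(year=d.year + n)
    except ValueError:
        return d.replace(year=d.year + n, day=28)


def erasure_due(rec: UserRecord, commencement: datetime = RULES_COMMENCEMENT) -> Optional[datetime]:
    """Date on which the specified purpose is deemed no longer served, or None when
    Rule 8 does not require erasure (legal hold or account-access exclusion)."""
    if rec.legal_hold or rec.needed_for_account_access:
        return None
    # Reckon from the last interaction or the commencement of the Rules, whichever is
    # later, so a user already dormant before commencement still gets the full period.
    start = max(rec.last_interaction, commencement)
    return add_years(start, RETENTION_YEARS)


def notice_deadline(rec: UserRecord, commencement: datetime = RULES_COMMENCEMENT) -> Optional[datetime]:
    """Latest moment at which the advance notice may be sent: 48 hours before erasure is due."""
    due = erasure_due(rec, commencement)
    return None if due is None else due - NOTICE_WINDOW


def next_action(rec: UserRecord, now: datetime, commencement: datetime = RULES_COMMENCEMENT) -> str:
    """What a periodic retention job should do with this record right now:
    'retain', 'send_notice' or 'erase'."""
    due = erasure_due(rec, commencement)
    if due is None:
        return "retain"
    if rec.notice_sent_at is None:
        # No notice yet: send it once the deadline is reached; never erase an unnotified record.
        return "send_notice" if now >= due - NOTICE_WINDOW else "retain"
    # A notice sent late pushes erasure out so the Data Principal still gets 48 hours.
    earliest_erasure = max(due, rec.notice_sent_at + NOTICE_WINDOW)
    return "erase" if now >= earliest_erasure else "retain"


def record_interaction(rec: UserRecord, at: datetime) -> UserRecord:
    """The Data Principal logged in or contacted the Data Fiduciary: the clock
    restarts and any pending erasure notice is void."""
    rec.last_interaction = at
    rec.notice_sent_at = None
    return rec


if __name__ == "__main__":
    # Constructed sample records, not real users.
    dormant_since_2020 = UserRecord("u1", utc(2020, 6, 1))
    print(erasure_due(dormant_since_2020))       # counted from commencement, not from 2020
    active = UserRecord("u2", utc(2026, 3, 10))
    print(next_action(active, utc(2029, 3, 8)))  # send_notice
```

Two design points matter more than the arithmetic: erasure is gated on the notice actually having been sent, so a job that sends the notice late automatically slides the erasure date rather than shortening the Data Principal's 48 hours; and a fresh interaction clears any pending notice, so the record cannot be erased on the strength of a notice issued before the user came back.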
CONTACT INFORMATION FOR ADDRESSING DATA PROCESSING QUERIES: Rule 9
Every Data Fiduciary must clearly display on its website or app the contact details of a designated person.
Purpose:
➢ To address queries regarding the processing of personal data,
➢ To ensure transparency and accountability,
➢ To provide clear contact information for easier access by Data Principals,
➢ To let Data Principals inquire about their personal data and its processing, and
➢ To let them exercise their rights under the Act.
The designated person could be the Data Protection Officer (DPO).
The contact information should be easily accessible and visible to Data Principals, and must be included in all responses to communications from Data Principals.
VERIFIABLE CONSENT FOR PROCESSING PERSONAL DATA OF CHILDREN AND PERSONS WITH DISABILITIES: Rule 10
Scope: requirements for obtaining verifiable consent from parents or legal guardians when processing the personal data of children or of persons with disabilities.
Obligation: the Data Fiduciary must implement appropriate measures.
Purpose: to ensure that the person providing consent for a child's data processing is the child's parent or legal guardian, and that the parent or guardian is identifiable.
Verification: for a child, the Data Fiduciary must verify that the parent is an adult by using reliable identity details, or a virtual token mapped to such details.
Objective: to ensure that consent is being given by a responsible adult, in compliance with relevant laws.
EXEMPTIONS FROM OBLIGATIONS IN PROCESSING PERSONAL DATA OF CHILDREN: Rule 11
Certain exemptions from the standard requirements for processing the personal data of children, as stated in section 9 of the Act, are granted to specific types of Data Fiduciaries and for certain purposes, subject to the conditions laid out in Schedule IV.
Aim: protecting children's personal data while enabling necessary activities for their health, education and safety.
Part A of Schedule IV (classes of Data Fiduciaries): certain classes of Data Fiduciaries, such as healthcare professionals, educational institutions and childcare providers, are exempt from specific provisions relating to children's data.
➢ What is permitted: processing of children's personal data.
➢ Restriction: processing is restricted to specific activities such as health services, educational activities, safety monitoring and transportation tracking.
➢ When: where the activity is required for the well-being and safety of the child, ensuring that data processing is done within a defined and limited scope.
Part B of Schedule IV (specific purposes for which the exemptions apply):
➢ Processing for legal duties,
➢ Issuing subsidies or benefits to children,
➢ Creating user accounts for communication purposes,
➢ Ensuring the child does not have access to harmful information, or
➢ Verifying the age of a Data Principal.
Necessary scope of processing: processing is restricted to what is necessary to perform the function, service or duty, with an emphasis on protecting the child's best interests.
ADDITIONAL OBLIGATIONS OF SIGNIFICANT DATA FIDUCIARIES: Rule 12
Obligations of Significant Data Fiduciaries (SDF): an SDF must conduct a Data Protection Impact Assessment (DPIA) and a comprehensive audit once every year.
Reporting to the Board: the results of the DPIA and audit must be reported to the Board, covering key findings and adherence to data protection requirements.
Self-declaration by the SDF: that any algorithmic software it uses to process personal data does not pose a risk to the rights of Data Principals; this includes algorithms used for data hosting, storage and sharing.
Data localisation: the SDF must adopt measures to ensure that personal data identified by the Central Government is processed in compliance with the specified restrictions, ensuring that such data and any related traffic data are not transferred outside India.
OBLIGATIONS OF DATA FIDUCIARIES AND CONSENT MANAGERS IN RESPECT OF DATA PRINCIPALS' RIGHTS: Rule 13
Data Fiduciaries and Consent Managers must clearly publish on their website or app the process by which Data Principals can exercise their rights under the Act.
Timelines: provide clear timelines for responding to grievances, ensuring an effective process with the necessary technical and organizational safeguards.
Identification: to facilitate identification, Data Principals may be asked for identifying details such as usernames.
Rights to be exercised by the DP: Data Principals can request access to, and erasure of, their personal data by contacting the Data Fiduciary.
Nomination by the Data Principal: Data Principals may nominate one or more individuals to exercise their rights under the law.
Condition: the procedures of the Data Fiduciary and applicable legal norms must be adhered to.
DATA PROCESSING BY DATA FIDUCIARIES OUTSIDE INDIA: Rule 14
➢ Processing of personal data within India, or outside India in connection with offering goods or services to Data Principals in India,
➢ must comply with any requirements the Central Government sets
➢ in respect of making such personal data available to a foreign State or its entities.
This is intended to ensure that personal data remains protected under the Act.
CALLING FOR INFORMATION FROM DATA FIDUCIARY OR INTERMEDIARY BY CENTRAL GOVERNMENT (CG): Rule 22
The Central Government is empowered to call for specific information, for the purposes outlined in Schedule VII, from Data Fiduciaries or intermediaries.
Legal basis: section 36 of the Act.
Purposes: including national security, legal compliance, or assessing the status of certain Data Fiduciaries.
Restriction on disclosure: where disclosure of the information might compromise the sovereignty, integrity or security of India, the authorized person may restrict its disclosure unless prior written permission is obtained.
EXEMPTION FROM THE ACT: Rule 15
➢ Processing for research, archiving or statistical purposes,
➢ Condition: it must adhere to the specific standards outlined in Schedule II.
➢ This exemption ensures that necessary data processing for academic and policy research can occur while maintaining safeguards and standards to protect personal data.
DATA PROTECTION BOARD: Rules 16 to 20
Composition: a Chairperson and other Members.
Salary, allowances and other terms of service (as per Schedule V):
➢ Chairperson: consolidated salary of ₹4,50,000 per month,
➢ Other Members: consolidated salary of ₹4,00,000 per month to each Member,
➢ No provision for housing or a car.
Officers and employees of the Board: the Board can appoint the officers and employees necessary for carrying out its functions, with prior approval of the Central Government.
Appointments: on deputation from various government bodies or public sector enterprises, or from the National Institute for Smart Government.
Salaries: aligned to market standards, with other terms decided by the Board.
Other terms and conditions of appointment: as per Schedule VI.
Search-cum-Selection Committee (SSC): the Central Government shall form an SSC to recommend candidates for Chairperson and other Members of the DPB.
Constituents of the Committee:
1. The Cabinet Secretary (who shall act as Chairperson of the SSC),
2. Secretary, MeitY,
3. Secretary, Department of Legal Affairs (DLA), and
4. Two subject-matter experts or persons with practical experience.
Power of the CG: the Central Government shall appoint the Chairperson and other Members after considering their suitability and the recommendation of the SSC.
Meetings of the Board and authentication of orders:
➢ The Chairperson decides the date, time, place and agenda of meetings, and may delegate these duties.
➢ Meetings are chaired by the Chairperson; if absent, by another Member chosen by those present.
➢ Quorum: one-third of the Board's membership.
➢ Decisions: by majority vote; in case of a tie, the Chairperson has a casting vote.
➢ Conflict of interest: a Member with a conflict of interest is prohibited from participating or voting on the matter.
➢ Urgent situations: the Chairperson may take immediate action, which must then be ratified at the next Board meeting.
➢ Resolution by circulation: if required, certain issues may be decided by circulating the item to Members for approval.
➢ Authentication of orders: the Chairperson or any authorized individual can authenticate the Board's orders, directions or instruments.
Inquiries by the Board: to be completed within six months, extendable by a further three months if necessary.
Powers of the Board:
➢ To operate as a digital office,
➢ To carry out meetings in online mode,
➢ To adopt techno-legal measures to carry out its functions without requiring the physical presence of individuals, and
➢ To summon individuals and examine them under oath.
APPEAL TO APPELLATE TRIBUNAL: Rule 21
Who may appeal: a person dissatisfied with an order or direction of the Board; the appeal must be submitted digitally.
Procedure: as set by the Appellate Tribunal on its website; the Appellate Tribunal has the authority to regulate its own procedure.
Fees for filing the appeal: as prescribed; the Appellate Tribunal's Chairperson may decide to reduce or waive them.
Powers of the Appellate Tribunal: the same as the powers of the Board.
TIMELINES PRESCRIBED UNDER RULES
(Timeline: event, provision, description)
➢ Immediate: data breach, Rule 7(1)(a) to (e): notify all affected Data Principals of the breach's nature, extent and timing, the potential consequences for the affected individuals, and the measures taken to mitigate the risks.
➢ Without delay: data breach, Rule 7(2)(a): inform the Data Protection Board about the breach (same particulars).
➢ 72 hours: data breach, Rule 7(2)(b): provide detailed information about the breach to the Data Protection Board.
➢ 1 year: Rule 6: retention of logs and personal data.
➢ 3 years: inactivity, Rule 8: erasure of personal data by e-commerce entities, online gaming intermediaries etc.; the Data Principal must be informed at least 48 hours before erasure.