DRAFT DPDPA RULES Decodified

The draft DPDPA Rules, 2025 outline the phased implementation of compliance and data protection regulations, including requirements for data fiduciaries and consent managers. Key provisions include clear notice requirements for data principals, obligations for consent managers, and security measures for personal data protection. The rules also establish the powers of the Data Protection Board and the process for addressing grievances and appeals.
ZEDROIT GLOBAL SOLUTIONS PRIVATE LIMITED

DRAFT DPDPA RULES, 2025


Commencement and implementation: The Rules will be implemented in different phases.

COMPLIANCE-RELATED RULES (e.g. how notice is to be provided or how a personal data breach should be reported)
➢ Rules covered: Rules 3 to 15, rule 21 and rule 22
➢ Come into force: with effect from dates that the Central Government will specify.

RULES CONCERNING THE DATA PROTECTION BOARD (e.g. the appointment of members, their terms of service, and allied techno-legal measures)
➢ Rules covered: all others except Rules 3 to 15, rule 21 and rule 22
➢ Come into force: upon being published in the Official Gazette.

NOTICE BY DATA FIDUCIARY TO DATA PRINCIPAL (DP): Rule 3

Applies to both past, present and new Data Principals.

➢ Must be clear, standalone, and understandable,
➢ Distinct from any other information shared by the Data Fiduciary,
➢ In simple, plain language,
➢ Provide the Data Principal with full and transparent information.
➢ Purpose: necessary for giving informed consent for the processing of their personal data.

NOTICE MUST INCLUDE:

➢ Itemized list of the personal data being collected,
➢ Clear description of the purpose for processing,
➢ Itemized explanation of the goods, services, or uses enabled by such processing,
➢ A communication link to the Data Fiduciary's website or app,
➢ Description of the methods to withdraw consent, which must be as easy as the process of giving consent,
➢ Methods to exercise their rights, and
➢ Methods to make complaints to the Board.

REGISTRATION AND OBLIGATIONS OF A CONSENT MANAGER: Rule 4

Eligibility conditions:
➢ Must be a company incorporated in India,
➢ Sound financial and operational capacity,
➢ Minimum net worth of 2 crore rupees,
➢ A reputation for fairness and integrity in its management, and
➢ A certified interoperable platform enabling Data Principals to manage their consent.

Application for registration to be made to the Data Protection Board.

Obligations of a Consent Manager:

Ensure that Data Principals can easily
➢ give,
➢ manage,
➢ review, and
➢ withdraw consent.

Further obligations w.r.t. Data Principals:
➢ Maintaining records of consents and data sharing,
➢ Providing transparent access to such records.

Responsibilities of a Consent Manager:
➢ To implement strong security measures to protect personal data,
➢ Avoid conflicts of interest, and
➢ Ensure transparency by publishing key management details and ownership structures.

ADV. GANAT JUNEJA 1



POWER OF THE BOARD

Board may
➢ audit the Consent Manager's operations,
➢ suspend or cancel its registration, if necessary,
➢ issue corrective directions to safeguard the interests of Data Principals.

Consent Manager must maintain independence: strict rules to prevent conflicts of interest involving
➢ its directors or senior management, and
➢ Data Fiduciaries.
Prohibition on Consent Managers: from subcontracting or assigning responsibilities.
Obligations: Ensure long-term compliance by regularly reviewing their operations. Transfer of control of the Consent Manager company requires prior approval from the Board.
Purpose: To ensure that Consent Managers uphold high standards of transparency, security, and fiduciary duty in managing personal data.

PROCESSING FOR PROVISION OR ISSUE OF SERVICES BY STATE OR ITS INSTRUMENTALITY: Rule 5

Processing of personal data by
➢ the State and
➢ its instrumentalities.
Purpose: To provide or issue subsidies, benefits, services, certificates, licenses, or permits
➢ as defined under law or policy, or
➢ using public funds.
Processing must adhere to the specific standards in Schedule II.

Note: Schedule II ensures lawful, transparent, and secure handling of personal data for such purposes.

Conditions:
➢ Personal data is processed lawfully,
➢ for the stated purposes,
➢ limited to the data necessary for achieving those purposes,
➢ data must be accurate,
➢ retained only as long as necessary,
➢ appropriate security safeguards to prevent breaches.

Data Principal should be informed
1. About the processing,
2. Means to access their rights.
Purpose: To ensure that personal data processing is transparent, secure, and in line with legal and policy standards, safeguarding the interests of the Data Principals.
Processing must be done in compliance with any applicable laws: wider scope by covering other laws along with the DPDPA. The responsible parties must be accountable for adhering to these standards.


REASONABLE SECURITY SAFEGUARDS: Rule 6

A Data Fiduciary must implement reasonable security measures to protect personal data.

Security measures include encryption, access control, monitoring for unauthorized access, and data backups, etc.
Also applicable to: contracts with Data Processors must adhere to the above measures.
Measures must comply with technical and organizational standards to prevent data breaches.
To ensure
➢ confidentiality, integrity, and availability of data, and
➢ must include provisions for detecting and addressing breaches, and
➢ maintenance of logs.

INTIMATION OF PERSONAL DATA BREACH: Rule 7

When a Data Fiduciary becomes aware of a personal data breach, it must
➢ immediately notify all affected Data Principals, and
➢ inform the Board about the breach without delay.
Notification must be clear and straightforward, explaining
➢ the breach's nature,
➢ extent, and
➢ timing,
➢ along with potential consequences for the affected individuals,
➢ measures taken to mitigate the risks.
Update:
➢ Safety recommendations for protecting their data.
➢ Contact information of a DPO/responsible person for inquiries must be included.
Time limit: Within 72 hours or a longer time if permitted.
Further obligation: to provide detailed information on all the above aspects.
Additionally: the identity of the individual responsible, if known.
Must also report on the remedial steps taken to prevent future breaches and details of the notifications sent to affected Data Principals.

TIME PERIOD FOR SPECIFIED PURPOSE TO BE DEEMED AS NO LONGER BEING SERVED: Rule 8

The personal data must be erased if the Data Fiduciary processes personal data for purposes outlined in Schedule III.
Purpose: Provides a clear process for erasing personal data if the Data Principal has not interacted with the Data Fiduciary within the specified time.
To ensure: data is retained only when necessary for continued use or legal obligations.
Classes of Data Fiduciaries: e-commerce entities, online gaming intermediaries, and social media platforms.
Condition: Data Principal does not engage with the Fiduciary within a specified period.
Exception: data required for legal compliance must not be erased.


Time period for this erasure: defined in Schedule III.
Time period: may retain personal data for up to 3 years.
Reckoning of time period: from
➢ the last interaction, or
➢ implementation of the rules,
WHICHEVER IS LATER.
Exclusion: when the data is needed for the principal to access their account or virtual tokens.
Notify the Data Principal: must notify the Data Principal at least 48 hours in advance.
When: before erasure.
Purpose: To give the Data Principal an opportunity to preserve the data by taking appropriate action.
Method/Action required: log in or initiate contact with the Fiduciary to fulfil the specified purpose.
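Here is a worked example of the Rule 8 reckoning, added for illustration and not part of the Zedroit summary or of the Rules themselves: it computes the erasure and notice dates for inactive accounts of a hypothetical e-commerce Data Fiduciary, applying the "whichever is later" start, the 48-hour notice, and the legal-compliance and account-access carve-outs. The commencement date, the sample accounts and the field names (legal_hold, account_access, notified_at) are constructed assumptions.

```python
from datetime import datetime, timedelta

# Periods as summarised on the page for Rule 8 / Schedule III.
RETENTION_YEARS = 3
NOTICE_LEAD = timedelta(hours=48)


def add_years(dt, years):
    """Add calendar years; a 29 Feb start falls back to 28 Feb."""
    try:
        return dt.replace(year=dt.year + years)
    except ValueError:
        return dt.replace(year=dt.year + years, day=28)


def reckoning_start(last_interaction, rules_effective):
    """Rule 8: the period runs from the last interaction or the
    implementation of the rules, whichever is later."""
    return max(last_interaction, rules_effective)


def plan_erasure(record, rules_effective, now):
    """Decide what to do with one inactive Data Principal's record.
    Returns (action, erase_at); action is exempt / retain / notify / erase."""
    if record["legal_hold"]:        # exception: needed for legal compliance
        return "exempt", None
    if record["account_access"]:    # exclusion: needed to access account / virtual tokens
        return "exempt", None
    start = reckoning_start(record["last_interaction"], rules_effective)
    erase_at = add_years(start, RETENTION_YEARS)
    notified = record.get("notified_at")
    if notified is not None:
        # Never erase earlier than 48 h after the notice actually went out.
        erase_at = max(erase_at, notified + NOTICE_LEAD)
        return ("erase" if now >= erase_at else "retain"), erase_at
    if now < erase_at - NOTICE_LEAD:
        return "retain", erase_at
    # Notice window reached and no notice sent yet: notify now, erase 48 h later.
    return "notify", max(erase_at, now + NOTICE_LEAD)


def run_sample():
    """Constructed sample: commencement date and accounts are placeholders."""
    rules_effective = datetime(2025, 6, 1)
    now = datetime(2028, 6, 1)
    base = {"legal_hold": False, "account_access": False}
    accounts = {
        "u1": {**base, "last_interaction": datetime(2024, 1, 15)},
        "u2": {**base, "last_interaction": datetime(2026, 3, 10)},
        "u3": {**base, "last_interaction": datetime(2024, 1, 15), "legal_hold": True},
        "u4": {**base, "last_interaction": datetime(2024, 1, 15), "notified_at": datetime(2028, 5, 29)},
    }
    return {uid: plan_erasure(rec, rules_effective, now) for uid, rec in accounts.items()}


if __name__ == "__main__":
    for uid, (action, when) in run_sample().items():
        print(uid, action, when)
```

Note that u1's last interaction predates the assumed commencement, so its three years run from commencement, not from the interaction.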

CONTACT INFORMATION FOR ADDRESSING DATA PROCESSING QUERIES: Rule 9

Every Data Fiduciary must clearly display on their website or app the contact details of a designated person.
Purpose:
➢ To address queries regarding the processing of personal data,
➢ To ensure transparency and accountability,
➢ To provide clear contact information,
➢ For easier access by Data Principals,
➢ To inquire about their personal data and its processing,
➢ To exercise their rights under the Data Protection Act.
Designated person: could be the Data Protection Officer (DPO).
Contact information: should be easily accessible and visible to Data Principals; must be included in all responses to communications from Data Principals.

VERIFIABLE CONSENT FOR PROCESSING PERSONAL DATA OF CHILDREN AND PERSONS WITH DISABILITIES: Rule 10

In case of processing the personal data of children or persons with disabilities: requirements for obtaining verifiable consent from parents or legal guardians.
Obligation on Data Fiduciary: must implement measures.
Purpose: To ensure that the person providing consent for a child's data processing is the child's parent or legal guardian, and that the parent or guardian is identifiable.
Data Fiduciary must verify, for a child, that the parent is an adult by using reliable identity details or a virtual token mapped to such details.
Objective: To ensure that consent is being given by a responsible adult, in compliance with relevant laws.


EXEMPTIONS FROM OBLIGATIONS IN PROCESSING PERSONAL DATA OF CHILDREN: Rule 11

Certain exemptions to the standard requirements for processing the personal data of children, as stated in section 9 of the Act.
Exemptions granted to specific types of Data Fiduciaries and for certain purposes, subject to conditions laid out in Schedule IV.
Aim: protecting children's personal data and enabling necessary activities for their health, education, and safety.

Part A of Schedule IV: certain classes of Data Fiduciaries, such as healthcare professionals, educational institutions, and childcare providers, are exempt from specific provisions related to children's data.
What is permitted: processing of children's personal data.
Restriction: processing is restricted to specific activities like health services, educational activities, safety monitoring, and transportation tracking.
When: activities are required for the well-being and safety of the child, ensuring that data processing is done within a defined and limited scope.

Part B of Schedule IV: specific purposes for which the exemptions apply.
Specific purposes:
➢ Processing for legal duties,
➢ Issuing subsidies or benefits to children,
➢ Creating user accounts for communication purposes, or
➢ Ensuring the child does not have access to harmful information,
➢ Verifying the age of a data subject.
Necessary scope of processing: processing is restricted to what is necessary to perform the function, service, or duty, with an emphasis on protecting the child's best interests.

ADDITIONAL OBLIGATIONS OF SIGNIFICANT DATA FIDUCIARIES: Rule 12

Obligations of Significant Data Fiduciaries (SDF): an SDF must conduct a Data Protection Impact Assessment (DPIA) and a comprehensive audit once every year.
Reporting to Board: results of the DPIA and audits must be reported to the Board.
Content of report: key findings and adherence to data protection requirements.
Self-declaration by SDF: any algorithmic software they use to process personal data does not pose a risk to the rights of Data Principals; this includes algorithms used for data hosting, storage, and sharing.
Entities must adopt measures: to ensure that personal data identified by the Central Government is processed in compliance with specific restrictions, ensuring that the data and any related traffic data are not transferred outside of India.


OBLIGATIONS OF DATA FIDUCIARIES AND CONSENT MANAGERS

Obligation on Data Fiduciaries and Consent Managers: to clearly publish on their website or app the process by which Data Principals can exercise their rights under the Act.
Provide clear timelines: for responding to grievances, ensuring an effective process with the necessary technical and organizational safeguards.
To facilitate identification: identifying details like usernames.
Rights to be exercised by the DP: Data Principals can request to access and erase their personal data by contacting the Data Fiduciary.
Nomination by Data Principal: Data Principals may nominate one or more individuals to exercise their rights under the law.
Condition: procedures of the Data Fiduciary and applicable legal norms must be adhered to.

DATA PROCESSING BY DATA FIDUCIARIES OUTSIDE INDIA: Rule 14

➢ Processing of data within India, or
➢ in connection with offering goods or services to Data Principals from outside India,
➢ must comply with any requirements the Central Government sets
➢ in respect of making such personal data available to a foreign State or its entities.

This is intended to ensure that personal data remains protected under the Act.

CALLING FOR INFORMATION FROM DATA FIDUCIARY OR INTERMEDIARY BY CG: Rule 22

Central Government is empowered to retrieve specific information, for purposes outlined in Schedule VII, from Data Fiduciaries or intermediaries.
Legal obligation: under Section 36 of the Act.
Purpose: for purposes including national security, legal compliance, or to assess the status of certain Data Fiduciaries.
Authorized person may restrict disclosure unless prior written permission is obtained, where the disclosure of information might compromise the sovereignty, integrity, or security of India.

EXEMPTION FROM ACT: Rule 15

➢ For research, archiving, or statistical purposes.
➢ Condition: if it adheres to the specific standards outlined in Schedule II.
➢ This exemption ensures that necessary data processing for academic and policy research can occur while maintaining certain safeguards and standards to protect personal data.


DATA PROTECTION BOARD: Rules 16 to 20

Shall comprise: a Chairperson and other members.
Salary, allowances, and other terms of service (as per Schedule V):
➢ Chairperson: consolidated salary of ₹4,50,000 per month,
➢ Other members: consolidated salary of ₹4,00,000 per month to each member,
➢ No provisions for housing or a car.

Officers and employees of the Board: the Board can appoint officers and employees necessary for carrying out its functions, with prior approval from the Central Government.
Appointments: on deputation from various government bodies or public sector enterprises, or can be appointed from the National Institute for Smart Government.
Salaries: aligned to market standards and other terms decided by the Board.
Other terms and conditions of appointments: as per Schedule VI.

CG shall form a Search-cum-Selection Committee (SSC) to recommend candidates for Chairperson and other members of the DPB.
Constituents of Committee:
1. The Cabinet Secretary,
2. Secretary, MeitY,
3. Secretary, DLA (Department of Legal Affairs), and
4. Two subject matter experts or practically experienced personnel.
Cabinet Secretary shall act as Chairperson of the SSC.
Power of CG: CG shall appoint the Chairperson and other members after consideration of suitability and the recommendation of the SSC.

Meetings of the Board and authentication of orders

Chairperson: shall decide the date, time, place, and agenda of the meetings; authorized to delegate these duties.
Meetings to be chaired by: the Chairperson.
If absent: by another Member chosen by those present.

Quorum: one-third of the Board's membership.
Decision making: by majority vote.
In case of tie/deadlock: Chairperson has a casting vote.

In case of conflict of interest: Member prohibited from participating or voting on the matter.
In urgent situations: Chairperson has the authority to take immediate action, which must then be ratified at the next Board meeting.


Resolution by circulation: if required, certain issues may be decided by circulating the item to Members for approval.
Delegation of authority: Chairperson or any authorized individual can authenticate the Board's orders, directions, or instruments.
Inquiries by Board: to complete inquiries within six months.
Extension: a further three months if necessary.

Powers of the Board:
➢ To operate as a digital office,
➢ To carry out meetings in online mode,
➢ To adopt techno-legal measures to carry out its functions without requiring the physical presence of individuals,
➢ To summon individuals and examine them under oath.

APPEAL TO APPELLATE TRIBUNAL: Rule 21

Person dissatisfied with orders or directions of the Board:
➢ may file an appeal,
➢ must be submitted digitally.
Procedure:
➢ Procedure set by the Appellate Tribunal on its website,
➢ Appellate Tribunal has the authority to regulate its procedures.
Fees for filing the appeal:
➢ As prescribed,
➢ Appellate Tribunal's Chairperson may decide to reduce or waive it.
Power of the Appellate Tribunal: same as the powers of the Board.

TIMELINES PRESCRIBED UNDER RULES

Timeline: IMMEDIATE
Event: Data breach
Provision: Rule 7, 7(1)(a) to (e)
Description: Immediately notify all affected Data Principals of the breach's nature, extent, timing, potential consequences for the affected individuals and measures taken to mitigate the risks.

Timeline: IMMEDIATE
Event: Data breach
Provision: Rule 7(2)(a)
Description: Must inform the Data Protection Board about the breach without delay (same particulars as above).

Timeline: 72 hours
Event: Data breach
Provision: Rule 7(2)(b)
Description: Detailed information to the Data Protection Board about the breach.

Timeline: 1 year
Provision: Rule 6
Description: Retention of logs and personal data.

Timeline: 3 years
Event: In case of inactivity
Description: Erasure of personal data by e-commerce, online gaming, etc.; must inform the Data Principal at least 48 hours before erasure.
