New Delhi — The Union government has notified the Digital Personal Data Protection (DPDP) Rules 2025, marking the full implementation of the DPDP Act 2023. The new rules aim to strengthen citizens’ privacy rights and ensure the responsible use of personal data by both public and private organisations.
The Act, passed by Parliament in August 2023, establishes a national framework for handling digital personal data. It sets out obligations for companies and government entities that process data—referred to as “Data Fiduciaries”—and defines the rights of individuals, called “Data Principals”. The government said the system has been designed to be simple and accessible, with clear language and examples to help ordinary users understand their rights.
The framework rests on seven key principles: obtaining consent and maintaining transparency, limiting the purpose for which data is collected, minimising data use, ensuring accuracy, applying time limits for data storage, protecting data through security safeguards, and holding organisations accountable for compliance.
The Ministry of Electronics and Information Technology (MeitY) said the rules were finalised after public consultations across multiple cities, including Delhi, Mumbai, Bengaluru and Kolkata. Inputs were taken from startups, micro and small enterprises, industry bodies and civil society groups.
The government has introduced an 18-month transition period for organisations to comply with the new requirements. During this period, companies must issue clear consent notices stating how personal data will be used. Consent managers—entities that help individuals review or withdraw permissions—will have to be registered Indian companies.
DPDP Rules 2025 – clear protocols and child safeguards
Under the DPDP Rules, any data breach must be reported to affected individuals in plain language, detailing what occurred, possible consequences, steps taken and contact points for assistance.
Special provisions apply to the data of children and persons with disabilities. Data Fiduciaries must obtain verified consent before processing the personal data of minors, except in cases related to essential services such as healthcare and education.
For individuals with severe disabilities who cannot make independent decisions, consent must be obtained from a legal guardian.
Data Fiduciaries must display contact details of their Data Protection Officer or other designated personnel to respond to citizen concerns. Entities identified as “Significant Data Fiduciaries” will face stricter requirements, including independent audits and regular impact assessments of their technology use.
The framework reinforces the right of individuals to access, correct or delete their personal data, as well as to nominate a representative to manage these rights. Data Fiduciaries must respond to such requests within 90 days.
Digital-first grievance redressal system
A Data Protection Board will oversee compliance and address complaints through an online platform and mobile app. Citizens will be able to file and track complaints digitally, with appeals directed to the Telecom Disputes Settlement and Appellate Tribunal (TDSAT).
Officials said the rules aim to balance privacy protection with innovation and economic growth. The framework offers flexibility for startups and small businesses while upholding high data protection standards.
The Ministry said that, with a clear compliance roadmap and digital-first mechanisms, the DPDP Act and Rules seek to make India’s data governance model transparent, citizen-centric and globally competitive.

