Skip to main contentChat with us

DPDP Act 2023 · DPDP Rules 2025

DPDP Rules
2025

The Digital Personal Data Protection Rules, 2025 provide the operational framework for implementing the DPDP Act 2023. With 23 rules and 7 schedules, these rules detail compliance requirements for all organizations.

Released January 3, 2025, the Rules convert the Act's principles into operational obligations — from consent notices and security safeguards to breach reporting and cross-border transfer.

Get Expert GuidanceExplore the DPDP Hub
23Rules
7Schedules
Jan 2025Released

MeitY · 23 Rules + 7 Schedules · Last reviewed June 2026

Rule by Rule

All 23 Rules Explained

Preliminary (Rules 1-3)

Rule 1
Short title and commencement

Rules come into force on publication in Official Gazette

Rule 2
Definitions

Key terms including Consent Manager, itemised data, verifiable consent

Rule 3
Notice by Data Fiduciary

Requirements for notice to Data Principals with itemised description of personal data

Obligations of Data Fiduciary (Rules 4-5)

Rule 4
Consent Manager Registration

Registration requirements, conditions, and obligations for Consent Managers

Rule 5
State Processing Standards

Standards for processing by State and instrumentalities for subsidies, benefits, services

Rights and Duties (Rules 6-8)

Rule 6
Security Safeguards

Reasonable security safeguards including encryption, access controls, monitoring

Rule 7
Breach Notification

Intimation of personal data breach to Board and affected Data Principals

Rule 8
Data Retention Period

Time periods after which purpose is deemed no longer served

Special Provisions (Rules 9-12)

Rule 9
Contact Information

Person designated to answer questions about processing

Rule 10
Child Consent

Verifiable consent requirements for processing children's data

Rule 11
Guardian Consent

Verifiable consent for persons with disability having lawful guardian

Rule 12
Child Data Exemptions

Classes of Data Fiduciaries exempt from certain child data obligations

Data Protection Board (Rules 13-15)

Rule 13
Significant Data Fiduciary

Additional obligations including DPIA, periodic audits, DPO appointment

Rule 14
Data Principal Rights

Procedures for exercising rights of access, correction, erasure

Rule 15
Cross-Border Transfer

Requirements for transfer of personal data outside India

The Annexures

7 Schedules

Schedule I
Consent Manager

Part A: Conditions of registration | Part B: Obligations

Schedule II
State Processing Standards

Standards for processing under Section 7 and Section 17(2)(b)

Schedule III
Data Retention

Class of Data Fiduciaries, Purposes, and Time periods

Schedule IV
Child Data Exemptions

Part A: Classes exempt | Part B: Purposes exempt from Section 9(1) and 9(3)

Schedule V
Board Terms

Terms and conditions of service of Chairperson and Members

Schedule VI
Board Staff

Terms of appointment and service of officers and employees

Schedule VII
Authorized Persons

Purpose and Authorised person table for information requests

Keep Exploring

Related Reading

Privacy

DPDP Knowledge Hub

Rules 2025, penalties, SDF obligations and 14 deep-dive guides.

Read more
Privacy

DPDP Compliance Checklist

A step-by-step checklist for DPDP Act readiness.

Read more
Privacy

DPDP Penalties & Enforcement

Penalty tiers up to ₹250 Cr and the Data Protection Board process.

Read more
Privacy

Significant Data Fiduciary

Enhanced obligations for large-scale data processors under the DPDP Act.

Read more
Privacy

DPDP Implementation Roadmap

Phased roadmap from gap assessment to full compliance.

Read more
Privacy

DPDP Act Overview

India's Digital Personal Data Protection Act, explained.

Read more

Get in touch

Book a free consultation or send us your requirements. We respond within 24 hours.

Quick Call

Pick a time slot

Send Requirements

Get a custom quote in 24 hours

We're Online

⚠️ Business inquiries only. Personal email addresses will be rejected.

24hr Response
Free Consultation
No Obligations