The Ministry of Electronics and Information Technology (hereinafter referred to as ‘MeitY’) has released the finalized Digital Personal Data Protection Rules, 2025 (hereinafter referred to as ‘DPDP Rules/ Rules’) vide Gazette Notification dated November 13, 2025. This comes after a long wait of 10 months since the Draft Rules were released on January 3, 2025. With this notification, the Digital Personal Data Protection Act, 2023 (hereinafter referred to as ‘DPDPA’) becomes enforceable.
1. Date of Notification, i.e., November 13, 2025 – Rules 1 (Short Title), 2 (Definitions) and 17 to 21 (appointment and operations of the Data Protection Board, hereinafter referred to as the ‘Board’). Bringing these Rules into force indicates that the government will initiate the process of making the Board functional by constituting a Search-cum-Selection Committee headed by the Cabinet Secretary and joined by the Secretaries of the Department of Legal Affairs and MeitY, along with two experts of repute possessing practical or specialised knowledge relevant to the Board’s mandate.
2. After 12 months (one year), i.e., November 13, 2026 – Rule 4, which lays down the requirements for registration and the obligations of Consent Managers. Consent Managers are thus given 12 months to register themselves with the Board and comply with the relevant obligations.
3. A transition period of 18 months for organisations to comply, i.e., May 13, 2027 – Rules 3, 5 to 16, 22 and 23 pertain to the essential aspects of the DPDPA, including the obligations of Data Fiduciaries, notice and consent requirements, rights of Data Principals, reasonable security safeguards, processing of children's data, exemptions and cross-border data transfers. Organisations are given an 18-month deadline to comply with these obligations, i.e., by May 13, 2027.
1. One (01) year retention period – The newly inserted Rule 8(3) states that a Data Fiduciary must ensure that any personal data it processes, whether directly or through a Data Processor, along with the related traffic data and processing logs, is retained for at least one year from the date of processing for the purposes listed in the Seventh Schedule. After this period, the data and logs must be erased, unless a longer retention is required under any other law or by government notification. The Seventh Schedule lists three purposes for this retention:
a. Use by the State or any of its instrumentalities, of personal data of a Data Principal in the national interest.
b. Use by the State or any of its instrumentalities for the following purposes, namely:—
- Performance of any function under any law for the time being in force; or
- Disclosure of any information for fulfilling any obligation under any law for the time being in force.
c. Carrying out an assessment for notifying any Data Fiduciary or Significant Data Fiduciary (SDF).
2. Illustrations for the one-year mandatory retention compliance under Rule 8(3) – The DPDP Rules lay down 2 illustrations for explaining the one-year retention compliance:
a. Case 1: X, a Data Principal, purchases an e-book on an e-book platform Y. Once delivery is completed, the specified purpose of processing is served. The platform Y must retain the order details, personal data, and logs of the processing (such as order confirmation, payment, and delivery events) for at least one year from the date of the transaction, even if X deletes her account.
b. Case 2: X, a company, engages a cloud service provider C as its Data Processor to host customer records. X, as the Data Fiduciary, is required to ensure that C also retains the data and associated logs for at least one year before erasure, unless any other applicable law requires a longer period.
3. Time period to respond to Data Principals’ requests – Rule 14(3) sets a time limit of 90 days for responding to requests made by Data Principals to exercise their rights.
4. Restriction on cross-border transfer of data by SDFs – Rule 13(4) prohibits SDFs from transferring outside the territory of India any traffic data pertaining to the flow of personal information; any stricter sectoral laws in force continue to apply in addition to this restriction.
5. Constitution of a committee to recommend measures to be taken by Significant Data Fiduciaries – Rule 13(5) is inserted to provide for the constitution of a committee that will recommend to the Central Government the measures to be notified for SDFs.
6. Processing children’s data for real-time monitoring – Section 9 of the DPDPA mandates obtaining the verifiable consent of a child’s parent/guardian before processing her personal information, and prohibits tracking or behavioural monitoring of children, subject to certain exceptions that were set out in the Draft Rules. Part B of Schedule 4 of the Rules now defines those permitted purposes and inserts a new exception: tracking the real-time location of a child, restricted to the interest of her safety and protection or security.
1. What if a complaint is made once the Board is established but before the 12-month or 18-month deadline?
As of November 13, 2025, the Rules pertaining to the establishment and operationalisation of the Board are in force. Assume that the Board is established in January 2026 and a complaint is made at that point. The compliance deadlines for Consent Managers and organisations would still be 10 months and 16 months away, respectively. Since the provisions relating to penalties would not have been enforced by then, one might expect the Board not to take any adverse step on such a complaint. However, while the Board may not impose penalties, it could still issue notice to the respondent organisation to initiate corrective measures, or monitor its data privacy practices. Though this would not impose a monetary burden, it can result in customer trust being affected. It is therefore recommended to start compliance as soon as practicable.
2. Notification of the Rules repeals Section 43A of the IT Act and the SPDI Rules.
Since the Rules are notified and the Act is enforced, the SPDI Rules should stand repealed. While the SPDI Rules prescribed compliance with ISO standards, Rule 6 of the Rules does not prescribe any external standard and instead itself lays down the standards for ‘reasonable security measures’, thus favouring small organisations and startups with limited resources.
3. What is the status of legacy data/personal information already collected and processed?
The DPDPA and the Rules are not retrospective in nature to the extent of obtaining the consent of the Data Principal. However, as per Section 5(2) of the DPDPA, a clear notice shall be provided to Data Principals mentioning the types of data processed and the purposes for which they are processed, which in effect requires organisations to conduct data mapping exercises.
4. Do persons with disabilities include senior citizens/the elderly?
The DPDPA and Rules are silent on this aspect.
5. Is there a concept of Joint Data Fiduciary under the DPDPA?
As per Section 2(i) of the DPDPA, Data Fiduciary means any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data. The phrase “in conjunction with” encompasses Joint Data Fiduciary within this definition.
6. What is the time limit within which the Board shall complete its investigation?
The DPDP Rules prescribe a 6-month limit to complete an investigation, which can be extended by up to 3 months, with reasons recorded.
7. Penalties for non-compliance by Data Fiduciaries and Significant Data Fiduciaries are the same.
The Rules do not define the criteria for notifying SDFs. It is pertinent to note that the penalties prescribed under the DPDPA are the same for both DFs and SDFs.
8. Can Data Processors claim safe harbour under Section 79 of the IT Act as intermediaries?
A ‘data processor’ may not always be the same as an ‘intermediary’ as defined under the IT Act. A data processor collects and processes personal information as per the directions of the data fiduciary, but this in no way means that the data processor has no visibility of, or knowledge about, the nature and types of personal information being collected and processed. The safe harbour, by contrast, is applicable to intermediaries that have no knowledge of particular unlawful third-party content being uploaded on their platform.
9. What is the time limit prescribed to report a data breach?
The DPDP Rules prescribe a 72-hour limit to report the description of the breach, including its nature, extent, timing and location of occurrence, and the likely impact of such breach.
10. Are there any provisions governing AI compliance?
Rule 13(3) of the Rules states that an SDF shall observe due diligence to verify that technical measures, including algorithmic software adopted by it for hosting, display, uploading, modification, publishing, transmission, storage, updating or sharing of personal data processed by it, are not likely to pose a risk to the rights of Data Principals.
About the authors: Vikrant Rana is the Managing Partner at SS Rana & Co. Anuradha Gandhi is a Managing Associate and Prateek Chandghotia is an Associate at the Firm.
Disclaimer: The opinions expressed in this article are those of the author(s). The opinions presented do not necessarily reflect the views of Bar & Bench.