MeitY Notifies Final Digital Personal Data Protection Rules 2025

November 14, 2025

By Vikrant Rana, Anuradha Gandhi and Prateek Chandgothia

Introduction

Ministry of Electronics and Information Technology (hereinafter referred to as ‘MeitY’) has released the finalized Digital Personal Data Protection Rules, 2025[1] (hereinafter referred to as ‘DPDP Rules/ notified rules’) vide Gazette Notification No. G.S.R. 846(E) dated November 13, 2025. This comes after a long wait of 10 months since the Draft Digital Personal Data Protection rules[2] (hereinafter referred to as ‘Draft Rules’) were released on January 3, 2025. With this notification, the Digital Personal Data Protection Act, 2023[3] (hereinafter referred to as ‘DPDPA’) has been made applicable and enforceable.

Timeline of enforcement

The Rules will become effective in a phased manner:

  1. From the date of Notification, i.e., November 13, 2025 – Rules 1 (Short Title), 2 (Definitions) and 17 to 21, which primarily deal with the appointment and operations of the Data Protection Board. Application of these Rules indicates that the Government will initiate the process of making the Data Protection Board functional by constituting a Search-cum-Selection Committee with the Cabinet Secretary at the helm, joined by the Secretaries of the Department of Legal Affairs and the Ministry of Electronics and Information Technology (MeitY), along with two experts of repute possessing practical or specialised knowledge relevant to the Board’s mandate.
  2. After 12 months (one year), i.e., November 13, 2026 – Rule 4, which lays down the requirements for registration and the obligations of Consent Managers. The Government has allowed a 12-month period for consent managers to register themselves with the Data Protection Board and comply with the relevant obligations as laid down.
  3. A transition period of 18 months for organizations to comply, i.e., May 13, 2027 – Rules 3, 5 to 16, 22 and 23, which pertain to essential aspects of the DPDPA including obligations of data fiduciaries, notice and consent requirements, rights of data principals, reasonable security safeguards, processing of children’s data, exemptions and cross-border data transfers. The Government has given organizations an 18-month deadline to comply with these obligations, i.e., organizations must comply with these rules by May 13, 2027.

(To read more on what the organizations need to do to comply with the DPDPA, refer to the following –

  1. https://ssrana.in/articles/meity-introduces-draft-digital-personal-data-protection-rules-2025-for-public-consultation/
  2. https://ssrana.in/articles/dpdp-rules-to-be-notified-by-april/ )

What has changed from the Draft Rules?

  1. One (01) year retention period – Insertion of Rule 8(3)[4], which states that a Data Fiduciary must ensure that any personal data it processes, whether directly or through a Data Processor, along with related traffic data and processing logs, is retained for at least one year from the date of processing for the purposes listed in the Seventh Schedule. After this period, the data and logs must be erased, unless a longer retention is required under any other law or by government notification. The Seventh Schedule lists three purposes for this retention:
    1. Use by the State or any of its instrumentalities, of personal data of a Data Principal in the interest of sovereignty and integrity of India or security of the State
    2. Use by the State or any of its instrumentalities for the following purposes, namely:—
      1. Performance of any function under any law for the time being in force in India; or
      2. Disclosure of any information for fulfilling any obligation under any law for the time being in force in India
    3. Carrying out assessment for notifying any Data Fiduciary or class of Data Fiduciaries as Significant Data Fiduciary
  2. Illustrations for the one-year mandatory retention compliance under Rule 8(3) – The DPDP Rules lay down two illustrations explaining the one-year retention compliance:
    1. Case 1: X, a Data Principal, purchases an e-book on an e-book platform Y. Once delivery is completed, the specified purpose of processing is served. Platform Y must retain the order details, personal data, and logs of the processing (such as order confirmation, payment, and delivery events) for at least one year from the date of the transaction, even if X deletes her account.
    2. Case 2: X, a company, engages a cloud service provider C as its Data Processor to host customer records. X, as the Data Fiduciary, is required to ensure that C also retains the data and associated logs for at least one year before erasure, unless any other applicable law requires a longer period.
  3. Time period to respond to the Data Principal’s rights – Under Rule 14(3), the notified rules have now set a time limit of 90 days for responding to Data Principal requests for exercising their rights. The Draft Rules had no such limit.
  4. Restriction of cross-border transfer of data by SDFs – As per Rule 13(4) of the DPDP Rules, Significant Data Fiduciaries (SDFs) are prohibited from transferring outside the territory of India any traffic data pertaining to the flow of personal information. Additionally, if there are any stricter sectoral laws regulating cross-border transfers in a particular sector, such rules shall apply.
  5. Constitution of a Committee to recommend measures to be taken by Significant Data Fiduciaries – Rule 13(5) has been inserted in the notified Rules. The committee constituted to recommend to the Central Government the measures to be notified for Significant Data Fiduciaries from time to time would include officials from MeitY and may include officials from other Ministries or Departments of the Central Government.
  6. Processing children’s data for real-time monitoring – Section 9 of the DPDPA mandates obtaining verifiable consent of a child’s parent/guardian before processing her personal information. It also prohibits tracking or behavioral monitoring of children, or targeted advertising directed at children. However, for certain purposes, this compliance requirement and prohibition do not apply. The DPDP Rules have amended Part B of Schedule 4, which defines such purposes, by inserting one further purpose: the determination of the real-time location of a child. This expands the scope of the exemption under the Schedule; however, processing for this purpose is restricted to tracking the real-time location of such child in the interest of her safety, protection or security.

(To read more on online tracking under the DPDPA, refer to – https://ssrana.in/articles/legality-of-online-tracking-under-the-data-privacy-act-2023/ )

(To read more on processing of personal information of minors under the DPDPA, refer to – https://ssrana.in/articles/ensuring-student-privacy-in-education-compliance-with-the-digital-personal-data-protection-act-2023/ )

Initial understanding of the Notified Rules

  1. What if a complaint is made once the Data Protection Board is established but before the 12-month or 18-month deadline prescribed under Rule 1 of the DPDP Rules?

    As of November 13, 2025, the rules pertaining to the establishment and operationalization of the Data Protection Board (DPB) have been enforced. Let’s assume that the DPB is established in January 2026 and a complaint is made before it. The compliance deadlines for consent managers and organizations would still be 10 months and 16 months away respectively. Since the provisions relating to penalties would not have been enforced by then, one might think that the DPB would not take any adverse steps on taking cognizance of such a complaint. This assumption would be incorrect. Although the DPB may not impose penalties as prescribed under the DPDPA, it could issue notices to the respondent organization directing corrective measures or monitoring its data privacy practices. These notices may not impose a monetary burden on the organization but may result in a loss of consumer trust. Therefore, it is recommended to start compliance as soon as practicable.

  2. Notification of the DPDP Rules repeals Section 43A of the IT Act and the SPDI Rules.

    With the Rules now notified and the Act enforced, the SPDI Rules should stand repealed. What needs to be considered is how the SPDI Rules prescribed compliance with ISO standards, whereas Rule 6 of the DPDP Rules, instead of prescribing any external standard, itself lays down the standard for ‘reasonable security measures’, which is favorable for small organizations and startups with limited resources. This approach balances regulation with innovation.

  3. What is the status regarding Legacy data/ Personal Information already collected and processed?

    The DPDPA and the DPDP Rules are not retrospective in nature to the extent of obtaining the consent of the Data Principal. However, as per Section 5(2) of the DPDPA, a clear notice shall be provided to data principals mentioning the types of personal data processed and the purposes for which it is being processed. For this, organizations must carry out a data mapping exercise to ensure visibility over the previous collection and processing of personal information.

  4. Does ‘People with Disabilities’ include senior citizens/the elderly?

    The DPDPA and DPDP Rules are silent on this aspect and presently only mandate verifiable consent from guardians of People with Disabilities.

  5. Is there a concept of Joint Data Fiduciary under the DPDPA?

    As per Section 2(i) of the DPDPA, a Data Fiduciary means any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data. The phrase “in conjunction with” encompasses Joint Data Fiduciaries within this definition. Therefore, no separate definition is required.

  6. What is the time limit within which the DPB shall complete its investigation?

    The DPDP Rules prescribe a 6-month limit to complete an investigation. This limit may be extended by 3 months, for which reasons must be recorded in writing.

  7. Can the Chief Information Security Officer (CISO) and the Data Protection Officer (DPO) be the same person?

    As per an initial reading of the rules and general legal principles, the answer to this question would be ‘No’, because the underlying legislation and the legislative intent behind the IT Act and the DPDPA are inherently different. Appointing the same person as the CISO and the DPO would lead to a conflict of interest. Therefore, it is recommended to have a distinct CISO and DPO.

  8. Penalties for non-compliance by Data Fiduciaries and Significant Data Fiduciaries are the same.

    The DPDP Rules do not define the criteria for notifying SDFs. It is pertinent to note that the penalties prescribed under the DPDPA are the same for both DFs and SDFs.

  9. Can Data Processors claim safe harbor under Section 79 of the IT Act as an intermediary?

    A ‘data processor’ may not always be the same as an ‘intermediary’ as defined under the IT Act. A data processor collects and processes personal information as per the directions of the data fiduciary. This in no way means that the data processor has no visibility or knowledge of the nature and types of personal information being collected and processed. The safe harbor under Section 79 of the IT Act applies to intermediaries who have no knowledge of a particular unlawful third-party content being uploaded on their platform.

  10. What is the time limit prescribed to report a data breach?

    The DPDP Rules prescribe a 72-hour limit to report a description of the breach, including its nature, extent, timing and location of occurrence and the likely impact of such breach.

  11. Are there any provisions governing AI compliance?

    Rule 13(3) of the DPDP Rules states that a Significant Data Fiduciary shall observe due diligence to verify that technical measures, including algorithmic software, adopted by it for hosting, display, uploading, modification, publishing, transmission, storage, updating or sharing of personal data processed by it are not likely to pose a risk to the rights of Data Principals.

[1] https://egazette.gov.in/(S(tg3nubbhowstyiwkmaeck1jz))/ViewPDF.aspx

[2] https://www.dpdpa.in/dpdpa_rules_2025/dpdpa_draft_rules_english_.pdf

[3] https://www.meity.gov.in/static/uploads/2024/06/2bf1f0e9f04e6fb4f8fef35e82c42aa5.pdf

[4] Rule 8(2) of the DPDP Rules, 2025 – Time period for specified purpose to be deemed as no longer being served

For more information please contact us at : info@ssrana.com