★ Founding Cohort open: limited seats remaining Back to main site →

Why you can trust this course

We don't ask you to take our word for it. Every claim in every lesson is anchored to a Section, Rule, or judgment. This page is the master register of every authority we cite.

Our verification promise

  1. Every factual claim has a source. If we say "Section 9 allows a three-month limitation period", you can click the [Lx-Cy] marker next to it and read the verbatim text of Section 9 of the Sexual Harassment of Women at Workplace Act, 2013.
  2. Every source is on this page. Below you will find every Section, Rule and judgment we have relied on, grouped by category, with the verbatim text we hold in our register.
  3. Every source has a public link. Wherever an authoritative public link exists (India Code, the official court website, a reputable law-reports portal), we link to it.
  4. Bug bounty for errors. If you find a factual error in any lesson, write to hello@dcomply.in with the lesson, the claim and the corrected source. We will credit your account ₹1,000 for the first report of any verifiable error, ₹5,000 for a substantial error.
8
modules
35
lessons
27
cited authorities
,
last reviewed
Legal basis snapshot: DPDP Act 2023 (No. 22 of 2023) + DPDP Rules 2025 (G.S.R. 843(E)-846(E), notified 13 November 2025)

The full citation register

Every authority used in any lesson appears below. Click a row to expand the verbatim text.

Schedule , Penalty matrix 11 Aug 2023
Plain summary: Sets out maximum penalties: up to Rs 250 crore for failing to take reasonable security safeguards to prevent breach; up to Rs 200 crore for failing to intimate breach; up to Rs 200 crore for failing to fulfil children's data obligations; up to Rs 150 crore for SDF additional obligation breaches; up to Rs 10,000 for Data Principal duty breaches; up to Rs 50 crore for any other breach.
THE SCHEDULE [See section 33(1)] Penalties for breaches: 1. Breach in observing the obligation of Data Fiduciary to take reasonable security safeguards to prevent personal data breach under sub-section (5) of section 8: may extend to two hundred and fifty crore rupees. 2. Breach in observing the obligation to give the Board or affected Data Principal notice of a personal data breach under sub-section (6) of section 8: may extend to two hundred crore rupees. 3. Breach in observance of additional obligations in relation to children under section 9: may extend to two hundred crore rupees. 4. Breach in observance of additional obligations of Significant Data Fiduciary under section 10: may extend to one hundred and fifty crore rupees. 5. Breach in observance of the duties under section 15: may extend to ten thousand rupees. 6. Breach of any term of voluntary undertaking accepted by the Board under section 32: up to the extent applicable for the breach in respect of which the proceedings under section 28 were instituted. 7. Breach of any other provision of this Act or the rules made thereunder: may extend to fifty crore rupees.
Section 1 , Short title and commencement 11 Aug 2023
Plain summary: The Act is called the Digital Personal Data Protection Act, 2023. It comes into force on dates appointed by the Central Government, and different dates may be appointed for different provisions.
1. (1) This Act may be called the Digital Personal Data Protection Act, 2023. (2) It shall come into force on such date as the Central Government may, by notification in the Official Gazette, appoint and different dates may be appointed for different provisions of this Act and any reference in any such provision to the commencement of this Act shall be construed as a reference to the coming into force of that provision.
Section 10 , Additional obligations of Significant Data Fiduciary 11 Aug 2023
Plain summary: Central Government may notify a Data Fiduciary as a Significant Data Fiduciary based on volume and sensitivity of data, risk, electoral democracy, security, and public order. SDF must appoint a Data Protection Officer in India, an independent data auditor, and conduct periodic DPIAs and audits.
10. (1) The Central Government may notify any Data Fiduciary or class of Data Fiduciaries as Significant Data Fiduciary, on the basis of an assessment of such relevant factors as it may determine, including— (a) the volume and sensitivity of personal data processed; (b) risk to the rights of Data Principal; (c) potential impact on the sovereignty and integrity of India; (d) risk to electoral democracy; (e) security of the State; and (f) public order. (2) The Significant Data Fiduciary shall— (a) appoint a Data Protection Officer who shall represent the Significant Data Fiduciary under the provisions of this Act. The Data Protection Officer shall— (i) be based in India; (ii) be an individual responsible to the Board of Directors or similar governing body of the Significant Data Fiduciary; and (iii) be the point of contact for the grievance redressal mechanism under the provisions of this Act; (b) appoint an independent data auditor to carry out data audit, who shall evaluate the compliance of the Significant Data Fiduciary in accordance with the provisions of this Act; and (c) undertake the following other measures, namely:— (i) periodic Data Protection Impact Assessment, which shall be a process comprising a description of the rights of Data Principals and the purpose of processing of their personal data, assessment and management of the risk to the rights of the Data Principals, and such other matters regarding such process as may be prescribed; (ii) periodic audit; and (iii) such other measures, consistent with the provisions of this Act, as may be prescribed.
Section 11 , Right to access information about personal data 11 Aug 2023
Plain summary: Data Principal has the right to obtain from the Data Fiduciary a summary of personal data being processed, the processing activities, and the identities of Data Fiduciaries and Data Processors with whom personal data has been shared.
11. (1) The Data Principal shall have the right to obtain from the Data Fiduciary to whom she has previously given consent, including consent as referred to in clause (a) of section 7, for processing of personal data, upon making to it a request in such manner as may be prescribed,— (a) a summary of personal data which is being processed by such Data Fiduciary and the processing activities undertaken by that Data Fiduciary with respect to such personal data; (b) the identities of all other Data Fiduciaries and Data Processors with whom the personal data has been shared by such Data Fiduciary, along with a description of the personal data so shared; and (c) any other information related to the personal data of such Data Principal and its processing, as may be prescribed. (2) Nothing contained in clause (b) of sub-section (1) shall apply in respect of the sharing of any personal data by the Data Fiduciary with any other Data Fiduciary authorised by law to obtain such personal data, where such sharing is pursuant to a request made in writing by such other Data Fiduciary for the purpose of prevention or detection or investigation of offences or cyber incidents, or for prosecution or punishment of offences.
Section 12 , Right to correction and erasure of personal data 11 Aug 2023
Plain summary: Data Principal has the right to correction, completion, updating, and erasure of personal data for the processing of which she has previously given consent. The Data Fiduciary shall erase personal data unless retention is required by law.
12. (1) The Data Principal shall have the right to correction, completion, updating and erasure of her personal data for the processing of which she has previously given consent, including consent as referred to in clause (a) of section 7, in accordance with any requirement or procedure under any law for the time being in force. (2) A Data Fiduciary shall, upon receiving a request for correction, completion or updating from a Data Principal,— (a) correct the inaccurate or misleading personal data; (b) complete the incomplete personal data; and (c) update the personal data. (3) The Data Principal shall make a request in such manner as may be prescribed for erasure of her personal data to the Data Fiduciary, who shall, upon receipt of such request, erase her personal data unless retention of the same is necessary for the specified purpose or for compliance with any law for the time being in force.
Section 13 , Right of grievance redressal 11 Aug 2023
Plain summary: Data Principal has the right of readily available means of grievance redressal provided by a Data Fiduciary or Consent Manager. The Data Fiduciary must respond within the prescribed time. The Data Principal shall exhaust this remedy before approaching the Board.
13. (1) A Data Principal shall have the right to have readily available means of grievance redressal provided by a Data Fiduciary or Consent Manager in respect of any act or omission of such Data Fiduciary or Consent Manager regarding the performance of its obligations in relation to the personal data of such Data Principal or the exercise of her rights under the provisions of this Act and the rules made thereunder. (2) The Data Fiduciary or Consent Manager shall respond to any grievances referred to in sub-section (1) within such period as may be prescribed from the date of its receipt for all or any class of Data Fiduciaries. (3) The Data Principal shall exhaust the opportunity of redressing her grievance under this section before approaching the Board.
Section 14 , Right to nominate 11 Aug 2023
Plain summary: Data Principal has the right to nominate another individual to exercise her rights in the event of death or incapacity. This is a unique feature of the DPDP Act.
14. (1) A Data Principal shall have the right to nominate, in such manner as may be prescribed, any other individual, who shall, in the event of death or incapacity of the Data Principal, exercise the rights of the Data Principal in accordance with the provisions of this Act and the rules made thereunder. (2) For the purposes of this section, the expression "incapacity" means inability to exercise the rights of the Data Principal under the provisions of this Act due to unsoundness of mind or infirmity of body.
Section 15 , Duties of Data Principal 11 Aug 2023
Plain summary: Data Principal shall comply with applicable law; not impersonate; not suppress material information; not register false or frivolous grievances; and furnish only authentic information when exercising the right to correction or erasure.
15. A Data Principal shall— (a) comply with the provisions of all applicable laws for the time being in force while exercising rights under the provisions of this Act; (b) ensure not to impersonate another person while providing her personal data for a specified purpose; (c) ensure not to suppress any material information while providing her personal data for any document, unique identifier, proof of identity or proof of address issued by the State or any of its instrumentalities; (d) ensure not to register a false or frivolous grievance or complaint with a Data Fiduciary or the Board; and (e) furnish only such information as is verifiably authentic, while exercising the right to correction or erasure under the provisions of this Act or the rules made thereunder.
Section 16 , Processing of personal data outside India 11 Aug 2023
Plain summary: Central Government may by notification restrict the transfer of personal data by a Data Fiduciary for processing to a country or territory outside India.
16. (1) The Central Government may, by notification, restrict the transfer of personal data by a Data Fiduciary for processing to such country or territory outside India as may be so notified. (2) Nothing contained in this section shall restrict the applicability of any law for the time being in force in India that provides for a higher degree of protection for or restriction on transfer of personal data by a Data Fiduciary outside India in relation to any personal data or Data Fiduciary or class thereof.
Section 2 , Definitions 11 Aug 2023
Plain summary: Defines key terms including Data Principal, Data Fiduciary, Data Processor, personal data, processing, consent, child, gain, harm, Significant Data Fiduciary, and the Board.
2. In this Act, unless the context otherwise requires, the following definitions apply (selected, abridged for reference; consult the Act for the complete list): (f) "child" means an individual who has not completed the age of eighteen years; (i) "Data Fiduciary" means any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data; (j) "Data Principal" means the individual to whom the personal data relates and where such individual is— (i) a child, includes the parents or lawful guardian of such a child; (ii) a person with disability, includes her lawful guardian, acting on her behalf; (k) "Data Processor" means any person who processes personal data on behalf of a Data Fiduciary; (t) "personal data" means any data about an individual who is identifiable by or in relation to such data; (x) "processing" in relation to personal data, means a wholly or partly automated operation or set of operations performed on digital personal data, and includes operations such as collection, recording, organisation, structuring, storage, adaptation, retrieval, use, alignment or combination, indexing, sharing, disclosure by transmission, dissemination or otherwise making available, restriction, erasure or destruction; (z) "Significant Data Fiduciary" means any Data Fiduciary or class of Data Fiduciaries as may be notified by the Central Government under section 10.
Section 3 , Application of the Act 11 Aug 2023
Plain summary: Applies to processing of digital personal data within India, and to processing outside India in connection with offering goods or services to Data Principals in India. Excludes personal/domestic use and certain other cases.
3. Subject to the provisions of this Act, it shall— (a) apply to the processing of digital personal data within the territory of India where the personal data is collected— (i) in digital form; or (ii) in non-digital form and digitised subsequently; (b) also apply to processing of digital personal data outside the territory of India, if such processing is in connection with any activity related to offering of goods or services to Data Principals within the territory of India; (c) not apply to— (i) personal data processed by an individual for any personal or domestic purpose; and (ii) personal data that is made or caused to be made publicly available by— (A) the Data Principal to whom such personal data relates; or (B) any other person who is under an obligation under any law for the time being in force in India to make such personal data publicly available.
Section 33 , Penalty for breach of provisions 11 Aug 2023
Plain summary: The Board may, after inquiry, impose monetary penalties as specified in the Schedule, having regard to the nature, gravity, duration of the breach, type and nature of personal data affected, repetition, any gain or loss avoided, and mitigating action taken.
33. (1) If the Board determines on conclusion of an inquiry that breach of the provisions of this Act or the rules made thereunder by a person is significant, it may, after giving the person a reasonable opportunity of being heard, impose such monetary penalty specified in the Schedule. (2) While determining the amount of monetary penalty to be imposed under sub-section (1), the Board shall have regard to the following matters, namely:— (a) the nature, gravity and duration of the breach; (b) the type and nature of the personal data affected by the breach; (c) repetitive nature of the breach; (d) whether the person, as a result of the breach, has realised a gain or avoided any loss; (e) whether the person took any action to mitigate the effects and consequences of the breach, and the timeliness and effectiveness of such action; (f) whether the monetary penalty to be imposed is proportionate and effective, having regard to the need to secure observance of and deter breach of the provisions of this Act; and (g) the likely impact of the imposition of the monetary penalty on the person. (3) The amount realised as a result of any monetary penalty imposed under sub-section (1) shall be credited to the Consolidated Fund of India.
Section 4 , Grounds for processing personal data 11 Aug 2023
Plain summary: Personal data may be processed only for a lawful purpose, either with the Data Principal's consent or for certain legitimate uses listed in Section 7.
4. (1) A person may process the personal data of a Data Principal only in accordance with the provisions of this Act and for a lawful purpose,— (a) for which the Data Principal has given her consent; or (b) for certain legitimate uses. (2) For the purposes of this section, the expression "lawful purpose" means any purpose which is not expressly forbidden by law.
Section 5 , Notice 11 Aug 2023
Plain summary: Before or at the time of seeking consent, the Data Fiduciary must give the Data Principal a notice describing the personal data, the purpose of processing, how to exercise rights, and how to complain to the Board.
5. (1) Every request made to a Data Principal under section 6 for consent shall be accompanied or preceded by a notice given by the Data Fiduciary to the Data Principal, informing her,— (i) the personal data and the purpose for which the same is proposed to be processed; (ii) the manner in which she may exercise her rights under sub-section (4) of section 6 and section 13; and (iii) the manner in which the Data Principal may make a complaint to the Board, in such manner and as may be prescribed. (2) Where a Data Principal has given her consent to the processing of her personal data before the commencement of this Act, the Data Fiduciary shall, as soon as it is reasonably practicable, give to the Data Principal a notice informing her,— (i) the personal data and the purpose for which the same has been processed; (ii) the manner in which she may exercise her rights under sub-section (4) of section 6 and section 13; and (iii) the manner in which the Data Principal may make a complaint to the Board. (3) The Data Fiduciary shall give the Data Principal the option to access the contents of the notice referred to in sub-sections (1) and (2) in English or any language specified in the Eighth Schedule to the Constitution of India.
Section 6 , Consent 11 Aug 2023
Plain summary: Consent must be free, specific, informed, unconditional, unambiguous, and limited to the personal data necessary for the specified purpose. The Data Principal can withdraw consent at any time with comparable ease.
6. (1) The consent given by the Data Principal shall be free, specific, informed, unconditional and unambiguous with a clear affirmative action, and shall signify an agreement to the processing of her personal data for the specified purpose and be limited to such personal data as is necessary for such specified purpose. (2) Any part of consent referred in sub-section (1) which constitutes an infringement of the provisions of this Act or the rules made thereunder or any other law for the time being in force shall be invalid to the extent of such infringement. (3) Every request for consent under the provisions of this Act or the rules made thereunder shall be presented to the Data Principal in a clear and plain language, giving her the option to access such request in English or any language specified in the Eighth Schedule to the Constitution and providing the contact details of a Data Protection Officer, where applicable, or of any other person authorised by the Data Fiduciary to respond to any communication from the Data Principal for the purpose of exercise of her rights under the provisions of this Act. (4) Where consent given by the Data Principal is the basis of processing of personal data, such Data Principal shall have the right to withdraw her consent at any time, with the ease of doing so being comparable to the ease with which such consent was given. (5) The consequences of the withdrawal referred to in sub-section (4) shall be borne by the Data Principal, and such withdrawal shall not affect the legality of processing of the personal data based on consent before its withdrawal. (6) If a Data Principal withdraws her consent to the processing of personal data under sub-section (5), the Data Fiduciary shall, within a reasonable time, cease and cause its Data Processors to cease processing the personal data of such Data Principal unless such processing without her consent is required or authorised under the provisions of this Act or the rules made thereunder or any other law for the time being in force in India. (7) The Data Principal may give, manage, review or withdraw her consent to the Data Fiduciary through a Consent Manager. (8) The Consent Manager shall be accountable to the Data Principal and shall act on her behalf in such manner and subject to such obligations as may be prescribed. (9) Every Consent Manager shall be registered with the Board in such manner and subject to such technical, operational, financial and other conditions as may be prescribed. (10) Where, for the processing of personal data, the consent given by the Data Principal is the subject matter of a dispute or question relating to compliance with the provisions of this Act, it shall be for the Data Fiduciary to prove that a notice was given by it to such Data Principal and consent was given by such Data Principal to the Data Fiduciary in accordance with the provisions of this Act and the rules made thereunder.
Section 7 , Certain legitimate uses 11 Aug 2023
Plain summary: Lists situations where personal data may be processed without explicit consent, including for purposes voluntarily provided by the Data Principal, by the State for benefits and services, in medical emergencies, during disasters, and for employment-related purposes.
7. A Data Fiduciary may process personal data of a Data Principal for any of the following uses, namely:— (a) for the specified purpose for which the Data Principal has voluntarily provided her personal data to the Data Fiduciary, and in respect of which she has not indicated to the Data Fiduciary that she does not consent to the use of her personal data; (b) for the State and any of its instrumentalities to provide or issue to the Data Principal such subsidy, benefit, service, certificate, licence or permit as may be prescribed; (c) for the performance by the State or any of its instrumentalities of any function under any law for the time being in force in India or in the interest of sovereignty and integrity of India or security of the State; (d) for fulfilling any obligation under any law for the time being in force in India on any person to disclose any information to the State or any of its instrumentalities, subject to such processing being in accordance with the provisions regarding disclosure of such information in any other law for the time being in force; (e) for compliance with any judgment or decree or order issued under any law for the time being in force in India, or any judgment or order relating to claims of a contractual or civil nature under any law for the time being in force outside India; (f) for responding to a medical emergency involving a threat to the life or immediate threat to the health of the Data Principal or any other individual; (g) for taking measures to provide medical treatment or health services to any individual during an epidemic, outbreak of disease, or any other threat to public health; (h) for taking measures to ensure safety of, or provide assistance or services to, any individual during any disaster, or any breakdown of public order; (i) for the purposes of employment or those related to safeguarding the employer from loss or liability.
Section 8 , General obligations of Data Fiduciary 11 Aug 2023
Plain summary: Data Fiduciary is responsible for compliance, including by its Data Processors, with respect to processing for or on its behalf. Requires accuracy, security safeguards, breach notification, erasure when purpose served or consent withdrawn, and a grievance redressal mechanism.
8. (1) A Data Fiduciary shall, irrespective of any agreement to the contrary or failure of a Data Principal to carry out the duties provided under this Act, be responsible for complying with the provisions of this Act and the rules made thereunder in respect of any processing undertaken by it or on its behalf by a Data Processor. (2) A Data Fiduciary may engage, appoint, use or otherwise involve a Data Processor to process personal data on its behalf for any activity related to offering of goods or services to Data Principals only under a valid contract. (3) Where personal data processed by a Data Fiduciary is— (a) likely to be used to make a decision that affects the Data Principal; or (b) likely to be disclosed to another Data Fiduciary, the Data Fiduciary shall ensure its completeness, accuracy and consistency. (4) A Data Fiduciary shall implement appropriate technical and organisational measures to ensure effective observance of the provisions of this Act and the rules made thereunder. (5) A Data Fiduciary shall protect personal data in its possession or under its control, including in respect of any processing undertaken by it or on its behalf by a Data Processor, by taking reasonable security safeguards to prevent personal data breach. (6) In the event of a personal data breach, the Data Fiduciary shall give the Board and each affected Data Principal, intimation of such breach in such form and manner as may be prescribed. (7) A Data Fiduciary shall, unless retention is necessary for compliance with any law for the time being in force, erase personal data, upon the Data Principal withdrawing her consent or as soon as it is reasonable to assume that the specified purpose is no longer being served, whichever is earlier, and cause its Data Processor to erase any personal data that was made available by the Data Fiduciary for processing to such Data Processor. (8) A Data Fiduciary shall publish, in such manner as may be prescribed, the business contact information of a Data Protection Officer, if applicable, or a person who is able to answer on behalf of the Data Fiduciary, the questions, if any, raised by the Data Principal about the processing of her personal data. (9) A Data Fiduciary shall establish an effective mechanism to redress the grievances of Data Principals. (10) For the purposes of this section, it is hereby clarified that a Data Fiduciary's responsibility for compliance with the provisions of this Act in respect of processing undertaken by it or on its behalf is irrespective of any contractual arrangement to the contrary between the Data Fiduciary and the Data Processor.
Section 9 , Processing of personal data of children 11 Aug 2023
Plain summary: Before processing a child's personal data, the Data Fiduciary must obtain verifiable consent of the parent or lawful guardian. Tracking, behavioural monitoring, and targeted advertising at children are prohibited unless exempted.
9. (1) The Data Fiduciary shall, before processing any personal data of a child or a person with disability who has a lawful guardian, obtain verifiable consent of the parent of such child or the lawful guardian, as the case may be, in such manner as may be prescribed. (2) A Data Fiduciary shall not undertake such processing of personal data that is likely to cause any detrimental effect on the well-being of a child. (3) A Data Fiduciary shall not undertake tracking or behavioural monitoring of children or targeted advertising directed at children. (4) The provisions of sub-sections (1) and (3) shall not be applicable to processing of personal data of a child by such classes of Data Fiduciaries or for such purposes, and subject to such conditions, as may be prescribed. (5) The Central Government may, if satisfied that a Data Fiduciary has ensured that its processing of personal data of children is done in a manner that is verifiably safe, by notification, notify for such processing by such Data Fiduciary the age above which that Data Fiduciary shall be exempt from the applicability of any of the obligations under sub-sections (1) and (3) in so far as such processing is concerned.

Rule 1 , Short title and commencement 14 Nov 2025
Plain summary: The Rules are called the Digital Personal Data Protection Rules, 2025. Rules 1, 2, 17, 18, 19, 20 and 21 come into force at once; the remaining rules come into force on dates appointed by the Central Government.
1. Short title and commencement.— (1) These rules may be called the Digital Personal Data Protection Rules, 2025. (2) The provisions of these rules, except rules 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 22 and 23, shall come into force on the date of their publication in the Official Gazette. (3) The provisions of rule 4 shall come into force on the expiry of a period of one year from the date of publication of these rules in the Official Gazette. (4) The provisions of rules 3, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 22 and 23 shall come into force on the expiry of a period of eighteen months from the date of publication of these rules in the Official Gazette.
Rule 10 , Verifiable consent for processing of personal data of child 14 Nov 2025
Plain summary: Data Fiduciary must verify, before processing the personal data of a child, that the individual identifying herself as a parent is an adult, by reference to reliable identity and age details available to the Data Fiduciary, or details voluntarily provided by such individual, or a virtual token mapped to those details.
10. Verifiable consent for processing of personal data of child.— (1) A Data Fiduciary shall adopt appropriate technical and organisational measures to ensure that verifiable consent of the parent is obtained before the processing of any personal data of a child, and to observe due diligence, for checking that the individual identifying herself as the parent is an adult who is identifiable, if required, in connection with compliance with any law for the time being in force in India, by reference to,— (a) reliable details of identity and age available with the Data Fiduciary; or (b) voluntarily provided details of identity and age, or a virtual token mapped to such details, issued by an entity entrusted by law or the Central Government with the maintenance of such details, including such an entity providing a service for the issuance of such a token. (2) The Data Fiduciary shall keep records of having obtained verifiable consent of the parent before processing the personal data of the child and details of how that verification was carried out.
Rule 12 , Additional obligations of Significant Data Fiduciary 14 Nov 2025
Plain summary: A Significant Data Fiduciary must conduct a Data Protection Impact Assessment and a data audit once every twelve months, and submit a report of significant findings to the Board. The SDF must also exercise due diligence to verify that algorithmic software used for processing personal data is not likely to pose risk to the rights of Data Principals.
12. Additional obligations of Significant Data Fiduciary.— (1) A Significant Data Fiduciary shall, once every twelve months from the date on which it is notified as such,— (a) undertake a Data Protection Impact Assessment, in accordance with the provisions of the Act; (b) undertake an audit of its observance of the provisions of the Act and the rules made thereunder, in accordance with the provisions of the Act; and (c) cause the person undertaking such Data Protection Impact Assessment and audit to furnish to the Board a report containing significant observations. (2) The Significant Data Fiduciary shall observe due diligence to verify that algorithmic software deployed by it for hosting, display, uploading, modification, publishing, transmission, storage, updation or sharing of personal data processed by it is not likely to pose risk to the rights of Data Principals. (3) The Significant Data Fiduciary shall undertake measures to ensure that personal data identified by the Central Government on the recommendation of a committee constituted by it, is processed in a manner that ensures— (a) personal data is processed only within the territory of India; and (b) such traffic data pertaining to its flow as may be specified by the said committee, is not transferred outside the territory of India.
Rule 13 , Rights of Data Principals 14 Nov 2025
Plain summary: Every Data Fiduciary and Consent Manager must publish on its website or app the means by which a Data Principal may make a request for exercise of her rights, identifiers required to identify the Data Principal, and the period within which the right of grievance redressal will be exercised.
13. Rights of Data Principals.— (1) For enabling Data Principals to exercise their rights under the Act, every Data Fiduciary and Consent Manager shall publish on its website or app the means using which a Data Principal may make a request for exercise of her rights under the Act, and any particulars, such as identifier issued to her, that may be required for the Data Fiduciary or Consent Manager to identify such Data Principal. (2) Every Data Fiduciary and Consent Manager shall publish on its website or app the period within which it will respond to such grievances. (3) Every Data Fiduciary and Consent Manager shall implement appropriate technical and organisational measures to ensure effective observance of the rights of Data Principals under the Act, including the right of grievance redressal. (4) A Data Principal may exercise the right to nominate one or more individuals to exercise her rights under the Act, in the event of her death or incapacity, by communicating to the Data Fiduciary or Consent Manager the name, contact details, and such other details of the nominee as may be required by the Data Fiduciary or Consent Manager.
Rule 3 , Notice given by Data Fiduciary to Data Principal 14 Nov 2025
Plain summary: The notice required under Section 5 of the Act must be presented independently of any other information, be clear and standalone, identify the personal data and the specified purpose, describe the goods or services or uses enabled, specify the rights of the Data Principal, and explain the manner of withdrawing consent and lodging a complaint.
3. Notice given by Data Fiduciary to Data Principal.— The notice given by the Data Fiduciary to the Data Principal under sub-section (1) or sub-section (2) of section 5 of the Act shall— (a) be presented and be understandable independently of any other information that may have been given to the Data Principal by the Data Fiduciary, and contain a fair account of the following details necessary to enable the Data Principal to give specific and informed consent for the processing of her personal data, namely:— (i) the itemised description of such personal data; and (ii) the specified purpose of, and an itemised description of the goods or services to be provided or uses to be enabled by, such processing; and (b) contain or provide— (i) the communication link for accessing the website or app, or both, of the Data Fiduciary, and a description of other means, if any, using which the Data Principal may withdraw her consent with the ease comparable to that with which she gave such consent, exercise her rights under the Act and make a complaint to the Board.
Rule 4 , Registration and obligations of Consent Manager 14 Nov 2025
Plain summary: A Consent Manager must satisfy registration conditions in Part A of the First Schedule, including being a company incorporated in India with net worth of at least Rs 2 crore, sound management, and operations in the interests of Data Principals. Registration is granted by the Board.
4. Registration and obligations of Consent Manager.— (1) A person who fulfils the conditions for the registration of a Consent Manager specified in Part A of the First Schedule may make an application to the Board for grant of registration as a Consent Manager. (2) The Board shall, upon being satisfied that the applicant fulfils such conditions, grant registration as a Consent Manager, subject to such conditions as it may impose. (3) Every Consent Manager shall comply with the obligations specified in Part B of the First Schedule. (4) The Board may, on its own motion or on a complaint made to it, after giving the Consent Manager a reasonable opportunity of being heard, by order, suspend or cancel the registration of a Consent Manager.
Rule 6 , Reasonable security safeguards 14 Nov 2025
Plain summary: Data Fiduciary must protect personal data through reasonable security safeguards, including encryption, obfuscation, masking or use of virtual tokens; access controls; logging and monitoring of access to detect unauthorised access; continuity of processing in the event of a personal data breach; and retention of logs for at least one year.
6. Reasonable security safeguards.— (1) A Data Fiduciary shall protect personal data in its possession or under its control, including in respect of any processing undertaken by it or on its behalf by a Data Processor, by taking reasonable security safeguards to prevent personal data breach, which shall include— (a) appropriate data security measures, including its encryption, obfuscation or masking or the use of virtual tokens mapped to that personal data; (b) appropriate measures to control access to the computer resource used by such Data Fiduciary or Data Processor; (c) appropriate measures for visibility on access to personal data, through logs and other means, in such manner as may help in detecting unauthorised access, its investigation and remediation, to prevent recurrence; (d) reasonable measures to ensure continued processing in the event of confidentiality, integrity or availability of personal data being compromised due to such breach, including data backups; (e) retention of logs and personal data, for a period of one year, unless retention for a longer period is required by law, for the purpose of enabling the investigation of personal data breach; (f) appropriate provisions in the contract entered into by the Data Fiduciary with the Data Processor regarding the taking of reasonable security safeguards by such Data Processor; and (g) appropriate technical and organisational measures to ensure effective observance of security safeguards.
Rule 7 , Intimation of personal data breach 14 Nov 2025
Plain summary: On becoming aware of any personal data breach, the Data Fiduciary must intimate each affected Data Principal without delay describing the breach, the consequences, mitigation measures, safety measures the Data Principal may take, and contact details. The Board must be intimated without delay with a description of the breach, and a detailed report furnished within 72 hours including events leading to the breach, mitigation, identity of the person who caused the breach (if known), remedial measures, and intimation given to affected Data Principals.
7. Intimation of personal data breach.— (1) On becoming aware of any personal data breach, the Data Fiduciary shall, intimate to each affected Data Principal, in a concise, clear and plain manner and without delay, through her user account or any other mode of communication registered by her with the Data Fiduciary,— (a) a description of the breach, including its nature, extent, timing and location of occurrence, and the likely consequences relevant to her; (b) the measures implemented and being implemented by the Data Fiduciary, if any, to mitigate the risk; (c) the safety measures that she may take to protect her interests; and (d) the business contact information of a person who is able to respond on behalf of the Data Fiduciary to queries, if any, of such Data Principal. (2) The Data Fiduciary shall, on becoming aware of any personal data breach, also intimate to the Board— (a) without delay, a description of the breach, including its nature, extent, timing and location of occurrence; and (b) within seventy-two hours of becoming aware, or such longer period as the Board may, on a request made in writing in this behalf by the Data Fiduciary allow,— (i) updated and detailed information regarding the breach, including its nature, extent, timing and location of occurrence and likely impact; (ii) the events, circumstances and reasons leading to the breach; (iii) measures implemented and being implemented, if any, to mitigate the risk; (iv) the findings regarding the person who caused the breach, if known; (v) remedial measures taken to prevent recurrence of such breach; and (vi) a report regarding the intimations given to affected Data Principals under sub-rule (1).
Rule 8 , Time period for retention 14 Nov 2025
Plain summary: For e-commerce, online gaming, and social media intermediaries with two crore or more registered users in India, personal data of a Data Principal who has not engaged for three years is deemed no longer needed, and the Data Fiduciary must erase it, except where retention is required by law. Affected Data Principal must be notified at least 48 hours before erasure.
8. Time period for specified purpose to be deemed as no longer being served.— (1) A Data Fiduciary, being an e-commerce entity having not less than two crore registered users in India, an online gaming intermediary having not less than fifty lakh registered users in India, or a social media intermediary having not less than two crore registered users in India, shall, in respect of a Data Principal who has not, for a period of three years, approached such Data Fiduciary for the performance of the specified purpose or the exercise of her rights, be deemed to no longer require to retain her personal data and shall erase such personal data, unless retention of such personal data is necessary for compliance with any law for the time being in force. (2) Before erasing personal data under sub-rule (1), the Data Fiduciary shall, at least forty-eight hours before such erasure, intimate the Data Principal through her user account or any other mode of communication registered by her, that her personal data will be erased upon expiry of forty-eight hours from such intimation, unless she logs in to her user account or initiates any communication for the performance of the specified purpose, or for the exercise of her rights, within that time.

Found an error? We pay for it.

If you find a factual error in any lesson, write to hello@dcomply.in with the lesson title, the specific claim, and the corrected source.

  • ₹1,000 credit for the first report of any verifiable factual error.
  • ₹5,000 credit for a substantial error (e.g. a wrong section number, an obsolete ruling, a misrepresented holding).
  • Credit on your dcomply Academy account usable against any future course.

We pay because we'd rather know than not know. If the law changes (and it will), we want to be the first to fix our lessons.

On this page
  • 🟢 Our verification promise
  • 📊 Course statistics
  • 📚 Full citation register
  • 🐛 Bug bounty for errors

Maintained by the dcomply Academy editorial team. Last reviewed ,.