
The Digital Personal Data Protection (DPDP) Act was enacted on August 11, 2023.
Subsequently, on November 14, 2025, the Government of India notified the DPDP Rules, 2025 to operationalise the said Act.
Given below is a factual summary of the core definitions, the primary provisions of the 2023 Act and the specific procedures introduced by the 2025 Rules.
Key Definitions
Data Principal: The individual to whom the personal data relates.
In the case of children or persons with disabilities, the expression includes their lawful guardian.
Data Fiduciary: The person or entity which determines the purpose and means of processing of personal data.
Consent Manager: A registered entity providing an accessible platform for a Data Principal to give, manage, review and withdraw consent.
Core Provisions of the DPDP Act (2023)
Consent and Notice: Personal data can be processed only for a lawful purpose and with the free, specific, informed and unambiguous consent of the Data Principal.
Every request for consent shall be accompanied by a notice specifying the personal data to be processed and the purpose thereof.
Rights of the Data Principal: Individuals have the right to access information about their data, to request correction or erasure of the same and to access grievance redressal mechanisms.
They further have the right to nominate any other individual to exercise the said rights in the event of death or incapacity.
Penalties: The Act prescribes specific financial penalties for non-compliance.
Failure on the part of a Data Fiduciary to take reasonable security safeguards to prevent a data breach may attract a penalty of up to ₹ 250 crore.
Failure to intimate the Board and the affected individuals of a breach, or non-observance of obligations qua children, may attract a penalty of up to ₹ 200 crore.
Key Additions and Timelines in the DPDP Rules (2025)
The 2025 Rules lay down the specific procedures and timelines required for compliance with the 2023 Act.
Compliance Timeline: The Rules provide a period of 18 months for phased compliance in respect of most of the provisions.
Personal Data Breach Notifications: In the event of a personal data breach, the Data Fiduciary shall intimate every affected Data Principal without delay.
The Data Fiduciary shall also intimate the Data Protection Board without delay.
Detailed information regarding the breach shall be furnished within 72 hours.
Grievance Redressal Deadlines: Data Fiduciaries and Consent Managers are required to establish a grievance redressal system.
They shall respond to the grievances of the users within a maximum period of 90 days.
Data Erasure and Inactivity: The data shall be erased after a prescribed period of inactivity.
The said period may vary depending upon the nature of the platform and the purpose thereof.
The Third Schedule prescribes a three-year inactivity threshold for erasure in respect of the following entities:
- E-commerce entities having at least 2 crore registered users in India.
- Online gaming intermediaries having at least 50 lakh registered users in India.
- Social media intermediaries having at least 2 crore registered users in India.
Processing Children’s Data: Before processing the personal data of a child, the Data Fiduciary shall obtain verifiable parental consent.
The 2025 Rules provide that the verification of the parent’s identity and age may be done voluntarily by the individual or through a virtual token issued by an authorised entity, such as a Digital Locker service provider.
Certain exemptions to these obligations apply in specific situations, such as processing by clinical establishments or educational institutions for the purposes of health, safety or educational tracking of the child.
Digital Data Protection Board: The Data Protection Board of India as well as the Appellate Tribunal shall function as digital offices.
They shall adopt techno-legal measures to conduct proceedings, receive complaints and hold hearings digitally without requiring the physical presence of individuals.