DPDP Act and Rules: A Quick Guide Series Compliances for Businesses – Data Fiduciaries D

Lex Witness, in collaboration with the Data Protection and Regulatory Compliance Practice Desk at Saikrishna & Associates, presents a five‑part special guide on the Digital Personal Data Protection Act (DPDPA) 2025 Rules.

Digital Personal Data Protection Rules, 2025 (“DPDP Rules”) under the Digital Personal Data Protection Act, 2023 (“DPDP Act”) have been notified on 13th November 2025 by the Ministry of Electronics and Information Technology (“MeitY”).

The DPDP Rules operationalise the broader principles of the DPDP Act with clear implementation timelines.

The phased implementation of the DPDP Act and the DPDP Rules:

(a) Phase I i.e. 13th November 2025: No immediate compliance obligations

The DPDP Act provisions and DPDP Rules relating to the establishment of the Data Protection Board of India (“Board”) and other provisions for establishing the regulatory infrastructure come into force on 13th November 2025.

(b) Phase II i.e. 13th November 2026: Operationalization of the Consent Manager Framework

The DPDP Act provisions and DPDP Rules relating to Consent Managers, including registration, come into force after a year on 13th November 2026. Entities intending to register as Consent Managers and Data Fiduciaries planning to use Consent Managers should assess this framework carefully.

(c) Phase III i.e. 13th May 2027: Commencement of all compliance obligations and enforcement mechanisms.

The remaining rules and provisions on all compliance obligations of a Data Fiduciary (on notice, consent, rights, transfer, penalties, etc.) as well as the Board’s inquiry, penalty & enforcement powers come into force after 18 months on 13th May 2027.

THE REQUIREMENTS OF THIS GUIDE COME INTO FORCE ON 13TH MAY 2027.

Applicability

Applies to –

  • processing of digital personal data within India when the data is collected in digital form or non-digital form but digitised subsequently.
  • processing of digital personal data outside India if it relates to any activity for offering of goods or services to Data Principals within India.
  • “Processing” means wholly/partly automated operation/set of operations performed on digital personal data, and includes collection, recording, organisation, structuring, storage, adaptation, retrieval, use, indexing, sharing, disclosure, restriction, erasure, etc.

Does not apply to –

  • digital personal data processed for personal/domestic purpose.
  • digital personal data that is made publicly available by Data Principal or any other person under an obligation/ law.

Whom does the Act apply to?

Data Principal: individual to whom the personal data relates.

  • In case of a child/person with disabilities, includes the parent/legal guardian of such persons

Data Fiduciary

  • Entity that alone or in conjunction with others determines the purpose and means of processing
  • Significant Data Fiduciary/SDF notified by the Central Government based on certain factors

Data Processor

  • Entity/person who processes personal data on behalf of a Data Fiduciary

Consent Managers

  • A person registered with the Board, who acts as a single point of contact to enable a Data Principal to give, manage, review and withdraw her consent through an accessible, transparent and interoperable platform.

Grounds for processing

  • Consent of Data Principal
  • Certain legitimate uses (non-consent based processing on identified grounds)
    • voluntary disclosure for specified purpose
    • employment purposes
    • legal obligations
    • compliance with judgement/order
    • medical treatment
    • health services, disaster relief, etc.

COMPLIANCES FOR BUSINESS (DATA FIDUCIARY)

Consent

Request for consent should be –

  • Free, Specific, Informed, Unconditional
  • Unambiguous with a clear affirmative action
  • Signify agreement to the processing of personal data
  • Limited to personal data necessary for specified purpose
  • Presented in a clear and plain language
  • Providing the option to access such a request in English or any language specified in the Eighth Schedule of the Constitution
  • Providing the contact details of a Data Protection Officer (in case of a Significant Data Fiduciary) or any other authorised person to respond to any communication from the Data Principal
  • Providing the manner of withdrawing consent. It should be as easy as securing consent.
  • Keep a record of consent secured from the Data Principal, which may have to be furnished in case of a grievance or dispute.

Key Takeaways –

  • Seek consent for each type/purpose of processing carried out.
  • Do not use pre-ticked boxes as the consent method for processing digital personal data.
  • Obtain consent through mechanisms such as click wrap agreements, ‘I agree’ buttons or unticked checkboxes.
  • Create a mechanism for Consent Manager to provide consent on behalf of Data Principal.
  • Keep record of consent secured.

Notice

If consent is given after commencement of DPDP Act –

  • Notice to accompany every request for consent, or
  • Notice to precede every request for consent

If consent is already secured before commencement of DPDP Act –

  • Notice to be given as soon as reasonably practicable
  • Company/business can continue to process personal data until consent is withdrawn.

Minimum mandatory requirements in Notice:

  • Presented and understandable independently
  • Should be in clear and plain language
  • Option to provide the Notice in English or any Eighth Schedule language of the Constitution.
  • Provide necessary details for enabling specific and informed consent, including at minimum –
    • An itemised description of personal data
    • Specified purpose(s) of processing
    • Specific description of goods or services to be provided or uses enabled by such processing
    • A communication link (for the website/app/both of Data Fiduciary) using which such Data Principal may:
      • withdraw consent,
      • exercise rights under the Act,
      • raise a complaint with the Data Protection Board.

Obligations of the Data Fiduciary

General Obligations –

  • Ensure completeness, accuracy and consistency of the personal data if it is to be used to make a decision that affects a Data Principal or if it is to be disclosed to another Data Fiduciary.
  • Implement technical safeguards and reasonable security measures.
  • Notify the Board and each affected Data Principal about a personal data breach.
  • Erase the data of a Data Principal upon withdrawal of consent.
  • Establish a grievance redressal mechanism.
  • May engage, appoint, use or otherwise involve a Data Processor to process personal data on its behalf under a valid contract.
  • Provide such information as may be called for by the Central Government.
  • The ease of withdrawal of consent by the Data Principal should be comparable to the ease with which such consent was given in the first place.

Contact Information of DPO/Authorised Person

Details of a Data Protection Officer/DPO (in case of SDF) or a person on behalf of the Data Fiduciary (an Authorised Person) who can answer the questions of a Data Principal about the processing of personal data must be published in the following manner –

  • Publish business contact details of DPO/authorised person prominently on website/app.
  • Include these contact details in every response/communication to a Data Principal exercising her rights.

Verifiable consent requirement

Children’s Data –

A ‘child’ means an individual under 18 years of age.

For Processing Children’s Data –

  • Obtain ‘verifiable consent’ from parent/ lawful guardian before processing any personal data of a child
  • Don’t undertake processing of personal data likely to cause a detrimental effect on the well-being of a child
  • Don’t undertake tracking or behavioural monitoring of children or targeted advertising directed at children

Verifiable consent for processing of personal data of a child –

  • Adopt technical and organisational measures to ensure that verifiable consent of the parent is obtained before the processing of any personal data of a child.
  • Observe due diligence to verify that the parent is an adult by referring to –
    • Reliable identity and age information already available with the Data Fiduciary.
    • Voluntarily provided identity and age information by the parent.
    • Voluntarily provided Virtual token mapped to identity and age, issued by an authorised entity.

An “authorised entity” shall mean

  • an entity entrusted by law/ Central or State Government with the issuance of details of the identity and age or a virtual token mapped to such details
  • or any person appointed or permitted by the entity above for such issuance, and also includes details of identity and age or token made available and verified by a Digital Locker Service Provider (as per the IT Act).

Exemption from Verifiable Consent and prohibition on tracking/behavioural monitoring/targeted advertising of children’s data

Classes of Data Fiduciaries and the extent to which they are exempt:

  • Clinical/Mental Health/Healthcare Establishments & Professionals to the extent of providing health services or for the protection of child’s health;
  • Allied Healthcare Professional to the extent of supporting implementation of healthcare treatment and referral plan necessary for child’s health;
  • Educational Institutions to the extent of tracking and behavioral monitoring for providing educational activities of such institutes or in the interest of enrolled child’s safety;
  • Creche or Child day care centre to the extent of tracking and behavioural monitoring in the interest of child’s safety;
  • Transport Providers for Educational Institutions/Creche/ Childcare centre to the extent of tracking the location of children in the interest of their safety.

Purposes of Processing and their extent to which they are exempt:

  • Exercise of any power, performance of any function/duties in the interests of a child under extant law to the extent it’s necessary for such exercise, performance or discharge;
  • Providing any Govt. subsidy or benefit to the child under law and to the extent it is necessary for such provision or issuance;
  • Creation of user account, the use of which is limited to communication by email;
  • For the determination of real-time location of a child in the interest of her safety and protection or security;
  • To block access to information, service or advertisement which can likely cause a detrimental effect on the wellbeing of a child;
  • To ensure compliance with due diligence obligations for obtaining verifiable parental consent.

Persons with Disabilities: Verifiable consent of lawful guardian.

The Data Fiduciary shall before processing any personal data of a person with disability who has a lawful guardian, obtain verifiable consent of the lawful guardian.

While obtaining verifiable consent from the lawful guardian of a person with disability, observe due diligence to verify that such guardian is –

  • appointed by a court of law,
  • or by a designated authority
  • or by a local level committee, under the law applicable to guardianship.

The “law applicable to guardianship” shall mean,

  • in relation to an individual who has long-term physical, mental, intellectual or sensory impairment, the provisions of law contained in Rights of Persons with Disabilities Act, 2016 and the rules made thereunder; and
  • in relation to a person who is suffering from any of the conditions relating to autism, cerebral palsy, mental retardation, the provisions of law of the National Trust for the Welfare of Persons with Autism, Cerebral Palsy, Mental Retardation and Multiple Disabilities Act, 1999 and the rules made thereunder;

Additional Obligations of Significant Data Fiduciary

Who –

  • Data Fiduciary/class of data fiduciaries notified by the Central Government
  • Basis –
    • Volume and sensitivity of personal data processed
    • Risk of harm to Data Principals
    • Risk to electoral democracy
    • Public order
    • Security of the State
    • Potential impact on the sovereignty and integrity of India

Additional compliances upon notification as SDF –

  • Appoint a Data Protection Officer based in India.
  • Appoint independent data auditor.
  • Conduct an annual DPIA and comprehensive audit.
  • Individual conducting DPIA and audit must report significant observations to the Data Protection Board of India.
  • Observe due diligence to verify that technical measures, including algorithmic software adopted for hosting, storage, sharing, etc. of personal data processed by it, do not pose a risk to the rights of Data Principals.
  • Cross-border personal data/traffic data transfer restrictions (as may be imposed by Government, based on a committee’s recommendation).

Rights Management Mechanism

  1. Prominently publish on its website or app –
    • the details using which a Data Principal may make a request for the exercise of her rights.
    • the particulars, if any, such as the username or other identifier of the Data Principal required to identify her under its terms of service.
  2. Prominently publish on its website or app, within ninety days its response to grievances.
  3. Implement technical and organizational measures to ensure grievance redressal timeline is followed.
  4. Provide means and terms for enabling Data Principal to nominate one or more individuals to exercise her rights.

Log Maintenance, Retention and Erasure

  • Logs and personal data must be retained for one year for detection, investigation, remediation and continued processing, unless required otherwise by law.
  • Erase personal data on withdrawal of consent by the Data Principal or when the specified purpose is no longer being served (unless retention required by law), whichever is earlier.
  • Cause its Data Processor to erase any personal data on withdrawal of consent.

Classes of Data Fiduciaries and Retention Timeline –

  • “Specified purpose is no longer being served” has been further qualified for certain classes of Data Fiduciaries: E-commerce platforms (with at least 2 crore/20 million registered users in India), online gaming intermediaries (with at least 50 lakh/5 million registered users in India) and social media intermediaries (with at least 2 crore/20 million registered users in India).
  • Time period for retention –

Retain data for a period of 3 years from:

  • the date on which the Data Principal last approached the Data Fiduciary for the performance of the specified purpose or exercise of her rights, or
  • the commencement of the DPDP Rules (i.e. 13th November 2025) whichever is earlier.

Exceptions:

  • This erasure requirement applies for all purposes of processing by the specified class of Data Fiduciaries except for enabling –
    • User account access by Data Principal, or
    • Access to virtual tokens by Data Principal
  • Notify the Data Principal at least 48 hours in advance about the scheduled erasure, to allow them to log in or contact the Data Fiduciary to retain their personal data.

Processing of Personal Data outside India

  • Meet the requirements for cross border transfer specified by the Central Government through general or special order relating to –
    • any foreign State, or
    • to any person or entity under the control of, or any agency of, such State.
  • Any higher degree of restriction on transfer of personal data outside India in any other law must be followed

About Author

Suvarna Mandal

Suvarna Mandal is a Partner at Saikrishna & Associates. She has over a decade of experience in providing trade & regulatory compliance advice to domestic and international clients for understanding and complying with a wide range of national, state as well as sector-specific legislations and regulations in the spheres of telecommunications, technology law, consumer law, environmental law, product compliance and safety regulations (including packaging standards, labels and safety standards), data protection and privacy, media law, advertising regulations, etc. She provides end-to-end compliance counselling to clients across various industries and sectors such as software services, consumer electronics, technology, telecom, media, intermediaries, e-commerce, online value-added services sectors, consumer goods and medical devices. Suvarna also works closely with clients’ Government Affairs team to prepare strategic policy documents, representations and formal communications towards policy development and policy reform efforts with the Government.