More Stories

Informist, Friday, Nov. 14, 2025

 

NEW DELHI – The government has notified the Digital Personal Data Protection Rules, 2025, which seeks to protect citizens' digital data. The government has established the Data Protection Board of India, an adjudicatory body under the Digital Personal Data Protection Act, 2023, to enforce the law, enquire into data breaches and impose penalties. The Board will consist of four members and its head office will be in the National Capital Region.

 

The government has said some of the provisions of the 2025 Rules relating to appointment of the Board's members will come into effect immediately. Remaining provisions such as consent manager's obligations and notice from companies to individuals on personal data usage will be rolled out in a staggered manner after one year and 18 months, respectively.

 

On the appointment of chairperson of the Board, the government shall constitute a search-cum-selection committee with the cabinet secretary as the chairperson. Further, the committee will include the secretary to the Department of Legal Affairs and the secretary to the Ministry of Electronics and Information Technology, along with two experts with special knowledge or practical experience. The government shall, after considering the suitability of individuals recommended by the search-cum-selection committee, appoint the chairperson of the Board. Regarding other members' appointment, the search-cum-selection committee will be headed by the secretary to the Ministry of Electronics and Information Technology, with other selection members remaining the same except the cabinet secretary. These provisions will come into effect immediately.

 

The provision regarding registration and obligations of consent manager in the 2025 Rules will come into force after one year. A consent manager is a registered intermediary who will act as a single point of contact for individuals to manage their personal data consent. It provides an accessible, transparent, and interoperable platform for individuals to give, review, and withdraw consent about how their data is used by companies. The 2025 Rules state that consent managers must apply for registration with the Data Protection Board and adhere to strict criteria regarding neutrality, technical capacity, and financial fitness. The consent manager shall ensure that the manner of making available the personal data or its sharing is such that the contents thereof are not readable by it. 

 

Further, the consent manager shall maintain on its platform a record of consents given, denied or withdrawn, notices preceding or accompanying requests for consent and sharing of personal data with a company. The consent manager shall give individuals access to those records. The consent manager shall maintain such records for at least seven years or for such a longer period as the data principal and consent manager may agree upon or as may be required by law. 

 

The provisions, which will be rolled out 18 months since the gazette notification published Thursday, are regarding notice given by a company to an individual on their personal data. This notice will inform the individual about how their personal data will be collected and processed, enabling them to give informed consent. It must include a list of the data being collected, the purpose of processing, and how the data principal can withdraw consent, exercise their rights, and file a complaint. 

 

Further, the 2025 Rules said that processing of the personal data of an individual by data fiduciaries shall be done following the standards specified. The standards include that the processing of personal data was done in a lawful manner. Personal data should be retained till required for such uses or achieving such purposes, as the case may be, or for compliance with any law for the time being in force. These provisions will come into effect after 18 months from the gazette notification. A data fiduciary is any individual, company, or organisation that determines the purpose and means of processing personal data.

 

A data fiduciary shall protect personal data in its possession or under its control, including in respect of any processing undertaken by it or on its behalf by a data processor, by taking reasonable security safeguards to prevent breach of personal data. A data processor is an entity that processes personal data on behalf of a data fiduciary and acts based on the fiduciary's instructions. On becoming aware of any personal data breach, the data fiduciary shall intimate the affected individual in a concise, clear, and plain manner and without delay, through the user account or any mode of communication registered by the user with the data fiduciary. These provisions, along with intimation of personal data breach by the data fiduciary to the individual, will come into effect after 18 months.

 

Another provision, which will also come into effect after 18 months, relates to the data fiduciary erasing personal data after its processing purpose is met, unless retaining the data is necessary by law. The government has also given 18 months for the data fiduciaries to give contact information of a person to answer questions about data processing. 

 

Some other notable provisions which will come into effect after 18 months are regarding verifiable consent for processing of personal data of children, transfer of personal data outside the territory of India, exemption from the 2023 Act for research, archiving or statistical purposes and others. Further, provisions of appeals by individuals from the Board's decision to an appellate tribunal and the government calling for information from a data fiduciary or intermediary will also come into effect after 18 months.

 

Parliament passed the Digital Personal Data Protection Act in 2023. The Act applies to the processing of digital personal data within India where such data is collected online, or collected offline and digitised. It also applies to such processing outside India, if it is for offering goods or services in India. The Act grants certain rights to individuals, including the right to obtain information, seek correction and erasure, and to seek redressal of grievances.  End

 

Reported by Surya Tripathi

Edited by Tanima Banerjee

 

For users of real-time market data terminals, Informist news is available exclusively on the NSE Cogencis WorkStation.

 

Cogencis news is now Informist news. This follows the acquisition of Cogencis Information Services Ltd. by NSE Data & Analytics Ltd., a 100% subsidiary of the National Stock Exchange of India Ltd. As a part of the transaction, the news department of Cogencis has been sold to Informist Media Pvt. Ltd.

 

Informist Media Tel +91 (22) 6985-4000

Send comments to feedback@informistmedia.com

 

© Informist Media Pvt. Ltd. 2025. All rights reserved.