Linking the DPDP Act 2023 with the DPDP Rules, 2025
This document provides a clear linkage between the DPDP Act, 2023 and the DPDP Rules, 2025, showing how the high-level legal mandates in the Act are operationalized through detailed, enforceable rules. It maps key sections of the Act—covering notices, consent management, security safeguards, breach reporting, data retention and erasure, children's data protection, Significant Data Fiduciary obligations, user rights, cross-border data transfers, research exemptions, and government information requests—to their corresponding Rules and Schedules. By connecting statutory obligations with specific procedural requirements, timelines, and standards, the document helps Data Fiduciaries and Data Principals understand what the law requires and how compliance must be implemented in practice, making it a practical reference for DPDPA readiness and ongoing compliance efforts.
Understand how DPDPA Act sections map to specific Rules, providing a clear connection between legal mandates and implementation requirements
| Section No. (Act) | Mandate Summary (Act) | Linked Rule(s) (2025) |
|---|---|---|
| Section 5(1) & 5(2) | Mandates providing a Notice before consent and to legacy users. | Rule 3: Specifies the manner of the notice (independent, itemised, clear language). |
| Section 6(7), (8) & (9) | Allows users to use Consent Managers; mandates CM registration. | Rule 4 & Schedule 1: Defines registration conditions, vetting process, and obligations for Consent Managers. |
| Section 7(b) | Allows processing for State subsidies, benefits, and licenses. | Rule 5 & Schedule 2: Mandates that State processing must follow specific standards (privacy policy, security, data minimization). |
| Section 8(5) | Mandates "reasonable security safeguards" to prevent breaches. | Rule 6: Defines "reasonable" as encryption, access control, 1-year log retention, and specific contract clauses with processors. |
| Section 8(6) | Mandates reporting personal data breaches to the Board and Users. | Rule 7: Specifies content of the user notice (including contact person) and the 72-hour deadline for reporting to the Board. |
| Section 8(7) & 8(8) | Mandates data erasure when the purpose is served or consent withdrawn. | Rule 8 & Schedule 3: Sets specific timelines (e.g., 3 years for e-commerce) and requires a 48-hour prior notification before deletion. |
| Section 8(9) | Mandates publishing contact information for grievance redressal. | Rule 9: Requires publishing contact details prominently on the website/app and in every response to a user query. |
| Section 9(1) | Mandates verifiable parental consent for children and persons with disabilities. | Rule 10 (Children) & Rule 11 (Disabilities): Prescribes methods for age verification, digital tokens, and guardianship verification. |
| Section 9(4) | Allows exemptions for certain classes of Fiduciaries regarding child data. | Rule 12 & Schedule 4: Exempts schools and healthcare from tracking bans if processing is for education or safety. |
| Section 10 | Mandates additional obligations for Significant Data Fiduciaries (SDF). | Rule 13: Requires SDFs to conduct DPIAs and audits every 12 months and verify algorithms for risk. |
| Section 11, 12, 13, 14 | Grants rights to Access, Correction, Grievance Redressal, and Nomination. | Rule 14: Specifies the "identifiers" required to exercise rights and sets a maximum 90-day response time for grievances. |
| Section 16 | Empowers Govt to restrict cross-border data transfers. | Rule 15: States data can be transferred subject to adherence to any future negative lists or specific government orders. |
| Section 17(2)(b) | Exempts processing for research, archiving, or statistics. | Rule 16 & Schedule 2: Mandates that research processing must follow the same security standards as State processing. |
| Section 36 | Empowers Govt to call for information from Fiduciaries. | Rule 23 & Schedule 7: Authorizes specific officers (e.g., from MeitY) to demand info for national security or SDF assessment. |
Note: Only Sections of the Act and Rules relating to Data Principals and Data Fiduciaries are listed here.