Media Centre

India Published the Implementing Rules and Applicability Dates for the Digital Personal Data Protection Act

Ariel Yosefi Or Noy

17 November 2025

Further to our previous update on the enactment of India’s Digital Personal Data Protection Act, 2023, India published on 14 November 2025 the Digital Personal Data Protection Rules, 2025, effectively setting India’s privacy act into motion.

The rules provide detailed guidance on the implementation of the act and clarify timelines and procedural requirements for compliance.

Below is an overview of the key provisions under the new rules:

 

1. Phased Compliance Timeline

The rules introduce a phased implementation period. The majority of obligations under the act – including the core compliance requirements such as governance measures, risk assessments, transparency obligations and data management standards – will become applicable in 18 months (i.e., on 14 May 2027). Other requirements – the registration requirements and obligations applicable to Consent Managers (Rule 4) will come into effect earlier, within 12 months.
This phased approach is intended to provide organizations with sufficient time to implement and operationalize the new compliance standards.

 

2. Consent and Legal Basis

The rules elaborate on the form and process for obtaining consent from data subjects. Consent must remain free, specific, informed, unconditional and unambiguous, based on clear affirmative action and linked to a specific and transparent purpose. The rules also clarify situations where consent is not required, aligning with the “legitimate use” exceptions under the act.

In addition, Consent Managers – entities that assist individuals in managing consent across platforms – must be incorporated in India.

 

3. Cross-Border Data Transfers

The rules provide further guidance on transferring digital personal data outside India, including conditions, safeguards and documentation requirements. Transfers to jurisdictions not included in the forthcoming “restricted list” remain permitted, provided the transfer meets prescribed contractual and security standards.

Significant Data Fiduciaries, which the Ministry of Electronics and IT will designate in the future based on the nature and volume of personal data they handle, may be subject to enhanced compliance obligations. For these entities, measures may be required to ensure that certain personal data and traffic data is not transferred outside India.

 

4. Data Breach Reporting

The rules set out thresholds and procedures for notifying both the Data Protection Board of India and affected data subjects. Notifications must explain the nature and consequences of the breach, remedial measures taken, and provide contact information for support.

These requirements apply in addition to the existing CERT-In reporting obligations under India’s IT regulations.

 

5. Data Subject Rights

The rules clarify processes and timelines for requests concerning data subject rights, including the rights of access, correction, deletion and grievance handling, as well as the right to nominate another individual to exercise such rights on their behalf. Data controllers (or Data Fiduciaries, as defined in the act) must respond to rights requests within a maximum of 90 days.

 

6. Transparency and Accountability

Data controllers must provide clear and accessible contact information (e.g.,  Data Protection Officer) to enable individuals to raise questions regarding personal data processing.

 

7. Children’s Data

The rules require verifiable parental consent prior to the processing of the personal data of children under the age of 18.

 

8. Data Protection Board

A new Digital Data Protection Board will be established and operate entirely online, allowing individuals to file and track complaints through a dedicated digital platform.

 

With the publication of the rules and the formal commencement of the long-awaited Digital Personal Data Protection Act, 2023, India has entered a new era of data protection regulatory regime. Companies processing the personal data of individuals in India should carefully review the rules and assess any necessary updates to their privacy notices, consent mechanisms, data governance practices and incident reporting procedures.

Feel free to contact us if you have any questions regarding the impact of the new act and rules on your organization or if you would like our assistance in preparing for compliance with the new requirements.

Related Practice Areas

Related Lawyers

More news

Alabama Joins States Enacting Comprehensive Privacy Law
Oklahoma Becomes the 20th State to Enact Privacy Law
Detecting and Mitigating Dark Patterns on Digital Platforms
JOIN OUR
Newsletter

    © 2020, All rights reserved, Herzog Law
    Site by Gootte

    The information contained in this web site is provided for informational purposes only and should not be construed as legal advice on any subject matter and should not be relied upon as such. Herzog accepts no responsibility for any consequences whatsoever arising from use of the information contained in this web site. The accessing of information contained in this web site shall under no circumstances be considered as creating an attorney-client relationship between Herzog and any party accessing this web site. Contacting through email any lawyer named in this web site or sending information without prior agreement of Herzog shall not be construed as automatically creating an attorney-client relationship between Herzog and the party sending an email or information. The material contained in this web site has been created by and remains the property of Herzog. No reproduction, transmission, publication or any other form of dissemination shall be permitted unless the prior written consent of Herzog has been obtained. This web site may contain links to other web sites operated by third parties. Herzog does not sponsor, approve or endorse the content of any such web site and is not responsible for the materials appearing in such sites.