
Ministry of Electronics and Information Technology (MeitY) has released the draft Digital Personal Data Protection Rules, 2025, for public consultation, inviting feedback by February 18, 2025. These rules aim to operationalize the Digital Personal Data Protection Act, 2023, with a focus on protecting personal data and ensuring compliance. The draft includes provisions for data fiduciaries, registration of consent managers, handling of personal data breaches, and processing personal data for government benefits. It also addresses children’s data, individuals with disabilities, and security safeguards. Feedback can be submitted via the MyGov portal. The draft and explanatory notes are accessible on MeitY’s website.

Ministry of Electronics & IT

MeitY releases Draft Digital Personal Data Protection Rules, 2025 for public consultation; Feedback/comments sought from public by 18th February, 2025

Ministry of Electronics and Information Technology has drafted the Digital Personal Data Protection Rules, 2025 to facilitate the implementation of the Digital Personal Data Protection Act, 2023 (DPDP Act). It aims to strengthen the legal framework for the protection of digital personal data by providing necessary details and an actionable framework. Stakeholders are invited to share feedback/comments on the draft Rules.


In line with the SARAL framework, certain principles like simple language, avoiding unnecessary cross referencing, contextual definition, and illustrations etc. have been used while drafting the rules. The text of the Rules, along with simplified explanatory notes to enhance accessibility and understanding of the draft Rules, is available on the Ministry’s website at https://www.meity.gov.in/dataprotection-framework

Overview of draft rules

The draft Rules detail various implementation aspects such as the notice by the Data Fiduciary to the individuals, registration and obligations of Consent Manager, processing of personal data for issuance of subsidy, benefit, service etc. by State, applicability of reasonable security safeguards, intimation of personal data breach, providing details about availing of their rights by the individuals, processing of personal data of child or of person with disability, setting up the Data Protection Board, appointment and service conditions of the Chairperson and other members of the Board, functioning of the Board as a digital office, and the procedure to appeal to the Appellate Tribunal, among others.

Feedback/comments for Draft Rules

In this regard, feedback/comments may be submitted via the MyGov portal at the following link: https://innovateindia.mygov.in/dpdp-rules-2025 and the last date for submission is 18th February, 2025.

The DPDP Act, which received the assent of the President of India, establishes a framework for processing digital personal data. It balances the individual’s right to protect personal data with the need to process such personal data for lawful purposes.

*****

Explanatory note to Digital Personal Data Protection Rules, 2025

The Digital Personal Data Protection Act, 2023 (Act) received the assent of the Hon’ble President on 11th August 2023. A draft of the Rules as envisaged under different sections of the Act has been made. The Rules provide the necessary details and implementation framework of the Act.

During the drafting of Rules, certain principles used in the drafting of the Act, like using simple language, avoiding unnecessary cross referencing, providing contextual definition, and providing illustrations etc. have been followed meticulously. This explanatory note provides a brief overview of the contents of the Rules.

1. Short title and commencement: These rules, called the Digital Personal Data Protection Rules, 2025, come into force upon publication, except for rules 3 to 15, 21 and 22 which will be effective from a later date.

2. Definitions clause: Expressions shall have the same meaning as assigned to them in the Act, unless the context otherwise requires.

3. Notice by Data Fiduciary to Data Principal: The notice provided by the Data Fiduciary to the Data Principal must be clear, standalone, and understandable, distinct from any other information shared by the Data Fiduciary. It must use simple, plain language to provide the Data Principal with a full and transparent account of the information necessary for giving informed consent for the processing of their personal data. Specifically, the notice should include an itemized list of the personal data being collected and a clear description of the purpose for processing, along with an itemized explanation of the goods, services, or uses enabled by such processing.

Additionally, the notice must provide a communication link of the Data Fiduciary’s website or app, and describe other methods (if applicable) for the Data Principal to withdraw consent with ease comparable to that of giving consent, exercise their rights, and make complaints to the Board.

4. Registration and obligations of a Consent Manager: A Consent Manager must be a company incorporated in India with sound financial and operational capacity, having a minimum net worth of two crore rupees, a reputation for fairness and integrity in its management, and a certified interoperable platform enabling Data Principals to manage their consent.

The application for registration is to be made to the Board. Once registered, the Consent Manager must comply with specific obligations of ensuring that Data Principals can easily give, manage, review, and withdraw consent for data processing, maintaining records of consents and data sharing, and providing transparent access to such records. The Consent Manager is also required to implement strong security measures to protect personal data, avoid conflicts of interest, and ensure transparency by publishing key management details and ownership structures. Additionally, the Board may audit the Consent Manager’s operations, suspend or cancel its registration if necessary, and issue corrective directions to safeguard the interests of Data Principals.

The Consent Manager must also maintain independence, with strict rules to prevent conflicts of interest involving its directors or senior management and Data Fiduciaries. They are prohibited from subcontracting or assigning responsibilities, and they must ensure long-term compliance by regularly reviewing their operations. Any transfer of control of the Consent Manager company, such as through sale or merger, requires prior approval from the Board. Through these provisions, the regulation ensures that Consent Managers uphold high standards of transparency, security, and fiduciary duty in managing personal data.

5. Processing for provision or issue of services by the State or its instrumentality: The State and its instrumentalities may process the personal data of Data Principals to provide or issue subsidies, benefits, services, certificates, licenses, or permits, as defined under law or policy or using public funds. Processing in these cases must adhere to the specific standards outlined in Schedule II, which ensures lawful, transparent, and secure handling of personal data for such purposes.

According to Schedule II, the processing must meet several key criteria, such as ensuring that personal data is processed lawfully, for the stated purposes, and limited to the data necessary for achieving those purposes. The data must be accurate and retained only as long as necessary, while appropriate security safeguards must be in place to prevent breaches. The Data Principal should be informed about the processing, including the means to access their rights, and the processing must be done in compliance with any applicable laws. The responsible parties must be accountable for adhering to these standards.

The aim is to ensure that personal data processing is transparent, secure, and in line with legal and policy standards, safeguarding the interests of the Data Principals.

6. Reasonable security safeguards: A Data Fiduciary must implement reasonable security measures to protect personal data, including encryption, access control, monitoring for unauthorized access, and data backups etc. These safeguards ensure the confidentiality, integrity, and availability of data, and must include provisions for detecting and addressing breaches and maintenance of logs. Contracts with Data Processors must also ensure security measures are in place. The measures should comply with technical and organizational standards to prevent data breaches.

7. Intimation of Personal Data Breach: When a Data Fiduciary becomes aware of a personal data breach, it is required to promptly notify all affected Data Principals. This notification must be clear and straightforward, explaining the breach’s nature, extent, and timing, along with potential consequences for the affected individuals. The Data Fiduciary must also inform the Data Principal of any measures taken to mitigate the risks and provide safety recommendations for protecting their data. Furthermore, contact information of a responsible person for inquiries must be included.

Additionally, the Data Fiduciary must inform the Board about the breach without delay. Within 72 hours or a longer time if permitted, the Data Fiduciary is obligated to provide detailed information, including the events that led to the breach, actions taken to mitigate risks, and the identity of the individual responsible, if known. The Data Fiduciary must also report on the remedial steps taken to prevent future breaches and details on the notifications sent to affected Data Principals.

8. Time period for specified purpose to be deemed as no longer being served: Under this provision, if a Data Fiduciary processes personal data for purposes outlined in Schedule III and the Data Principal does not engage with the Fiduciary within a specified period, the personal data must be erased unless required for legal compliance. The time period for this erasure is defined in Schedule III for different classes of Data Fiduciaries, such as e-commerce entities, online gaming intermediaries, and social media platforms. These entities may retain personal data for up to three years from the last interaction or the coming into effect of the rules, whichever is later, except when the data is needed for the principal to access their account or virtual tokens.

Before erasure, the Data Fiduciary must notify the Data Principal at least 48 hours in advance, alerting them that their data will be erased unless they log in or initiate contact with the Fiduciary to fulfil the specified purpose. The notification gives the Data Principal an opportunity to preserve their data by taking action. This rule provides a clear process for erasing personal data if the Data Principal has not interacted with the Data Fiduciary within the specified time, ensuring that data is retained only when necessary for continued use or legal obligations, while offering the Data Principal a chance to retain their data by taking proactive steps.

9. Contact information for addressing data processing queries: This mandates that every Data Fiduciary must clearly display on their website or app the contact details of a designated person who can address questions regarding the processing of personal data. If applicable, this could be the Data Protection Officer (DPO). The contact information should be easily accessible and visible to Data Principals, so that they can reach out with any concerns or queries about how their personal data is being processed. Additionally, the same contact details must be included in all responses to communications from Data Principals who wish to exercise their rights under the Data Protection Act.

The intent of this provision is to ensure transparency and accountability in the data processing practices of Data Fiduciaries, by providing clear contact information and giving Data Principals easier access to inquire about their personal data and its processing.

10. Verifiable consent for processing personal data of children and persons with disabilities: This provision outlines the requirements for obtaining verifiable consent from parents or legal guardians before processing the personal data of children or persons with disabilities. Specifically, a Data Fiduciary must implement measures to ensure that the person providing consent for a child’s data processing is the child’s parent or legal guardian, and that the parent or guardian is identifiable. For a child, the Data Fiduciary must verify that the parent is an adult by using reliable identity details or a virtual token mapped to such details. This verification process is critical to ensure that consent is being given by a responsible adult, in compliance with relevant laws. Examples are provided to clarify how this process should work, particularly in cases where the parent is already a registered user or when the parent needs to provide identity details using a Digital Locker service.

11. Exemptions from obligations in processing personal data of children: This provision outlines certain exemptions to the standard requirements for processing the personal data of children, as stated in section 9 of the Act. These exemptions are applicable to specific types of Data Fiduciaries and for certain purposes, subject to conditions laid out in Schedule IV. According to Part A of the schedule, certain classes of Data Fiduciaries, such as healthcare professionals, educational institutions, and childcare providers, are exempt from specific provisions related to children’s data. The processing of children’s personal data by these entities is permitted, but it is restricted to specific activities like health services, educational activities, safety monitoring, and transportation tracking. These activities must be necessary for the well-being and safety of the child, ensuring that data processing is done within a defined and limited scope. Part B of the schedule outlines specific purposes for which the exemptions apply, such as processing for legal duties, issuing subsidies or benefits to children, creating user accounts for communication purposes, or ensuring the child does not have access to harmful information. In these cases, processing is restricted to what is necessary to perform the function, service, or duty, with an emphasis on protecting the child’s best interests. The provision acknowledges that certain activities, such as verifying the age of a data subject to confirm they are not a child, also fall under this exemption, as long as the processing remains limited to the necessary scope. These exemptions aim to strike a balance between protecting children’s personal data and enabling necessary activities for their health, education, and safety.

12. Additional obligations of Significant Data Fiduciaries: This provision brings specific responsibilities for Significant Data Fiduciaries. It mandates that these Fiduciaries must conduct a Data Protection Impact Assessment (DPIA) and a comprehensive audit once every year. The results of these assessments and audits must be reported to the Board, and must contain key findings related to their adherence to data protection requirements.

Further, the provision holds Significant Data Fiduciaries accountable for verifying that any algorithmic software they use to process personal data does not pose a risk to the rights of Data Principals. This includes algorithms used for data hosting, storage, and sharing.

Entities must adopt measures to ensure that personal data identified by the Central Government is processed in compliance with specific restrictions, ensuring that the data and any related traffic data are not transferred outside of India.

13. Rights of Data Principals: Data Fiduciaries and Consent Managers must clearly publish on their website or app the process by which Data Principals can exercise their rights under the Act, including identifying details like usernames to facilitate identification. Data Principals can request to access and erase their personal data by contacting the Data Fiduciary. A Data Fiduciary must also provide clear timelines for responding to grievances, ensuring an effective process with the necessary technical and organizational safeguards. Data Principals may nominate one or more individuals to exercise their rights under the law, following the procedures set by the Data Fiduciary and applicable legal norms.

14. Processing of personal data outside India: Data Fiduciaries processing data within India or in connection with offering goods or services to Data Principals from outside India must comply with any requirements the Central Government sets in respect of making such personal data available to a foreign State or its entities. This is intended to ensure that personal data remains protected under the Act.

15. Exemption from Act for research, archiving, or statistical purposes: The Act does not apply to the processing of personal data carried out for research, archiving, or statistical purposes if it adheres to the specific standards outlined in Schedule II. This exemption ensures that necessary data processing for academic and policy research can occur while maintaining certain safeguards and standards to protect personal data.

16. Appointment of Chairperson and other Members: A Search-cum-Selection Committee shall be formed by the Central Government to recommend candidates for the position of Chairperson of the Data Protection Board. The committee will be led by the Cabinet Secretary, Secretary MeitY, Secretary DLA and include two subject matter experts. Similarly, the committee will also recommend candidates for the position of other Board Members, with the Ministry of Electronics and Information Technology Secretary overseeing the process.

After considering the recommended individuals’ suitability, the Central Government will appoint the Chairperson or Members to the Board.

17. Salary, allowances, and other terms of service for Chairperson and Members: The Rule provides for salary, allowances, and other service-related conditions for the Chairperson and Members of the Data Protection Board. The Chairperson is entitled to a consolidated salary of ₹4,50,000 per month, while each Member receives ₹4,00,000 per month, with no provisions for housing or a car. A detailed description of service conditions is provided in Schedule V.

18. Procedure for meetings of the Board and authentication of orders: the Rule outlines the procedure for the meetings of the Data Protection Board, including how they are convened, conducted, and how decisions are made. The Chairperson is responsible for setting the date, time, place, and agenda of the meetings, with the authority to delegate these duties. Meetings are chaired by the Chairperson, or in her absence, by another Member chosen by those present. A quorum for the meetings is one-third of the Board’s membership, and decisions are made by majority vote, with the Chairperson having a casting vote in the event of a tie. If a Member has a conflict of interest in any matter being discussed, they are prohibited from participating or voting on that matter. In urgent situations, the Chairperson has the authority to take immediate action, which must then be ratified at the next Board meeting. Additionally, certain issues may be decided by circulating the item to Members for approval, and the Chairperson or any authorized individual can authenticate the Board’s orders, directions, or instruments. Also, the Board is required to complete inquiries within six months, extendable for a further three months if necessary.

19. Functioning of the Board as a digital office: The Board is to operate as a digital office, utilizing technology to conduct its proceedings efficiently. This provision allows the Board to adopt techno-legal measures to carry out its functions without requiring the physical presence of individuals. The Board retains the power to summon individuals and examine them under oath. The aim is to streamline processes, reduce the need for physical attendance, and enhance the overall efficiency of the Board’s operations.

20. Terms and conditions of appointment and service of officers and employees of the Board: the rule outlines the procedures for the appointment and service terms of officers and employees working for the Data Protection Board. It specifies that the Board can appoint officers and employees necessary for carrying out its functions, with prior approval from the Central Government. The appointments can be made on deputation from various government bodies or public sector enterprises. Additionally, the officers and employees can be appointed from the National Institute for Smart Government, with salaries aligned to market standards and other terms decided by the Board.

Schedule VI elaborates on the specifics of the terms and conditions of service for these officers and employees.

21. Appeal to Appellate Tribunal: The rule outlines the process for filing appeals to the Appellate Tribunal for persons dissatisfied with orders or directions of the Board. The appeal must be submitted digitally, in line with the procedure set by the Appellate Tribunal on its website. The appeal is required to be accompanied by a fee, which the Appellate Tribunal’s Chairperson may decide to reduce or waive. The Appellate Tribunal has the authority to regulate its procedures. Additionally, the Tribunal operates as a digital office, utilizing technology to conduct its proceedings, which eliminates the need for physical presence while retaining the power to summon individuals and administer oaths when necessary. This digital approach allows for more flexible and efficient handling of appeals.

22. Calling for information from Data Fiduciary or Intermediary: This rule enables the Central Government to require Data Fiduciaries or intermediaries to provide specific information for purposes outlined in Schedule VII. In cases where the disclosure of information might compromise the sovereignty, integrity, or security of India, the authorized person may restrict disclosure unless prior written permission is obtained. Fulfilling these information requests is part of the legal obligations under Section 36 of the Act. The government is empowered to request data for various purposes, including national security, legal compliance, or to assess the status of certain Data Fiduciaries.

***

MINISTRY OF ELECTRONICS AND INFORMATION TECHNOLOGY

NOTIFICATION

New Delhi, the 3rd January, 2025

G.S.R. 02(E).—Draft of rules proposed to be made by the Central Government in exercise of the powers conferred by sub-sections (1) and (2) of section 40 of the Digital Personal Data Protection Act, 2023 (22 of 2023), on or after the date of coming into force of the Act, are hereby published for the information of all persons likely to be affected thereby; and notice is hereby given that the said draft rules shall be taken into consideration after 18th February, 2025;

Objections and suggestions, if any, may be submitted on the website of MyGov (https://mygov.in) by the said date;

The objections and suggestions, which may be received from any person with respect to the said draft rules before the expiry of the period specified above, shall not be attributed to the persons submitting publicly and shall be held in fiduciary capacity to enable them to provide the same freely, and shall be considered by the Central Government.

DRAFT RULES

1. Short title and commencement.—(1) These rules may be called the Digital Personal Data Protection Rules, 2025.

(2) Rules 3 to 15, rule 21 and rule 22 shall come into force with effect from .

(3) These rules, except rules 3 to 15 and rules 21 and 22, shall come into force on the date of their publication in the Official Gazette.

2. Definitions.—Unless the context otherwise requires, all expressions shall have the meaning assigned to them in the Digital Personal Data Protection Act, 2023 (22 of 2023) (hereinafter referred to as “Act”).

3. Notice given by Data Fiduciary to Data Principal.—The notice given by the Data Fiduciary to the Data Principal shall—

(a) be presented and be understandable independently of any other information that has been, is or may be made available by such Data Fiduciary;

(b) give, in clear and plain language, a fair account of the details necessary to enable the Data Principal to give specific and informed consent for the processing of her personal data, which shall include, at the minimum,—

(i) an itemised description of such personal data; and

(ii) the specified purpose of, and an itemised description of the goods or services to be provided or uses to be enabled by, such processing; and

(c) the particular communication link for accessing the website or app, or both, of such Data Fiduciary, and a description of other means, if any, using which such Data Principal may—

(i) withdraw her consent, with the ease of doing so being comparable to that with which such consent was given;

(ii) exercise her rights under the Act; and

(iii) make a complaint to the Board.

4. Registration and obligations of Consent Manager.—(1) A person who fulfils the conditions for registration of Consent Managers set out in Part A of First Schedule may apply to the Board for registration as a Consent Manager by furnishing such particulars and such other information and documents as the Board may publish in this behalf on its website.

(2) On receipt of such application, the Board may make such inquiry as it may deem fit to satisfy itself regarding fulfilment of the conditions set out in Part A of First Schedule, and if it—

(a) is satisfied, register the applicant as a Consent Manager, under intimation to the applicant, and publish on its website the particulars of such Consent Manager; or

(b) is not satisfied, reject the application and communicate the reasons for the rejection to the applicant.

(3) The Consent Manager shall have obligations as specified in Part B of First Schedule.

(4) If the Board is of the opinion that a Consent Manager is not adhering to the conditions and obligations under this rule, it may, after giving an opportunity of being heard, inform the Consent Manager of such non-adherence and direct the Consent Manager to take measures to ensure adherence.

(5) The Board may, if it is satisfied that it is necessary so to do in the interests of Data Principals, after giving the Consent Manager an opportunity of being heard, by order, for reasons to be recorded in writing,—

(a) suspend or cancel the registration of such Consent Manager; and

(b) give such directions as it may deem fit to that Consent Manager, to protect the interests of the Data Principals.

(6) The Board may, for the purposes of this rule, require the Consent Manager to furnish such information as the Board may call for.

5. Processing for provision or issue of subsidy, benefit, service, certificate, licence or permit by State and its instrumentalities.—(1) The State and any of its instrumentalities may process the personal data of a Data Principal under clause (b) of section 7 of the Act to provide or to issue to her any subsidy, benefit, service, certificate, licence or permit that is provided or issued under law or policy or using public funds.

(2) Processing under this rule shall be done following the standards specified in Second Schedule.

(3) In this rule and Second Schedule, the reference to any subsidy, benefit, service, certificate, licence or permit that is provided or issued—

(a) under law shall be construed as a reference to provision or issuance of such subsidy, benefit, service, certificate, licence or permit in exercise of any power of or the performance of any function by the State or any of its instrumentalities under any law for the time being in force;

(b) under policy shall be construed as a reference to provision or issuance of such subsidy, benefit, service, certificate, licence or permit under any policy or instruction issued by the Central Government or a State Government in exercise of its executive power; and

(c) using public funds shall be construed as a reference to provision or issuance of such subsidy, benefit, service, certificate, licence or permit by incurring expenditure on the same from, or with accrual of receipts to,—

(i) in case of the Central Government or a State Government, the Consolidated Fund of India or the Consolidated Fund of the State or the public account of India or the public account of the State; or

(ii) in case of any local or other authority within the territory of India or under the control of the Government of India or of any State, the fund or funds of such authority.

6. Reasonable security safeguards.—(1) A Data Fiduciary shall protect personal data in its possession or under its control, including in respect of any processing undertaken by it or on its behalf by a Data Processor, by taking reasonable security safeguards to prevent personal data breach, which shall include, at the minimum,—

(a) appropriate data security measures, including securing of such personal data through its encryption, obfuscation or masking or the use of virtual tokens mapped to that personal data;

(b) appropriate measures to control access to the computer resources used by such Data Fiduciary or such a Data Processor;

(c) visibility on the accessing of such personal data, through appropriate logs, monitoring and review, for enabling detection of unauthorised access, its investigation and remediation to prevent recurrence;

(d) reasonable measures for continued processing in the event of confidentiality, integrity or availability of such personal data being compromised as a result of destruction or loss of access to personal data or otherwise, including by way of data-backups;

(e) for enabling the detection of unauthorised access, its investigation, remediation to prevent recurrence and continued processing in the event of such a compromise, retain such logs and personal data for a period of one year, unless compliance with any law for the time being in force requires otherwise;

(f) appropriate provision in the contract entered into between such Data Fiduciary and such a Data Processor for taking reasonable security safeguards; and

(g) appropriate technical and organisational measures to ensure effective observance of security safeguards.

(2) In this rule, the expression “computer resource” shall have the same meaning as is assigned to it in Information Technology Act, 2000 (21 of 2000).

7. Intimation of personal data breach.—(1) On becoming aware of any personal data breach, the Data Fiduciary shall, to the best of its knowledge, intimate to each affected Data Principal, in a concise, clear and plain manner and without delay, through her user account or any mode of communication registered by her with the Data Fiduciary,—

(a) a description of the breach, including its nature, extent and the timing and location of its occurrence;

(b) the consequences relevant to her, that are likely to arise from the breach;

(c) the measures implemented and being implemented by the Data Fiduciary, if any, to mitigate risk;

(d) the safety measures that she may take to protect her interests; and

(e) business contact information of a person who is able to respond on behalf of the Data Fiduciary, to queries, if any, of the Data Principal.

(2) On becoming aware of any personal data breach, the Data Fiduciary shall intimate to the Board,—

(a) without delay, a description of the breach, including its nature, extent, timing and location of occurrence and the likely impact;

(b) within seventy-two hours of becoming aware of the same, or within such longer period as the Board may allow on a request made in writing in this behalf,—

(i) updated and detailed information in respect of such description;

(ii) the broad facts related to the events, circumstances and reasons leading to the breach;

(iii) measures implemented or proposed, if any, to mitigate risk;

(iv) any findings regarding the person who caused the breach;

(v) remedial measures taken to prevent recurrence of such breach; and

(vi) a report regarding the intimations given to affected Data Principals.

(3) In this rule, “user account” means the online account registered by the Data Principal with the Data Fiduciary, and includes any profiles, pages, handles, email address, mobile number and other similar presences by means of which such Data Principal is able to access the services of such Data Fiduciary.

8. Time period for specified purpose to be deemed as no longer being served.

(1) A Data Fiduciary, who is of such class and is processing personal data for such corresponding purposes as are specified in Third Schedule, shall erase such personal data, unless its retention is necessary for compliance with any law for the time being in force, if, for the corresponding time period specified in the said Schedule, the Data Principal neither approaches such Data Fiduciary for the performance of the specified purpose nor exercises her rights in relation to such processing.

(2) At least forty-eight hours before completion of the time period for erasure of personal data under this rule, the Data Fiduciary shall inform the Data Principal that such personal data shall be erased upon completion of such period, unless she logs into her user account or otherwise initiates contact with the Data Fiduciary for the performance of the specified purpose or exercises her rights in relation to the processing of such personal data.

(3) In this rule, “user account” means the online account registered by the Data Principal with the Data Fiduciary, and includes any profiles, pages, handles, email address, mobile number and other similar presences by means of which she is able to access the services of such Data Fiduciary.

9. Contact information of person to answer questions about processing.—Every Data Fiduciary shall prominently publish on its website or app, and mention in every response to a communication for the exercise of the rights of a Data Principal under the Act, the business contact information of the Data Protection Officer, if applicable, or a person who is able to answer on behalf of the Data Fiduciary the questions of the Data Principal about the processing of her personal data.

10. Verifiable consent for processing of personal data of child or of person with disability who has lawful guardian.—(1) A Data Fiduciary shall adopt appropriate technical and organisational measures to ensure that verifiable consent of the parent is obtained before the processing of any personal data of a child and shall observe due diligence, for checking that the individual identifying herself as the parent is an adult who is identifiable if required in connection with compliance with any law for the time being in force in India, by reference to—

(a) reliable details of identity and age available with the Data Fiduciary; or

(b) voluntarily provided details of identity and age or a virtual token mapped to the same, which is issued by an entity entrusted by law or the Central Government or a State Government with the maintenance of such details or a person appointed or permitted by such entity for such issuance, and includes such details or token verified and made available by a Digital Locker service provider.

Illustration.

C is a child, P is her parent, and DF is a Data Fiduciary. A user account of C is sought to be created on the online platform of DF, by processing the personal data of C.

Case 1: C informs DF that she is a child. DF shall enable C’s parent to identify herself through its website, app or other appropriate means. P identifies herself as the parent and informs DF that she is a registered user on DF’s platform and has previously made available her identity and age details to DF. Before processing C’s personal data for the creation of her user account, DF shall check to confirm that it holds reliable identity and age details of P.

Case 2: C informs DF that she is a child. DF shall enable C’s parent to identify herself through its website, app or other appropriate means. P identifies herself as the parent and informs DF that she herself is not a registered user on DF’s platform. Before processing C’s personal data for the creation of her user account, DF shall, by reference to identity and age details issued by an entity entrusted by law or the Government with maintenance of the said details or to a virtual token mapped to the same, check that P is an identifiable adult. P may voluntarily make such details available using the services of a Digital Locker service provider.

Case 3: P identifies herself as C’s parent and informs DF that she is a registered user on DF’s platform and has previously made available her identity and age details to DF. Before processing C’s personal data for the creation of her user account, DF shall check to confirm that it holds reliable identity and age details of P.

Case 4: P identifies herself as C’s parent and informs DF that she herself is not a registered user on DF’s platform. Before processing C’s personal data for the creation of her user account, DF shall, by reference to identity and age details issued by an entity entrusted by law or the Government with maintenance of the said details or to a virtual token mapped to the same, check that P is an identifiable adult. P may voluntarily make such details available using the services of a Digital Locker service provider.

(2) A Data Fiduciary, while obtaining verifiable consent from an individual identifying herself as the lawful guardian of a person with disability, shall observe due diligence to verify that such guardian is appointed by a court of law, a designated authority or a local level committee, under the law applicable to guardianship.

(3) In this rule, the expression

(a) “adult” shall mean an individual who has completed the age of eighteen years;

(b) “Digital Locker service provider” shall mean such intermediary, including a body corporate or an agency of the appropriate Government, as may be notified by the Central Government, in accordance with the rules made in this regard under the Information Technology Act, 2000 (21 of 2000);

(c) “designated authority” shall mean an authority designated under section 15 of the Rights of Persons with Disabilities Act, 2016 (49 of 2016) to support persons with disabilities in exercise of their legal capacity;

(d) “law applicable to guardianship” shall mean,

(i) in relation to an individual who has long term physical, mental, intellectual or sensory impairment which, in interaction with barriers, hinders her full and effective participation in society equally with others and who despite being provided adequate and appropriate support is unable to take legally binding decisions, the provisions of law contained in Rights of Persons with Disabilities Act, 2016 (49 of 2016) and the rules made thereunder; and

(ii) in relation to a person who is suffering from any of the conditions relating to autism, cerebral palsy, mental retardation or a combination of such conditions and includes a person suffering from severe multiple disability, the provisions of law of the National Trust for the Welfare of Persons with Autism, Cerebral Palsy, Mental Retardation and Multiple Disabilities Act, 1999 (44 of 1999) and the rules made thereunder;

(e) “local level committee” shall mean a local level committee constituted under section 13 of the National Trust for the Welfare of Persons with Autism, Cerebral Palsy, Mental Retardation and Multiple Disabilities Act, 1999 (44 of 1999);

(f) “person with disability” shall mean and include

(i) an individual who has long term physical, mental, intellectual or sensory impairment which, in interaction with barriers, hinders her full and effective participation in society equally with others and who, despite being provided adequate and appropriate support, is unable to take legally binding decisions; and

(ii) an individual who is suffering from any of the conditions relating to autism, cerebral palsy, mental retardation or a combination of any two or more of such conditions and includes an individual suffering from severe multiple disability.

11. Exemptions from certain obligations applicable to processing of personal data of child.—(1) The provisions of sub-sections (1) and (3) of section 9 of the Act shall not be applicable to processing of personal data of a child by such class of Data Fiduciaries as are specified in Part A of Fourth Schedule, subject to such conditions as are specified in the said Part.

(2) The provisions of sub-sections (1) and (3) of section 9 of the Act shall not be applicable to processing of personal data of a child for such purposes as are specified in Part B of Fourth Schedule, subject to such conditions as are specified in the said Part.

12. Additional obligations of Significant Data Fiduciary.—(1) A Significant Data Fiduciary shall, once in every period of twelve months from the date on which it is notified as such or is included in the class of Data Fiduciaries notified as such, undertake a Data Protection Impact Assessment and an audit to ensure effective observance of the provisions of this Act and the rules made thereunder.

(2) A Significant Data Fiduciary shall cause the person carrying out the Data Protection Impact Assessment and audit to furnish to the Board a report containing significant observations in the Data Protection Impact Assessment and audit.

(3) A Significant Data Fiduciary shall observe due diligence to verify that algorithmic software deployed by it for hosting, display, uploading, modification, publishing, transmission, storage, updating or sharing of personal data processed by it are not likely to pose a risk to the rights of Data Principals.

(4) A Significant Data Fiduciary shall undertake measures to ensure that personal data specified by the Central Government on the basis of the recommendations of a committee constituted by it is processed subject to the restriction that the personal data and the traffic data pertaining to its flow is not transferred outside the territory of India.

13. Rights of Data Principals.—(1) For enabling Data Principals to exercise their rights under the Act, the Data Fiduciary and, where applicable, the Consent Manager, shall publish on its website or app, or both, as the case may be,—

(a) the details of the means using which a Data Principal may make a request for the exercise of such rights; and

(b) the particulars, if any, such as the username or other identifier of such a Data Principal, which may be required to identify her under its terms of service.

(2) To exercise the rights of the Data Principal under the Act to access information about personal data and its erasure, she may make a request to the Data Fiduciary to whom she has previously given consent for processing of her personal data, using the means and furnishing the particulars published by such Data Fiduciary for the exercise of such rights.

(3) Every Data Fiduciary and Consent Manager shall publish on its website or app, or both, as the case may be, the period under its grievance redressal system for responding to the grievances of Data Principals and shall, for ensuring the effectiveness of the system in responding within such period, implement appropriate technical and organisational measures.

(4) To exercise the rights of the Data Principal under the Act to nominate, she may, in accordance with the terms of service of the Data Fiduciary and such law as may be applicable, nominate one or more individuals, using the means and furnishing the particulars published by such Data Fiduciary for the exercise of such right.

(5) In this rule, the expression “identifier” shall mean any sequence of characters issued by the Data Fiduciary to identify the Data Principal and includes a customer identification file number, customer acquisition form number, application reference number, enrolment ID or licence number that enables such identification.

14. Processing of personal data outside India.—Transfer to any country or territory outside India of personal data processed by a Data Fiduciary—

(a) within the territory of India; or

(b) outside the territory of India in connection with any activity related to offering of goods or services to Data Principals within the territory of India,

is subject to the restriction that the Data Fiduciary shall meet such requirements as the Central Government may, by general or special order, specify in respect of making such personal data available to any foreign State, or to any person or entity under the control of or any agency of such a State.

15. Exemption from Act for research, archiving or statistical purposes.—The provisions of the Act shall not apply to the processing of personal data necessary for research, archiving or statistical purposes if it is carried on in accordance with the standards specified in Second Schedule.

16. Appointment of Chairperson and other Members.—(1) The Central Government shall constitute a Search-cum-Selection Committee, with the Cabinet Secretary as the chairperson and the Secretaries to the Government of India in charge of the Department of Legal Affairs and the Ministry of Electronics and Information Technology and two experts of repute having special knowledge or practical experience in a field which in the opinion of the Central Government may be useful to the Board as members, to recommend individuals for appointment as Chairperson.

(2) The Central Government shall constitute a Search-cum-Selection Committee, with the Secretary to the Government of India in the Ministry of Electronics and Information Technology as the chairperson and the Secretary to the Government of India in charge of the Department of Legal Affairs, and two experts of repute having special knowledge or practical experience in a field which in the opinion of the Central Government may be useful to the Board as members, to recommend individuals for appointment as a Member other than the Chairperson.

(3) The Central Government shall, after considering the suitability of individuals recommended by the Search-cum-Selection Committee, appoint the Chairperson or other Member, as the case may be.

(4) No act or proceeding of the Search-cum-Selection Committee specified in sub-rules (1) of this rule shall be called in question on the ground merely of the existence of any vacancy or absences in such committee or defect in its constitution.

17. Salary, allowances and other terms and conditions of service of Chairperson and other Members.—The Chairperson and every other Member shall receive such salary and allowances and shall have such other terms and conditions of service as are specified in Fifth Schedule.

18. Procedure for meetings of Board and authentication of its orders, directions and instruments.—(1) The Chairperson shall fix the date, time and place of meetings of the Board, approve the items of agenda therefor, and cause notice specifying the same to be issued under her signature or that of such other individual as the Chairperson may authorise by general or special order in writing.

(2) Meetings of the Board shall be chaired by the Chairperson and, in her absence, by such other Member as the Members present at the meeting may choose from amongst themselves.

(3) One-third of the membership of the Board shall be the quorum for its meetings.

(4) All questions which come up before any meeting of the Board shall be decided by a majority of the votes of Members present and voting, and, in the event of an equality of votes, the Chairperson, or in her absence, the person chairing, shall have a second or casting vote.

(5) If a Member has an interest in any item of business to be transacted at a meeting of the Board, she shall not participate in or vote on the same and, in such a case, the decision on such item shall be taken by a majority of the votes of other Members present and voting.

(6) In case an emergent situation warrants immediate action by the Board and it is not feasible to call a meeting of the Board, the Chairperson may, while recording the reasons in writing, take such action as may be necessary, which shall be communicated within seven days to all Members and laid before the Board for ratification at its next meeting.

(7) If the Chairperson so directs, an item of business or issue which requires decision of the Board may be referred to Members by circulation and such item may be decided with the approval of majority of the Members.

(8) The Chairperson or any Member of the Board, or any individual authorised by it by a general or special order in writing, may, under her signature, authenticate its order, direction or instrument.

(9) The inquiry by the Board shall be completed within a period of six months from the date of receipt of the intimation, complaint, reference or direction under section 27 of the Act, unless such period is extended by it, for reasons to be recorded in writing, for a further period not exceeding three months at a time.

19. Functioning of Board as digital office.—The Board shall function as a digital office which, without prejudice to its power to summon and enforce the attendance of any person and examine her on oath, may adopt techno-legal measures to conduct proceedings in a manner that does not require physical presence of any individual.

20. Terms and conditions of appointment and service of officers and employees of Board.—(1) The Board may, with previous approval of the Central Government and in such manner as the Central Government may by general or special order specify, appoint such officers and employees as it may deem necessary for the efficient discharge of its functions under the provisions of the Act.

(2) The terms and conditions of service of officers and employees of the Board shall be such as are specified in Sixth Schedule.

21. Appeal to Appellate Tribunal.—(1) An appeal, including any related documents, by a person aggrieved by an order or direction of the Board, shall be filed in digital form, following such procedure as may be specified by the Appellate Tribunal on its website.

(2) An appeal filed with the Appellate Tribunal shall be accompanied by fee of like amount as is applicable in respect of an appeal filed under the Telecom Regulatory Authority of India Act, 1997 (24 of 1997), unless reduced or waived by the Chairperson of the Appellate Tribunal at her discretion, and the same shall be payable digitally using the Unified Payments Interface or such other payment system authorised by the Reserve Bank of India as the Appellate Tribunal may specify on its website.

(3) The Appellate Tribunal—

(a) shall not be bound by the procedure laid down by the Code of Civil Procedure, 1908 (5 of 1908), but shall be guided by the principles of natural justice and, subject to the provisions of the Act, may regulate its own procedure; and

(b) shall function as a digital office which, without prejudice to its power to summon and enforce the attendance of any person and examine her on oath, may adopt techno-legal measures to conduct proceedings in a manner that does not require physical presence of any individual.

22. Calling for information from Data Fiduciary or intermediary.—(1) The Central Government may, for such purposes of the Act as are specified in Seventh Schedule, acting through the corresponding authorised person specified in the said Schedule, require any Data Fiduciary or intermediary to furnish such information as may be called for, specify the time period within which the same shall be furnished and, where disclosure in this regard is likely to prejudicially affect the sovereignty and integrity of India or security of the State, require the Data Fiduciary or intermediary to not disclose the same except with the previous permission in writing of the authorised person.

(2) Provision of information called for under this rule shall be by way of fulfilment of obligation under section 36 of the Act.

FIRST SCHEDULE
[See rule 4]

PART A

Conditions of registration of Consent Manager

1. The applicant is a company incorporated in India.

2. The applicant has sufficient capacity, including technical, operational and financial capacity, to fulfil its obligations as a Consent Manager.

3. The financial condition and the general character of management of the applicant are sound.

4. The net worth of the applicant is not less than two crore rupees.

5. The volume of business likely to be available to and the capital structure and earning prospects of the applicant are adequate.

6. The directors, key managerial personnel and senior management of the applicant company are individuals with a general reputation and record of fairness and integrity.

7. The memorandum of association and articles of association of the applicant company contain provisions requiring that the obligations under items 9 and 10 of Part B are adhered to, that policies and procedures are in place to ensure such adherence, and that such provisions may be amended only with the previous approval of the Board.

8. The operations proposed to be undertaken by the applicant are in the interests of Data Principals.

9. It is independently certified that—

(a) the interoperable platform of the applicant to enable the Data Principal to give, manage, review and withdraw her consent is consistent with such data protection standards and assurance framework as may be published by the Board on its website from time to time; and

(b) appropriate technical and organisational measures are in place to ensure adherence to such standards and framework and effective observance of the obligations under item 11 of Part B.

PART B

Obligations of Consent Manager

1. The Consent Manager shall enable a Data Principal using its platform to give consent to the processing of her personal data by a Data Fiduciary onboarded onto such platform either directly to such Data Fiduciary or through another Data Fiduciary onboarded onto such platform, who maintains such personal data with the consent of that Data Principal.

Illustration.

Individuals are enabled to give, manage, review and withdraw their consent to the processing of their personal data through P, a platform maintained by a Consent Manager. X, an individual, is a registered user on P. B1 and B2 are banks onboarded onto P.

Case 1: B1 sends a request on P to X for consent to process personal data contained in her bank account statement. X maintains the bank account statement as a digital record in her digital locker. X uses P to directly give her consent to B1, and proceeds to give B1 access to her bank account statement.

Case 2: B1 sends a request on P to X for consent to process personal data contained in her bank account statement. X maintains her bank account with B2. X uses P to route her consent through B2 to B1, while also digitally instructing B2 to send her bank account statement to B1. B2 proceeds to send the bank account statement to B1.

2. The Consent Manager shall ensure that the manner of making available the personal data or its sharing is such that the contents thereof are not readable by it.

3. The Consent Manager shall maintain on its platform a record of the following, namely:

(a) Consents given, denied or withdrawn by her;

(b) Notices preceding or accompanying requests for consent; and

(c) Sharing of her personal data with a transferee Data Fiduciary.

4. The Consent Manager

(a) shall give the Data Principal using such platform access to such record;

(b) shall, on the request of the Data Principal and in accordance with its terms of service, make available to her the information contained in such record, in machine-readable form; and

(c) shall maintain such record for at least seven years, or for such longer period as the Data Principal and Consent Manager may agree upon or as may be required by law.

5. The Consent Manager shall develop and maintain a website or app, or both, as the primary means through which a Data Principal may access the services provided by the Consent Manager.

6. The Consent Manager shall not sub-contract or assign the performance of any of its obligations under the Act and these rules.

7. The Consent Manager shall take reasonable security safeguards to prevent personal data breach.

8. The Consent Manager shall act in a fiduciary capacity in relation to the Data Principal.

9. The Consent Manager shall avoid conflict of interest with Data Fiduciaries, including in respect of their promoters and key managerial personnel.

10. The Consent Manager shall have in place measures to ensure that no conflict of interest arises on account of its directors, key managerial personnel and senior management holding a directorship, financial interest, employment or beneficial ownership in Data Fiduciaries, or having a material pecuniary relationship with them.

11. The Consent Manager shall publish in an easily accessible manner, on its website or app, or both, as the case may be, information regarding—

(a) the promoters, directors, key managerial personnel and senior management of the company registered as Consent Manager;

(b) every person who holds shares in excess of two per cent of the shareholding of the company registered as Consent Manager;

(c) every body corporate in whose shareholding any promoter, director, key managerial personnel or senior management of the Consent Manager holds shares in excess of two per cent. as on the first day of the preceding calendar month; and

(d) such other information as the Board may direct the Consent Manager to disclose in the interests of transparency.

12. The Consent Manager shall have in place effective audit mechanisms to review, monitor, evaluate and report the outcome of such audit to the Board, periodically and on such other occasions as the Board may direct, in respect of—

(a) technical and organisational controls, systems, procedures and safeguards;

(b) continued fulfilment of the conditions of registration; and

(c) adherence to its obligations under the Act and these rules.

13. The control of the company registered as the Consent Manager shall not be transferred by way of sale, merger or otherwise, except with the previous approval of the Board and subject to fulfilment of such conditions as the Board may specify in this behalf.

Note: In this Schedule,—

(a) the expression “body corporate” shall include a company, a body corporate as defined under clause (11) of section 2 of the Companies Act, 2013 (18 of 2013), a firm, a financial institution, a scheduled bank or a public sector enterprise established or constituted by or under any Central Act, Provincial Act or State Act, and any other incorporated association of persons or body of individuals;

(b) the expressions “company”, “control”, “director” and “key managerial personnel” shall have the same meanings as are respectively assigned to them in the Companies Act, 2013 (18 of 2013);

(c) the expression “net worth” shall mean the aggregate value of total assets as reduced by the value of liabilities of the Consent Manager as appearing in its books of accounts; and

(d) the expressions “promoter” and “senior management” shall have the same meanings as are respectively assigned to them in the Companies Act, 2013 (18 of 2013).

SECOND SCHEDULE
[See rules 5(2) and 15]

Standards for processing of personal data by State and its instrumentalities under clause (b) of section 7 and for processing of personal data necessary for the purposes specified in clause (b) of sub-section (2) of section 17

Implementation of appropriate technical and organisational measures to ensure effective observance of the following, in accordance with applicable law, for the processing of personal data, namely:

(a) Processing is carried out in a lawful manner;

(b) Processing is done for the uses specified in clause (b) of section 7 of the Act or for the purposes specified in clause (b) of sub-section (2) of section 17 of the Act, as the case may be;

(c) Processing is limited to such personal data as is necessary for such uses or achieving such purposes, as the case may be;

(d) Processing is done while making reasonable efforts to ensure the accuracy of personal data;

(e) Personal data is retained till required for such uses or achieving such purposes, as the case may be, or for compliance with any law for the time being in force;

(f) Reasonable security safeguards to prevent personal data breach to protect personal data in the possession or under control of the Data Fiduciary, including in respect of any processing undertaken by it or on its behalf by a Data Processor;

(g) Where processing is to be done under clause (b) of section 7 of the Act, the same is undertaken while giving the Data Principal an intimation in respect of the same and

(i) giving the business contact information of a person who is able to answer on behalf of the Data Fiduciary the questions of the Data Principal about the processing of her personal data;

(ii) specifying the particular communication link for accessing the website or app, or both, of such Data Fiduciary, and a description of other means, if any, using which such Data Principal may exercise her rights under the Act; and

(iii) is carried on in a manner consistent with such other standards as may be applicable to the processing of such personal data under policy issued by the Central Government or any law for the time being in force; and

(h) Accountability of the person who alone or in conjunction with other persons determines the purpose and means of processing of personal data, for effective observance of these standards.

THIRD SCHEDULE
[See rule 8(1)]

| S. no. | Class of Data Fiduciaries | Purposes | Time period |
|---|---|---|---|
| (1) | (2) | (3) | (4) |
| 1. | Data Fiduciary who is an e-commerce entity having not less than two crore registered users in India | For all purposes, except for the following: (a) Enabling the Data Principal to access her user account; and (b) Enabling the Data Principal to access any virtual token that is issued by or on behalf of the Data Fiduciary, is stored on the digital facility or platform of such Data Fiduciary, and may be used to get money, goods or services | Three years from the date on which the Data Principal last approached the Data Fiduciary for the performance of the specified purpose or exercise of her rights, or the commencement of the Digital Personal Data Protection Rules, 2025, whichever is latest |
| 2. | Data Fiduciary who is an online gaming intermediary having not less than fifty lakh registered users in India | For all purposes, except for the following: (a) Enabling the Data Principal to access her user account; and (b) Enabling the Data Principal to access any virtual token that is issued by or on behalf of the Data Fiduciary, is stored on the digital facility or platform of such Data Fiduciary, and may be used to get money, goods or services | Three years from the date on which the Data Principal last approached the Data Fiduciary for the performance of the specified purpose or exercise of her rights, or the commencement of the Digital Personal Data Protection Rules, 2025, whichever is latest |
| 3. | Data Fiduciary who is a social media intermediary having not less than two crore registered users in India | For all purposes, except for the following: (a) Enabling the Data Principal to access her user account; and (b) Enabling the Data Principal to access any virtual token that is issued by or on behalf of the Data Fiduciary, is stored on the digital facility or platform of such Data Fiduciary, and may be used to get money, goods or services | Three years from the date on which the Data Principal last approached the Data Fiduciary for the performance of the specified purpose or exercise of her rights, or the commencement of the Digital Personal Data Protection Rules, 2025, whichever is latest |

Note: In this Schedule,

(a) “e-commerce entity” means any person who owns, operates or manages a digital facility or platform for e-commerce as defined in the Consumer Protection Act, 2019 (35 of 2019), but does not include a seller offering her goods or services for sale on a marketplace e-commerce entity as defined in the said Act;

(b) “online gaming intermediary” means any intermediary who enables the users of its computer resource to access one or more online games;

(c) “social media intermediary” means an intermediary as defined in the Information Technology Act, 2000 (21 of 2000) who primarily or solely enables online interaction between two or more users and allows them to create, upload, share, disseminate, modify or access information using her services; and

(d) “user”, in relation to—

(i) an e-commerce entity, means any person who accesses or avails any computer resource of an e-commerce entity; and

(ii) an online gaming intermediary or a social media intermediary, means any person who accesses or avails of any computer resource of an intermediary for the purpose of hosting, publishing, sharing, transacting, viewing, displaying, downloading or uploading information.

FOURTH SCHEDULE
[See rule 11]

PART A

Classes of Data Fiduciaries in respect of whom provisions of sub-sections (1) and (3) of section 9 shall not apply

S. No. Class of Data Fiduciaries Conditions
(1) (2) (3)
1. A Data Fiduciary who is a clinical establishment, mental health establishment or healthcare professional
Conditions: Processing is restricted to provision of health services to the child by such establishment or professional, to the extent necessary for the protection of her health.

2. A Data Fiduciary who is an allied healthcare professional
Conditions: Processing is restricted to supporting implementation of any healthcare treatment and referral plan recommended by such professional for the child, to the extent necessary for the protection of her health.

3. A Data Fiduciary who is an educational institution
Conditions: Processing is restricted to tracking and behavioural monitoring—
(a) for the educational activities of such institution; or
(b) in the interests of safety of children enrolled with such institution.

4. A Data Fiduciary who is an individual in whose care infants and children in a crèche or child day care centre are entrusted
Conditions: Processing is restricted to tracking and behavioural monitoring in the interests of safety of children entrusted in the care of such institution, crèche or centre.

5. A Data Fiduciary who is engaged by an educational institution, crèche or child care centre for transport of children enrolled with such institution, crèche or centre
Conditions: Processing is restricted to tracking the location of such children, in the interests of their safety, during the course of their travel to and from such institution, crèche or centre.

PART B

Purposes for which provisions of sub-sections (1) and (3) of section 9 shall not apply

S. No. Purposes Conditions
(1) (2) (3)
1. For the exercise of any power, performance of any function or discharge of any duties in the interests of a child, under any law for the time being in force in India
Conditions: Processing is restricted to the extent necessary for such exercise, performance or discharge.

2. For the providing or issuing of any subsidy, benefit, service, certificate, licence or permit, by whatever name called, under law or policy or using public funds, in the interests of a child, under clause (b) of section 7 of the Act
Conditions: Processing is restricted to the extent necessary for such provision or issuance.

3. For the creation of a user account for communicating by email
Conditions: Processing is restricted to the extent necessary for creating such user account, the use of which is limited to communication by email.

4. For ensuring that information likely to cause any detrimental effect on the well-being of a child is not accessible to her
Conditions: Processing is restricted to the extent necessary to ensure that such information is not accessible to the child.

5. For confirmation by the Data Fiduciary that the Data Principal is not a child and observance of due diligence under rule 10
Conditions: Processing is restricted to the extent necessary for such confirmation or observance.

Note: In this Schedule,

(a) “allied healthcare professional” shall have the same meaning as is assigned to it in the National Commission for Allied and Healthcare Professions Act, 2021 (14 of 2021);

(b) “clinical establishment” means and includes all establishments and places

(i) falling within the meaning assigned to the term “clinical establishment” in clause (c) of section 2 of the Clinical Establishments (Registration and Regulation) Act, 2010 (23 of 2010); and

(ii) as referred to in sub-clauses (i) or (ii) of the said clause that is owned, controlled or managed by any force constituted under the Army Act, 1950 (46 of 1950), the Air Force Act, 1950 (45 of 1950) or the Navy Act, 1957 (62 of 1957);

(c) “educational institution” shall mean and include an institution of learning that imparts education, including vocational education;

(d) “healthcare professional” shall have the same meaning as is assigned to it in the National Commission for Allied and Healthcare Professions Act, 2021 (14 of 2021);

(e) “health services” shall mean the services referred to in clause (j) of section 2 of the National Commission for Allied and Healthcare Professions Act, 2021 (14 of 2021); and

(f) “mental health establishment” shall have the same meaning as is assigned to it in the Mental Healthcare Act, 2017 (10 of 2017).

FIFTH SCHEDULE
[See rule 17]

Terms and conditions of service of Chairperson and other Members

1. Salary.—(1) The Chairperson shall be entitled to receive a consolidated salary of rupees four lakh fifty thousand per month, without the facility of house and car.

(2) Every Member other than the Chairperson shall be entitled to receive a consolidated salary of rupees four lakh per month, without the facility of house and car.

2. Provident Fund.—The Chairperson and every other Member shall be eligible to contribute to the Provident Fund of the Board, and the manner and terms and conditions applicable in this regard shall, mutatis mutandis, be the same as those applicable to other officers and employees of the Board for their Provident Fund.

3. Pension and gratuity.—The Chairperson and every other Member shall not be entitled to payment of pension or gratuity for service rendered in the Board.

4. Travelling allowance.—(1) The Chairperson and every other Member, while on transfer to join the Board, or on the expiry of her term with the Board for proceeding to her home town with family (including in respect of journey undertaken by her and her family), or on tour within India, shall be entitled to journey allowance, daily allowance and reimbursement of expense on transportation of personal effects at such scales and rates as are applicable to an officer of the Central Government in the following level of the pay matrix, namely:—

(a) level 17, in the case of the Chairperson; and

(b) level 15, in the case of every other Member.

(2) The Chairperson and every other Member may undertake tour outside India only in accordance with guidelines or instructions issued by the Central Government, and in respect of such tour, she shall be entitled to draw the same allowances as an officer of the Central Government, in the following level of the pay matrix, is entitled to draw, namely:—

(a) level 17, in the case of the Chairperson; and

(b) level 15, in the case of every other Member.

5. Medical assistance.—(1) The Chairperson and every other Member shall be entitled to such medical assistance as may be admissible to them under any group health insurance scheme of the Board for officers and employees of the Board and their eligible dependants.

(2) If the Chairperson or other Member has retired from Government service, or from the service of a public sector entity or a body corporate established by a Central Act, Provincial Act or State Act, and there are a separate set of rules for the grant of medical assistance for such service, she may, in lieu of medical assistance under sub-paragraph (1), opt to be governed by such rules.

6. Leave.—(1) The authority competent to sanction leave shall be the Central Government in respect of the Chairperson, and the Chairperson in respect of any other Member.

(2) The Chairperson and every other Member may avail of such kinds of leave as are admissible to a Government servant under sub-clause (i) of clause (a) and clause (b) of sub-rule (1) of rule 26, rules 27, 29, 30 and 40 to 43-C of the Central Civil Services (Leave) Rules, 1972 (hereinafter referred to as “Leave Rules”).

(3) Leave shall be subject to the conditions applicable to a Government servant under rules 7 to 11 and 22 to 25 of the Leave Rules, and the Central Government may, if satisfied that the operation of any of the said rules causes undue hardship in a particular case, by order relax the requirements of that rule to such extent and subject to such exceptions and conditions as it may consider necessary for dealing with the case in a just and equitable manner.

(4) The Chairperson and every other Member shall be entitled to casual leave to such extent as is admissible to a Government servant under instructions issued by the Central Government.

(5) The Chairperson and every other Member shall be entitled to encashment of earned leave standing to her credit, subject to such conditions and in like manner as are applicable to a Government servant under rule 38-A, sub-rules (1) and (2) and sub-clauses (i) and (ii) of clause (a) of sub-rule (6) of rule 39, rule 39-A and rule 39-C of the Leave Rules, subject to the maximum extent of encashment under any of the said rules, other than rule 38-A, being fifty per cent. of the earned leave standing to her credit.

7. Leave travel concession.—(1) Leave travel concession shall be admissible to the Chairperson and every other Member in accordance with the provisions applicable to persons appointed to civil services and posts in connection with the affairs of the Union of India under rule 3, clauses (a) and (d) of rule 4, rules 5 to 15 and rule 17 of the Central Civil Services (Leave Travel Concession) Rules, 1988, and the entitlement for such concession shall be the same as is applicable to officers of the Central Government in level 17 of the pay matrix in the case of the Chairperson, and to officers of the Central Government in level 15 of the pay matrix in the case of a Member.

(2) The Chairperson and every other Member shall be eligible to avail of either leave travel concession to home town or leave travel concession to any place in India in any period of two years from the date of assumption of their office as a Member.

8. Other terms and conditions of service.—(1) The Chairperson and every other Member shall ensure absence of conflict of interest in the performance of the functions of her office and shall not have any such financial or other interests as are likely to prejudicially affect the performance of the functions of such office.

(2) The provisions contained in Part IV to Part IX of the Central Civil Services (Classification, Control and Appeal) Rules, 1965, as applicable to an officer of the Central Government who is a member of a Central Civil Services, Group ‘A’, shall apply, mutatis mutandis, to the Chairperson and every other Member.

(3) The Chairperson and every other Member shall not be entitled to any sitting fee for attending meetings of the Board.

(4) The Chairperson and every other Member shall not be entitled to any sumptuary allowance.

(5) Any matter relating to the conditions of service of the Chairperson or any other Member, in respect of which no express provision has been made in these rules, shall be referred to the Central Government for its decision, and the decision of the Central Government on the same shall be final.

9. In this Schedule, “pay matrix” shall mean the pay matrix referred to in Annexure I to the Central Government’s Resolution published in the Official Gazette vide Notification no. 1-2/2016-IC, dated the 25th July, 2016.

SIXTH SCHEDULE
[See rule 20(2)]

Terms and conditions of appointment and service of officers and employees of Board

1. Classes of officials.—(1) The Board may, in accordance with the Fundamental Rules and applicable guidelines issued by the Ministry of Personnel, Public Grievances and Pensions, Department of Personnel and Training, appoint officers and employees on deputation from the Central Government, a State Government, an autonomous body under the overall control of the Central Government or a State Government, a statutory body, or a public sector enterprise, for a period not exceeding five years.

(2) The Board may also receive or take on deputation any officer or other employee from the National Institute for Smart Government, for a period not exceeding five years, with salary and allowances guided by market standards and on such other terms and conditions as the Board may decide.

2. Gratuity.—The officers and employees shall be entitled to payment of such gratuity as may be admissible under the Payment of Gratuity Act, 1972 (39 of 1972).

3. Travelling allowance.—The travelling allowance payable to the officers and employees shall, mutatis mutandis, be the same as those applicable to the officers and employees of the Central Government.

4. Medical assistance.—The officers and employees shall be entitled to such medical assistance as may be admissible to them and their eligible dependants under any group health insurance scheme of the Board, made with the previous approval of the Central Government.

5. Leave.—(1) The officers and employees may avail of such kinds of leaves as are admissible to a Government servant under the Central Civil Services (Leave) Rules, 1972, subject to the conditions applicable under the said rules, and shall be eligible for encashment of earned leave as provided therein.

(2) The officers and employees shall be entitled to casual leave to such extent as is admissible to a Government servant under instructions issued by the Central Government.

6. Leave travel concession.—Leave travel concession shall be admissible to the officers and employees appointed under clause (1) of paragraph 1, in accordance with the provisions applicable to persons appointed to civil services and posts in connection with the affairs of the Union of India under the Central Civil Services (Leave Travel Concession) Rules, 1988.

7. Other terms and conditions of service.—(1) The provisions of the Civil Service (Conduct) Rules, 1964 shall apply to the officers and employees in like manner as applicable to a person appointed to a civil service or post in connection with the affairs of the Union of India under the said rules.

(2) The provisions contained in Part IV to Part IX of the Central Civil Services (Classification, Control and Appeal) Rules, 1965 shall apply, mutatis mutandis, to the officers and employees appointed under clause (1) of paragraph 1, in like manner as applicable to a Government servant under the said rules.

(3) Any matter relating to the terms and conditions of service of the officers and employees appointed under clause (1) of paragraph 1, in respect of which no express provision has been made in these rules, shall be referred to the Central Government for its decision, and the decision of the Central Government on the same shall be final.

SEVENTH SCHEDULE
[See rule 22(1)]

S. no. Purpose Authorised person
(1) (2) (3)
1. Use by the State or any of its instrumentalities, of personal data of a Data Principal in the interest of sovereignty and integrity of India or security of the State
Authorised person: Such officer of the State or of any of its instrumentalities notified under sub-section (2) of section 17 of the Act, as the Central Government or the head of such instrumentality, as the case may be, may designate in this behalf

2. Use by the State or any of its instrumentalities for the following purposes, namely:
(i) Performance of any function under any law for the time being in force in India; or
(ii) Disclosure of any information for fulfilling any obligation under any law for the time being in force in India
Authorised person: Person authorised under applicable law

3. Carrying out assessment for notifying any Data Fiduciary or class of Data Fiduciaries as Significant Data Fiduciary
Authorised person: Such officer of the Central Government, in the Ministry of Electronics and Information Technology, as the Secretary in charge of the said Ministry may designate in this behalf

[F. No. AA-11038/1/2025-CL&ES]

BHUVNESH KUMAR, Addl. Secy.
