
India's Digital Personal Data Protection Rules, 2025

डिजिटल वैयक्तिक डेटा संरक्षण नियमावली, 2025
India · Made under §40 DPDPA 2023; gazette notification dated 13 Nov 2025, published 14 Nov 2025 · In force (phased)
Citation
Name: India's Digital Personal Data Protection Rules, 2025
Type: Subordinate Legislation (Rules under DPDPA 2023 §40)
Topic: Privacy
Gazette ref: CG-DL-E-14112025-267650 · No. 760 · Part II §3(i)
Verified: Verified
Source
Gazette PDF: meity.gov.in
Notification dated: 13 Nov 2025
Gazette published: 14 Nov 2025
Status: In force (phased — see body)
Jurisdiction & enforcer
Jurisdiction: India
ISO: IN
Region: Asia Pacific
Parent Act: DPDPA 2023
Issuing ministry: MeitY
Notes & provenance

Made by the Central Government under §40(1) and §40(2) of the Digital Personal Data Protection Act, 2023 (Act 22 of 2023). The draft Rules were published as G.S.R. 02(E) on 3 January 2025 with a 45-day public-comment window; 6,915 inputs were received across consultations in Delhi, Mumbai, Guwahati, Kolkata, Hyderabad, Bengaluru and Chennai. Final Rules notified on 13 November 2025, gazette published 14 November 2025 (Gazette of India Extraordinary, Part II §3(i), No. 760; CG-DL-E-14112025-267650). PAI: AT2 verified Legislation recyFvdOkiQWEYfdJ; Authority rec7w2U4LxH87MOMS (DPDP Board); parent statute recNAzw0GJ0Yhdj2V (DPDPA 2023).

Commencement & scope

Phased entry into force per Rule 1; substantive obligations follow an 18-month implementation window from gazette publication on 14 November 2025.

Immediate (from 14 Nov 2025): Rules 1 (short title and commencement), 2 (definitions), and 17–21 (Data Protection Board operations, members, complaints, appeals, transitional matters). The Board's structural framework is therefore live from gazette publication.

One year after publication (14 Nov 2026): Rule 4 commences. This concerns verifiable consent obligations specific to certain Data Fiduciary categories.

Eighteen months after publication (14 May 2027): Rules 3, 5–16, 22 and 23 commence. These cover the bulk of operational compliance — consent notices, Data Principal rights, breach notification, children's data, processing of personal data outside India, and the registration regime for Significant Data Fiduciaries and Consent Managers.

Key obligations

Substantive duties on Data Fiduciaries and rights of Data Principals codified by the Rules (per the gazette and PIB explainer of 17 November 2025).
  • Consent notices. Each Data Fiduciary must issue a separate, plain-language consent notice independently understandable from any other information, stating the specific purpose of processing.
  • Data Principal rights. Rights to access, correct, update, erase and nominate; Data Fiduciaries must respond within ninety days.
  • Breach notification. Data Principals must be informed of personal data breaches at the earliest, including what happened and what steps they can take.
  • Children's personal data. Verifiable parental or lawful-guardian consent required, with carve-outs for healthcare, education and real-time safety.
  • Persons with disabilities. Lawful guardian consent required where the individual cannot independently exercise rights, with guardian verification under applicable laws.
  • Significant Data Fiduciaries. Stricter checks for new or sensitive technologies; the Central Government may issue directions on restricted data categories, including local-storage requirements.
  • Digital-first Board. Online complaints portal and mobile application; Board to consist of four Members; appeals to TDSAT.
  • RTI Act amendment. Section 8(1)(j) of the Right to Information Act amended consistent with the Supreme Court's Puttaswamy privacy judgment, balancing transparency and personal-data safeguards.