Regulatory Compliance Roadmap Under India’s Data Protection Regime

INTRODUCTION

The Ministry of Electronics and Information Technology (MeitY), through its notification dated 14 November 2025, issued the Digital Personal Data Protection Rules, 2025 (“DPDP Rules”). These Rules operationalize India’s Digital Personal Data Protection Act, 2023 (“DPDP Act”), establishing a citizen-centric framework for the responsible use of personal data.

The DPDP Act, read with the Rules, constitutes the country’s primary legal framework for the protection of digital personal data. It prescribes clear obligations for the lawful processing of personal data and safeguards against misuse and unauthorized access.

The DPDP Act and the Rules apply to entities processing digital personal data in connection with goods or services, including personal data that is initially collected in non-digital form and subsequently digitized.

THE ACT

The Act introduces three key entities: the Data Principal, the Data Fiduciary, and the Data Processor.

  • A Data Principal is the individual to whom the personal data relates and is granted rights over such data, including the right to access, correct, and erase it.
  • A Data Fiduciary refers to any organization, company, or government body that determines the purpose and means of processing personal data and is primarily responsible for ensuring that such data is processed lawfully and securely.
  • A Data Processor, on the other hand, is a third party that processes personal data on behalf of the Data Fiduciary.

The DPDP Act establishes the statutory framework, while the DPDP Rules set out the operational details; with the Rules in force, the regime moves from a policy framework to a fully enforceable compliance structure. The Rules further delineate the roles, responsibilities, and specific obligations applicable to Data Fiduciaries, Data Processors, and Consent Managers.

SALIENT FEATURES OF THE RULES:

A. Notice and Consent:

A Data Fiduciary is required to provide a clear and standalone notice prior to the collection of personal data, specifying the nature of data collected and the precise purpose of its use. The notice must also include simple mechanisms for withdrawal of consent, exercise of rights, and grievance redressal before the Data Protection Board, with the Rules emphasizing that withdrawal of consent should be as easy as giving it. In the case of children’s data, verifiable consent must be obtained from a parent or legal guardian prior to processing.

The Rules permit cross-border data transfers subject to prescribed conditions by the government and require organizations to implement reasonable security safeguards, including encryption, access controls, and periodic audits.

B. Obligations of Consent Managers:

The DPDP Rules also introduce Consent Managers, entities that enable Data Principals to give, manage, review, and withdraw their consent for the processing of their personal data. The Rules oblige a Consent Manager to operate a secure and accessible digital platform that allows individuals to view, manage, and withdraw consent. Consent Managers must publish required company information, avoid conflicts of interest, and may not outsource their obligations. They must retain records for seven years and maintain a strong audit mechanism, reporting outcomes to the Data Protection Board when required. Only a company incorporated in India with a net worth of Rs. 2 crore or more can become a Consent Manager.

C. Security Safeguard Measures:

Under these measures, both Data Fiduciaries and Data Processors are obligated to implement adequate security safeguards, formalized through contractual arrangements that address data protection measures such as encryption, masking, access controls, and incident detection. Adequate back-up and continuity plans must be maintained, and logs, traffic data, and related information must be retained for at least one year.

Further, the Data Fiduciary is obliged to report any personal data breach to the Data Protection Board. A detailed report must be submitted within 72 hours, outlining the facts, causes, impact, mitigation steps, and notifications made to affected individuals. The Fiduciary must also alert impacted individuals as early as possible. Similarly, if the breach occurs at the Data Processor's end, the Processor must immediately inform the Data Fiduciary.

D. Rights of the Data Principal:

Under the Rules, individuals have the right to access, correct, update, or erase their personal data. They can also authorize another person to exercise these rights on their behalf. Data Fiduciaries must respond to these requests within 90 days, ensuring timely redressal for citizens.

E. Data Retention and Erasure:

Data Fiduciaries and Data Processors are obliged to delete personal data once the purpose for which it was collected is fulfilled, unless the law requires it to be kept longer. Data Processors of certain large platforms (e-commerce, social media intermediaries, or gaming platforms with two crore or more users) must retain data for three years and notify individuals 48 hours before deletion. All processing logs must be kept for at least one year.

F. Significant Data Fiduciaries:

Lastly, certain entities may be designated as Significant Data Fiduciaries based on factors such as volume and sensitivity of data processed. These entities are subject to enhanced compliance obligations, including conducting periodic Data Protection Impact Assessments, undergoing independent audits, appointing a Data Protection Officer, and adhering to additional regulatory requirements, including those relating to cross-border data transfers.

IMPLEMENTATION

The implementation of the DPDP Rules, as notified by the Government, follows a phased approach to ensure a smooth transition into compliance. In the initial phase as on 13th November, 2025, institutional mechanisms such as the Data Protection Board are established, and the legal framework under the DPDP Act and Rules is formalized.

In the second phase, effective within 12 months, a regulatory regime for Consent Managers is to come into force, requiring registration with the Data Protection Board and compliance with prescribed technical and operational standards, with a transition window provided for alignment.

In the third phase, effective within 18 months, the DPDP framework becomes fully enforceable, making all obligations mandatory for Data Fiduciaries, Data Processors, and Significant Data Fiduciaries, with non-compliance attracting regulatory penalties.

PENALTIES

Under the DPDP Act, penalties are not uniform and are assessed on a case-by-case basis. The Act specifies maximum penalty amounts applicable to different types of non-compliance.

This approach ensures fair penalties based on the seriousness of the breach.

| Type of Non-Compliance | What the Violation Involves | Maximum Penalty |
|---|---|---|
| Failure to implement reasonable security safeguards | Weak technical or organisational measures, inadequate access controls, preventable data breaches | Up to ₹250 crore |
| Failure to report a personal data breach | Delayed, incomplete, or suppressed breach notification to the Board or Data Principals | Up to ₹200 crore |
| Failure to meet SDF obligations | Not appointing a DPO, skipping DPIAs, or failing to conduct mandatory audits | Up to ₹150 crore |
| Other contraventions of the DPDP Act | Violations related to notice, consent, purpose limitation, or processing obligations | Up to ₹50 crore |
| Breach of duties of Data Principals | Misuse of rights or submission of false information | Up to ₹10,000 |

CONCLUSION

The Digital Personal Data Protection Act, 2023, along with the DPDP Rules, 2025, establishes a structured framework for data fiduciaries in India, requiring organisations to align their data processing practices with legal requirements. The roadmap outlines a phased approach for both organisations beginning and those already progressing on their compliance journey, categorised into immediate, short-term, and long-term actions to achieve and sustain compliance.

Riccardo Verzella, Partner
Riccardo Verzella, a highly qualified Italian lawyer, has been based in Shanghai, China since January 2020.

Bosky Tanmay Gokani, Legal Advisor
Bosky Gokani, a qualified Indian lawyer, is currently based in Shanghai.
