Some important points in Draft Digital Personal Data Protection Rules, 2025

1. Complaint to the Board

Rule 3(iii):

  • If your data protection rights are violated, you can file a complaint with the Board.


2. Consent Manager Registration and Duties

Rule 4:

  • Who is a Consent Manager? A company that helps individuals manage their consent for using personal data.
  • Registration Process: Must meet the conditions in Part A of the First Schedule and apply to the Board.
  • Obligations: Ensure secure handling of consent, avoid conflicts of interest, and follow data protection rules as per Part B of the First Schedule.


3. Government Data Processing for Public Benefits

Rule 5:

  • Purpose: The government can process personal data to provide subsidies, benefits, certificates, or services. Processing must adhere to standards in the Second Schedule.
  • Government’s Role in Data Processing: Personal data may be processed by government bodies to:
      • Provide subsidies, licenses, or benefits.
      • Issue certificates or permits under legal frameworks.


4. Security Measures

Rule 6:

  • Mandate: Data Fiduciaries must protect personal data with safeguards like:
      • Encryption and secure storage.
      • Monitoring access to detect breaches.
      • Keeping logs for at least a year.


5. Data Breach Notifications

Rule 7:

  • To Individuals: Notify affected individuals about the breach, its impact, and recommended safety measures.
  • To the Board: Inform the Board within 72 hours, including details of the breach and remedial actions.


6. Retention and Deletion of Data

Rule 8:

  • Requirement: Data must be deleted when it is no longer needed. Individuals must be informed 48 hours before data deletion.


7. Rights of Individuals (Data Principals)

Rule 13:

  • Empowerment: Individuals can:
      • Access, correct, or delete their personal data.
      • Nominate someone to manage their data rights.
      • Use the grievance redressal system of the Data Fiduciary.


8. Data Transfers Outside India

Rule 14:

  • Condition: Exporting personal data is allowed only if it meets conditions set by the Central Government.


9. Exemptions for Research and Archiving

Rule 15, Second Schedule:

  • Exemptions apply for:
      • Scientific research.
      • Long-term data archiving.
      • Statistical analysis.
  • Conditions:
      • Data must be anonymized where possible.
      • Processing must adhere to specified standards to ensure lawfulness and security.


10. Significant Data Fiduciaries

Rule 12:

  • Who They Are: Large organizations (e.g., social media or e-commerce platforms).
  • Obligations:
      • Conduct annual data protection audits.
      • Ensure algorithms don’t harm individuals.
      • Keep certain data within India.


11. Children's Data Protection

Rules 10 and 11:

  • Parental Consent: Required before processing a child’s personal data.
  • Exemptions: Certain activities like healthcare and education have exceptions under the Fourth Schedule.


12. Governance and Oversight by the Board

Rules 16-20:

  • Functioning: The Board oversees compliance, functions digitally, and may summon individuals or organizations.


13. Appeals to the Appellate Tribunal

Rule 21:

  • Grievance Redressal: Individuals can appeal the Board’s decisions through a digital process.

#DataProtection #PrivacyMatters #DigitalIndia #CyberSecurity #DataPrivacy #Compliance #IndiaLaws #DataGovernance #InformationSecurity #PrivacyPolicy #DataRights #DigitalTransformation #CS #CA #CMA #advocate #lawyer #GC

