2. Request for Consent from Data Principal [Section 5(1)]

Consent to be taken from Data Principal should be accompanied or preceded by a Notice of Information as specified to the Data Principal.

3. Consents withdrawn by Data Principal [Section 5(2)(b)]

Data fiduciary to discontinue the usage of the Data once consent has been withdrawn by the Data Principal

4. Data Principal can access the contents of the Notice [Section 5(2)(c)]

The Data Fiduciary shall give the Data Principal the option to access the contents of the notice referred to in sub-sections (1) and (2) in English or any language specified in the Eighth Schedule to the Constitution

5. Consent from Data Principal should be free, specific, informed, unconditional & unambiguous [Section 6(1)]

Consent given by Data Principal shall be free, specific, informed, unconditional and unambiguous with a clear affirmative action, and shall signify an agreement to processing of personal data for the specified purpose and be limited to such personal data as is necessary for such specified purpose

6. Retention of Access Logs for at least one year [Rule 6(e)]

Organization must retain access logs and related personal data for one year to detect, investigate, and prevent unauthorized access and enable continued processing, unless a longer retention period is mandated by other laws.

7. Intimation of Personal Data Breach [Rule 7]

On becoming aware of any personal data breach, the Data Fiduciary must promptly notify affected Data Principals through their registered communication mode and inform the Board within 72 hours, providing clear details of the breach and mitigation steps.

• • Data Fiduciary must promptly notify all affected Data Principals once it becomes aware of any personal data breach.
  • The intimation must be clear and concise and may be sent through the user account or registered communication mode.
  • It should include the breach description (nature, extent, timing), possible consequences to the Data Principal, risk-mitigation measures taken or planned, recommended safety actions for the individual, and contact details of a responsible person.
  • The Data Fiduciary must also inform the Board without delay, providing the breach description, impact and location.
  • Within 72 hours (or extended time allowed by the Board), updated details must be submitted, including facts and reasons of occurrence, mitigation steps, identity of persons responsible, remedial actions to avoid recurrence, and confirmation of intimations sent to Data Principals.

8. Pre-Erasure Notification to Data Principals [Rule 8(2)]

Mandatory pre-erasure notification that Data Fiduciaries must provide to Data Principals. Specifically, at least forty-eight hours before the designated time period for personal data erasure concludes, the Data Fiduciary is obligated to inform the Data Principal of the impending deletion.

9. Contact Information of Responsible Person for Data Processing Queries [Rule 9]

Every Data Fiduciary shall prominently publish on its website and/or app the business contact information of: i. The Data Protection Officer (DPO), if applicable; ii. Or another authorized person able to answer questions regarding the processing of personal data

10. Observe due diligence while obtaining consent from a lawful guardian of a person with disability (Digital Personal Data Protection Rules, 2025 – Rule 11)

A Data Fiduciary, while obtaining consent from a lawful guardian of a person with disability, shall observe due diligence to verify that such guardian is appointed by a court of law / designated authority / local level committee, under the law applicable to guardianship.

11. Annual Data Protection Impact Assessment & Audit by Significant Data Fiduciary (Digital Personal Data Protection Rules, 2025 – Rule 13(1))

 A Significant Data Fiduciary (SDF) must undertake a Data Protection Impact Assessment (DPIA) and a data audit once every twelve months from the date it is notified as SDF.

• • DPIA and audit must assess compliance with the Act and rules.
  • SDF must appoint qualified persons to conduct DPIA and audit.
  • This ensures identification of risks, corrective measures, and compliance maturity.
  • Documentation must be maintained for Board review.
  • Annual cycle must be tracked from the date of SDF notification

12. Submission of DPIA & Audit Report to Data Protection Board (Digital Personal Data Protection Rules, 2025 – Rule 13(2))

• • The SDF must ensure that the person conducting the DPIA and audit furnishes a report containing all significant observations to the Data Protection Board (“the Board”).
  • Report must include identified risks, corrective actions, deviations, compliance gaps, and recommendations.
  • SDF should maintain proof of submission and acknowledgment.
  • Timely reporting ensures transparency and regulatory oversight.

13. Due Diligence on Technical & Algorithmic Measures (Digital Personal Data Protection Rules, 2025 – Rule 13(3))

SDF must verify that all technical and algorithmic tools used do not risk the rights of Data Principals

• • SDF must follow due diligence procedures to ensure that technical tools, including algorithmic software used for hosting, processing, displaying, transmitting, modifying, or sharing personal data, do not harm Data Principal rights.
  • Tools must be assessed for bias, discrimination, privacy risks, data leakage, or inaccuracies.
  • SDF must maintain records of evaluations, tests, audits, and approvals.
  • Risk mitigation steps must be documented and periodically reviewed.

14. Ensure Restricted Processing of Specified Personal & Traffic Data (Digital Personal Data Protection Rules, 2025 – Rule 13(4))

SDF must ensure that specified personal and traffic data is processed with restriction that it is not transferred outside India

• • Central Government may specify categories of personal data requiring restricted processing.
  • Such personal data and associated traffic data must not be transferred outside India.
  • SDF must implement geo-fencing, data localisation, access control, and monitoring measures.
  • Systems must ensure data stays within India for storage, processing, and flow.
  • Internal controls and vendor contracts must reflect the restriction.

15. Publish Means for Exercising Rights of Data Principals and Grievance Redressal System (Digital Personal Data Protection Rules, 2025 – Rule 14(1))

Data Fiduciary/Consent Manager must publish details on website/app showing how Data Principals can request exercise of rights and required identifiers

• • Data Fiduciary (DF) and Consent Manager must prominently publish the procedure for Data Principals to exercise their rights under the Act.
  • Details must include: (a) channels for making requests (email, portal, helpdesk, app section), and (b) identifiers required such as username, email, mobile, customer ID, account reference, etc.
  • Publication must be clear, accessible, and visible on website or mobile application.
  • DF must ensure all identifiers required are disclosed as per terms of service.

16. Enable Data Principal Requests Using Prescribed Means (Digital Personal Data Protection Rules, 2025 – Rule 14(2))

Data Fiduciary must accept rights-related requests from Data Principals using prescribed channels and identifiers previously notified.

• • Data Principal may request to exercise her rights only through the Data Fiduciary to whom she earlier provided consent.
  • DF must ensure request channels are functional and the identifiers it requires are clearly communicated.
  • DF must verify identity using the published identifiers and process the request as per Act and terms of service.
  • System must allow tracking, acknowledgment, and resolution workflow.