DPDP Act 2023
Draft DPDP Rules 2025
Final DPDP Rules 2025
Ministry of Law and Justice

Chapter 1 – Preliminary (DPDP Act 2023)

Chapter 2 – Obligations of Data Fiduciary

Chapter 3 – Rights and Duties of Data Principal

Chapter 4 – Special Provisions

Chapter 5 – Data Protection Board of India

Chapter 6 – Powers & Procedures of the Board

Chapter 7 – Appeals & Alternate Dispute Resolution

Chapter 8 – Penalties & Adjudication

Chapter 9 – Miscellaneous

Schedule – DPDP Act 2023

Rule 1 – DPDP Draft Rule 1

Rule 2 – DPDP Draft Rule 2

Rule 3 – DPDP Draft Rule 3

Rule 4 – DPDP Draft Rule 4

Rule 5 – DPDP Draft Rule 5

Rule 6 – DPDP Draft Rule 6

Rule 7 – DPDP Draft Rule 7

Rule 8 – DPDP Draft Rule 8

Rule 9 – DPDP Draft Rule 9

Rule 10 – DPDP Draft Rule 10

Rule 11 – DPDP Draft Rule 11

Rule 12 – DPDP Draft Rule 12

Rule 13 – DPDP Draft Rule 13

Rule 14 – DPDP Draft Rule 14

Rule 15 – DPDP Draft Rule 15

Rule 16 – DPDP Draft Rule 16

Rule 17 – DPDP Draft Rule 17

Rule 18 – DPDP Draft Rule 18

Rule 19 – DPDP Draft Rule 19

Rule 20 – DPDP Draft Rule 20

Rule 21 – DPDP Draft Rule 21

Rule 22 – DPDP Draft Rule 22

Conditions for Registration of Consent Manager

Schedule Second – DPDP Draft Rules

Schedule Third – DPDP Draft Rules

Schedule Fourth – DPDP Draft Rules

Schedule Fifth – DPDP Draft Rules

Schedule Sixth – DPDP Draft Rules

Schedule Seventh – DPDP Draft Rules

DPDP Final Rule 1

DPDP Final Rule 2

DPDP Final Rule 3

DPDP Final Rule 4

DPDP Final Rule 5

DPDP Final Rule 6

DPDP Final Rule 7

DPDP Final Rule 8

DPDP Final Rule 9

DPDP Final Rule 10

DPDP Final Rule 11

DPDP Final Rule 12

DPDP Final Rule 13

DPDP Final Rule 14

DPDP Final Rule 15

DPDP Final Rule 16

DPDP Final Rule 17

DPDP Final Rule 18

DPDP Final Rule 19

DPDP Final Rule 20

DPDP Final Rule 21

DPDP Final Rule 22

DPDP Final Rule 23

First Schedule – DPDP Final Rules

Second Schedule – DPDP Final Rules

Third Schedule – DPDP Final Rules

Fourth Schedule – DPDP Final Rules

Fifth Schedule – DPDP Final Rules

Sixth Schedule – DPDP Final Rules

Seventh Schedule – DPDP Final Rules

Home Draft DPDP Rules Conditions for registration of Consent Manager

Conditions for Registration of Consent Manager

  • 1. The applicant is a company incorporated in India.
  • 2. The applicant has adequate capacity including technical, operational and financial capability to perform its obligations as a consortium manager.
  • 3. The financial position and general character of management of the applicant is sound
  • 4. The net worth of the applicant is not less than Rs. 2 crore.
  • 5. The volume of potential business available to the applicant and the capital structure and earning prospects are adequate.
  • 6. The directors, key management personnel and senior management of the applicant company are persons of general integrity and honesty and honesty.
  • 7. The Memorandum of Association and Articles of Association of the applicant company contain provisions for complying with the obligations under items 9 and 10 of Part B, have policies and procedures in place to ensure such compliance, and such provisions can be amended only with the prior approval of the Board
  • 8. The operations proposed to be undertaken by the applicant are in the interest of the data owner.
  • 9. It is independently certified that-
    • (a) the Applicant’s interoperable platform that enables the data owner to consent, manage, review and withdraw data is compliant with such data protection standards and assurance frameworks as may be published by the Board on its website from time to time; and
    • (b) appropriate technical and organisational measures are in place to ensure compliance with such standards and frameworks and to ensure effective discharge of the obligations under Item 11 of Part B.

Manager 1. The Consent Manager shall enable the data principal using its platform to give consent to the processing of his or her personal data by a data trustee on board such platform, either directly to such data trustee or through another data trustee on board such platform To a third party who retains such personal data with the consent of the data owner

Example

Individuals are enabled to give, manage, review and withdraw their consent for the processing of their personal data through P, a platform maintained by a consent manager. X, an individual, is a registered user on P. B1 and B2 are banks onboarded on P.

Case 1: B1 sends a request to X at P for consent to process the personal data contained in his bank account statement. X maintains the bank account statement as a digital record in his digital locker. X uses P to give his consent directly to B1, and provides B1 access to his bank account statement.

Case 2: B1 sends a request to X at P for consent to process the personal data contained in his bank account statement. X maintains his bank account with B2. X uses P to send his consent to B1 through B2, while also digitally instructing B2 to send his bank account details to B1. B2 proceeds to send the bank account details to B1. 2. The consent manager shall ensure that the manner in which personal data is made available or shared is such that its content cannot be read by him.

Case 3. The consent manager shall maintain a record of the following on its platform, namely:

  • (a) consents given, refused or withdrawn by him;
  • (b) notices before or along with the request for consent; and
  • (c) sharing his/her personal data with the transferee data trustee.

Case 4: The consent manager shall—

  • (a) provide access to such records to the data principal using such platform;
  • (b) make available, at the request of the data principal and in accordance with its terms of service, the information contained in such records in machine-readable form; and
  • (c) retain such records for at least seven years, or for such longer period as the data principal and the consent manager may agree to, or as may be required by law

Case 5: The Consent Manager shall develop and maintain a website or app, or both, as the primary means through which the Data Principal can access the Services provided by the Consent Manager.

Case 6: The Consent Manager shall not sub-contract or assign the performance of any of its obligations under the Act and these Terms.

Case 7: The Consent Manager shall take appropriate security measures to prevent personal data breaches.

Case 8: The Consent Manager shall act in a fiduciary capacity with respect to the Data Principal.

Case 9: The Consent Manager shall avoid conflicts of interest with the Data Trustees, including with respect to their promoters and key managerial personnel.

Case 10: The Concession Manager shall have measures in place to ensure that no conflict of interest arises by reason of its Directors, Key Management Personnel and Senior Management holding directorships, financial interests, employment or beneficial ownership in, or having a material financial relationship with, the Data Trust.

Case 11: The Concession Manager shall publish on its website or App or both, as the case may be, information about the following in an easily accessible manner

  • (a) promoters, directors, key managerial personnel and senior management of a company registered as co-manager;
  • (b) every individual who holds more than two per cent of the shareholding of a company registered as co-manager
  • (c) every corporate body in whose shareholding any promoter, director, key managerial personnel or senior management of the co-manager holds more than two per cent as on the first day of the previous calendar month; and
  • (d) such other information as the Board may direct the co-manager to disclose in the interest of profitability.

Case 12: The Concession Manager shall have effective audit mechanisms to review, monitor, evaluate and report to the Board the results of such audits from time to time and on such other occasions as the Board may direct, with respect to-

  • (a) technical and organisational controls, systems, procedures and safeguards;
  • (b) continued fulfilment of the conditions of registration; and
  • (c) compliance with its obligations under the Act and these Regulations.

Case 13: The control of the company registered as co-manager shall not be transferred by way of sale, merger or otherwise, except with the prior approval of the Board and subject to the fulfilment of such conditions as the Board may specify in this regard. Note: In this Schedule,—

  • (a) “body corporate” shall include a company, a body corporate, a firm, a financial institution, a scheduled bank or a public sector enterprise established or constituted by or under a Central Act, a Provincial Act or a State Act and any other body corporate as defined under clause (11) of section 2 of the Companies Act, 2013 (18 of 2013)
  • (b) the expressions “company”, “control”, “director” and “key managerial personnel” shall have the same meaning as in the case of the company. as specified therein in the Act, 2013 (18 of 2013);
  • (c) the term “net worth” shall mean the aggregate value of total assets reduced by the value of liabilities of the co-manager as shown in his books of accounts; and (d) the terms “principal” and “senior management” shall have the same meanings as under the Companies Act, 2013 (18 of 2013). are specified for them respectively in
Prev Next