Chapter 1 – Preliminary (DPDP Act 2023)
Chapter 2 – Obligations of Data Fiduciary
Chapter 3 – Rights and Duties of Data Principal
Chapter 4 – Special Provisions
Chapter 5 – Data Protection Board of India
Chapter 6 – Powers & Procedures of the Board
Chapter 7 – Appeals & Alternate Dispute Resolution
Chapter 8 – Penalties & Adjudication
Chapter 9 – Miscellaneous
Schedule – DPDP Act 2023
Rule 1 – DPDP Draft Rule 1
Rule 2 – DPDP Draft Rule 2
Rule 3 – DPDP Draft Rule 3
Rule 4 – DPDP Draft Rule 4
Rule 5 – DPDP Draft Rule 5
Rule 6 – DPDP Draft Rule 6
Rule 7 – DPDP Draft Rule 7
Rule 8 – DPDP Draft Rule 8
Rule 9 – DPDP Draft Rule 9
Rule 10 – DPDP Draft Rule 10
Rule 11 – DPDP Draft Rule 11
Rule 12 – DPDP Draft Rule 12
Rule 13 – DPDP Draft Rule 13
Rule 14 – DPDP Draft Rule 14
Rule 15 – DPDP Draft Rule 15
Rule 16 – DPDP Draft Rule 16
Rule 17 – DPDP Draft Rule 17
Rule 18 – DPDP Draft Rule 18
Rule 19 – DPDP Draft Rule 19
Rule 20 – DPDP Draft Rule 20
Rule 21 – DPDP Draft Rule 21
Rule 22 – DPDP Draft Rule 22
Conditions for Registration of Consent Manager
Schedule Second – DPDP Draft Rules
Schedule Third – DPDP Draft Rules
Schedule Fourth – DPDP Draft Rules
Schedule Fifth – DPDP Draft Rules
Schedule Sixth – DPDP Draft Rules
Schedule Seventh – DPDP Draft Rules
DPDP Final Rule 1
DPDP Final Rule 2
DPDP Final Rule 3
DPDP Final Rule 4
DPDP Final Rule 5
DPDP Final Rule 6
DPDP Final Rule 7
DPDP Final Rule 8
DPDP Final Rule 9
DPDP Final Rule 10
DPDP Final Rule 11
DPDP Final Rule 12
DPDP Final Rule 13
DPDP Final Rule 14
DPDP Final Rule 15
DPDP Final Rule 16
DPDP Final Rule 17
DPDP Final Rule 18
DPDP Final Rule 19
DPDP Final Rule 20
DPDP Final Rule 21
DPDP Final Rule 22
DPDP Final Rule 23
First Schedule – DPDP Final Rules
Second Schedule – DPDP Final Rules
Third Schedule – DPDP Final Rules
Fourth Schedule – DPDP Final Rules
Fifth Schedule – DPDP Final Rules
Sixth Schedule – DPDP Final Rules
Seventh Schedule – DPDP Final Rules
Rule - 7
(1) On becoming aware of any personal data breach, the Data
Fiduciary shall, to the best of its knowledge, intimate to each affected Data Principal, in a concise, clear and
plain manner and without delay, through her user account or any mode of communication registered by her
with the Data Fiduciary, —
(a) a description of the breach, including its nature, extent and the timing of its occurrence;
(b)the consequences relevant to her, that are likely to arise from the breach;
(c)the measures implemented and being implemented by the Data Fiduciary, if any, to mitigate risk;
(d)the safety measures that she may take to protect her interests; and
(e)business contact information of a person who is able to respond on behalf of the Data Fiduciary, to queries, if any, of the Data Principal.
(2)On becoming aware of any personal data breach, the Data Fiduciary shall intimate to the Board, —
(a)without delay, a description of the breach, including its nature, extent, timing and location of occurrence and the likely impact;
(b)within seventy-two hours of becoming aware of the breach, or within such longer period as the
Board may allow on a request made in writing in this behalf, —
(i)updated and detailed information in respect of such description;
(ii)the broad facts related to the events, circumstances and reasons leading to the breach;
(iii)measures implemented or proposed, if any, to mitigate risk;
(iv)any findings regarding the person who caused the breach;
(v)remedial measures taken to prevent recurrence of such breach; and
(vi)a report regarding the intimations given to affected Data Principals.