DPDP Act 2023
Draft DPDP Rules 2025
Final DPDP Rules 2025
Ministry of Law and Justice

Chapter 1 – Preliminary (DPDP Act 2023)

Chapter 2 – Obligations of Data Fiduciary

Chapter 3 – Rights and Duties of Data Principal

Chapter 4 – Special Provisions

Chapter 5 – Data Protection Board of India

Chapter 6 – Powers & Procedures of the Board

Chapter 7 – Appeals & Alternate Dispute Resolution

Chapter 8 – Penalties & Adjudication

Chapter 9 – Miscellaneous

Schedule – DPDP Act 2023

Rule 1 – DPDP Draft Rule 1

Rule 2 – DPDP Draft Rule 2

Rule 3 – DPDP Draft Rule 3

Rule 4 – DPDP Draft Rule 4

Rule 5 – DPDP Draft Rule 5

Rule 6 – DPDP Draft Rule 6

Rule 7 – DPDP Draft Rule 7

Rule 8 – DPDP Draft Rule 8

Rule 9 – DPDP Draft Rule 9

Rule 10 – DPDP Draft Rule 10

Rule 11 – DPDP Draft Rule 11

Rule 12 – DPDP Draft Rule 12

Rule 13 – DPDP Draft Rule 13

Rule 14 – DPDP Draft Rule 14

Rule 15 – DPDP Draft Rule 15

Rule 16 – DPDP Draft Rule 16

Rule 17 – DPDP Draft Rule 17

Rule 18 – DPDP Draft Rule 18

Rule 19 – DPDP Draft Rule 19

Rule 20 – DPDP Draft Rule 20

Rule 21 – DPDP Draft Rule 21

Rule 22 – DPDP Draft Rule 22

Conditions for Registration of Consent Manager

Schedule Second – DPDP Draft Rules

Schedule Third – DPDP Draft Rules

Schedule Fourth – DPDP Draft Rules

Schedule Fifth – DPDP Draft Rules

Schedule Sixth – DPDP Draft Rules

Schedule Seventh – DPDP Draft Rules

DPDP Final Rule 1

DPDP Final Rule 2

DPDP Final Rule 3

DPDP Final Rule 4

DPDP Final Rule 5

DPDP Final Rule 6

DPDP Final Rule 7

DPDP Final Rule 8

DPDP Final Rule 9

DPDP Final Rule 10

DPDP Final Rule 11

DPDP Final Rule 12

DPDP Final Rule 13

DPDP Final Rule 14

DPDP Final Rule 15

DPDP Final Rule 16

DPDP Final Rule 17

DPDP Final Rule 18

DPDP Final Rule 19

DPDP Final Rule 20

DPDP Final Rule 21

DPDP Final Rule 22

DPDP Final Rule 23

First Schedule – DPDP Final Rules

Second Schedule – DPDP Final Rules

Third Schedule – DPDP Final Rules

Fourth Schedule – DPDP Final Rules

Fifth Schedule – DPDP Final Rules

Sixth Schedule – DPDP Final Rules

Seventh Schedule – DPDP Final Rules

Home Final DPDP Rules FIRST SCHEDULE

FIRST SCHEDULE

  • 1. The applicant is a company incorporated in India.
  • 2. The applicant has sufficient capacity, including technical, operational and financial capacity, to fulfil its obligations as a Consent Manager.
  • 3. The financial condition and the general character of management of the applicant are sound
  • 4. The net worth of the applicant is not less than two crore rupees.
  • 5. The volume of business likely to be available to and the capital structure and earning prospects of the applicant are adequate.
  • 6. The directors, key managerial personnel and senior management of the applicant company are individuals with a general reputation and record of fairness and integrity.
  • 7. The memorandum of association and articles of association of the applicant company contain provisions requiring that the obligations under items 9 and 10 of Part B are adhered to, that policies and procedures are in place to ensure such adherence, and that such provisions may be amended only with the previous approval of the Board.
  • 8. The operations proposed to be undertaken by the applicant are in the interests of Data Principals.
  • It is independently certified that—
    • (a)the interoperable platform of the applicant to enable the Data Principal to give, manage, review and withdraw her consent is consistent with such data protection standards and assurance framework as may be published by the Board on its website from time to time; and
    • (b)appropriate technical and organisational measures are in place to ensure adherence to such standards and framework and effective observance of the obligations under item 11 of Part B.

1. The Consent Manager shall enable a Data Principal using its platform to give consent to the processing of her personal data by a Data Fiduciary onboarded onto such platform either directly to such Data Fiduciary or through another Data Fiduciary onboarded onto such platform, who maintains such personal data with the consent of that Data Principal.

Illustration.
Individuals are enabled to give, manage, review and withdraw their consent to the processing of their personal data through P, a platform maintained by a Consent Manager. X, an individual, is a registered user on P. B1 and B2 are banks onboarded onto P.
Case 1: B1 sends a request on P to X for consent to process personal data contained in her bank account statement. X maintains the bank account statement as a digital record in her digital locker. X uses P to directly give her consent to B1, and proceeds to give B1 access to her bank account statement.
Case 2: B1 sends a request on P to X for consent to process personal data contained in her bank account statement. X maintains her bank account with B2. X uses P to route her consent through B2 to B1, while also digitally instructing B2 to send her bank account statement to B1. B2 proceeds to send the bank account statement to B1.

2.The Consent Manager shall ensure that the manner of making available the personal data or its sharing is such that the contents thereof are not readable by it.

3. The Consent Manager shall maintain on its platform a record of the following, namely:—

  • (a) Consents given, denied or withdrawn by her;
  • (b) Notices preceding or accompanying requests for consent; and
  • (c) Sharing of her personal data with a transferee Data Fiduciary.

4. The Consent Manager: —

  • (a) shall give the Data Principal using such platform access to such record;
  • (b) shall, on the request of the Data Principal and in accordance with its terms of service, make available to her the information contained in such record, in machine-readable form; and
  • (c) shall maintain such record for at least seven years, or for such longer period as the Data Principal and Consent Manager may agree upon or as may be required by law

5. The Consent Manager shall develop and maintain a website or app, or both, as the primary means through which a Data Principal may access the services provided by the Consent Manager.

6. The Consent Manager shall not sub-contract or assign the performance of any of its obligations under the Act and these rules.

7. The Consent Manager shall take reasonable security safeguards to prevent personal data breach.

8. The Consent Manager shall act in a fiduciary capacity in relation to the Data Principal.

9. The Consent Manager shall avoid conflict of interest with Data Fiduciaries, including in respect of their promoters and key managerial personnel.

10. The Consent Manager shall have in place measures to ensure that no conflict of interest arises on account of its directors, key managerial personnel and senior management holding a directorship, financial interest, employment or beneficial ownership in Data Fiduciaries, or having a material pecuniary relationship with them.

11. The Consent Manager shall publish in an easily accessible manner, on its website or app, or both, as the case may be, information regarding: —

  • (a) the promoters, directors, key managerial personnel and senior management of the company registered as Consent Manager;
  • (b) every person who holds shares in excess of two per cent. of the shareholding of the company registered as Consent Manager;
  • (c) everybody corporate in whose shareholding any promoter, director, key managerial personnel or senior management of the Consent Manager holds shares in excess of two per cent. as on the first day of the preceding calendar month; and
  • (d) such other information as the Board may direct the Consent Manager to disclose in the interests of transparency.

12. The Consent Manager shall have in place effective audit mechanisms to review, monitor, evaluate and report the outcome of such audit to the Board, periodically and on such other occasions as the Board may direct, in respect of—

  • (a) technical and organisational controls, systems, procedures and safeguards;
  • (b) continued fulfilment of the conditions of registration; and
  • (c) adherence to its obligations under the Act and these rules.

Case 13: The control of the company registered as the Consent Manager shall not be transferred by way of sale, merger or otherwise, except with the previous approval of the Board and subject to fulfilment of such conditions as the Board may specify in this behalf. Note: In this Schedule, —

  • (a) the expression “body corporate” shall include a company, a body corporate as defined under clause (11) of section 2 of the Companies Act, 2013 (18 of 2013), a firm, a financial institution, a scheduled bank or a public sector enterprise established or constituted by or under any Central Act, Provincial Act or State Act, and any other incorporated association of persons or body of individuals;
  • (b) the expressions “company”, “control”, “director” and “key managerial personnel” shall have the same meanings as are respectively assigned to them in the Companies Act, 2013 (18 of 2013);
  • (c) the expression “net worth” shall mean the aggregate value of total assets as reduced by the value of liabilities of the Consent Manager as appearing in its books of accounts; and
  • (d) the expressions “promoter” and “senior management” shall have the same meanings as are respectively assigned to them in the Companies Act, 2013 (18 or 2013).
Prev Next