DPDP Act 2023
Draft DPDP Rules 2025
Ministry of Law and Justice

Chapter 1 – Preliminary (DPDP Act 2023)

Chapter 2 – Obligations of Data Fiduciary

Chapter 3 – Rights and Duties of Data Principal

Chapter 4 – Special Provisions

Chapter 5 – Data Protection Board of India

Chapter 6 – Powers & Procedures of the Board

Chapter 7 – Appeals & Alternate Dispute Resolution

Chapter 8 – Penalties & Adjudication

Chapter 9 – Miscellaneous

Schedule – DPDP Act 2023

Rule 1 – DPDP Draft Rule 1

Rule 2 – DPDP Draft Rule 2

Rule 3 – DPDP Draft Rule 3

Rule 4 – DPDP Draft Rule 4

Rule 5 – DPDP Draft Rule 5

Rule 6 – DPDP Draft Rule 6

Rule 7 – DPDP Draft Rule 7

Rule 8 – DPDP Draft Rule 8

Rule 9 – DPDP Draft Rule 9

Rule 10 – DPDP Draft Rule 10

Rule 11 – DPDP Draft Rule 11

Rule 12 – DPDP Draft Rule 12

Rule 13 – DPDP Draft Rule 13

Rule 14 – DPDP Draft Rule 14

Rule 15 – DPDP Draft Rule 15

Rule 16 – DPDP Draft Rule 16

Rule 17 – DPDP Draft Rule 17

Rule 18 – DPDP Draft Rule 18

Rule 19 – DPDP Draft Rule 19

Rule 20 – DPDP Draft Rule 20

Rule 21 – DPDP Draft Rule 21

Rule 22 – DPDP Draft Rule 22

Conditions for Registration of Consent Manager

Schedule Second – DPDP Draft Rules

Schedule Third – DPDP Draft Rules

Schedule Fourth – DPDP Draft Rules

Schedule Fifth – DPDP Draft Rules

Schedule Sixth – DPDP Draft Rules

Schedule Seventh – DPDP Draft Rules

Home Draft DPDP Rules Intimation of personal data breach

Rule - 7

Intimation of personal data breach

(1) On becoming aware of any personal data breach, the Data Fiduciary shall, to the best of its knowledge, intimate to each affected Data Principal, in a concise, clear and plain manner and without delay, through her user account or any mode of communication registered by her with the Data Fiduciary,—

  • (a) a description of the breach, including its nature, extent and the timing and location of its occurrence;
  • (b) the consequences relevant to her, that are likely to arise from the breach;
  • (c) the measures implemented and being implemented by the Data Fiduciary, if any, to mitigate risk;
  • (d) the safety measures that she may take to protect her interests; and
  • (e) business contact information of a person who is able to respond on behalf of the Data Fiduciary, to queries, if any, of the Data Principal.

(2) On becoming aware of any personal data breach, the Data Fiduciary shall intimate to the Board,—

  • (a) without delay, a description of the breach, including its nature, extent, timing and location of occurrence and the likely impact;
  • (b) within seventy-two hours of becoming aware of the same, or within such longer period as the Board may allow on a request made in writing in this behalf,—
    • (i) updated and detailed information in respect of such description;
    • (ii) the broad facts related to the events, circumstances and reasons leading to the breach;
    • (iii) measures implemented or proposed, if any, to mitigate risk;
    • (iv) any findings regarding the person who caused the breach;
    • (v) remedial measures taken to prevent recurrence of such breach; and
    • (vi) a report regarding the intimations given to affected Data Principals.

(3) In this rule, “user account” means the online account registered by the Data Principal with the Data Fiduciary, and includes any profiles, pages, handles, email address, mobile number and other similar presences by means of which such Data Principal is able to access the services of such Data Fiduciary.

Prev Next