DPDP Rules,2024

DPDP Rules,2024

MINISTRY OF ELECTRONICS AND INFORMATION TECHNOLOGY

NOTIFICATION

New Delhi, the ___,  2024

G.S.R. ___ (E).—Draft of rules proposed to be made by the Central Government in exercise of the powers conferred by sub-sections (1) and (2) of section 40 of the Digital Personal Data Protection Act, 2023 (22 of 2023), on or after the date of coming into force of the Act, are hereby published for the information of all persons likely to be affected thereby; and notice is hereby given that the said draft rules shall be taken into consideration after ___ 2024;

Objections and suggestions, if any, may be submitted on the website of MyGov (________________) by the said date;

The objections and suggestions, which may be received from any person with respect to the said draft rules before the expiry of the period specified above, shall not be attributed to the persons submitting publicly and shall be held in fiduciary capacity to enable them to provide the same freely, and shall be considered by the Central Government.

DRAFT RULES

1. Short title and commencement.— (1) These rules may be called the Digital Personal Data Protection Rules, 2024.

(2) These rules, except rules 3 to 14, 19 and 20, shall come into force on the date of their publication in the Official Gazette.

(3) Rules 3 to 14, 19 and 20 shall come into force with effect from ___.

2. Definitions.— (1) In these rules, unless the context otherwise requires—

(a) “Act” means the Digital Personal Data Protection Act, 2023 (22 of 2023);

(b) “app” means a computer program or software application, designed to run on a mobile device;

(c) “authority” means any authority as referred to in Article 12 of the Constitution;

(d) “certificate issued under government policy” shall mean a certificate issued under any policy or instruction of the Central Government or any State Government;

(e) “computer resource” shall have the same meaning as is assigned to it in the Information Technology Act, 2000   (21 of 2000);

(f) “Consent Artifact” means a machine-readable electronic record, which—

(i) is capable of enabling—

(I) a Data Fiduciary to give any notice referred to in these rules or to Request for Consent; and

(II) a Data Principal to directly or through a Consent Manager acting on her behalf, give, manage, review and withdraw her consent, indicate that she does not consent to the use of personal data voluntarily provided by her for a specified purpose or exercise the Rights of the Data Principal;

(ii) contains—

(I) information to enable identification of the Data Principal and Data Fiduciary;

(II) an itemised description of the personal data to which such notice, Request for Consent, withdrawal, indication or exercise of rights relates, but does not contain such personal data, save for the information to enable identification of the Data Principal;

(III) a description of the specified purpose;

(IV) a sequence of characters to uniquely identify such electronic record; and

(V) the electronic signature of such Data Principal, Data Fiduciary and Consent Manager, whichever is applicable; and

(iii) is consistent with the technical specifications for a consent artifact, as contained in the Electronic Consent Framework published by the Ministry of Electronics and Information Technology on its website;

(g) “Digital Locker service provider” means such intermediary, including a body corporate or an agency of the appropriate Government, as may be notified by the Central Government, in accordance with the rules made in this regard under the Information Technology Act, 2000 (21 of 2000);

(h) “electronic record” shall have the same meaning as is assigned to it in the Information Technology Act, 2000 (21 of 2000);

(i) “electronic signature” shall have the same meaning as is assigned to it in the Information Technology Act, 2000 (21 of 2000);

(j) “intermediary” shall have the same meaning as is assigned to it in the Information Technology Act, 2000 (21 of 2000);

(k) “Notice to Inform of Processing Done” means a notice as referred to in sub-section (2) of section 5;

(l) “Notice to Seek Consent” means a notice as referred to in sub-section (1) of section 5;

(m) “Personal Data Breach Intimation Artifact” means a machine-readable electronic record, which—

(i) is capable of enabling a Data Fiduciary or a Consent Manager to give the Board an intimation of a personal   data breach in accordance with rule 7;

(ii) contains—

(I) information regarding the identity of such Data Fiduciary or Consent Manager;

(II) a sequence of characters to uniquely identify such electronic record; and

(III) the electronic signature of such Data Fiduciary or Consent Manager; and

(iii) is consistent with such technical specifications as the Board may publish on its website under rule 19;

(n) “Request for Consent” means a request for consent under section 6;

(o) “Rights of the Data Principal”,—

(i) where the Data Fiduciary is a person other than the State or any of its instrumentalities, means the rights conferred by Chapter III of the Act; and

(ii) where the Data Fiduciary is the State or an instrumentality of the State, means the rights conferred by Chapter III of the Act other than the right of the Data Principal under section 12 to erasure of her personal data;

(p) “section” shall mean a section of the Act;

(q) “service, certificate, license or permit provided or issued under law” shall mean a service, certificate, license or permit provided or issued in exercise of any power of or the performance of any function by the State or such instrumentality under any law for the time being in force;

(r) “Standards for Processing by State and its Instrumentalities” mean the standards referred to in sub-rule (1) of rule 6;

(s) “subsidy, benefit or service provided using public funds” shall mean a subsidy, benefit or service for which expenditure is incurred from, or the receipt therefrom, forms part of, –

(i) in respect of the Central Government or a State Government, the Consolidated Fund of India or the Consolidated Fund of the State or the public account of India or the public account of the State; or

(ii) in respect of any local or other authority within the territory of India or under the control of the Government of India, the fund or funds of such authority;

(t) “terms of service”, in relation to a Data Principal, means the terms of service, by whatever name called, of the Data Fiduciary or Consent Manager, as the case may be, for processing her personal data; and

(u) “user account” means the online account registered by the Data Principal with the Data Fiduciary, and includes any profiles, pages, handles, and other similar presences by means of which she is able to access the services offered by such Data Fiduciary.

(2) Words and expressions used herein and not defined in these rules, but defined in the Act shall have the meanings respectively assigned to them in the Act.

3. [u/s 5(1)]Notice to seek consent of Data Principal.— (1) Every Request for Consent made to the Data Principal shall be accompanied or preceded by a notice given by the Data Fiduciary to such Data Principal, in the following manner, namely: –

(a) The notice shall be so made that it is –

(i) an electronic record or document presented independently of any other information that is or may be made available by such Data Fiduciary;

(ii) understandable independently of any other information that is or may be made available by such Data Fiduciary;

(iii) storable by the Data Fiduciary independently of the personal data to which such notice pertains; and

(iv) easily storable or preservable by the Data Principal for future reference; and

(b) The notice shall inform, in clear and plain language, the details necessary to enable her to give specific and informed consent for the processing of her personal data, which shall include, at the minimum, –

(i) an itemised description of such personal data;

(ii) the specific purpose of such processing;

(iii) a declaration that only such personal data is proposed to be processed as is necessary for such purpose;

(iv) a description of the goods or services (including the offering of any service) to be provided, or the uses to be enabled, as a result of such processing;

(v) the specific duration or point in time till which such personal data shall be processed;

(vi) a list of the Rights of the Data Principal; and

(vii) the particular communication link for accessing the website or app, or both, of such Data Fiduciary using which such Data Principal may withdraw her consent, exercise the Rights of the Data Principal or make a complaint to the Board, and a description of other means, if any, using which she may so withdraw exercise such rights or make a complaint.

(2) Where the Data Fiduciary is the State or any of its instrumentalities and makes a Request for Consent to the Data Principal for the processing of her personal data to provide or issue to her any subsidy, benefit, service, certificate, licence or permit, the Notice to Seek Consent shall also contain the following, namely:

(a) intimation of such processing; and

(b) a statement conveying that such personal data may also be processed by the State or any of its instrumentalities to provide or issue to her any other—

(i) subsidy, benefit or service provided using public funds;

(ii) service, certificate, licence or permit provided or issued under law; or

(iii) certificate issued under government policy,

in accordance with the Standards for Processing by State and its Instrumentalities being

followed.

(3) The contents of the Notice to Seek Consent may be modelled on those of the model notice set out in Schedule I.

(4) A Data Fiduciary may use a Consent Artifact for the purpose of giving the Notice to Seek Consent.

(5) The Data Fiduciary shall maintain every notice relating to processing of personal data on the basis of consent given by the Data Principal till the expiry of such period, beyond the date of erasure of such personal data, as may be applicable by law to limitation on the institution of any suit, filing of any appeal or making of any application in relation to such personal data.

4. [u/s 5(2)] Notice to inform of processing done where Data Principal has given consent before commencement of Act.— (1) Where a Data Principal has given her consent for the processing of her personal data before the date of commencement of the Act, the Data Fiduciary shall, as soon as it is reasonably practicable, give to the Data Principal a notice, in the following manner, namely:—

(a) The notice shall be made in like manner as is provided for a Notice to Seek Consent, and shall be understandable independently of any other information that has been made available by such Data Fiduciary; and

(b) The notice shall inform, in clear and plain language, the details necessary to enable her to exercise the Rights of the Data Principal, including—

(i) such minimum details as are required in respect of a Notice to Seek Consent; and

(ii) description of the goods or services (including the offering of any service) that were provided, or the uses that were enabled, as a result of such processing.

(2) A Data Fiduciary may use a Consent Artifact for the purpose of giving the Notice to Inform of Processing Done.

5. [u/s 8(6) & u/s 8(9)] Registration, accountability and obligations of a Consent Manager.— (1) Registration of a Consent Manager with the Board shall be subject to fulfilment of the following conditions, namely:

(a) The Consent Manager shall be a company other than a foreign company:

(b) The directors, key managerial personnel and senior management of the Consent Manager shall be individuals with a general reputation and record of fairness and integrity;

(c) In the discharge of its obligations as a Consent Manager, it shall, at all times, –

(i) act in a fiduciary capacity in relation to the Data Principal; and

(ii) avoid conflict of interest with Data Fiduciaries, including in respect of its promoters and key managerial personnel;

(iii) ensure that measures are in place to avoid conflicts of interest between its directors, key managerial personnel and senior management and Data Fiduciaries on account of any directorship held, financial interest, employment or beneficial ownership in Data Fiduciaries, or any material pecuniary relationship with them;

(d) publish on her website or app, or both, as the case may be, information regarding—

(i) the promoters, directors and key managerial personnel of the company;

(ii) every person who holds shares in excess of two per cent of the shareholding of the company;

(iii) every body corporate in whose shareholding any promoter, director or key managerial personnel of the Consent Manager holds shares in excess of two per cent.; and

(iv) such other information as the Board may direct the Consent Manager to disclose in the interests of transparency;

(e) net worth of not less than two crore rupees;

(f) independent certification that the interoperable platform that—

(i) enables the Data Principal to give, manage, review and withdraw her consent is consistent with such data protection standards and assurance framework as the Board may specify; and

(ii) the Consent Manager has implemented appropriate technical and organisational measures to ensure effective observance of the obligations under sub-rule (3); and

(g) such other conditions as the Board may specify.

(2) Information under clause (d) of sub-rule (1) shall, in relation to a –

(a) app, be published in an easily accessible manner on the home screen of the app or on an app screen directly accessible from the home screen; and

(b) website, be published in an easily accessible manner on the home page of the website or on a web page directly accessible from the home page.

(3) Every Consent Manager shall have the following obligations, namely;—

(a) to establish an accessible, transparent and interoperable platform that enables a Data Principal to give, manage, review and withdraw her consent to herself obtain her personal data from a Data Fiduciary or to ensure that such personal data is shared with another Data Fiduciary of her choice, without the Consent Manager being in a position to access that personal data;

(b) to maintain a digital record of, and offer to a Data Principal digital access to, –

(i) every Request for Consent approved or rejected by her; and

(ii) every Data Fiduciary who has shared her personal data in response to a Request for Consent approved by her;

(c) to retain the digital record referred to in clause (b) for a period of seven years, unless the Data Principal and the Consent Manager agree to retain for a longer period or compliance with any law for the time being in force requires retention;

(d) to make the digital record referred to in clause (b) available to the Data Principal, on her request, in a machine-readable electronic form, in accordance with the terms of service of the Consent Manager;

(e) to develop and maintain a website or app as the primary means through which a Data Principal may access the services provided by the Consent Manager;

(f) to not sub-contract or assign the performance of any of its obligations as Consent Manager;

(g) to take reasonable security safeguards to prevent personal data breach; and

(h) to have in place effective audit mechanisms to review, monitor and evaluate technical and organisational controls, systems, procedures and safeguards, and report the outcome of such audit to the Board periodically and on such other occasions as the Board may direct.

(4) Where the Board is of the view that a Consent Manager is not adhering to the conditions under sub-rule (1) or has not fulfilled the obligations under sub-rule (3), the Board may, after giving an opportunity of being heard, shall inform the Consent Manager of such non-adherence and direct that the Consent Manager take measures to ensure adherence.

(5) The Board may, if it is satisfied that it is necessary so to do in the interests of Data Principals, after giving the Consent Manager an opportunity of being heard, by order, for reasons to be recorded in writing,—

(a) suspend or cancel the registration of such Consent Manager; and

(b) give such directions as it may deem fit to that Consent Manager, to protect the interests of the Data Principals.

(6) The Board may, for the purposes of this rule, require the Consent Manager to furnish such information as the Board may call for.

(7) In this rule,—

(a) the expression “body corporate” shall include a company, a body corporate as defined under clause (11) of section 2 of the Companies Act, 2013 (18 of 2013), a firm, a financial institution or a scheduled bank or a public sector enterprise established or constituted by or under any Central Act or State Act, and any other incorporated association of persons or body of individuals;

(b) the expressions “company”, “director”, “foreign company” and “key managerial personnel” shall have the same meanings as are respectively assigned to them in the Companies Act, 2013 (18 or 2013):

(c) the expression “net worth” shall mean the aggregate value of total assets as reduced by the value of liabilities of the Consent Manager as appearing in her books of accounts; and

(d) the expressions “promoter” and “senior management” shall have the same meaning as are assigned to them in the Companies Act, 2013 (18 or 2013).

6. [u/s 7(b)] Processing of personal data for provision of subsidy, benefit, service, certificate, licence or permit. (1) Where a Data Principal has previously consented to the processing of her personal data by the State or any of its instrumentalities as the Data Fiduciary for the purpose of providing or issuing to her any—

(a) subsidy, benefit or service provided using public funds;

(b) service, certificate, licence or permit provided or issued under law; or

(c) certificate issued under government policy,

the State or such an instrumentality may process such personal data to also provide or issue to such Data Principal any other such subsidy, benefit, service, certificate, licence or permit, subject to adherence to the Standards for Processing by State and its Instrumentalities set out in Schedule II.

(2) In this rule, the expressions—

(a) “Consolidated Fund of India” and “Consolidated Fund of the State” shall mean the funds so named and referred to in clause (1) of Article 266 of the Constitution; and

(b) “public account of India” and “public account of the State” shall mean the accounts so named and referred to in clause (2) of Article 266 of the Constitution.

7. [u/s 8(6)] Intimation of personal data breach.— (1) On becoming aware of any personal data breach in respect of personal data collected by the Data Fiduciary or generated by processing the same, the Data Fiduciary shall forthwith intimate the Board, through the website of the Board in such form as may be provided thereat, to the best of the knowledge of the Data Fiduciary,—

(a) a description of the breach, including its nature;

(b) the date and time when the Data Fiduciary became aware of the breach;

(c) the timing or duration of occurrence of the breach;

(d) the location where the breach occurred;

(e) the extent of the breach, in terms of the nature and quantum of data involved; and

(f) the potential impact of the breach.

(2) The Data Fiduciary shall also intimate to the Board the details of such personal data breach, through the website of the Board in such form as may be provided thereat, to the best of the knowledge of the Data Fiduciary, within seventy-two hours of becoming aware of the same,—

(a) the broad facts related to the events, circumstances and reasons leading to the breach;

(b) a detailed description of the extent of the breach, including details regarding the actual or estimated number of Data Principals affected or likely to be affected;

(c) updated information, if any, in respect of the intimation given under sub-rule (1);

(d) the measures implemented or proposed, if any, to mitigate risk to Data Principals;

(e) any findings regarding the person who caused the breach; and

(f) remedial measures taken to prevent the recurrence of such a breach.

(3) A Data Fiduciary may use a Personal Data Breach Intimation Artifact for the purpose of giving an intimation under sub-rule (1) or sub-rule (2).

(4) On becoming aware of any personal data breach in respect of personal data collected by the Data Fiduciary from a Data Principal or generated by processing the same, the Data Fiduciary shall intimate such breach to such affected Data Principal, specifying in a concise, clear and plain manner the following details, namely:—

(a) a description of the breach, including its nature, such as whether it was on account of unauthorised processing of personal data or accidental disclosure, acquisition, sharing, use, alteration, destruction or loss of access to personal data;

(b) the timing or duration of occurrence of the breach;

(c) the extent of the breach, insofar as it relates to the Data Principal;

(d) the consequences to the Data Principal that are likely to arise from the breach;

(e) measures implemented by the Data Fiduciary, if any, to mitigate risk to the Data Principal;

(f) safety measures that the Data Principal may take to protect her interests; and

(g) name and contact details of the Data Protection Officer or any other person as specified in rule 8 for purposes of any communication regarding such breach.

(5) The intimation under sub-rule (4) shall be—

(a) given through any mode of communication of the Data Principal that is registered with the Data Fiduciary, or through any other effective method, such as an in-app notification; and

(b) easily storable or preservable by the Data Principal for future reference.

(6) The Board may, in relation to a personal data breach, upon a request being made in writing by the Data Fiduciary in this behalf, if it is satisfied that there are grounds for doing so, allow such Data Fiduciary a longer period for giving an intimation under sub-rule (2), or to intimate the details required to be intimated thereunder in a phased manner or as and when they become available.

8.[u/s 8(8)] Time period for specified purpose to be deemed as no longer being served.—

(1) The specified purpose shall be deemed to no longer be served in respect of a Data Fiduciary who belongs to a class of Data Fiduciaries specified in column (2) of the Table in Schedule III, for the purpose specified in the corresponding entry in column (3), in relation to a Data Principal who has not approached such Data Fiduciary for the performance of such specified purpose and has not exercised any of her rights in relation to her personal data, for the time period specified in the corresponding entry in column (4).

(2) The Data Fiduciary shall, no later than forty-eight hours prior to expiry of the applicable time period for erasure to be effected under sub-rule (1), intimate the Data Principal that—

(a) her personal data shall be erased upon such expiry since she has not initiated contact with such Data Fiduciary for the performance of the specified purpose; and

(b) such erasure shall not be effected if, before such expiry, she logs into her user account or otherwise initiates such contact.

(3) The intimation under sub-rule (2) shall be given in like manner as is provided for an intimation of personal data breach in sub-rule (4) of rule 7.

9.[u/s 8(9)] Publishing of contact information of person who is able to answer questions about processing.— (1) A Data Fiduciary shall—

(a) publish on her website or app, or both, as the case may be; and

(b) intimate the Data Principal through in-app notification and every piece of correspondence with her,

the business contact information of a person who is able to answer on behalf of the Data Fiduciary, the questions, if any, raised by the Data Principal about the processing of her personal data.

(2) If the Data Fiduciary is a Significant Data Fiduciary, the business contact information published under sub-rule (1) shall be that of its Data Protection Officer.

(3) The business contact information to be published under sub-rule (1) shall be published in like manner as is provided in sub-rule (2) of rule 5.

10. [u/s 9(1)] Verifiable consent for processing personal data of child or person with disability who has lawful guardian.—

(1) A Data Fiduciary, while obtaining verifiable consent from an individual identifying herself as the parent of a child for the processing of personal data of such child, shall observe due diligence to confirm that such individual is not a child and to reliably identify such individual providing the consent in case her identification is required in the interest of prevention, detection, investigation or prosecution of any offence or contravention of any law for the time being in force in India, by—

(a) reference to reliable details of identity and age available with the Data Fiduciary or collected by her with the consent of such individual; or

(b) the use of a token in electronic form, mapped to the identity and age details of such individual and voluntarily provided by her, which has been generated by—

(i) an entity entrusted or permitted by law or by the Central Government or a State Government with the maintenance of the details of the identity and age of individuals;

(ii) any person who is appointed or authorised by such entity, is duly permitted to access such details, and generation of such token by whom would not be inconsistent with any requirement under law or the terms and conditions of licence or agreement governing her appointment or authorisation; or

(iii) a Digital Locker service provider.

(2) A Data Fiduciary, while obtaining verifiable consent from an individual identifying herself as the lawful guardian of a person with disability in respect of whom such guardian is appointed, shall observe due diligence to ensure that such appointment has been duly made, is currently valid and such guardianship is consistent with the law applicable to guardianship in respect of such individual.

(3) In this rule, the expression—

(a) “electronic form” shall have the meaning assigned to it in the Information Technology Act, 2000 (21 of 2000); and

(b) “law applicable to guardianship” includes the Rights of Persons with Disabilities Act, 2016 (49 of 2016) and the National Trust for the Welfare of Persons with Autism, Cerebral Palsy, Mental Retardation and Multiple Disabilities Act, 1999 (44 of 1999).

11.[u/s 9(4)] Exemptions from processing of personal data of child.— The provisions of sub-sections (1) and (3) of section 9 of the Act shall not be applicable to processing of personal data of a child by such class of Data Fiduciaries or for such purpose as is specified in column (2) of the Table in Schedule IV, subject to the conditions specified in the corresponding entry in column (3) thereof.

12.[u/s 10(2)(c)(i) &(iii)] Measures to be undertaken by Significant Data Fiduciary.— (1) A Significant Data Fiduciary shall, in addition to the measures provided under the Act, undertake the following measures, namely:—

(a) Ensure that its Data Protection Officer shall be the point of contact for answering on its behalf, the questions, if any, raised by the Data Principal about the processing of her personal data;

(b) Include in the business contact information to be published under rule 9 a toll-free telephone number issued in India and an e-mail address for Data Principals to contact its Data Protection Officer; and

(c) Undertake the periodic Data Protection Impact Assessment and the periodic audit under the provisions of the Act at least once in every year.

(2) In this rule, the expression “every year”, in relation to a Data Fiduciary, shall mean every period of one year reckoned from the date on which—

(a) these rules come into force; or

(b) such Data Fiduciary becomes a Significant Data Fiduciary,

whichever is later.

13. [u/s 11(1), 12(3), 13(2) & 14(1) Rights of Data Principal.— (1) For enabling Data Principals to exercise their rights under Chapter III of the Act, the Data Fiduciary and, where applicable, the Consent Manager, shall publish on her website or app, or both, as the case may be:—

(a) the details of the means using which a Data Principal may make a request for the exercise of such rights;

(b) the particulars, such as the username or other identifier of such a Data Principal, which may be required to identify her under the terms of service of such Data Fiduciary or Consent Manager;

(c) the particulars, under the terms of service of such Data Fiduciary or Consent Manager, which may be required to locate the previously given consent referred to in the Act in relation to the Right to Access Information, Right to Correction of Personal Data or Right to Erasure of Personal Data, which may include the sequence of characters that uniquely identifies the Consent Artifact pertaining to such consent; and

(d) the details, under the terms of service of such Data Fiduciary or Consent Manager, regarding the form in which a request for nomination may be made, changed or withdrawn, and whether the Data Principal may nominate one or more individuals for the exercise of her rights ni respect of processing of her personal data.

(2) The information under sub-rule (1) shall be published in like manner as is provided in sub- rule (2) of rule 5.

(3) Rights of the Data Principal may be exercised by her using the means and furnishing the particulars and, where applicable, the details referred to in sub-rule (1) and making a request that describes –

(a) the information sought under the Right to Access Information;

(b) the correction, completion or updating to be carried out under the Right to Correction of personal data;

(e) the erasure to be carried out under the Right to Erasure of Personal Data;

(d) the redressal sought under the Right of Grievance Redressal; or

(e) the nomination sought under the Right to Nominate.

(4) The Data Fiduciary or the Consent Manager, as the case may be, shall, on receipt of a grievance from any Data Principal,—

(a) where any period is provided under any other law for the time being in force for the redressal of or response to such grievance, communicate its response to the grievance within such period; or

(b) where no such period is provided, communicate its response to the grievance within a period of seventy-two hours of receipt of the grievance.

(5) In this rule, the expression –

(a) “identifier” means any sequence of characters issued by the Data Fiduciary to identify the Data Principal and includes a customer identification file number, customer acquisition form number, application reference number, enrolment ID or licence number that enables such identification;

(b) “Right to Access Information” means the right referred to in section 11;

(c) “Right to Correction of Personal Data” means the right of the Data Principal under section 12 to have her personal data corrected, completed or updated;

(d) “Right to Erasure of Personal Data” means the right of the Data Principal under section 12 to erasure of her personal data;

(e) “Right of Grievance Redressal” means the right referred to in section 13;

(f) “Right to Nominate” means the right referred to in section 14; and

(g) “username” means the sequence of characters, issued by the Data Fiduciary or generated by or using her computer resource, that identifies the user account of the Data Principal.

14. [u/s 17(2)(b)] Exemption from Act for research, archiving and statistical purposes.—

The provisions of the Act shall not apply to the processing of personal data necessary for research, archiving and statistical purposes if the personal data is not to be used to take any decision specific to a Data Principal and such processing is carried on in accordance with the following standards, namely:—

(a) Reasonable security safeguards to prevent personal data breach are in place to protect personal data in the possession or under control of the Data Fiduciary, including in respect of any processing undertaken by it or on its behalf by a Data Processor; and

(b) If such processing is for the purposes specified in column (2) of the Table in Schedule V, the same is carried on in accordance with the requirements specified in column (3) thereof.

15. [u/s 19(2)] Appointment of Chairperson and other Members.— (1) The Central Government shall, for the purpose of selecting one or more individuals for appointment as the Chairperson, constitute a Search-cum-Selection Committee consisting of—

(a) the Cabinet Secretary, who shall be the chairperson;

(b) two experts of repute, who possess special knowledge or practical experience in the fields of data governance, administration or implementation of laws related to social or consumer protection, dispute resolution, information and communication technology, digital economy, law, regulation or techno-regulation, or in any other field which in the opinion of the Central Government may be useful to the Board;

(c) Secretary to the Government of India in the Department of Legal Affairs; and

(d) Secretary to the Government of India in the Ministry of Electronics and Information Technology, who shall be the convenor.

(2) The Central Government shall, for the purpose of selecting one or more individuals for appointment as a Member who is other than the Chairperson, constitute a Search-cum-Selection Committee consisting of—

(a) Secretary to the Government of India in the Ministry of Electronics and Information Technology, who shall be the chairperson;

(b) two experts of repute, who possess special knowledge or practical experience in the fields of data governance, administration or implementation of laws related to social or consumer protection, dispute resolution, information and communication technology, digital economy, law, regulation or techno-regulation, or in any other field which in the opinion of the Central Government may be useful to the Board;

(c) Secretary to the Government of India in the Department of Legal Affairs; and

(d) the Chairperson.

(3) Till such time when the Chairperson is appointed and has entered upon her office, the Search-cum-Selection Committee constituted under sub-rule (2) shall function without the Chairperson.

(4) The Central Government shall, after considering the suitability of the individuals recommended by the Search-cum-Selection Committee, appoint the Chairperson or other Member, as the case may be.

(5) No act or proceeding of the Search-cum-Selection Committee shall be called in question on the ground merely of the existence of any vacancy or absence in such committee or defect in its constitution.

16. [u/s 20(1)] Salary, allowances and other terms and conditions of service of Chairperson and other Members.— (1) The Chairperson and every other Member shall receive such salary and allowances and shall have such other terms and conditions of service as are specified in Schedule VI.

(2) Matters relating to the conditions of service of the Chairperson and every other Member in respect of which no express provision has been made in these rules shall be referred in each case, to the Central Government for its decision and the decision of the Central Government on the same shall be final.

17. [u/s 23(1)] Proceedings of Board and authentication of its orders, directions and instruments.— (1) The Chairperson shall fix the date, time and place of meetings of the Board, approve the items of agenda therefor, and cause notice specifying the same to be issued under her signature or that of such other individual as the Chairperson may authorise by general or special order in writing.

(2) Meetings of the Board shall be chaired by the Chairperson and, in her absence, by such other Member as the Members present at the meeting may choose from amongst themselves.

(3) Save as otherwise provided for in these rules, the Board shall, mutatis mutandis, observe in respect of its meetings such secretarial standards as are applicable in respect of Board meetings of a company under sub-section (10) of section 118 of the Companies Act.

(4) The Chairperson or any Member of the Board, or any individual authorised by it by a general or special order in writing, may, under her signature, authenticate its order, direction or instrument.

(5) For the purposes of this rule, any requirement of—

(a) giving of notice shall be satisfied if the same is given, issued, or maintained, as the case may be, in the form of an electronic record; and

(b) an individual signing any notice, order, direction, instrument, document or electronic record shall be satisfied if she affixes thereon her electronic signature.

18. [u/s 24] Terms and conditions of appointment and service of officers and employees of Board.— (1) The Board may, with previous approval of the Central Government and in such manner as the Central Government may by general or special order specify, appoint such officers and employees as it may deem necessary for the efficient discharge of its functions under the provisions of the Act.

(2) Subject to sub-rule (1), the Board shall have the following classes of officers and employees, namely:—

(a) Officers and employees on deputation, who are members of any all-India service or central civil service or state civil service, or an officer or employee of the Union of India, any State, any body established by a statute, any public sector enterprise of the Union of India or any State or any autonomous institution of the Union of India or any State; and

(b) Officers and employees appointed for a fixed term.

(3) The terms and conditions of service of officers and employees of the Board shall be such as are specified in Schedule VII.

(4) Matters relating to the terms and conditions of service of the officers and employees of the Board in respect of which no express provision has been made in these rules shall be referred in each case, to the Central Government for its decision and the decision of the Central Government on the same shall be final.

19. [u/s 28(1)] Techno-legal measures adopted by Board.— (1) The Board,—

(a) shall adopt techno-legal measures in its functioning as a digital office; and

(b) without prejudice to its power to summon and enforce the attendance of any person and examine her on oath, may adopt suitable techno-legal measures that obviate the necessity of personal presence to secure the right of being heard or to tender evidence.

(2) The techno-legal measures adopted by the Board may include measures to enable—

(a) Data Principals to make a complaint to the Board, using such means and following such procedure as the Board may publish on its website and app;

(b) Data Fiduciaries to give intimation of personal data breach using a Personal Data Breach Intimation Artifact that is consistent with such technical specifications as the Board may publish on its website; and

(c) the parties to a dispute to attempt its resolution by mediation by a conciliator of such Online Dispute Resolution Institution as the parties may mutually agree upon, through the Online Dispute Resolution Portal.

(3) In this rule, the expression—

(a) “Online Dispute Resolution Institution” shall mean an institution empanelled as such under the Master Circular for Online Dispute Resolution issued by Securities and Exchange Board of India; and

(b) “Online Dispute Resolution Portal” shall mean the portal so named in the said Master Circular.

20. [u/s 29(2) & 29(8)] Appeal.— (1) An appeal, including any related documents, by a person aggrieved by an order or direction of the Board, shall be filed in electronic form, using such means as may be provided and following such procedure as may be specified by the Appellate Tribunal on its website.

(2) An appeal filed with the Appellate Tribunal shall be accompanied by fee of like amount as is applicable in respect of an appeal filed under section 14A of the Telecom Regulatory Authority of India Act, 1997 (24 of 1997), unless reduced or waived by the Chairperson of the Appellate Tribunal may at her discretion, which shall be payable in such form as the Appellate Tribunal may specify on its website.

(3) The Appellate Tribunal—

(a) shall not be bound by the procedure laid down by the Code of Civil Procedure, 1908 (5 of 1908), but shall be guided by the principles of natural justice and, subject to the provisions of the Act, may regulate its own procedure;

(b) shall adopt techno-legal measures in its functioning as a digital office; and

(c) without prejudice to its power to summon and enforce the attendance of any person and examine her on oath, may adopt suitable techno-legal measures that obviate the necessity of personal presence to secure the right of being heard or to tender evidence.

SCHEDULE I

[see rule 3(3)]

Model Notice

[Data Principal to be given option to access contents of notice in English or any language specified in Eighth Schedule to Constitution]

1. This notice is to inform you of how we, [Name of the Data Fiduciary), want to process your personal data, so that you may give your informed consent.
2. Only the following personal data will be collected from you for the purposes mentioned in this notice:

(a) ‹example: Name ›

(b) <example: Email Id›

(c) <example: Credit card details>

(d) <example: Address>

3. The purposes for which the personal data listed above will be used are as follows:

(a) <Name> and <Email Id> will be used to <example: register you as a customer>.

(b) <Credit card details> will be used to <example: receive payments>.

(c) <Address> will be used to <example: deliver goods>.

We will only collect as much personal data as is necessary for the purposes mentioned.

The personal data will not be used for any other purpose.

4. We will process your personal data only till the purposes mentioned are served.

(a) <Name> and <Email Id> will be retained only till <example: you remain our customer>.

(b) <Credit card details> will be retained only till <example: payment is received>.

(c) <Address> will be retained only till <example: goods are delivered>.

5. You can withdraw your consent for processing of your personal data at any time, by <example: clicking here [hyperlink]>. If you do so, your personal data will be erased, unless there is any legal requirement to retain it.
6. If you have any questions regarding the processing of your data, you can contact us by <example: clicking here [hyperlink for contacting the person who will respond]>.
7. You have the right to:

(a) Access information about your personal data

(b) Correct and update your personal data

(c) Erase your personal data

(d) Seek redress of any grievance regarding processing of your personal data

(e) Nominate someone to exercise these rights in case of death or incapacity

8. You can register any grievance by <example: clicking here [hyperlink]> and can also exercise your other rights by <example: using the same link>. In case you do not receive any reply from us within <example: 72 hours> of registering your grievance or it is not redressed by our response, you can approach the Data Protection Board of India by <example: clicking here [hyperlink]>.

9 . You can save a copy of this notice by <example: clicking here [hyperlink]> and download it on your mobile.

SCHEDULE II

[see rules 3(2) and 6(1)]

Standards for Processing by State and its Instrumentalities

Where the Data Principal has previously consented to the processing of her personal data by the State or any of its instrumentalities to provide or issue to her any subsidy, benefit, service, certificate, licence or permit, such personal data may also be processed by the State or any of its instrumentalities as the Data Fiduciary for the purpose of providing or issuing to her any other such subsidy, benefit, service, certificate, licence or permit, subject to adherence to the following standards, namely:—

(a) Notice is given by the Data Fiduciary to the Data Principal in the following manner, namely:-

(i) The notice shall be made in like manner as is provided for a Notice to Seek Consent; and

(ii) The notice shall include, in clear and plain language, reference to such previous consent and the details necessary to enable her to exercise the Rights of the Data Principal, including such minimum details as are required in respect of a Notice to Seek Consent; and

(b) Processing is carried on in accordance with –

(i) any other policy issued by the Central Government or any State Government; and

(ii) the provisions of any other law for the time being in force in India, applicable to such processing,

which provides for the observance of higher standards applicable to such processing.

SCHEDULE III

(See rule 8)

Table

Note:

In this Schedule,—

(a) “e-commerce” has the same meaning as is assigned to it in the Consumer Protection Act, 2019 (35 of 2019);

(b) “e-commerce entity” means any person who owns, operates or manages digital or electronic facility or platform for electronic commerce, but does not include a seller offering her goods or services for sale on a marketplace e-commerce entity;

(c) “intermediary” means a person defined as such in the Information Technology Act, 2000 (21 of 2000):

(d) “marketplace e-commerce entity” means an e-commerce entity who provides an information technology platform on a digital or electronic network to facilitate transactions between buyers and sellers;

(e) “online gaming intermediary” means any intermediary who enables the users of its computer resource to access one or more online games;

(f) “social media intermediary” means an intermediary who primarily or solely enables online interaction between two or more users and allows them to create, upload, share, disseminate, modify or access information using her services;

(g) “seller” means the product seller as defined in clause (37) of section 2 of the Consumer Protection Act, 2019 (35 of 2019) and shall include any service provider;

(h) “user”, in relation—to

(i) an e-commerce entity, means any person who accesses or avails any computer resource of an e-commerce entity; and

(ii) an online gaming intermediary or a social media intermediary, means any person who accesses or avails of any computer resource of an intermediary for the purpose of hosting, publishing, sharing, transacting, viewing, displaying, downloading or uploading information.

SCHEDULE IV

(see rule 11)

Table

Class of Data Fiduciaries to whom, and purpose for which, provisions of sub-section (1) and (3) of section 9 to not apply

Note:

In this Schedule –

(a) “allied healthcare professional” shall have the same meaning as is assigned to it in the National Commission for Allied and Healthcare Professions Act, 2021 (14 of 2021);

(b) “clinical establishment” shall have the same meaning as is assigned to it in the Clinical Establishments (Registration and Regulation) Act, 2010 (23 of 2010);

(c) “educational institution” means and includes an institution of learning that imparts education, including vocational education, which is –

(i) established, owned or controlled by or under a Central Act or State Act;

(ii) established, owned, controlled or recognised by the Central Government, a State Government or a local authority;

(iii) recognised by a body which is established by law for the co-ordination and determination of standards in institutions for higher education or research and scientific and technical institutions and is empowered to regulate such institutions;

(iv) affiliated to a University; or

(v) declared as an institution deemed to be University under the Universities Grants Commission Act, 1956 (3 of 1956);

(d) “healthcare professional” shall have the same meaning as is assigned to it in the National Commission for Allied and Healthcare Professions Act, 2021 (14 of 2021);

(e) “health services” means the services referred to in clause (j) of section 2 of the National Commission for Allied and Healthcare Professions Act, 2021 (14 of 2021);

(f) “local authority” shall have the same meaning as is assigned to it in the Right of Children to Free and Compulsory Education Act, 2009 (35 of 2009);

(g) “mental health establishment” shall have the same meaning as is assigned to it in the Mental Healthcare Act, 2017 (10 of 2017); and

(h) “University” shall have the same meaning as is assigned to it in the Universities Grants Commission Act, 1956 (3 of 1956).

SCHEDULE V

[see rule 14]

Standards of processing for research, archiving and statistical purposes

Table

Note:

In this Schedule, the expression “National Archives of India” shall mean the archives referred to as such in the Public Records Act, 1993 (69 of 1993).

SCHEDULE VI

[see rule 16]

Terms and conditions of service of the Chairperson and other Members

1. Salary— (1) The Chairperson shall be entitled to receive a consolidated salary of rupees four lakh fifty thousand per month, without the facility of house and car.

(2) Every Member other than the Chairperson shall be entitled to receive a consolidated salary of rupees four lakh per month, without the facility of house and car.

2. Provident Fund.—The Chairperson and every other Member shall be eligible to contribute to the Provident Fund of the Board and the manner and terms and conditions applicable in this regard shall, mutatis mutandis, be the same as those applicable to other officers and employees of the Board for their Provident Fund.
3. Pension and gratuity.—The Chairperson and every other Member shall not be entitled to payment of pension or gratuity for service rendered in the Board.
4. Travelling allowance.—(1) The Chairperson and every other Member, while on transfer to join the Board or on the expiry of the term with the Board to proceed to her home town with family (including in respect of journey undertaken by her and her family) or on tour within India, shall be entitled to journey allowance, daily allowance and reimbursement of expense on transportation of personal effects at such scales and rates as are applicable to an officer of the Central Government in the following level of the pay matrix, namely:—

(a) level 17, in the case of the Chairperson; and

(b) level 15, in the case of every other Member.

(2) The Chairperson and every other Member may undertake tour outside India only in accordance with guidelines or instructions issued by the Central Government, and in respect of such tour, she shall be entitled to draw the same allowances as an officer of the Central Government, in the following level of the pay matrix, is entitled to draw, namely:—

(a) level 17, in the case of the Chairperson; and

(b) level 15, in the case of every other Member.

5. Medical assistance.—(1) The Chairperson and every other Member shall be entitled to such medical assistance as may be admissible to them under any group health insurance scheme of the Board for officers and employees of the Board and their eligible dependants.

(2) If the Chairperson or other Member has retired from Government service or from the service of a public sector entity or a body corporate established by a Central or State Act which has a separate set of rules for the grant of medical assistance for such service, she may, in lieu of medical assistance under sub-paragraph (1), opt to be governed by such rules.

6. Leave.—(1) The authority competent to sanction leave shall be the Central Government in respect of the Chairperson, and the Chairperson in respect of any other Member.

(2) The Chairperson and every other Member may avail of such kinds of leave as are admissible to a government servant under sub-clause (i) of clause (a) and clause (b) of sub-rule (1) of rule 26, rules 27, 29, 30 and 40 to 43-C of the Central Civil Services (Leave) Rules, 1972 (hereinafter referred to as “Leave Rules”).

(3) Leave shall be subject to the conditions applicable to a government servant under rules 7 to 11 and 22 to 25 of the Leave Rules, and the Central Government may, if satisfied that the operation of any of the said rules causes undue hardship in a particular case, by order relax the provisions of that rule to such extent and subject to such exceptions and conditions as it may consider necessary for dealing with the case in a just and equitable manner.

(4) The Chairperson and every other Member shall be entitled to casual leave to such extent as is admissible to a government servant under instructions issued by the Central Government.

(5) The Chairperson and every other Member shall be entitled to encashment of earned leave standing to her credit subject to such conditions and in like manner as are applicable to a government servant under rule 38-A, sub-rules (1) and (2) and sub-clauses (i) and (ii) of clause (a) of sub-rule (6) of rule 39, rule 39-A and rule 39-C of the Leave Rules, subject to the maximum extent of encashment under any of the said rules other than rule 38-A being fifty per cent. of the earned leave standing to her credit.

7. Leave travel concession.—(1) Leave travel concession shall be admissible to the Chairperson and every other Member in accordance with the provisions applicable to persons appointed to civil service and posts in connection with the affairs of the Union of India under rule 3, clauses (a) and (d) of rule 4, rules 5 to 15 and rule 17 of the Central Civil Services (Leave Travel Concession) Rules, 1988, and the entitlement for such concession shall be the same as is applicable to officers of the Central Government in level 17 of the pay matrix in the case of the Chairperson, and to officers of the Central Government in level 15 of the pay matrix in the case of a Member.

(2) The Chairperson and every other Member shall be eligible to avail of either leave travel concession to home town or leave travel concession to any place in India in any period of two years from the date of assumption of their office as a Member.

8. Other terms and conditions of service.—(1) The Chairperson and every other Member shall ensure absence of conflict of interest in the performance of the functions of her office and shall not have any such financial or other interests as are likely to prejudicially affect the performance of the functions of such office.

(2) The provisions contained in Part IV to Part IX of the Central Civil Services (Classification, Control and Appeal) Rules, 1965 shall apply, mutatis mutandis, as are applicable to an officer of the Central Government who is a member of a Central Civil Services, Group ‘A’.

(3) The Chairperson and every other Member shall not be entitled to any sitting fee for attending meetings of the Board.

(4) The Chairperson and every other Member shall not be entitled to any sumptuary allowance.

9. In this Schedule, “pay matrix” shall mean the pay matrix referred to in Annexure I to the Central Government’s resolution published in the Official Gazette vide notification no. 1-2/2016-IC, dated the 25^th July, 2016.

SCHEDULE VII

[see rule 18(2)]

Terms and conditions of appointment and service of officers and employees of Board

1. Salary and allowances.—The officers and employees shall be paid such salary and allowances as the Board may fix with previous approval of the Central Government.
2. Provident Fund and pension.—The entitlements, if any, of the officers and employees in respect of Provident Fund and pension shall be such as the Board may determine with previous approval of the Central Government.
3. Gratuity.—The officers and employees shall be entitled to payment of such gratuity as may be admissible under the Payment of Gratuity Act, 1972 (39 of 1972).
4. Travelling allowance.—The travelling allowance payable to the officers and employees shall, mutatis mutandis, be the same as those applicable to the officers and employees of the Central Government.
5. Medical assistance. – The officers and employees shall be entitled to such medical assistance as may be admissible to them and their eligible dependants under any group health insurance scheme of the Board, made with the previous approval of the Central Government.
6. Leave.—(1)The officers and employees may avail of such kinds of leaves as are admissible to a government servant under the Central Civil Services (Leave) Rules, 1972, subject to the conditions applicable under the said rules, and shall be eligible for encashment of earned leave as provided therein.

(2) The officers and employees shall be entitled to casual leave to such extent as is admissible to a government servant under instructions issued by the Central Government.

7. 7. Leave travel concession.—Leave travel concession shall be admissible to the officers and employees in accordance with the provisions applicable to persons appointed to civil services and posts in connection with the affairs of the Union of India under the Central Civil Services (Leave Travel Concession) Rules, 1988.
8. Other service conditions.—(1) The provisions of the Civil Service (Conduct) Rules, 1964 shall apply to the officers and employees in like manner as applicable to a person appointed to a civil service or post in connection with the affairs of the Union of India under the said rules.

(2) The provisions contained in Part VI to Part IX of the Central Civil Services (Classification, Control and Appeal) Rules, 1965 shall apply, mutatis mutandis, to the officers and employees in like manner as applicable to a government servant under the said rules.

9. Deputation. — Any officer or other employee may be taken on deputation by the Board for a period not exceeding five years.

…

( Disclaimer – This rule is available in public domain but not been released officially so far by MEITY)