The DPDP Act 2023 + Rules 2025
India's privacy law, in plain English.
The Digital Personal Data Protection Act, 2023 with the DPDP Rules 2025 is now in force. Maximum penalty ₹250 Crore per violation. Here's what every section means — and where Vishwaas AI handles it.
Act sections
What each section requires.
§5
Notice
A data fiduciary must give every data principal a clear, standalone notice in English plus any of the 22 Eighth Schedule languages, before or at the time of collection. The notice must list the legal entity, DPO, grievance officer, DPBI registration (for SDFs), rights portal URL, and withdrawal portal URL.
§6
Consent
Consent must be free, specific, informed, unambiguous, and revocable. Pre-ticked boxes are invalid. Withdrawal must be as easy as grant. The fiduciary must be able to prove what was consented to, by whom, when, in which language.
§7
Legitimate Uses
Eight narrow sub-grounds (employment, public interest, medical emergency, pandemic, etc.) allow processing without consent. Activities under §7 never appear in privacy notices and are never consent-collected, but they remain subject to data minimisation and audit.
§8
Fiduciary Obligations
Maintain Record of Processing Activities (§8(4)), notify the DPBI within 72 hours of a breach (§8(6)), restrict processing to declared purposes. Significant Data Fiduciaries face heightened obligations under §10.
§9
Children's Data
Verifiable parental / guardian consent required for anyone under 18. No tracking, behavioural monitoring, or targeted advertising to children. Vishwaas AI supports five guardian-verification strategies including DigiLocker.
§10
Significant Data Fiduciaries
Tenants designated as SDFs must complete DPIAs, appoint a DPO, audit annually, and meet additional obligations. Vishwaas AI gates these obligations on the is_sdf tenant flag.
§11–14
Data Principal Rights
Right to access (§11), correction + erasure (§12), grievance redressal (§13 — 30-day SLA, DPBI escalation), nomination (§14). All six rights orchestrated in one DPR module.
§16
Cross-Border Transfers
Transfer of personal data outside India only to countries notified by the Central Government. Vishwaas AI tracks adequacy status, flags non-adequate countries, and enforces DPIA gating for SDFs.
§17
Carve-outs
The fiduciary may reject rights requests under specified grounds (legal obligation, freedom of expression, public interest). Reasons must be documented; the principal may escalate.
DPDP Rules 2025
The three rules that bite first.
Rule 3 — Notice readiness
Notice must be standalone, multilingual, and version-locked before publishing. The Vishwaas notice composer enforces a six-check publish gate.
Rule 4 — Consent records
7-year retention of consent records. Withdrawals must be possible at the same point and ease as grant. Vishwaas keeps an append-only hash-chained ledger.
Rule 8(3) — Pre-deletion notice
48-hour pre-deletion notice with a retraction link before any erasure executes. Vishwaas enforces this with a scheduled_deletion_at ≥ pre_notice_sent_at + 47h constraint.
Obligation mapping
Every obligation, mapped to a module.
The full DPDP Act and Rules 2025 obligation set, mapped to the Vishwaas AI module that operationalises it.
| Provision | Obligation | Vishwaas module |
|---|---|---|
| §5 | Notice before processing | Privacy Notice Management → |
| §6 · Rule 3 | Free, specific, informed consent + notice gate | Consent Lifecycle (hash-chained ledger) → |
| §7 | Legitimate-use sub-grounds (no consent required) | Processing activity register → |
| §8(6) | Breach notification to DPBI + principals | Breach Management (72h countdown) → |
| §8(7) | Retention limitation + erasure | Data Inventory & Retention → |
| §9 | Verifiable parental consent for children | Consent Lifecycle (age + guardian gates) → |
| §§11–14 | Access, correction, erasure, grievance, nomination | DPR Management (90-day SLA) → |
| Rule 3 | Itemised notice in English + 22 languages | Notice gate workflows → |
| Rule 4 | Consent Manager registration & interoperability | Consent Manager-ready architecture → |
| Cl.10 / §10 | Significant Data Fiduciary duties (DPIA, audit, board report) | DPIA + SDF compliance pack → |
Common gaps
Where most organisations are non-compliant today.
⚠️ No cryptographic consent proof
Only database timestamps that any DBA can alter.
⚠️ English-only privacy notices
Rule 3 requires Eighth Schedule languages.
⚠️ DPR requests in spreadsheets
No 30-day grievance SLA enforcement.
⚠️ No 48-hour pre-deletion notice
Rule 8(3) violations on every erasure.
⚠️ Ad hoc breach notifications
No 72-hour DPBI countdown discipline.
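The append-only hash-chained ledger named under Rule 4 above, and the "database timestamps that any DBA can alter" gap, illustrated with a minimal consent ledger in Python. This is an added example, not Vishwaas AI's code; the record field names and the GENESIS value are assumptions, and the sample events are constructed.

```python
import hashlib
import json

GENESIS = "0" * 64  # hypothetical genesis value for an empty ledger


def _entry_hash(prev_hash: str, record: dict) -> str:
    # Canonical JSON (sorted keys, no whitespace) so the digest is reproducible.
    payload = prev_hash + json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


class ConsentLedger:
    """Append-only list of consent events; each entry commits to the previous entry's hash."""

    def __init__(self) -> None:
        self.entries: list[dict] = []

    def append(self, principal_id: str, purpose: str, action: str,
               language: str, timestamp: str) -> str:
        # Records what was consented to, by whom, when and in which language (cf. §6).
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        record = {"principal_id": principal_id, "purpose": purpose, "action": action,
                  "language": language, "timestamp": timestamp}
        entry = {"prev_hash": prev, "record": record, "hash": _entry_hash(prev, record)}
        self.entries.append(entry)
        return entry["hash"]

    def verify(self) -> tuple[bool, int]:
        """Walk the chain: (True, -1) if intact, else (False, index of the first bad entry)."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            if entry["prev_hash"] != prev or _entry_hash(prev, entry["record"]) != entry["hash"]:
                return False, i
            prev = entry["hash"]
        return True, -1


def demo_tamper_detection() -> tuple[bool, int]:
    """Constructed sample: grant, withdraw, then a direct DB edit that backdates the withdrawal."""
    ledger = ConsentLedger()
    ledger.append("dp-001", "marketing", "granted", "hi", "2025-11-20T10:00:00+05:30")
    ledger.append("dp-001", "marketing", "withdrawn", "hi", "2025-12-01T09:30:00+05:30")
    ledger.entries[1]["record"]["timestamp"] = "2025-11-21T09:30:00+05:30"  # UPDATE by a DBA
    return ledger.verify()  # the edited timestamp no longer matches the stored hash
```

A DBA with write access could recompute every hash after an edit, so the ledger's head hash should also be anchored outside the database (signed, or published at intervals) for the proof to hold.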
See where you stand — in 20 minutes.
Use our free Readiness Gap Analyser to identify the highest-risk gaps across six DPDP compliance pillars. No login required.