DPDP: Digital Personal Data Protection Rules
- Title and Start Date:
- The regulations are known as the “Digital Personal Data Protection Rules, 2025.”
- Most of the rules take effect immediately on publication; Rules 3–15, 21, and 22 take effect at a later date.
- Definitions:
- Unless otherwise indicated, terms used in the rules have the same definitions as those found in the DPDP Act, 2023.
- Data Fiduciary Notice:
- The notice about the use of your personal data must be clear and presented separately from any other information.
- Simple, understandable language should be used in the notice.
- Everything you need to know to determine whether you consent to the use of your data must be included in the notice.
- The notice must explicitly list the personal data being collected, such as your name, email address, and location.
- The notice must specify why your information is being collected (e.g., to send you offers, improve the product, or provide a service).
- The notice should outline how processing your data can benefit you, for example through faster service or tailored recommendations.
- A clear method of contacting the business, such as a website or app link, must be included in the notice.
- The notice must explain how to withdraw your consent, and withdrawing it must be as easy as granting it was initially.
- The notice must explain how you can access, amend, or remove your data.
- If you are concerned about how your data is being used, the notice must explain how to lodge a complaint with the appropriate authority.
- Registration and obligations of a Consent Manager:
- Only Indian businesses with a solid reputation, sound financial standing, and a trustworthy consent management platform are eligible to register as consent managers.
- Consent managers must make it simple for individuals to grant, modify, or revoke consent for the use of their data, maintain accurate records of this, and make these records readily available. They must also steer clear of conflicts of interest and give data security a priority.
- The Board, the governing body, has the authority to keep a careful eye on Consent Managers, stop their operations if necessary, and make sure they always put the interests of the individuals whose data they handle first.
- Processing for provision or issue of services by the State or its instrumentality:
- Your personal information may be used by the government (or government-affiliated organizations) when they offer services, subsidies, permits, etc.
- In some circumstances, the government must manage your personal information in accordance with specific regulations (included in Schedule II).
- These guidelines guarantee that your data is used lawfully, solely for the purposes for which it was intended, and only when required. Your data needs to be secure and correct.
- You must be able to access your rights and know how the government uses your information.
- The government is in charge of adhering to these regulations and making sure your data is secure.
- Reasonable security safeguards:
- Businesses are required to take precautions to safeguard your personal data, including limiting access, employing encryption, and keeping an eye out for any unwanted access.
- These precautions are meant to preserve your data’s accuracy, confidentiality, and availability when required.
- Businesses need to have procedures in place to identify and handle data breaches, which occur when personal information is stolen or used improperly. They ought to document every data activity as well.
- Businesses need to make sure that any other businesses they collaborate with, known as data processors, have robust security protocols in place to safeguard your information.
- In order to stop data breaches, the security measures must adhere to industry standards.
- Intimation of Personal Data Breach:
- A business must notify you right away if it has a data breach, which occurs when your personal information is stolen or compromised.
- The notification must state what happened, how much data was affected, when it occurred, and any possible harm to you.
- The business needs to let you know how they plan to handle the breach and how you can stay safe.
- They have to give you the contact details of someone you can ask questions of.
- Within 72 hours, the business must also notify the Board, the appropriate governing body, of the breach.
- Within 72 hours (or longer if permitted), the business is also required to submit a comprehensive report to the Board detailing the breach, the actions taken to resolve it, and the name of the culpable party, if known.
- Time period for specified purpose to be deemed as no longer being served:
- Companies (such as social networking platforms, online games, or e-commerce sites) are required to delete your personal information if they gather it for a defined purpose (such as making a purchase or playing a game) and you don’t communicate with them within a predetermined period of time.
- Schedule III specifies the precise time limit for data erasure, which varies based on the type of business.
- Businesses may keep your information for up to three years after your last interaction or the regulations’ implementation, whichever comes first.
- This applies in particular to data you need in order to access your account or virtual goods.
- The business must provide you at least 48 hours’ notice before deleting your data so you may take steps to protect it.
- Contact information for addressing data processing queries:
- On their website or app, every business that gathers and uses your personal information is required to provide the contact details of a designated individual, such as a data protection officer.
- Everyone should be able to easily locate and see this contact information.
- If you have any issues concerning the collection, use, and security of your personal data, you can use this contact information.
- All correspondence with clients pertaining to their personal information must utilize the same contact details.
- Verifiable consent for processing personal data of children and persons with disabilities:
- Before collecting and utilizing the personal information of children or people with disabilities, businesses must get the parents’ or legal guardians’ verifiable approval.
- Businesses must put policies in place to guarantee that the individual providing consent for a child’s data is, in fact, the child’s parent or legal guardian and that their identity can be confirmed.
- Businesses must use trustworthy identification techniques, such as government-issued identification documents or a digital token associated with the parent’s identity, to confirm that the person giving consent for a minor is an adult.
- The clause gives particular instances of how this verification procedure ought to operate, such as in situations where the parent is already a registered member of the service or in which they must submit their personal information via a secure digital locker service.
Consequences of Breaking the Rules of the DPDP Act 2025
- For Individuals:
- Unauthorized Sharing of Sensitive Data:
- Sharing or misusing sensitive personal data without proper consent can result in fines of up to ₹5 lakh.
- Individuals may also face legal action depending on the severity of the violation.
- For Organizations:
- Failure to Protect Data: Organizations that fail to implement adequate security measures may face fines up to ₹25 crore.
- Misuse of Data: Unauthorized use, sale, or sharing of personal data can lead to heavy penalties and potential legal action.
- Failure to Notify Data Breaches: A business failing to disclose a data breach within 72 hours could face immediate penalties, in addition to reputational damage.
Notable Changes in Enforcement
- Establishment of the Data Protection Board: A dedicated body to handle complaints, enforce rules, and resolve disputes.
- Faster Complaint Resolution: Individuals can expect quicker redressal of grievances related to personal data misuse.
Practical Examples of Violations
- Failure to Disclose Data Breaches: Businesses failing to notify affected individuals and the Board of a data breach within 72 hours could face immediate penalties.
- Inadequate Consent Management: Not allowing users to easily withdraw their consent for data processing may result in audits and penalties.
- Improper Data Retention: Retaining personal data longer than necessary without legal justification can attract fines and regulatory scrutiny.