Comprehensive Guide
DPDP Act Implementation Status
Complete Tracker
As of March 2026, the DPDP Act 2023 is in force and the Data Protection Board of India has been established. The DPDP Rules 2025, notified on November 13, 2025, operationalise the bulk of the Act's delegated provisions. Several key areas — including cross-border transfer restrictions, Significant Data Fiduciary designations, and data localisation requirements — remain pending separate government notification.
40 Obligations
26 Notified
14 Pending
8 Categories
Last updated: 9 March 2026
Overview
Implementation Status by Category
Data Protection Board Setup
Partial
7 of 11 notified
Consent Management
Complete
2 of 2 notified
Data Fiduciary Obligations
Complete
5 of 5 notified
Significant Data Fiduciary
Partial
2 of 5 notified
Children's Data Protection
Partial
2 of 4 notified
Cross-border Data Transfer
Pending
0 of 3 notified
Exemptions & Research
Partial
2 of 4 notified
Rights of Data Principals
Complete
6 of 6 notified
Detailed Tracker
Obligation-by-Obligation Status
Data Protection Board Setup
Partial| Obligation | Source | Responsible Body | Status | Implementation |
|---|---|---|---|---|
| Establish the Data Protection Board of India | Section 18(1) | Central Government | Notified | G.S.R. 844(E)(13 November 2025) |
| Notify the headquarters of the Board | Section 18(3) | Central Government | Notified | G.S.R. 844(E)(13 November 2025) |
| Notify the number of Members of the Board besides the Chairperson | Section 19(1) | Central Government | Pending | — |
| Prescribe the manner of appointment of Chairperson and other Members | Section 19(2) | Central Government | Notified | G.S.R. 846(E)(13 November 2025) |
| Constitute Search-cum-Selection Committee for appointment of Chairperson | Rule 17(1) | Central Government | Pending | — |
| Constitute Search-cum-Selection Committee for appointment of Members other than Chairperson | Rule 17(2) | Central Government | Pending | — |
| Prescribe salary, allowances and other terms and conditions of service of Chairperson and Members | Section 20(1) | Central Government | Notified | G.S.R. 846(E)(13 November 2025) |
| Prescribe the procedure for meetings, transaction of business and authentication of orders of the Board | Section 23(1) | Central Government | Notified | G.S.R. 846(E)(13 November 2025) |
| Prescribe terms and conditions of appointment and service of officers and employees of the Board | Section 24 | Central Government | Notified | G.S.R. 846(E)(13 November 2025) |
| Prescribe techno-legal measures for the Board to function as a digital office | Section 28(1) | Central Government | Notified | G.S.R. 846(E)(13 November 2025) |
| Prescribe additional matters in respect of which the Board shall have civil court powers | Section 28(7)(d) | Central Government | Pending | — |
Establish the Data Protection Board of India
NotifiedNotify the headquarters of the Board
NotifiedNotify the number of Members of the Board besides the Chairperson
PendingSource:Section 19(1)
Body:Central Government
Prescribe the manner of appointment of Chairperson and other Members
NotifiedConstitute Search-cum-Selection Committee for appointment of Chairperson
PendingSource:Rule 17(1)
Body:Central Government
Constitute Search-cum-Selection Committee for appointment of Members other than Chairperson
PendingSource:Rule 17(2)
Body:Central Government
Prescribe salary, allowances and other terms and conditions of service of Chairperson and Members
NotifiedPrescribe the procedure for meetings, transaction of business and authentication of orders of the Board
NotifiedPrescribe terms and conditions of appointment and service of officers and employees of the Board
NotifiedPrescribe techno-legal measures for the Board to function as a digital office
NotifiedPrescribe additional matters in respect of which the Board shall have civil court powers
PendingSource:Section 28(7)(d)
Body:Central Government
Consent Management
Complete| Obligation | Source | Responsible Body | Status | Implementation |
|---|---|---|---|---|
| Prescribe the manner and obligations of a Consent Manager acting on behalf of Data Principals | Section 6(8) | Central Government | Notified | G.S.R. 846(E)(13 November 2025) |
| Prescribe the manner of registration of Consent Managers and conditions therefor | Section 6(9) | Central Government | Notified | G.S.R. 846(E)(13 November 2025) |
Prescribe the manner and obligations of a Consent Manager acting on behalf of Data Principals
NotifiedPrescribe the manner of registration of Consent Managers and conditions therefor
NotifiedData Fiduciary Obligations
Complete| Obligation | Source | Responsible Body | Status | Implementation |
|---|---|---|---|---|
| Prescribe the manner in which a Data Principal may make a complaint to the Board | Section 5(1)(iii)/(2)(iii) | Central Government | Notified | G.S.R. 846(E)(13 November 2025) |
| Prescribe the form and manner of intimation of personal data breach to the Board and affected Data Principals | Section 8(6) | Central Government | Notified | G.S.R. 846(E)(13 November 2025) |
| Prescribe time periods after which specified purpose is deemed no longer served, for different classes of Data Fiduciaries and purposes | Section 8(8) | Central Government | Notified | G.S.R. 846(E)(13 November 2025) |
| Prescribe the manner of publishing business contact information of the Data Protection Officer or authorised person | Section 8(9) | Central Government | Notified | G.S.R. 846(E)(13 November 2025) |
| Prescribe the period within which the Data Fiduciary or Consent Manager shall respond to grievances | Section 13(2) | Central Government | Notified | G.S.R. 846(E)(13 November 2025) |
Prescribe the manner in which a Data Principal may make a complaint to the Board
NotifiedPrescribe the form and manner of intimation of personal data breach to the Board and affected Data Principals
NotifiedPrescribe time periods after which specified purpose is deemed no longer served, for different classes of Data Fiduciaries and purposes
NotifiedPrescribe the manner of publishing business contact information of the Data Protection Officer or authorised person
NotifiedPrescribe the period within which the Data Fiduciary or Consent Manager shall respond to grievances
NotifiedSignificant Data Fiduciary
Partial| Obligation | Source | Responsible Body | Status | Implementation |
|---|---|---|---|---|
| Notify Data Fiduciaries or classes of Data Fiduciaries as Significant Data Fiduciaries | Section 10(1) | Central Government | Pending | — |
| Prescribe additional matters comprising the Data Protection Impact Assessment process | Section 10(2)(c)(i) | Central Government | Notified | G.S.R. 846(E)(13 November 2025) |
| Prescribe other measures that a Significant Data Fiduciary shall undertake | Section 10(2)(c)(iii) | Central Government | Notified | G.S.R. 846(E)(13 November 2025) |
| Specify personal data subject to localization restrictions for Significant Data Fiduciaries, based on committee recommendations | Rule 13(4) | Central Government | Pending | — |
| Constitute the committee to recommend personal data subject to localization restrictions | Rule 13(5) | Central Government | Pending | — |
Notify Data Fiduciaries or classes of Data Fiduciaries as Significant Data Fiduciaries
PendingSource:Section 10(1)
Body:Central Government
Prescribe additional matters comprising the Data Protection Impact Assessment process
NotifiedPrescribe other measures that a Significant Data Fiduciary shall undertake
NotifiedSpecify personal data subject to localization restrictions for Significant Data Fiduciaries, based on committee recommendations
PendingSource:Rule 13(4)
Body:Central Government
Constitute the committee to recommend personal data subject to localization restrictions
PendingSource:Rule 13(5)
Body:Central Government
Children's Data Protection
Partial| Obligation | Source | Responsible Body | Status | Implementation |
|---|---|---|---|---|
| Prescribe the manner of obtaining verifiable consent of parent before processing personal data of a child or person with disability | Section 9(1) | Central Government | Notified | G.S.R. 846(E)(13 November 2025) |
| Prescribe classes of Data Fiduciaries and purposes exempted from verifiable consent and tracking restrictions for children | Section 9(4) | Central Government | Notified | G.S.R. 846(E)(13 November 2025) |
| Notify Data Fiduciaries whose processing of children's data is verifiably safe, specifying the age above which consent obligations are relaxed | Section 9(5) | Central Government | Pending | — |
| Notify Digital Locker service providers for the purpose of verifiable consent for children's data processing | Rule 10(2)(c) | Central Government | Pending | — |
Prescribe the manner of obtaining verifiable consent of parent before processing personal data of a child or person with disability
NotifiedPrescribe classes of Data Fiduciaries and purposes exempted from verifiable consent and tracking restrictions for children
NotifiedNotify Data Fiduciaries whose processing of children's data is verifiably safe, specifying the age above which consent obligations are relaxed
PendingSource:Section 9(5)
Body:Central Government
Notify Digital Locker service providers for the purpose of verifiable consent for children's data processing
PendingSource:Rule 10(2)(c)
Body:Central Government
Cross-border Data Transfer
Pending| Obligation | Source | Responsible Body | Status | Implementation |
|---|---|---|---|---|
| Notify countries or territories to which transfer of personal data by a Data Fiduciary is restricted | Section 16(1) | Central Government | Pending | — |
| Specify requirements for making personal data available to foreign States, persons or entities under control of a foreign State | Rule 15 | Central Government | Pending | — |
| Specify personal data of Significant Data Fiduciaries subject to localization (no transfer outside India) | Rule 13(4) | Central Government | Pending | — |
Notify countries or territories to which transfer of personal data by a Data Fiduciary is restricted
PendingSource:Section 16(1)
Body:Central Government
Specify requirements for making personal data available to foreign States, persons or entities under control of a foreign State
PendingSource:Rule 15
Body:Central Government
Specify personal data of Significant Data Fiduciaries subject to localization (no transfer outside India)
PendingSource:Rule 13(4)
Body:Central Government
Exemptions & Research
Partial| Obligation | Source | Responsible Body | Status | Implementation |
|---|---|---|---|---|
| Prescribe the subsidies, benefits, services, certificates, licences or permits for which the State may process personal data as a legitimate use | Section 7(b) | Central Government | Notified | G.S.R. 846(E)(13 November 2025) |
| Notify databases, registers, books or other documents maintained by the State for the purpose of legitimate use processing | Section 7(b)(ii) | Central Government | Pending | — |
| Prescribe standards for processing personal data for research, archiving or statistical purposes | Section 17(2)(b) | Central Government | Notified | G.S.R. 846(E)(13 November 2025) |
| Notify Data Fiduciaries or classes including startups exempted from notice, data accuracy/erasure and SDF obligations | Section 17(3) | Central Government | Pending | — |
Prescribe the subsidies, benefits, services, certificates, licences or permits for which the State may process personal data as a legitimate use
NotifiedNotify databases, registers, books or other documents maintained by the State for the purpose of legitimate use processing
PendingSource:Section 7(b)(ii)
Body:Central Government
Prescribe standards for processing personal data for research, archiving or statistical purposes
NotifiedNotify Data Fiduciaries or classes including startups exempted from notice, data accuracy/erasure and SDF obligations
PendingSource:Section 17(3)
Body:Central Government
Rights of Data Principals
Complete| Obligation | Source | Responsible Body | Status | Implementation |
|---|---|---|---|---|
| Prescribe the manner in which a Data Principal may make a request to access information about her personal data | Section 11(1) | Central Government | Notified | G.S.R. 846(E)(13 November 2025) |
| Prescribe any other information related to personal data and its processing that a Data Principal may access | Section 11(1)(c) | Central Government | Notified | G.S.R. 846(E)(13 November 2025) |
| Prescribe the manner in which a Data Principal may make a request for erasure of her personal data | Section 12(3) | Central Government | Notified | G.S.R. 846(E)(13 November 2025) |
| Prescribe the manner in which a Data Principal may nominate another individual to exercise her rights in the event of death or incapacity | Section 14(1) | Central Government | Notified | G.S.R. 846(E)(13 November 2025) |
| Prescribe the form, manner and fee for filing an appeal to the Appellate Tribunal | Section 29(2) | Central Government | Notified | G.S.R. 846(E)(13 November 2025) |
| Prescribe the procedure for dealing with appeals before the Appellate Tribunal | Section 29(8) | Central Government | Notified | G.S.R. 846(E)(13 November 2025) |
Prescribe the manner in which a Data Principal may make a request to access information about her personal data
NotifiedPrescribe any other information related to personal data and its processing that a Data Principal may access
NotifiedPrescribe the manner in which a Data Principal may make a request for erasure of her personal data
NotifiedPrescribe the manner in which a Data Principal may nominate another individual to exercise her rights in the event of death or incapacity
NotifiedPrescribe the form, manner and fee for filing an appeal to the Appellate Tribunal
NotifiedPrescribe the procedure for dealing with appeals before the Appellate Tribunal
NotifiedMethodology
This tracker covers all delegated obligations from the Digital Personal Data Protection Act, 2023 and the DPDP Rules, 2025 that require separate government notification or action before they take effect. It is updated each time a new Gazette notification is published. For the full text of the legislation and notifications referenced here, see our official texts section.
Newsletter Subscription
Research Updates & Insights
Receive scholarly publications, legal analysis, and research updates on data protection law and digital governance.
Academic communications only. Unsubscribe at any time.