The Ministry of Electronics and Information Technology (MeitY) on Thursday released the Digital Personal Data Protection (DPDP) Rules, 2025, aiming to regulate how personal data is handled.
Among other things, the rules state that Data Principals (users), who have given consent for processing their personal data, must be issued an “identifier” by Data Fiduciaries, including social media and e-commerce platforms.
For context, an identifier can be any sequence of characters issued by the Data Fiduciary to identify the Data Principal, including a customer identification file number, customer acquisition form number, application reference number, enrolment ID, email address, mobile number or licence number that enables such identification.
As per the DPDP Rules, 2025, all Data Fiduciaries and Consent Managers must also:
Publish Details: Companies need to provide clear-cut instructions on their website or app or both for Data Principals to make requests for exercising their rights. They must also publish particulars, such as username or other “identifier” of Data Principal that may aid in their identification.
Grievance Redressal: Every Data Fiduciary and Consent Manager must establish a grievance redressal mechanism and address concerns of Data Principals within 90 days.
Right To Access Information About Personal Data
Individuals are entitled to access information about their personal data to review what information Data Fiduciaries hold and share with third parties. Data Principals must also provide identification and necessary details to aid businesses in locating their data.
The DPDP Rules, 2025 state that:
- The Data Fiduciary must give a fair account of the details necessary for the Data Principal to give informed consent for processing their personal data. These instructions must at least include:
- An itemised description of such personal data; and
- the specified purpose or purposes of, and specific description of the goods or services to be provided
2. The Data Fiduciary must also notify the Data Principal immediately in case their personal data is compromised in the event of a breach. Affected users can be contacted through their user account or any other mode of communication registered by them with the Data Fiduciary. The intimation of personal data breach must include the following—
- a description of the breach, including its nature, extent and the timing of its occurrence;
- the relevant consequences that are likely to result from the breach;
- the measures implemented and being implemented by the Data Fiduciary to tackle the potential risks;
- steps that the Data Principal may take to ensure their safety; and
- business contact information of a person who can respond on behalf of the Data Fiduciary to queries of the Data Principal.
Right To Correction and Erasure
Data Principals have the right to request corrections to their personal data if it is inaccurate,…
Source link
Disclaimer
We strive to uphold the highest ethical standards in all of our reporting and coverage. We blogs.grocliq.com want to be transparent with our readers about any potential conflicts of interest that may arise in our work. It’s possible that some of the investors we feature may have connections to other businesses, including competitors or companies we write about. However, we want to assure our readers that this will not have any impact on the integrity or impartiality of our reporting. We are committed to delivering accurate, unbiased news and information to our audience, and we will continue to uphold our ethics and principles in all of our work. Thank you for your trust and support.
Website Upgradation is going on for any glitch kindly connect at [email protected]
