Module 03 — DPDP Rules 2026 — operational details

DPDP Act 2023 + Rules 2026 Crash Course Module 03

Goal: Master the practical implementation rules.

Notice format (Rule 3)

Privacy notice must:

  1. Be in English + at least one scheduled language preferred by the data principal
  2. State purpose in clear, plain language
  3. List categories of personal data processed
  4. State rights + how to exercise
  5. Include link to Fiduciary's contact + grievance officer
  6. Include withdrawal mechanism

Format: maximum 1 page; readable on a phone.

Each consent must be logged with:

  1. Identity of data principal
  2. Date + time + IP / device fingerprint
  3. Purpose for which consent was given
  4. Verbatim notice text, version-stamped

Retention: until consent is withdrawn + 2 years for compliance audit.
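
One way to model the consent log and its retention rule, as an added example that is not part of the course material. The field names, the SHA-256 digest used to pin the notice wording, and the reading of the retention line as "purge two years after withdrawal" are assumptions.

```python
import hashlib
from dataclasses import dataclass, field
from datetime import datetime
from typing import List, Optional

RETENTION_YEARS = 2  # "until consent is withdrawn + 2 years", per the module


def _digest(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


@dataclass
class ConsentRecord:
    # Field names are assumptions; the four logged items come from the list above.
    principal_id: str        # 1. identity of data principal
    consented_at: datetime   # 2. date + time (timezone-aware)
    ip: str                  # 2. IP
    device_fingerprint: str  # 2. device fingerprint
    purpose: str             # 3. purpose for which consent was given
    notice_version: str      # 4. version stamp
    notice_text: str         # 4. verbatim notice text
    withdrawn_at: Optional[datetime] = None
    notice_sha256: str = field(init=False, default="")

    def __post_init__(self) -> None:
        if self.consented_at.tzinfo is None:
            raise ValueError("consented_at must be timezone-aware")
        # Pin the exact wording shown to the data principal (assumed mechanism).
        self.notice_sha256 = _digest(self.notice_text)

    def notice_intact(self) -> bool:
        """False if the stored notice text no longer matches its digest."""
        return _digest(self.notice_text) == self.notice_sha256

    def purge_after(self) -> Optional[datetime]:
        """Earliest deletion time; None while consent is still active."""
        if self.withdrawn_at is None:
            return None
        w = self.withdrawn_at
        try:
            return w.replace(year=w.year + RETENTION_YEARS)
        except ValueError:
            # Withdrawn on 29 Feb: roll forward so retention is never cut short.
            return w.replace(year=w.year + RETENTION_YEARS, month=3, day=1)


def purgeable(records: List[ConsentRecord], now: datetime) -> List[ConsentRecord]:
    """Records whose post-withdrawal retention window has fully elapsed."""
    return [r for r in records if r.purge_after() is not None and now >= r.purge_after()]
```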

Breach notification (Rule 7)

Personal data breach → notify within 72 hours:

  1. To DPB: incident details, scope, mitigation
  2. To affected data principals: nature of breach, expected harm, mitigation steps
  3. Even if low-risk, log internally

Failure to notify = penalty up to ₹250 crore (per §33 Schedule).

Verifiable parental consent methods:

  1. Aadhaar-linked OTP to parent
  2. DigiLocker-issued parent ID
  3. Video-call verification + signed consent form

No single method mandated; Fiduciary picks 'reasonable' method.

Cross-border restricted list (Rule 12)

Central Government can notify restricted countries. Until notified — all destinations open.

For a Fiduciary: monitor MeitY notifications; tag data flows by destination country in your data inventory; have a contingency plan for re-routing if a destination is restricted.

Last reviewed: 24 April 2026.