Skip to main content

Rule 11: Exemptions From Certain Obligations Applicable to Processing of Personal Data of Child

Statutory Text — Rule 11:Exemptions from certain obligations applicable to processing of personal data of child. (click to expand)

(1) The provisions of sub-sections (1) and (3) of section 9 of the Act shall not be applicable to processing of personal data of a child by such class of Data Fiduciaries as are specified in Part A of Fourth Schedule, subject to such conditions as are specified in the said Part.

(2) The provisions of sub-sections (1) and (3) of section 9 of the Act shall not be applicable to processing of personal data of a child for such purposes as are specified in Part B of Fourth Schedule, subject to such conditions as are specified in the said Part.

Rule 11 introduces narrowly defined exemptions that relax the otherwise strict obligations placed on Data Fiduciaries processing children’s personal data under Section 9(1) and Section 9(3) of the Digital Personal Data Protection Act, 2023.

These subsections generally require prior verifiable parental consent and prohibit tracking, behavioural profiling, and targeted advertising directed at children. However, where the processing clearly benefits the child and the risk to privacy is minimal, the Rules provide conditional flexibility through the Fourth Schedule.

1. Exemption Based on Class of Data Fiduciary (Part A – Fourth Schedule)

Certain classes of Data Fiduciaries—typically those operating in education, healthcare, or child-safety-related services—may be exempted from obtaining fresh verifiable parental consent every time they process a child’s data.
This applies only when:

  • The processing is integral to a service legitimately used by or for the child,
  • The purpose is educational, medical, or welfare-related, and
  • Strong safeguards such as access control, encryption, and limited data retention are maintained.

These Fiduciaries remain bound by principles of fairness and security; they simply benefit from procedural ease where obtaining repeated consent could interrupt essential services.

Example – Educational Institution

A digital-learning platform used by schools stores students’ attendance and performance data under an institutional contract.

Because the platform qualifies as an educational Data Fiduciary under Part A of the Fourth Schedule, it may process such information without obtaining new parental consent for every login, provided it uses the data solely for teaching, grading, or curriculum delivery.

2. Exemption Based on Purpose of Processing (Part B – Fourth Schedule)

Processing may also be exempted when the purpose itself justifies limited relaxation—such as child-healthcare, preventive safety, or judicial proceedings. Here, the exemption is purpose-driven rather than organisation-driven.

Even so, the Fiduciary must apply:

  • Data-minimisation (collect only what is necessary),
  • Strict retention limits, and
  • No secondary use beyond the stated purpose.
Example – Healthcare Scenario

A paediatric hospital processes vaccination records and allergy data of minors. Because the processing is for medical treatment and health protection, it falls within the purpose-based exemption in Part B of the Fourth Schedule. The hospital can process and share data with authorised labs without separate parental consent, but must maintain medical confidentiality and secure access logs.

3. Boundaries of the Exemption

These exemptions do not create a free pass for unrestricted processing. They operate subject to explicit conditions listed in the Fourth Schedule, which typically include:

  • Processing limited to the defined lawful context;
  • No commercial exploitation or behavioural advertising;
  • Compliance with reasonable security safeguards under Rule 6; and
  • Mandatory deletion once the service or purpose is fulfilled.

Any deviation—such as monetising child data or using it for analytics unrelated to welfare or education—would immediately revoke the exemption and expose the organisation to penalties.

4. Implementation Guidance

Data Fiduciaries intending to rely on these exemptions should:

  • Map their operations to the specific clause of the Fourth Schedule;
  • Maintain a documented “Exemption Register” recording the basis, scope, and safeguards applied;
  • Conduct a risk assessment confirming minimal impact on the child’s privacy; and
  • Publish a clear privacy notice stating reliance on the exemption and the lawful reason.

Tools such as OneTrust Data Mapping, Privado, or open-source DPIA templates can help automate this documentation process.

Demonstrating Responsible Exemption Use

Even when exemptions apply, organisations should maintain the same level of transparency and technical protection as if parental consent were required.

  • Rule 11 offers context-sensitive flexibility while preserving the spirit of child-data protection.
  • It acknowledges that some processing—such as schooling, healthcare, or social-welfare services—serves the child’s best interests and should not be obstructed by excessive procedural friction.
  • However, every exemption is conditional, monitored, and reversible if misused; transparency and accountability remain the cornerstone of compliance.