Rule 2: Definitions
Statutory Text — Rule 2: Definitions.
- Definitions.—Unless the context otherwise requires, all expressions shall have the meaning assigned to them in the Digital Personal Data Protection Act, 2023 (22 of 2023) (hereinafter referred to as “Act”).
This rule establishes that all key terms and expressions used in the Digital Personal Data Protection Rules, 2025 carry the same meanings as defined under the Digital Personal Data Protection Act, 2023.
It ensures uniform interpretation between the Act and the Rules, preventing inconsistencies in how words like Data Fiduciary, Data Principal, Consent Manager, and Data Protection Board are understood and applied.
In simple terms, this rule acts as a reference point — it tells us that whenever these Rules mention any defined term, we must look to the Act of 2023 for its official meaning.
This alignment is crucial for implementation, compliance, and enforcement since both the Act and the Rules together form the complete data-protection framework.
Key Definitions and Their Meaning
| Term / Role | Definition (as per the Act) | Explanation and Practical Understanding |
|---|---|---|
| Data Principal | The individual to whom the personal data relates. | This refers to any person whose data is collected, processed, or stored. For example, a customer opening a bank account, a patient visiting a hospital, or a user signing up for a social media platform. The rights under the Act—such as access, correction, and withdrawal of consent—belong to the Data Principal. |
| Data Fiduciary | Any person, company, or government body that determines the purpose and means of processing personal data. | The Data Fiduciary is the main entity responsible for how data is used. For example, a bank, hospital, or e-commerce platform acts as the Data Fiduciary for its customers’ data. It must ensure compliance, security, and transparency. |
| Data Processor | Any person or organisation that processes personal data on behalf of a Data Fiduciary. | Processors handle data as per the instructions of the Data Fiduciary. For example, a cloud service provider, payment gateway, or outsourced analytics firm processing customer data falls under this role. The processor has limited responsibilities but must maintain safeguards and confidentiality. |
| Consent Manager | An entity registered with the Data Protection Board that enables Data Principals to manage, grant, withdraw, or review their consent easily and securely. | Consent Managers serve as intermediaries to make consent management user-friendly. For example, a fintech aggregator or digital consent dashboard allowing users to manage all data permissions from one place. |
| Data Protection Board of India (DPBI) | The independent body established under the Act to monitor compliance, inquire into breaches, and impose penalties. | The Board functions as the enforcement authority—similar to regulators in other sectors. It can investigate data breaches, summon information, and direct corrective measures or fines. |
| Personal Data | Any data about an individual who is identifiable by or in relation to such data. | This includes any information that can identify a person—directly or indirectly—such as name, Aadhaar number, phone number, email, financial records, or biometric data. For example, even a customer ID linked to a mobile number qualifies as personal data. |
| Processing | Any operation performed on personal data such as collection, storage, use, sharing, or deletion. | It covers all actions taken on data throughout its lifecycle. For example, collecting KYC details, storing them in a CRM, or deleting inactive user accounts all count as processing. |
| Significant Data Fiduciary (SDF) | A Data Fiduciary classified as “significant” by the Central Government based on factors like data volume, sensitivity, or risk to individuals. | Large organisations or those processing sensitive or large-scale data—such as banks, social media platforms, or healthcare providers—may be designated as SDFs. They have extra obligations such as Data Protection Impact Assessments and audits. |
| Breach of Personal Data | Any unauthorised access, disclosure, alteration, or loss of personal data that compromises its confidentiality, integrity, or availability. | This includes accidental data leaks, hacking incidents, insider misuse, or improper disposal of data. For instance, a leaked customer database or stolen backup drive qualifies as a breach. |
| Child | An individual who has not completed 18 years of age. | Any online service collecting data from users under 18 must obtain verifiable parental consent and provide safeguards against profiling or targeted advertising. |
| Person with Disability and Lawful Guardian | A person with disability whose personal data may be managed through a lawful guardian as defined under applicable laws. | Organisations handling data of individuals with disabilities must ensure that consent and rights are exercised through their authorised guardian in a verifiable and secure manner. |
| Data Principal’s Rights | Rights granted to individuals such as access, correction, erasure, grievance redressal, and consent withdrawal. | These empower individuals to control their personal data. For example, a user can request deletion of old data or correct incorrect records in an online profile. |
| Obligations of Data Fiduciary | Duties imposed on data fiduciaries such as implementing security safeguards, minimising data collection, and ensuring accuracy. | Every Data Fiduciary must protect personal data, use it only for stated purposes, and comply with all rules and notifications issued by the government. |
Rule 2 ensures that both the Act and the Rules speak the same language. It avoids duplication and legal ambiguity.
For compliance teams, this means every time a term appears in these Rules—such as Data Fiduciary, Processor, or Consent Manager—its meaning must be interpreted exactly as it is defined in the Digital Personal Data Protection Act, 2023.
In practice, this rule acts as the foundation for consistent implementation. Whether in banking, healthcare, Web3, or manufacturing, it ensures that every stakeholder uses a shared understanding of the key roles and responsibilities, reducing confusion and improving regulatory clarity.