January 17, 2025

Analysis of Draft Digital Personal Data Protection Rules, 2025

By Manvee, Garima Bairagi and Pragati Chaurasiya

On 3rd January 2025, MeitY released the much-awaited Draft Digital Personal Data Protection (DPDP) Rules, 2025, marking a significant step in India’s data privacy framework, emphasizing accountability, user rights, and data security. These rules outline mechanisms for obtaining consent, handling data breaches, and ensuring cross-border data transfers comply with global standards. They aim to balance innovation and privacy by defining obligations for data fiduciaries and processors, such as data minimization, transparency, and grievance redressal mechanisms. The rules also strengthen individuals’ rights, including access, correction, and erasure of data. We have critically analyzed the rules provision by provision, examining the impact on business and stakeholders.

Rule 1: Short Title and Commencement

Analysis: It will be called the Digital Personal Data Protection Rules, 2025. The rules about data fiduciaries and consent managers will become effective on a specified date prescribed by the government, whereas the rules pertaining to the establishment of the Data Protection Board and the Appellate Tribunal will come into effect immediately after the commencement of the act.

Our Viewpoint: Since the MSMEs, the Big Techs of the industry and startups need time for the transition, this step points in the right direction for them to comply with the DPDPA. As per the industry consultation, the timeline that would be provided for the transition will be around 18-24 months. The government’s stance on establishing the Data Protection Board just after the commencement of the DPDP Rules will help in laying down the base or the groundwork for enforcement.
It will also help in dealing with the operational aspects of compliance for the businesses.

Rule 2: Definitions

Analysis: All the expressions in the rules will have the same meaning as assigned to them under the DPDP Act, 2023.

Our Viewpoint: N/A

Rule 3: Notice

Analysis: The notice by the Data Fiduciary to the Data Principal shall:
- Be clear and understandable on its own, without requiring any other document.
- Be in clear and plain language, and enumerate the description of the personal data being collected and the purpose for collecting such data, along with the description of the goods and services for which the data will be used.
- Provide a link for accessing the website or app or both of the Data Fiduciary and a description of such other means by which the Data Principal may:
  - Withdraw her consent with the ease by which the consent was given
  - Exercise her rights given under the DPDP Act, and
  - Make a complaint to the Board

Our Viewpoint: The rules provide clarity on how notices need to be served to the data principals. They clarify that the notice has to be comprehensive and any other additional information shall be dealt with independently. The term ‘presented’ in rule 3(a) may further be interpreted to mean that data fiduciaries may use infographics or any sort of visual representation to improve the accessibility of taking consent from principals. It will make the role of fiduciaries easy that they would be able to comprehend what all data they are consenting to and for what purposes. Since the rules don’t provide any specific templates for serving notice, compliance becomes easy and flexible for the fiduciaries. However, no further information or guidance has been provided for the data fiduciaries on how to collect personal data for non-digital entities in the offline ecosystem; we think that, depending on the mode of collection of the personal data, several sector-specific practices will further evolve.
Considering that the Data Principal’s informed consent would be recorded and channelized via an itemized notice, data fiduciaries must display the notice on the preliminary UI-UX itself where they are collecting the consent. In fact, fiduciaries may consider making a dedicated section for privacy on their applications or website, something like a ‘Privacy Hub’, where the users can easily exercise their rights like modification, erasure, withdrawing consent, raising grievances and so on. Fiduciaries can provide a link to the privacy hub in their itemized notices as an inclusion.

Rule 4: Registration and Obligation of Consent Manager r/w Schedule I

Analysis: A person may apply to the Board to be registered as a consent manager upon fulfilling the conditions set out in Part A of the First Schedule, by furnishing such documents as prescribed by the Board on its website. Upon receiving the application, the Board may make inquiry to satisfy itself of the fulfillment of conditions under the First Schedule and, if it:
- Is satisfied, register the applicant, intimate him, and also publish his particulars on its website.
- Is not satisfied, reject the application while stating the reason for rejection.

The obligations of the consent manager are defined under Part B of the First Schedule. If the consent manager does not adhere to the conditions and obligations under this rule, the Board may, after hearing him, direct him to ensure adherence to the rules. If the Board is satisfied that it is in the interest of the Data Principal, it may, after giving the consent manager the opportunity of being heard and recording the reasons in writing, by order:
- Suspend or cancel his registration
- Give such directions as it may deem fit to protect the interest of the Data Principal.

The consent manager may be required to furnish such information to the Board as the Board may call for.

Our Viewpoint: Under the Rules, the Consent Manager can be seen playing a major role in protecting the interests of the Data Principals in the digital ecosystem.
In fact, it will play a crucial role in protecting the data of minors wherever it is involved, considering that the consent mechanism in such cases is complicated. The Data Protection Board will have direct oversight of the consent managers as they will be monitoring the timely audits conducted by them. In fact, the consent managers can’t even change the company’s control without the permission of the Board. For that they need prior approval of the Data Protection Board. However, the precise scope and nature of the consent managers is still not clear and is pretty ambiguous. In fact, it is also not clear what incentive a consent manager will get to provide consent management services. The rules state that the Consent Manager is to onboard Data Fiduciaries, but how they will onboard the fiduciaries is not clear yet. What method or technology they will use is not clearly provided in the rules. Moreover, further clarity is needed on whether a single consent manager will oversee all the personal information in all the sectors, or whether a sector-specific consent management framework is needed for the consent managers.
If there are sector-specific consent managers, it would aid in complying with the DPDPA 2023 as well as the sector-specific requirements.

Rule 5: Exemptions from Data Protection – Processing by Government Instrumentalities for issuing subsidy/certificate/license/service r/w Schedule II

Analysis: The State or any of its instrumentalities may process the personal data of a Data Principal under section 7 sub-clause (b) of the Act to issue any subsidy, certificate, license, or permit that is given under law or policy or using public funds. The standards for processing under this rule are specified in the Second Schedule. In this rule and the Second Schedule, reference to any subsidy, benefit, service, certificate, licence, or permit being provided or issued:
(a) Under law means it’s given by the State or its agencies based on any law that’s currently in effect.
(b) Under policy means it’s provided according to a policy or instruction from the Central or State Government, using its executive powers.
(c) Using public funds means the subsidy, benefit, service, certificate, licence, or permit is funded by:
    (i) The Consolidated Fund or public account of India or the State;
    (ii) The funds of any local or other authority under the government’s control.

Our Viewpoint: The Rules allow the States and their instrumentalities to process personal data for broader purposes, but they lack specificity with respect to the scope and limitations of such processing. This creates a situation for the potential misuse of processing of the data. K.S. Puttaswamy vs Union of India states the principles of ‘proportionality’ and ‘necessity’, which are quite essential to safeguard the data protection regime, but the language used within this provision avoids the limitations emerging from the judgment. The term ‘instrumentalities’ that has been used in Section 7 of the DPDPA was expected to be defined and clarified in the rules; however, this remains unclear and ambiguous as the rules don’t provide any definition for it.

Rule 6: Reasonable Security Safeguards

Analysis: It is the duty of the data fiduciary to protect the personal data in its possession, including its processing by it or the Data Processor. The minimum security safeguards shall include:
- Personal data should be secured using methods like encryption, masking, or virtual tokens to keep it safe.
- Measures must be in place to limit who can access the computer systems that hold the data.
- Regular checks, logs, and monitoring should be done to spot any unauthorized access, investigate the issue, and prevent it from happening again.
- There should be systems to keep things running smoothly, even if data is lost or compromised, like regular backups.
- Keep logs and personal data for at least a year, so any unauthorized access can be tracked, investigated, and resolved, unless the law says otherwise.
- When a Data Fiduciary works with a Data Processor, the contract should make sure both parties are committed to keeping the data secure.
- Both technical and organizational steps must be taken to make sure security safeguards are followed properly.

The expression ‘computer resource’ here has the same meaning as assigned to it under the IT Act 2000.

Our Viewpoint: Some technical framework may be suggested by the government for encryption, masking and virtual tokens, and the government may also recommend some international standards for it. The government should also provide some directions on how log retention is to be done and how access control measures are to be taken. For retaining the logs and personal information for a 1-year time period, it is still not clear whether a request for erasure by a data principal will supersede the personal information retention post data breach. What are the types of logs that have to be maintained mandatorily? Now the Data Fiduciaries have to undertake the baseline and additional technical as well as operational measures proportionate to the volume and nature of the data being processed by them.
In fact, these measures have to be drafted in their data processing agreements as well. If the Fiduciaries want to comply with the law, they might have to undertake assessments of the vendors on a periodic basis; this will ensure that vendors and data processors are compliant with the requirements prescribed by the data fiduciary.

Rule 7: Intimation of personal data breach

Analysis: It is the duty of the Data Fiduciary, when it becomes aware of any personal data breach, to inform each affected Data Principal in a clear, concise and plain manner, either through her user account or any other mode of communication registered by her, stating:
- A description including the nature, extent, timing and location of the breach.
- The consequences of the breach relevant to her.
- The measures taken by the Data Fiduciary, if any, to mitigate risk.
- Safety measures that she can take to protect her interest.
- The contact information of a person who can respond to her queries on behalf of the Data Fiduciary.

Additionally, the Data Fiduciary shall inform the Board about the personal data breach:
- Without delay, a description including nature, extent, timing and location and the likely impact.
- The following information must be provided within 72 hours (or a longer period as allowed by the Board upon written request):
  - Provide updated and detailed information about the breach.
  - Share the key facts about what happened, including the circumstances and reasons behind the breach.
  - Outline any measures taken or proposed to reduce the risk.
  - Include findings about the person or entity responsible for the breach.
  - Describe the steps taken to prevent similar breaches in the future.
  - Provide a report on how affected individuals were notified.

A “user account” is simply the online account a Data Principal creates with the Data Fiduciary, which can include things like profiles, pages, email addresses, phone numbers, and other details used to access the services.

Our Viewpoint: This approach to breach reporting will impact the data fiduciaries by mandating a proactive approach to data security and data breach management. Now the Data Fiduciaries have to remain vigilant and super-responsive to potential data breaches and security threats. This is a win-win situation for the Data Principals as they will get complete transparency and assurance that their personal data is handled safely. The rules state that breaches must be notified without delay, but they don’t specify the threshold for the notification or a timeline range. This will lead to a sense of confusion among the data fiduciaries. The fiduciaries might have to report the breaches to CERT-In in addition to the Data Protection Board (“DPB”). If there are any sectoral regulations governing breach reporting, they might have to comply with those as well. Therefore, it’s essential for the government to streamline the breach notification timelines; this will bring uniformity by avoiding hurdles and business confusion. So, the pertinent question arises here: what solutions do the data fiduciaries have to comply with this? They may establish (i) an incident response plan, (ii) a data breach and management policy, (iii) a data breach investigation policy, and (iv) a sample breach notification template. These policies will help fiduciaries in keeping the outline of the information to be collected and provided within the prescribed timeline to all the affected individuals and the DPB.
It would also set out the information that would be required to be retained for the prescribed period.

Rule 8: Data Retention and Erasure Time Period

Analysis: A Data Fiduciary must erase personal data if the Data Principal has not interacted with them for the specified purpose or exercised their rights during the time period mentioned in the Third Schedule, unless retention is required by law. 48 hours before this data is erased, the Data Fiduciary must notify the Data Principal that the data will be erased unless they log in or contact the Fiduciary to continue the service or exercise their rights. “User account” refers to the online account registered by the Data Principal with the Data Fiduciary, including profiles, pages, email, phone number, or other identifiers used to access services.

Our Viewpoint: While this step is progressive in nature and is going in the right direction, there is not much clarity as to why it is only applicable to specific classes of data fiduciaries (in Schedule III) and not to others. So, post consultation, either the government should remove this class as a whole or should notify the other set of classes as well. In case there is no substantial change in this, most of the classes of fiduciaries may assume the retention period to be 3 years, and then they will have to tailor their practices accordingly.
However, in order to ensure compliance, the companies now have to review their contracts to place obligations on sub-contractors or outsourced agencies for the erasure of the data and also to oversee the audit rights.

Rule 9: Contact information of the person to answer the questions about processing

Analysis: Every Data Fiduciary shall publish on their website or app, and mention in response to communication with the Data Fiduciary regarding the exercise of their rights, the contact information of the Data Protection Officer, if applicable, or the person who is able to answer the questions about the processing on behalf of the Data Fiduciary.

Our Viewpoint: By publishing the contact information of the DPO, it becomes easy for the Data Principals to inquire about the processing of their personal data. This will ensure that there are clear communication channels for the Data Principals.

Rule 10: Verifiable consent regarding the processing of the personal data of a child or a person with disability having lawful guardian

Analysis: The Data Fiduciary shall adopt such technical and organizational measures to ensure that verifiable consent is obtained in cases of personal data of a child, and shall observe due diligence in identifying the parent as an adult in compliance with any law for the time being in force, by reference to:
- Reliable details of identity and age available with the Data Fiduciary.
- Identity and age details provided voluntarily, or a virtual token issued by an authorized entity, such as a government body or Digital Locker service provider.

A Data Fiduciary must verify that a person claiming to be the lawful guardian of an individual with a disability has been officially appointed by a court, designated authority, or local committee, as per the applicable guardianship laws.

Under this rule the expression:
- “Adult” means a person who is 18 years old or older.
- “Digital Locker service provider” is a company or government body that has been officially recognized by the Central Government to provide digital storage services,
as per the Information Technology Act, 2000.
- “Designated authority” refers to the organization assigned under the Rights of Persons with Disabilities Act, 2016, to help people with disabilities exercise their legal rights.
- “Law applicable to guardianship” includes:
  - For people with long-term physical, mental, or intellectual impairments who cannot make legal decisions on their own despite receiving help, the Rights of Persons with Disabilities Act, 2016 and its rules.
  - For individuals with conditions like autism, cerebral palsy, mental retardation, or severe disabilities, the National Trust for the Welfare of Persons with Disabilities Act, 1999 and its rules.
- “Local level committee” refers to the committee formed under the National Trust for the Welfare of Persons with Disabilities Act, 1999, to support people with disabilities at the local level.
- “Person with disability” means:
  - Someone with long-term impairments who faces barriers in fully participating in society and cannot make legal decisions, even with support.
  - Someone with autism, cerebral palsy, mental retardation, or severe multiple disabilities.

Our Viewpoint: The rules fail to address the specific verification methods. They state Digi Locker as the only verification method for the parents and guardians. Instead of simplifying the verification process of parents/guardians for giving consent, this is leading to further collection of unnecessary sensitive personal data. Moreover, the requirement for Digi Locker verification raises a major concern of centralization of the data. People who don’t want to pursue that verification method will now be forced to use Digi Locker to verify their identity. The rules fail to provide other verification methods, or even a hint at other methods like verification via phone call, video call or meet, debit card/credit card information verification, etc.
The age threshold of 18 years might further complicate the process of compliance, as it is mostly seen that teenagers near that age group do not often take consent or any parental supervision. How data fiduciaries are going to process the data of these children when they become adults by crossing the age of 18 needs to be addressed as well, and has not been mentioned in the rules. One of the major concerns is with respect to addressing digital literacy amongst the adults in India. Parents and guardians may not necessarily be equipped with the technological needs to give informed consent as a part of the verification process. The repeated requests to provide consent for every instance would lead to consent fatigue and thereby may lead to a loss in subscriber base for the data fiduciaries. What can be done is that data fiduciaries that have their business in sectors majorly targeting children, like gaming, education, online coaching, etc., should consider a tie-up with third-party verification service providers like Hyperverge etc. in order to obtain reliable details of the guardian or the parent of the child.

Rule 11: Exemptions from Certain Obligations for Processing Child’s Data r/w Fourth Schedule

Analysis: The provisions of section 9(1) and 9(3) of the Act do not apply to the processing of a child’s personal data by certain Data Fiduciaries listed in Part A of the Fourth Schedule, as long as they follow the conditions mentioned in that part. The provisions of section 9(1) and 9(3) also do not apply to processing a child’s personal data for specific purposes outlined in Part B of the Fourth Schedule, again subject to the conditions specified in that part.

Our Viewpoint: The exemptions provided in the rules are pretty narrow in nature as they only include (i) educational institutes (ii) child day care centers (iii) creches (iv) mental health establishments (v) health care professionals (vi) clinical establishments.
However, the government should consider expanding the exemptions to those entities that work towards the development of the cognitive abilities of children, as there are several dedicated businesses flourishing in this area these days.

Rule 12: Additional Obligations of Significant Data Fiduciary

Analysis:
- They shall conduct a Data Protection Impact Assessment and an audit once every 12 months to ensure that the Act’s provisions and rules are being followed. The person carrying out the audit and assessment shall furnish to the Board a report containing observations.
- They shall also verify that the software that is being used for hosting, uploading, modification, publishing, transmission, storage, updating, or sharing personal data does not impose any risk to the rights of the Data Principal.
- They shall ensure that the personal data specified by the central government on the basis of the committee’s recommendation is processed with the restriction of its flow not being transferred outside Indian Territory.

Our Viewpoint: It is presumed that the government will notify separately the classes of the significant data fiduciaries (SDF), as SDFs are the entities that will be determined on the volume and sensitivity of the data processed, risk to the data principals, etc. SDFs will likely include large social media companies, telecom operators, insurance service providers, big e-commerce entities, healthcare and pharma companies, etc. It might also include food delivery platforms, cab-service platforms, EduTech, and fintech giants. SDFs will be obligated to conduct annual Data Protection Impact Assessments as a part of oversight measures by the DPB. For this, SDFs have to appoint firms engaged in auditing for conducting the DPIA, and thereafter adequate information has to be submitted to the DPB within the specified timeframe. The rules require SDFs to localize the data; this raises concerns about cross-border data transfer, and it will lead to disruption in international trade and services.

Rule 13: Rights of Data Principal

Analysis: To enable the Data Principal to exercise their rights, the Data Fiduciary and consent manager (where applicable) shall publish on their website or app or both:
- Details of the means by which the Data Principal may make a request to exercise their rights.
- Particulars, like a username, to identify the Data Principal under the terms of service.

The Data Principal may make a request to the Data Fiduciary to whom consent to process the data was given, by using the means and furnishing the particulars, to access the information about the personal data and its erasure. The Data Fiduciary and the consent manager shall publish on their website or app or both the time period for the grievance redressal system in responding to grievances, and implement technical and organizational measures for effective grievance redressal. To exercise the right to nominate, the Data Principal may, as per the terms of service and applicable laws, nominate one or more persons using the means and furnishing the particulars published by the Data Fiduciary. Here, ‘identifier’ means any sequence of characters issued by the Data Fiduciary and includes a customer identification file number, customer acquisition form number, application reference number, enrolment ID or licence number that enables such identification.

Our Viewpoint: This will enhance the control of individuals over their data, letting them decide what they want to give and what they want to erase. This move will enhance the accountability and transparency in data processing activities. The rights increase the responsibilities of the data fiduciaries, as now they have to keep the data principals fully informed regarding all the stages of the processing of their personal data and not just at the time of collection of the personal information. As discussed above, creating a ‘Privacy Hub’ section on the application or the website of the data fiduciary would prove to be a major step in compliance.
The privacy hub has to be set out in a user-friendly manner so that principals can easily exercise their rights.

Rule 14: Processing of Personal data outside India

Analysis: The transfer of personal data by a Data Fiduciary to another country, whether within India or outside, especially when it involves offering goods or services to individuals in India, must follow certain rules. The Data Fiduciary is required to meet specific conditions set by the Central Government when sharing personal data with any foreign government, its agencies, or entities under its control.

Our Viewpoint: While the rules don’t impose a blanket ban on cross-border data transfer, they empower the government to impose restrictions where foreign law enforcement agencies, governments, or intelligence bodies are requesting access to personal data from India. If it’s found that a foreign agency’s data request poses a national threat in any terms, be it public order or individual privacy, then the government will restrict the access of that foreign entity to the data.

Rule 15: Act not applicable for research, archiving or statistical purpose

Analysis: The act will not apply to the processing of personal data necessary for research, archiving, or statistical purposes, or if it is carried out as per the Second Schedule.

Our Viewpoint: This rule exempts the use of personal data for research, archiving, and statistical purposes; however, it doesn’t specify what will qualify as legitimate research and which entities will be responsible for using this exemption. These entities need to be clarified. Moreover, it doesn’t require consent from the principals before the data is used for research purposes. In order to prevent misuse, it is necessary that government collection and processing of citizens’ data is regulated.

Rule 16: Appointment of Chairperson and other Members

Analysis: The Central Government will form a Search-cum-Selection Committee, led by the Cabinet Secretary, to recommend individuals for the position of Chairperson.
The committee will include the Secretaries of the Department of Legal Affairs and the Ministry of Electronics and Information Technology, along with two experts with relevant knowledge or experience. The Central Government will form a Search-cum-Selection Committee, chaired by the Secretary of the Ministry of Electronics and Information Technology, to recommend candidates for the position of Board Member (excluding the Chairperson). The committee will include the Secretary of the Department of Legal Affairs and two experts with relevant knowledge or experience. The Central Government, after confirming the suitability of persons recommended, will appoint them as Chairperson and members. No action or decision of the Search-cum-Selection Committee can be challenged solely due to a vacancy, absence, or any defect in its constitution.

Our Viewpoint: N/A

Rule 17: Salary, allowance and terms of service of Chairperson and members r/w Fifth Schedule

Analysis: These are specified under the Fifth Schedule.

Our Viewpoint: N/A

Rule 18: Procedure for meetings of Board and authentication of its orders, directions, and instruments

Analysis: The Chairperson will set the date, time, and location of Board meetings, approve the agenda, and issue notices. Meetings will be chaired by the Chairperson or, in her absence, by another Member chosen by those present. One-third of the Board’s membership constitutes a quorum. Decisions are made by a majority vote, with the Chairperson having a casting vote in case of a tie. A Member with a conflict of interest in a matter will not vote on it, and the decision will be made by the majority of the remaining Members. In emergencies, the Chairperson may take action on behalf of the Board, which must be communicated to Members and ratified at the next meeting. The Chairperson may refer items to Members by circulation for decisions, with a majority approval. The Chairperson or any authorized individual may authenticate the Board’s orders, directions, or instruments.
The Board’s inquiry must be completed within six months unless extended for up to three months, with reasons recorded.

Our Viewpoint: N/A

Rule 19: Functioning of Board as digital office

Analysis: The Board will function as a digital office, using technology to conduct its proceedings without needing people to be physically present, while still having the power to summon individuals and examine them under oath if necessary.

Our Viewpoint: N/A

Rule 20: Terms and conditions of appointment and service of officers and employees of Board

N/A

Rule 21: Appeal to Appellate Tribunal

N/A

Rule 22: Calling for information from Data Fiduciary or intermediary

Analysis: The Central Government can ask Data Fiduciaries or intermediaries for information for the purpose and from the person specified under the Seventh Schedule, and set a deadline. If disclosure risks India’s security or sovereignty, they need written permission to share it. Provision of information called for under this rule shall be by way of fulfillment of obligation under section 36 of the Act.

Our Viewpoint: Section 36 DPDPA read with rule 22 provides the central government, via a corresponding authorized person, the power to demand any kind of information or personal data from the data fiduciary or an intermediary under the purposes provided in Schedule 7 (sovereignty, integrity, obligation under law, etc.). The purposes provided are broad in nature, as they will allow the government to misuse the provision through interpretational ambiguity. This will also pose a risk of breaking the end-to-end encryption of several platforms. Most importantly, section 36 doesn’t specify the limit or kind of information that the union government may ask for in the future; hence it’s a potential threat without any checks and balances.

Schedules

FIRST SCHEDULE - PART A
Conditions of registration of consent manager

Certain conditions have been specified for the registration of consent managers, such as that it should be a company incorporated in India and have sufficient capacity to fulfill its obligations, including technical, operational and financial capacities. The general character and financial condition must be sound. The applicant must have a net worth of at least two crore rupees, a strong business outlook, and a trustworthy management team. Their operations should meet data protection standards, with clear policies in place for compliance. They must also provide a certified platform that lets users manage their consent according to these standards.

FIRST SCHEDULE - PART B
Obligations of Consent Manager

The Consent Manager enables data principals to give, manage, and withdraw consent for data processing, ensuring data is shared in a way that’s not readable by it. It must maintain a record of consents and sharing for at least seven years, provide access to data principals, and implement security measures to prevent breaches. The Consent Manager must act in a fiduciary capacity, avoid conflicts of interest, and ensure transparency by disclosing information about its management and shareholders. Additionally, it must have audit mechanisms and obtain Board approval for control transfers.

SECOND SCHEDULE
Standards for data processing by State and its instrumentalities

Data Fiduciaries must implement technical and organizational measures to ensure personal data is processed lawfully, for the specified purposes, and with only the necessary data. They must ensure data accuracy, retain it only as long as needed, and apply security safeguards to prevent breaches. If processing involves a Data Principal’s data, the Data Fiduciary must provide clear contact information, a way to access rights, and ensure compliance with relevant laws.
Lastly, the person responsible for data processing must be accountable for ensuring these standards are met. THIRD SCHEDULE Herein the Data Fiduciaries have been classified under different classes with the purpose for the data processing along with the time period for data erasure. The Data Fiduciary categories outlined are for e-commerce entities, online gaming intermediaries, and social media intermediaries with large user bases in India—at least two crore registered users for e-commerce and social media entities, and fifty lakh for online gaming. These entities must retain personal data for three years from the last interaction with the Data Principal for specific purposes, or from the commencement of the Digital Personal Data Protection Rules, 2025, whichever is later. However, data retention exemptions apply for enabling access to user accounts and virtual tokens that can be used for transactions like money, goods, or services. FOURTH SCHDEULE- PART A Classes of Data Fiduciaries in respect of whom provisions of sub-sections (1) and (3) of section 9 shall not apply Healthcare providers can only process data for children’s health services. Allied healthcare professionals are restricted to processing data for treatment support. Educational institutions can track students’ activities and ensure their safety. Childcare centers can monitor children’s safety, and transport services working with schools or daycare centers can track children’s locations for safety during travel. FOURTH SCHEDULE- PART B Purposes for which provisions of sub-sections (1) and (3) of section 9 shall not apply When performing legal duties or providing public services for a child, data can only be processed as necessary. For creating a user account for email, processing is limited to that function. Data can also be processed to block harmful content from children and to confirm whether a Data Principal is a child for due diligence, but only as needed. 
FIFTH SCHEDULE: Terms and conditions of service of Chairperson and other Members

Salary: Rs. 4.5 lakh per month for the Chairperson and Rs. 4 lakh per month for Members.
Provident Fund: Both the Chairperson and Members can contribute to the Board’s Provident Fund under the same terms as other employees.
Pension and gratuity: Neither the Chairperson nor the Members are entitled to these.
Travelling allowance: The Chairperson and Members receive travel allowances as per Central Government scales when relocating, returning to their hometown, or traveling within India. Foreign travel is allowed with specific guidelines.
Medical Assistance: They are covered under the Board’s health insurance scheme or can opt for medical benefits from their previous service, if applicable.
Leave: Leave is granted as per government rules, with the option of earned leave encashment. The Chairperson’s leave is approved by the Central Government, while Members’ leave is approved by the Chairperson.
Leave Travel Concession: The Chairperson and Members can claim Leave Travel Concession to their hometown or elsewhere in India once every two years.
Other Terms: They must avoid conflicts of interest, follow Central Civil Services conduct rules, and are not entitled to sitting fees or sumptuary allowances. Any unresolved service issues are referred to the Central Government.

SIXTH SCHEDULE: Terms and conditions of appointment and service of officers and employees of Board

The Board can hire officers and employees on deputation for up to five years from various government bodies. They are entitled to benefits like gratuity, travel allowances, medical assistance, and leave according to government rules. Leave travel concessions also apply. The Civil Service rules govern their conduct and disciplinary matters, and if any issues arise regarding their service terms, the Central Government will make the final decision.

SEVENTH SCHEDULE

The Central Government can ask for the information from the persons specified under the Seventh Schedule for the purpose mentioned therein. For national security or sovereignty, an officer designated by the Central Government is responsible for personal data use. For legal functions or obligations, the authorized person under relevant laws handles the data. For designating Significant Data Fiduciaries, an officer from the Ministry of Electronics and Information Technology is responsible.