Section 40 of The Digital Personal Data Protection Act, 2023

Power to make rules.

   (1)  The Central Government may, by notification, and subject to the condition of previous publication, make rules not inconsistent with the provisions of this Act, to carry out the purposes of this Act.

   (2)  In particular and without prejudice to the generality of the foregoing power, such rules may provide for all or any of the following matters, namely:—

    (a)  the manner in which the notice given by the Data Fiduciary to a Data Principal shall inform her, under sub-section (1) of section 5;

    (b)  the manner in which the notice given by the Data Fiduciary to a Data Principal shall inform her, under sub-section (2) of section 5;

    (c)  the manner of accountability and the obligations of Consent Manager under sub-section (8) of section 6;

    (d)  the manner of registration of Consent Manager and the conditions relating thereto, under sub-section (9) of section 6;

    (e)  the subsidy, benefit, service, certificate, licence or permit for the provision or issuance of which, personal data may be processed under clause (b) of section 7;

    (f)  the form and manner of intimation of personal data breach to the Board under sub-section (6) of section 8;

    (g)  the time period for the specified purpose to be deemed as no longer being served, under sub-section (8) of section 8;

    (h)  the manner of publishing the business contact information of a Data Protection Officer under sub-section (9) of section 8;

    (i)  the manner of obtaining verifiable consent under sub-section (1) of section 9;

    (j)  the classes of Data Fiduciaries, the purposes of processing of personal data of a child and the conditions relating thereto, under sub-section (4) of section 9;

    (k)  the other matters comprising the process of Data Protection Impact Assessment under sub-clause (i) of clause (c) of sub-section (2) of section 10;

    (l)  the other measures that the Significant Data Fiduciary shall undertake under sub-clause (iii) of clause (c) of sub-section (2) of section 10;

    (m)  the manner in which a Data Principal shall make a request to the Data Fiduciary to obtain information and any other information related to the personal data of such Data Principal and its processing, under sub-section (1) of section 11;

    (n)  the manner in which a Data Principal shall make a request to the Data Fiduciary for erasure of her personal data under sub-section (3) of section 12;

    (o)  the period within which the Data Fiduciary shall respond to any grievances under sub-section (2) of section 13;

    (p)  the manner of nomination of any other individual by the Data Principal under sub-section (1) of section 14;

    (q)  the standards for processing the personal data for exemption under clause (b) of sub-section (2) of section 17;

    (r)  the manner of appointment of the Chairperson and other Members of the Board under sub-section (2) of section 19;

    (s)  the salary, allowances and other terms and conditions of services of the Chairperson and other Members of the Board under sub-section (1) of section 20;

    (t)  the manner of authentication of orders, directions and instruments under sub-section (1) of section 23;

    (u)  the terms and conditions of appointment and service of officers and employees of the Board under section 24;

    (v)  the techno-legal measures to be adopted by the Board under sub-section (1) of section 28;

    (w)  the other matters under clause (d) of sub-section (7) of section 28;

    (x)  the form, manner and fee for filing an appeal under sub-section (2) of section 29;

    (y)  the procedure for dealing an appeal under sub-section (8) of section 29;

    (z)  any other matter which is to be or may be prescribed or in respect of which provision is to be, or may be, made by rules.