bmad-plus 0.7.5 → 0.9.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (281)
  1. package/CHANGELOG.md +479 -425
  2. package/LICENSE +21 -21
  3. package/README.md +557 -447
  4. package/osint-agent-package/README.md +88 -88
  5. package/osint-agent-package/SETUP_KEYS.md +108 -108
  6. package/osint-agent-package/agents/osint-investigator.md +80 -80
  7. package/osint-agent-package/install.ps1 +87 -87
  8. package/osint-agent-package/install.sh +76 -76
  9. package/osint-agent-package/skills/bmad-osint-investigate/SKILL.md +147 -147
  10. package/osint-agent-package/skills/bmad-osint-investigate/osint/SKILL.md +452 -452
  11. package/osint-agent-package/skills/bmad-osint-investigate/osint/assets/dossier-template.md +116 -116
  12. package/osint-agent-package/skills/bmad-osint-investigate/osint/references/content-extraction.md +100 -100
  13. package/osint-agent-package/skills/bmad-osint-investigate/osint/references/enrichment-databases-fr.md +148 -148
  14. package/osint-agent-package/skills/bmad-osint-investigate/osint/references/platforms.md +130 -130
  15. package/osint-agent-package/skills/bmad-osint-investigate/osint/references/psychoprofile.md +69 -69
  16. package/osint-agent-package/skills/bmad-osint-investigate/osint/references/tools.md +281 -281
  17. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/_http.py +101 -101
  18. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/apify.py +266 -260
  19. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/brightdata.py +101 -101
  20. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/diagnose.py +141 -141
  21. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/exa.py +79 -79
  22. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/jina.py +71 -71
  23. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/mcp-client.py +136 -136
  24. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/parallel.py +85 -85
  25. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/perplexity.py +102 -102
  26. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/tavily.py +72 -72
  27. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/volley.py +208 -208
  28. package/osint-agent-package/skills/bmad-osint-investigator/SKILL.md +15 -15
  29. package/package.json +62 -57
  30. package/readme-international/README.de.md +584 -426
  31. package/readme-international/README.es.md +601 -518
  32. package/readme-international/README.fr.md +599 -516
  33. package/src/bmad-plus/agents/agent-architect-dev/SKILL.md +96 -96
  34. package/src/bmad-plus/agents/agent-architect-dev/bmad-skill-manifest.yaml +13 -13
  35. package/src/bmad-plus/agents/agent-maker/SKILL.md +201 -201
  36. package/src/bmad-plus/agents/agent-maker/bmad-skill-manifest.yaml +13 -13
  37. package/src/bmad-plus/agents/agent-orchestrator/SKILL.md +137 -137
  38. package/src/bmad-plus/agents/agent-orchestrator/bmad-skill-manifest.yaml +13 -13
  39. package/src/bmad-plus/agents/agent-quality/SKILL.md +83 -83
  40. package/src/bmad-plus/agents/agent-quality/bmad-skill-manifest.yaml +13 -13
  41. package/src/bmad-plus/agents/agent-shadow/SKILL.md +71 -71
  42. package/src/bmad-plus/agents/agent-shadow/bmad-skill-manifest.yaml +13 -13
  43. package/src/bmad-plus/agents/agent-strategist/SKILL.md +80 -80
  44. package/src/bmad-plus/agents/agent-strategist/bmad-skill-manifest.yaml +13 -13
  45. package/src/bmad-plus/data/role-triggers.yaml +209 -209
  46. package/src/bmad-plus/module-help.csv +10 -10
  47. package/src/bmad-plus/module.yaml +283 -280
  48. package/src/bmad-plus/{agents → packs}/pack-animated/animated-website-agent.md +325 -325
  49. package/src/bmad-plus/{agents → packs}/pack-animated/templates/animated-website-workflow.md +55 -55
  50. package/src/bmad-plus/{agents → packs}/pack-backup/backup-agent.md +71 -71
  51. package/src/bmad-plus/{agents → packs}/pack-backup/templates/backup-workflow.md +51 -51
  52. package/src/bmad-plus/packs/pack-dev-studio/README.md +162 -162
  53. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/analyst-agent.md +73 -73
  54. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/document-project.md +61 -61
  55. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/domain-research.md +95 -95
  56. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/market-research.md +95 -95
  57. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/prfaq.md +134 -134
  58. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/product-brief.md +80 -80
  59. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/tech-writer-agent.md +73 -73
  60. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/technical-research.md +95 -95
  61. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/architect-agent.md +73 -73
  62. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/create-architecture.md +73 -73
  63. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/create-epics-stories.md +92 -92
  64. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/generate-project-context.md +80 -80
  65. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/implementation-readiness.md +90 -90
  66. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-01-init.md +153 -153
  67. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-01b-continue.md +173 -173
  68. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-02-context.md +224 -224
  69. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-03-starter.md +329 -329
  70. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-04-decisions.md +318 -318
  71. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-05-patterns.md +359 -359
  72. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-06-structure.md +379 -379
  73. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-07-validation.md +361 -361
  74. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-08-complete.md +81 -81
  75. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/checkpoint-preview.md +67 -67
  76. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/code-review-steps/step-01-gather-context.md +85 -85
  77. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/code-review-steps/step-02-review.md +35 -35
  78. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/code-review-steps/step-03-triage.md +49 -49
  79. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/code-review-steps/step-04-present.md +131 -131
  80. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/code-review.md +89 -89
  81. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/correct-course.md +300 -300
  82. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/create-story.md +428 -428
  83. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/dev-agent.md +73 -73
  84. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/dev-story-checklist.md +80 -80
  85. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/dev-story.md +484 -484
  86. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/investigate.md +193 -193
  87. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/qa-e2e-tests.md +175 -175
  88. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/quick-dev.md +110 -110
  89. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/retrospective.md +1511 -1511
  90. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/sprint-planning.md +298 -298
  91. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/sprint-status.md +296 -296
  92. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/create-prd.md +29 -29
  93. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/create-ux-design.md +74 -74
  94. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/edit-prd.md +29 -29
  95. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/pm-agent.md +73 -73
  96. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/prd.md +89 -89
  97. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/ux-designer-agent.md +73 -73
  98. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/validate-prd.md +29 -29
  99. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/advanced-elicitation.md +141 -141
  100. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/adversarial-review.md +37 -37
  101. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/bmad-help.md +75 -75
  102. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/brainstorming.md +6 -6
  103. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/customize.md +110 -110
  104. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/distillator.md +176 -176
  105. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/edge-case-hunter.md +67 -67
  106. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/editorial-review-prose.md +86 -86
  107. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/editorial-review-structure.md +179 -179
  108. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/index-docs.md +66 -66
  109. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/party-mode.md +127 -127
  110. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/shard-doc.md +105 -105
  111. package/src/bmad-plus/packs/pack-dev-studio/dev-studio-orchestrator.md +120 -120
  112. package/src/bmad-plus/packs/pack-dev-studio/shared/architecture-decision-template.md +12 -12
  113. package/src/bmad-plus/packs/pack-dev-studio/shared/bwml-spec.md +328 -328
  114. package/src/bmad-plus/packs/pack-dev-studio/shared/module-help.csv +32 -32
  115. package/src/bmad-plus/packs/pack-dev-studio/upstream-sync.yaml +81 -81
  116. package/src/bmad-plus/packs/pack-memory/README.md +106 -106
  117. package/src/bmad-plus/packs/pack-memory/memory-orchestrator.md +79 -79
  118. package/src/bmad-plus/packs/pack-memory/shared/karpathy-guardrails.md +86 -86
  119. package/src/bmad-plus/packs/pack-memory/shared/memory-protocol.md +143 -143
  120. package/src/bmad-plus/packs/pack-memory/templates/context.md +39 -39
  121. package/src/bmad-plus/packs/pack-memory/templates/decisions.md +25 -25
  122. package/src/bmad-plus/packs/pack-memory/templates/identity.yaml +39 -39
  123. package/src/bmad-plus/packs/pack-memory/templates/lessons.md +31 -31
  124. package/src/bmad-plus/packs/pack-memory/templates/patterns.md +24 -24
  125. package/src/bmad-plus/packs/pack-memory/templates/session-handoff.md +25 -25
  126. package/src/bmad-plus/packs/pack-memory/zecher-agent.md +157 -157
  127. package/src/bmad-plus/{agents → packs}/pack-seo/SKILL.md +171 -171
  128. package/src/bmad-plus/packs/pack-seo/bmad-skill-manifest.yaml +13 -0
  129. package/src/bmad-plus/{agents → packs}/pack-seo/checklist.md +140 -140
  130. package/src/bmad-plus/{agents → packs}/pack-seo/pagespeed-playbook.md +320 -320
  131. package/src/bmad-plus/{agents → packs}/pack-seo/ref/audit-schema.json +187 -187
  132. package/src/bmad-plus/{agents → packs}/pack-seo/ref/cwv-thresholds.md +87 -87
  133. package/src/bmad-plus/{agents → packs}/pack-seo/ref/eeat-criteria.md +123 -123
  134. package/src/bmad-plus/{agents → packs}/pack-seo/ref/geo-signals.md +167 -167
  135. package/src/bmad-plus/{agents → packs}/pack-seo/ref/hreflang-rules.md +153 -153
  136. package/src/bmad-plus/{agents → packs}/pack-seo/ref/quality-gates.md +133 -133
  137. package/src/bmad-plus/{agents → packs}/pack-seo/ref/schema-catalog.md +91 -91
  138. package/src/bmad-plus/{agents → packs}/pack-seo/ref/schema-templates.json +356 -356
  139. package/src/bmad-plus/{agents → packs}/pack-seo/seo-chief.md +294 -294
  140. package/src/bmad-plus/{agents → packs}/pack-seo/seo-judge.md +241 -241
  141. package/src/bmad-plus/{agents → packs}/pack-seo/seo-scout.md +171 -171
  142. package/src/bmad-plus/{agents → packs}/pack-seo/templates/seo-audit-workflow.md +241 -241
  143. package/src/bmad-plus/packs/pack-shield/README.md +110 -110
  144. package/src/bmad-plus/packs/pack-shield/SKILL.md +82 -0
  145. package/src/bmad-plus/packs/pack-shield/categories/accessibility-esg/csrd-agent.md +262 -262
  146. package/src/bmad-plus/packs/pack-shield/categories/accessibility-esg/section508-agent.md +179 -179
  147. package/src/bmad-plus/packs/pack-shield/categories/accessibility-esg/wcag-agent.md +201 -201
  148. package/src/bmad-plus/packs/pack-shield/categories/ai-governance/eu-ai-act-agent.md +97 -97
  149. package/src/bmad-plus/packs/pack-shield/categories/ai-governance/iso42001-agent.md +251 -251
  150. package/src/bmad-plus/packs/pack-shield/categories/ai-governance/nist-ai-rmf-agent.md +133 -133
  151. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/cis-controls-agent.md +221 -221
  152. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/ism-agent.md +150 -150
  153. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/iso27001-agent.md +167 -167
  154. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/nis2-agent.md +83 -83
  155. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/nist-800-53-agent.md +250 -250
  156. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/nist-csf-agent.md +218 -218
  157. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/ccpa-agent.md +94 -94
  158. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/dpdpa-agent.md +136 -136
  159. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/gdpr-agent.md +296 -296
  160. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/iso27701-agent.md +134 -134
  161. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/lgpd-agent.md +129 -129
  162. package/src/bmad-plus/packs/pack-shield/categories/defense-export/cmmc-agent.md +127 -127
  163. package/src/bmad-plus/packs/pack-shield/categories/defense-export/ear-agent.md +272 -272
  164. package/src/bmad-plus/packs/pack-shield/categories/defense-export/itar-agent.md +202 -202
  165. package/src/bmad-plus/packs/pack-shield/categories/defense-export/tsa-agent.md +367 -367
  166. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/dora-agent.md +510 -510
  167. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/fedramp-agent.md +247 -247
  168. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/hipaa-agent.md +173 -173
  169. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/pci-dss-agent.md +239 -239
  170. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/soc2-agent.md +266 -266
  171. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/swift-csp-agent.md +164 -164
  172. package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-classifier.md +131 -131
  173. package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-fria.md +155 -155
  174. package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-incidents.md +187 -187
  175. package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-roles.md +113 -113
  176. package/src/bmad-plus/packs/pack-shield/categories/workflows/breach-sentinel.md +197 -197
  177. package/src/bmad-plus/packs/pack-shield/categories/workflows/cookie-policy-gen.md +180 -180
  178. package/src/bmad-plus/packs/pack-shield/categories/workflows/dpia-sentinel.md +235 -235
  179. package/src/bmad-plus/packs/pack-shield/categories/workflows/legitimate-interest.md +159 -159
  180. package/src/bmad-plus/packs/pack-shield/categories/workflows/privacy-advisor.md +133 -133
  181. package/src/bmad-plus/packs/pack-shield/categories/workflows/privacy-notice-gen.md +160 -160
  182. package/src/bmad-plus/packs/pack-shield/categories/workflows/privacy-policy-gen.md +135 -135
  183. package/src/bmad-plus/packs/pack-shield/references/ccpa/ccpa-gdpr-comparison.md +117 -117
  184. package/src/bmad-plus/packs/pack-shield/references/ccpa/consumer-rights-workflows.md +177 -177
  185. package/src/bmad-plus/packs/pack-shield/references/cis-controls/framework-mappings.md +162 -162
  186. package/src/bmad-plus/packs/pack-shield/references/cis-controls/implementation-guidance.md +235 -235
  187. package/src/bmad-plus/packs/pack-shield/references/cis-controls/safeguards-detail.md +252 -252
  188. package/src/bmad-plus/packs/pack-shield/references/cmmc/cmmc-assessment.md +170 -170
  189. package/src/bmad-plus/packs/pack-shield/references/cmmc/cmmc-levels.md +113 -113
  190. package/src/bmad-plus/packs/pack-shield/references/cmmc/cmmc-practices.md +211 -211
  191. package/src/bmad-plus/packs/pack-shield/references/csrd/compliance-program.md +281 -281
  192. package/src/bmad-plus/packs/pack-shield/references/csrd/double-materiality.md +253 -253
  193. package/src/bmad-plus/packs/pack-shield/references/csrd/esrs-standards.md +401 -401
  194. package/src/bmad-plus/packs/pack-shield/references/dora/article-reference.md +441 -441
  195. package/src/bmad-plus/packs/pack-shield/references/dora/incident-classification.md +297 -297
  196. package/src/bmad-plus/packs/pack-shield/references/dora/rts-its-guide.md +306 -306
  197. package/src/bmad-plus/packs/pack-shield/references/dora/third-party-risk.md +349 -349
  198. package/src/bmad-plus/packs/pack-shield/references/dpdpa/gdpr-comparison.md +173 -173
  199. package/src/bmad-plus/packs/pack-shield/references/dpdpa/rights-and-obligations.md +426 -426
  200. package/src/bmad-plus/packs/pack-shield/references/dpdpa/rules-2025.md +599 -599
  201. package/src/bmad-plus/packs/pack-shield/references/dpdpa/sections-reference.md +319 -319
  202. package/src/bmad-plus/packs/pack-shield/references/ear/ccl-eccn-guide.md +250 -250
  203. package/src/bmad-plus/packs/pack-shield/references/ear/compliance-program.md +280 -280
  204. package/src/bmad-plus/packs/pack-shield/references/ear/license-exceptions.md +207 -207
  205. package/src/bmad-plus/packs/pack-shield/references/eu-ai-act/gpai-governance.md +267 -267
  206. package/src/bmad-plus/packs/pack-shield/references/eu-ai-act/obligations-high-risk.md +287 -287
  207. package/src/bmad-plus/packs/pack-shield/references/eu-ai-act/risk-classification.md +182 -182
  208. package/src/bmad-plus/packs/pack-shield/references/fedramp/appendices-guide.md +209 -209
  209. package/src/bmad-plus/packs/pack-shield/references/fedramp/control-families.md +281 -281
  210. package/src/bmad-plus/packs/pack-shield/references/fedramp/poam-guide.md +93 -93
  211. package/src/bmad-plus/packs/pack-shield/references/fedramp/readiness-checklist.md +134 -134
  212. package/src/bmad-plus/packs/pack-shield/references/fedramp/sap-sar-guide.md +86 -86
  213. package/src/bmad-plus/packs/pack-shield/references/fedramp/ssp-guide.md +129 -129
  214. package/src/bmad-plus/packs/pack-shield/references/gdpr-compliance/documents.md +192 -192
  215. package/src/bmad-plus/packs/pack-shield/references/gdpr-compliance/dpa-template.md +121 -121
  216. package/src/bmad-plus/packs/pack-shield/references/gdpr-compliance/privacy-notice.md +87 -87
  217. package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/breach-notification.md +293 -293
  218. package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/privacy-rule.md +276 -276
  219. package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/security-rule.md +299 -299
  220. package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/templates.md +568 -568
  221. package/src/bmad-plus/packs/pack-shield/references/ism/control-applicability.md +181 -181
  222. package/src/bmad-plus/packs/pack-shield/references/ism/guidelines-overview.md +183 -183
  223. package/src/bmad-plus/packs/pack-shield/references/iso27001/annex-a-2013.md +203 -203
  224. package/src/bmad-plus/packs/pack-shield/references/iso27001/annex-a-2022.md +132 -132
  225. package/src/bmad-plus/packs/pack-shield/references/iso27001/control-mapping.md +153 -153
  226. package/src/bmad-plus/packs/pack-shield/references/iso27701/annex-a-controls.md +195 -195
  227. package/src/bmad-plus/packs/pack-shield/references/iso27701/regulatory-mapping.md +229 -229
  228. package/src/bmad-plus/packs/pack-shield/references/iso27701/transition-guide.md +219 -219
  229. package/src/bmad-plus/packs/pack-shield/references/iso42001/iso42001-ai-risk-assessment.md +258 -258
  230. package/src/bmad-plus/packs/pack-shield/references/iso42001/iso42001-clauses-requirements.md +279 -279
  231. package/src/bmad-plus/packs/pack-shield/references/iso42001/iso42001-controls-annex-a.md +155 -155
  232. package/src/bmad-plus/packs/pack-shield/references/itar/compliance-program.md +174 -174
  233. package/src/bmad-plus/packs/pack-shield/references/itar/licensing-guide.md +146 -146
  234. package/src/bmad-plus/packs/pack-shield/references/itar/usml-categories.md +93 -93
  235. package/src/bmad-plus/packs/pack-shield/references/lgpd/anpd-enforcement.md +147 -147
  236. package/src/bmad-plus/packs/pack-shield/references/lgpd/compliance-program.md +272 -272
  237. package/src/bmad-plus/packs/pack-shield/references/lgpd/lgpd-articles.md +271 -271
  238. package/src/bmad-plus/packs/pack-shield/references/nis2/article-21-measures.md +153 -153
  239. package/src/bmad-plus/packs/pack-shield/references/nis2/iso27001-nis2-mapping.md +68 -68
  240. package/src/bmad-plus/packs/pack-shield/references/nist-800-53/assessment-rmf.md +349 -349
  241. package/src/bmad-plus/packs/pack-shield/references/nist-800-53/baselines-tailoring.md +277 -277
  242. package/src/bmad-plus/packs/pack-shield/references/nist-800-53/control-families.md +450 -450
  243. package/src/bmad-plus/packs/pack-shield/references/nist-ai-rmf/rmf-core.md +361 -361
  244. package/src/bmad-plus/packs/pack-shield/references/nist-ai-rmf/rmf-profiles.md +192 -192
  245. package/src/bmad-plus/packs/pack-shield/references/nist-csf/csf-10-to-20-mapping.md +143 -143
  246. package/src/bmad-plus/packs/pack-shield/references/nist-csf/csf-20-functions-categories.md +278 -278
  247. package/src/bmad-plus/packs/pack-shield/references/nist-csf/csf-implementation-tiers.md +135 -135
  248. package/src/bmad-plus/packs/pack-shield/references/pci-compliance/pci-dss-requirements.md +366 -366
  249. package/src/bmad-plus/packs/pack-shield/references/pci-compliance/pci-dss-saq-guide.md +217 -217
  250. package/src/bmad-plus/packs/pack-shield/references/pci-compliance/pci-dss-v4-changes.md +190 -190
  251. package/src/bmad-plus/packs/pack-shield/references/section-508/wcag-mapping.md +160 -160
  252. package/src/bmad-plus/packs/pack-shield/references/soc2/controls.md +241 -241
  253. package/src/bmad-plus/packs/pack-shield/references/soc2/evidence.md +236 -236
  254. package/src/bmad-plus/packs/pack-shield/references/soc2/policies.md +254 -254
  255. package/src/bmad-plus/packs/pack-shield/references/soc2/vendor.md +276 -276
  256. package/src/bmad-plus/packs/pack-shield/references/swift-csp/swift-assessment.md +202 -202
  257. package/src/bmad-plus/packs/pack-shield/references/swift-csp/swift-controls.md +545 -545
  258. package/src/bmad-plus/packs/pack-shield/references/tsa-compliance/tsa-crmp-requirements.md +359 -359
  259. package/src/bmad-plus/packs/pack-shield/references/tsa-compliance/tsa-directives-overview.md +187 -187
  260. package/src/bmad-plus/packs/pack-shield/references/tsa-compliance/tsa-incident-reporting.md +187 -187
  261. package/src/bmad-plus/packs/pack-shield/references/wcag/criteria-detail.md +510 -510
  262. package/src/bmad-plus/packs/pack-shield/shared/audit-report-template.md +103 -103
  263. package/src/bmad-plus/packs/pack-shield/shared/cross-framework-mapper.md +103 -103
  264. package/src/bmad-plus/packs/pack-shield/shared/gap-analysis-template.md +83 -83
  265. package/src/bmad-plus/packs/pack-shield/shield-orchestrator.md +229 -229
  266. package/src/bmad-plus/packs/pack-shield/upstream-sync.yaml +68 -68
  267. package/src/bmad-plus/skills/bmad-plus-autopilot/SKILL.md +99 -99
  268. package/src/bmad-plus/skills/bmad-plus-parallel/SKILL.md +93 -93
  269. package/src/bmad-plus/skills/bmad-plus-sync/SKILL.md +69 -69
  270. package/tools/bmad-plus-npx.js +3 -5
  271. package/tools/cli/commands/autoconfig.js +508 -489
  272. package/tools/cli/commands/doctor.js +219 -222
  273. package/tools/cli/commands/install.js +548 -739
  274. package/tools/cli/commands/memory.js +194 -194
  275. package/tools/cli/commands/scan.js +362 -350
  276. package/tools/cli/commands/uninstall.js +96 -96
  277. package/tools/cli/commands/update.js +116 -174
  278. package/tools/cli/i18n.js +845 -763
  279. package/tools/cli/lib/memory-init.js +114 -0
  280. package/tools/cli/lib/pack-copy.js +84 -0
  281. package/tools/cli/lib/packs.js +114 -0
@@ -1,426 +1,426 @@
1
- # DPDPA — Data Fiduciary Obligations and Data Principal Rights
2
-
3
- Deep-dive reference for compliance teams. All obligations cite the Act section AND the
4
- implementing Rule where applicable. Rules references are to the DPDP Rules, 2025 (notified
5
- 13 November 2025, effective 13 May 2027 unless phased earlier).
6
-
7
- ---
8
-
9
- ## Part A — Data Fiduciary Core Obligations (Section 8)
10
-
11
- ### A.1 Notice Obligation (Section 5 + Rule 3)
12
-
13
- **Trigger:** Before or at the time of requesting consent for any processing.
14
-
15
- **Mandatory contents of notice (Rule 3(1)):**
16
-
17
- | Element | Requirement |
18
- |---------|-------------|
19
- | Identity of Data Fiduciary | Full legal name and contact details |
20
- | Categories of personal data | Description of the data sought to be collected |
21
- | Specified purpose | Each purpose for which data will be processed — specific, not generic |
22
- | Recipients | Categories of Processors and other Data Fiduciaries who will receive the data |
23
- | Retention period | Duration for which data will be retained, or criteria used to determine it |
24
- | Data Principal rights | Summary of rights under Sections 11–14 |
25
- | Complaint mechanism | How to lodge a complaint with the Data Fiduciary and with the Board |
26
- | Withdrawal procedure | How to withdraw consent and the consequences of withdrawal |
27
-
28
- **Format requirements (Rule 3(2)):**
29
- - **Plain language** — no legalese, jargon, or unnecessarily complex syntax
30
- - **Standalone document** — cannot be buried in terms of service, privacy policy footnotes, or general conditions
31
- - **Retrievable at any time** — must be accessible via the Data Fiduciary's platform or website at any point
32
- - **Available in English and other languages** per the Eighth Schedule of the Constitution (Rule 3(3)) if the Data Principal requests translation
33
-
34
- **Existing data (Section 5(2)):**
35
- For data collected before commencement of the Act but still being processed:
36
- - Fiduciaries must issue a notice of equivalent content
37
- - Notice must be given within the prescribed period after commencement
38
- - This is the "legacy data compliance" obligation — organisations should map all pre-Act data and prepare retrospective notices
39
-
40
- **Common errors:**
41
- - Embedding notice in general T&Cs — non-compliant
42
- - Vague purposes such as "to improve services" — non-compliant
43
- - Notice only available at registration, not retrievable afterwards — non-compliant
44
- - Single notice covering multiple services without purpose separation — risk of invalid consent
45
-
46
- ---
47
-
48
- ### A.2 Consent Obligations (Section 6 + Rule 4)
49
-
50
- **Validity standard:** Consent is valid ONLY if all five elements are present simultaneously:
51
-
52
- | Element | What it means operationally |
53
- |---------|----------------------------|
54
- | Free | Not conditioned on acceptance of a service or product |
55
- | Specific | For each distinct, identified purpose separately |
56
- | Informed | Given after the Data Principal has received the Section 5 notice |
57
- | Unconditional | No coercion, inducement, or consequence attached to refusal |
58
- | Unambiguous | Clear affirmative action — no pre-ticked boxes, no silence as consent |
59
-
60
- **Section 6(4) — Withdrawal:**
61
- - Must be as easy to withdraw as it was to give
62
- - One-click or equivalent in-app mechanism required where consent was given digitally
63
- - Email-only withdrawal is likely insufficient if consent was given via a button click
64
- - Prior lawful processing is not invalidated by later withdrawal
65
- - Processing MUST stop promptly after withdrawal — no "grace periods" unless legally justified
66
-
67
- **Section 6(5) — Burden of proof:**
68
- The Data Fiduciary must be able to demonstrate that valid consent was obtained. This requires:
69
- - Consent audit logs with timestamp, mechanism used, and content presented at time of consent
70
- - Version control for notices — the notice version presented must be retrievable
71
- - Linkage between consent record and the data processed under it
72
-
73
- **Section 6(6):** Any consent obtained in violation of these requirements is **void ab initio** — the processing was unlawful from the start.
74
-
75
- **Consent Manager (Section 6(3) + Rule 5):**
76
- - A Consent Manager is a body corporate registered by the Board
77
- - Data Principals may give, manage, review, and withdraw consent for multiple Data Fiduciaries through a single Consent Manager platform
78
- - Consent Managers must maintain interoperability across registered Data Fiduciaries
79
- - Engaging a Consent Manager does not absolve the Data Fiduciary of its consent validity obligations
80
-
81
- ---
82
-
83
- ### A.3 Data Quality Obligation (Section 8(2))
84
-
85
- Data Fiduciaries must ensure personal data is:
86
- - **Accurate** — free from errors that would affect Data Principals' interests
87
- - **Complete** — not missing material information
88
- - **Consistent** — aligned across systems when used for decisions or shared with other Fiduciaries
89
-
90
- **Scope limitation:** This obligation applies specifically when the data will be:
91
- 1. Used to make a decision affecting the Data Principal, or
92
- 2. Disclosed to another Data Fiduciary
93
-
94
- **Practical implication:** Data used solely for internal analytics that does not affect individual decisions has a lower data quality obligation. Data used for credit scoring, benefit eligibility, or shared with business partners has a higher obligation.
95
-
96
- ---
97
-
98
- ### A.4 Security Safeguards Obligation (Section 8(3) + Rule 7)
99
-
100
- **Principle:** Appropriate technical and organisational measures to prevent personal data breaches.
101
-
102
- **Rule 7 — Minimum security standards:**
103
-
104
- | Safeguard Category | Specific Requirement |
105
- |--------------------|---------------------|
106
- | Encryption | Encrypt personal data at rest and in transit |
107
- | Access controls | Role-based access; least-privilege principle |
108
- | Access logging | Maintain logs of who accessed what data and when |
109
- | Pseudonymisation | Where processing permits separation of identifying elements from operational data |
110
- | System hardening | Regular patching, vulnerability assessment, hardening of ICT systems |
111
- | Incident detection | Capability to detect and alert on unauthorised access or anomalous data processing activity |
112
- | Business continuity | Measures to ensure personal data availability and integrity during system failures |
113
- | Data minimisation | Collect and retain only what is necessary for the specified purpose |
114
-
115
- **Highest penalty tier:** Failure to implement security safeguards = ₹250 crore maximum (Section 33 Schedule).
116
-
117
- **Key audit questions:**
118
- - Is personal data encrypted at rest and in transit?
119
- - Is access to personal data logged and monitored?
120
- - How quickly can the organisation detect a breach?
121
- - Are all Data Processors bound by equivalent security obligations?
122
-
123
- ---
124
-
125
- ### A.5 Breach Notification Obligation (Section 8(6) + Rule 6)
126
-
127
- **Trigger:** Any "personal data breach" — unauthorised processing or accidental disclosure causing loss of confidentiality, integrity, or availability.
128
-
129
- **Notification timeline:**
130
-
131
- | Step | Timeline | Content |
132
- |------|----------|---------|
133
- | Initial notification to Board | **Within 72 hours** of becoming aware | Type of breach; categories and approximate number of Data Principals affected; likely consequences; measures taken or proposed |
134
- | Notification to affected Data Principals | As directed by the Board | Board may require or waive Data Principal notification |
135
- | Supplementary report | As directed by the Board | Additional investigation findings |
136
-
137
- **Rule 6 — Content requirements:**
138
- - Nature of the breach (unauthorised access, accidental disclosure, ransomware, etc.)
139
- - Personal data categories affected (categories, not necessarily exhaustive item list)
140
- - Approximate volume of records and number of affected Data Principals
141
- - Name and contact details of responsible officer (equivalent to DPO contact)
142
- - Likely consequences of the breach
143
- - Measures taken to address the breach and mitigate harm
144
- - Measures proposed to prevent recurrence
145
-
146
- **Key operational points:**
147
- - The 72-hour clock runs from when the organisation **becomes aware** of a breach — not when breach is fully investigated
148
- - Partial notifications are permissible — notify within 72 hours with available information, supplement later
149
- - Unlike GDPR, the Act does not prescribe a risk-threshold for notification — **all breaches must be notified to the Board**
150
- - The Board decides whether to require notification to affected Data Principals
151
-
152
- **Penalty:** Failure to notify = ₹200 crore maximum.
153
-
154
- **Recommended breach response protocol:**
155
- 1. Detection → Incident ticket opened (T=0)
156
- 2. T+4 hours: Initial containment and impact triage
157
- 3. T+24 hours: Preliminary classification — is this a personal data breach?
158
- 4. T+48 hours: Gather notification content; prepare Rule 6 report
159
- 5. T+72 hours: Submit to Board (even if investigation ongoing)
160
- 6. T+ongoing: Supplementary reporting as investigation progresses
161
-
162
- ---
163
-
164
- ### A.6 Data Retention and Erasure Obligation (Section 8(7) + Rule 8)
165
-
166
- **Mandatory erasure triggers:**
167
- 1. Consent withdrawn by the Data Principal
168
- 2. Purpose for which data was collected is fulfilled
169
- 3. Data Principal exercises erasure right under Section 12(3)
170
- 4. Retention no longer necessary for the specified purpose or required by law
171
-
172
- **Erasure extends to Processors:**
173
- - Data Fiduciaries must direct all Data Processors to erase personal data upon termination of the processing engagement
174
- - Data Processors must confirm erasure — contractual clause and confirmation procedure required
175
-
176
- **Retention exceptions (Section 8(7) proviso):**
177
- - Where retention is required by applicable law (e.g., statutory record-keeping under Companies Act, GST records, etc.)
178
- - Where retention is necessary to enforce or defend legal rights or claims
179
-
180
- **Practical retention schedule design:**
181
- - Map each data category to its lawful retention trigger
182
- - For consent-based processing: retention ends at withdrawal or purpose fulfilment (whichever first)
183
- - For Section 7 legitimate uses: retention ends when the legitimate use purpose is fulfilled
184
- - Statutory overlays: apply the longer of DPDPA retention limits and applicable statutory requirement
185
-
186
- ---
187
-
188
- ### A.7 Grievance Mechanism Obligation (Section 8 + Section 13)
189
-
190
- **Minimum requirements:**
191
- - Accessible mechanism for Data Principals to submit grievances (web form, email, phone — at minimum one channel)
192
- - Acknowledgement within prescribed period (Rules specify timelines — verify against Rule schedule)
193
- - Resolution within prescribed period (Rules specify timelines)
194
- - Escalation path to the Board clearly communicated (Section 13(3) — exhaustion of fiduciary mechanism required before Board complaint)
195
-
196
- **Critical design point:** The grievance mechanism is the mandatory first step before Board intervention. A deficient or non-responsive grievance mechanism not only violates the Act but creates the conditions for Board complaints and regulatory escalation.
197
-
198
- ---
199
-
200
- ### A.8 Data Processing Agreements (Section 8(1) + Rule 16)
201
-
202
- Every Data Processor engaged must be under a **written contract** that specifies:
203
-
204
- | Contract Element | Requirement |
205
- |-----------------|-------------|
206
- | Processing instructions | Processor may only process as instructed by the Fiduciary |
207
- | Purpose limitation | Processing restricted to specified purposes |
208
- | Security measures | Processor must implement equivalent safeguards to Rule 7 |
209
- | Sub-processing | Must obtain Fiduciary's prior written approval for sub-processors |
210
- | Audit rights | Fiduciary must have right to audit Processor's compliance |
211
- | Breach notification | Processor must notify Fiduciary promptly upon detecting a breach |
212
- | Erasure on termination | Processor must erase data upon termination of engagement and confirm erasure |
213
- | Data Fiduciary's liability | Fiduciary remains liable to Data Principals for Processor's acts — Fiduciary may seek indemnity from Processor contractually |
214
-
215
- **Rule 16 additional requirements:**
216
- - Contract must be executed before processing begins (not retrospectively)
217
- - Processor-to-sub-processor agreements must flow down all obligations
218
- - Fiduciary must maintain a register of all Processors and sub-processors
219
-
220
- ---
221
-
222
- ## Part B — Children's Data (Section 9 + Rules 10 and 12)
223
-
224
- ### B.1 Age Threshold
225
-
226
- **18 years** — uniform across India, no regional variation.
227
-
228
- ### B.2 Parental Consent (Section 9(1) + Rule 12)
229
-
230
- **Requirement:** Verifiable consent from parent or lawful guardian before processing any personal data of a child.
231
-
232
- **Rule 12 — Verification methods (prescribed):**
233
-
234
- | Method | Description |
235
- |--------|-------------|
236
- | DigiLocker | Digital credentials authenticated via DigiLocker platform (government ID-linked) |
237
- | Government token | Any other government-issued digital token prescribed by MeitY |
238
- | Existing verified data | If the Data Fiduciary already holds verified parent/guardian details from a prior KYC or similar process, these may be relied upon |
239
- | Virtual token | Anonymised tokens issued by entities operating token-based identity infrastructure |
240
-
241
- **Key design requirements:**
242
- - Verification must confirm the consenting individual is an adult (18+)
243
- - Verification must confirm the consenting individual is the parent or lawful guardian of the child
244
- - The verification process itself must not collect excessive personal data about the child or parent
245
-
246
- **Exemption possibility (Section 9(3)):**
247
- The Central Government may exempt certain classes of Data Fiduciaries (e.g., healthcare providers, educational institutions, essential digital services for children) from the verifiable parental consent requirement. These exemptions must be positively notified — no self-certification of exemption is permitted.
248
-
249
- ### B.3 Absolute Prohibitions (Section 9(2))
250
-
251
- Regardless of consent, the following are **prohibited for all children** (no exceptions unless separately notified):
252
-
253
- 1. **Tracking or behavioural monitoring** — geolocation tracking, persistent identifiers, browsing history, app usage analytics on individual children
254
- 2. **Targeted advertising** — advertising directed at a child based on their personal data, browsing patterns, or inferred characteristics
255
- 3. **Any processing likely to cause detrimental effect on the child's well-being**
256
-
257
- **Compliance implication:**
258
- - An analytics platform that tracks individual child users violates Section 9(2) even if parental consent is obtained
259
- - An advertising-funded platform that profiles children for ad targeting violates Section 9(2) regardless of consent
260
- - Age-verification must precede any personalised or tracked service — not a post-onboarding check
261
-
262
- **Penalty:** ₹200 crore maximum — second-highest penalty tier.
263
-
264
- ### B.4 Practical Age-Gate Requirements
265
-
266
- - Age declaration at registration: must capture claimed age
267
- - Verification trigger: if claimed age is under 18, parental consent verification must be initiated before data processing begins
268
- - False age declaration: Data Fiduciary is protected if it relied in good faith on a verified parental consent — responsibility shifts to the declarant
269
- - Dark patterns: age-gate mechanisms must not use deceptive design to bypass age checks
270
-
271
- ---
272
-
273
- ## Part C — Significant Data Fiduciary Obligations (Section 10 + Rule 13)
274
-
275
- ### C.1 SDF Designation
276
-
277
- **Who designates:** Central Government (MeitY) by notification in the Official Gazette.
278
-
279
- **Criteria (Section 10 + Rule 13(1)):**
280
-
281
- | Factor | Indicators |
282
- |--------|-----------|
283
- | Volume of data | Large-scale processing of personal data across a significant number of Data Principals |
284
- | Sensitivity | Processing of special categories (financial, health, biometric, location) at scale |
285
- | Risk to rights | Potential for harm, discrimination, or manipulation of Data Principals |
286
- | Sovereignty and security | Impact on India's sovereignty, integrity, national security |
287
- | Electoral democracy | Potential to influence electoral processes or democratic participation |
288
- | Public order | Processing that could affect public order, communal harmony |
289
-
290
- **Current status (April 2026):** The Central Government has not yet published the first list of SDFs. Entities should assess their processing profile and prepare for potential SDF designation.
291
-
292
- ### C.2 India-Resident Data Protection Officer (Section 10(2)(a) + Rule 13(2))
293
-
294
- | Requirement | Detail |
295
- |-------------|--------|
296
- | Residency | Must be **resident in India** (not abroad) |
297
- | Individual | Must be a natural person — not an entity or external law firm |
298
- | Role before Board | Sole official representative of the SDF before the Data Protection Board |
299
- | Data Principal contact | Primary contact for Data Principal grievances |
300
- | Reporting line | Must have direct access to the highest management of the SDF |
301
-
302
- **Key distinction from GDPR DPO:**
303
- - The DPDPA DPO is the SDF's spokesperson and Board liaison — a more operational role than the GDPR advisory DPO
304
- - The DPDPA DPO does not independently audit the organisation; that function is the Data Auditor's
305
- - The DPDPA DPO must physically reside in India — a non-India-based privacy officer does not satisfy this requirement
306
-
307
- ### C.3 Data Protection Impact Assessment (Section 10(2)(b) + Rule 13(3))
308
-
309
- **Frequency:** Annual — covering the preceding year's processing activities.
310
-
311
- **Mandatory content (Rule 13(3)):**
312
-
313
- | Assessment Element | What to Cover |
314
- |-------------------|---------------|
315
- | Compliance review | Review of all processing activities against Act and Rules obligations |
316
- | Rights exercise analysis | How Data Principals exercised their rights; complaints received; resolution rate |
317
- | Safeguard adequacy | Assessment of whether security safeguards remain adequate given current threats |
318
- | Third-party risk | Review of all Data Processor relationships and their compliance |
319
- | Large-scale processing risks | Specific risks arising from high-volume or high-sensitivity processing |
320
- | Mitigation measures | Actions taken and proposed to address identified risks |
321
-
322
- **Output:** DPIA report submitted to the Board as part of the annual compliance cycle.
323
-
324
- ### C.4 Annual Independent Data Audit (Section 10(2)(c) + Rule 13(4))
325
-
326
- **Auditor:** External, independent, qualified data auditor (not the SDF's own privacy team or affiliated entity).
327
-
328
- **Scope:**
329
- - Compliance with all obligations under the Act and Rules
330
- - Adequacy of security safeguards
331
- - Data processing agreements with Processors
332
- - Data Principal rights fulfilment
333
- - Breach notification history and response adequacy
334
- - Children's data compliance (if applicable)
335
-
336
- **Output:** Audit report submitted to the Board. Board may use audit findings in investigations and penalty proceedings.
337
-
338
- ### C.5 Data Localisation (Section 10(2)(d))
339
-
340
- **Mechanism:** Central Government may, by notification, require SDFs to retain specified categories of personal data only within India — even if cross-border transfer is otherwise permitted.
341
-
342
- **Current status (April 2026):** No localisation notifications issued for SDFs. Entities should monitor MeitY gazette.
343
-
344
- **Planning requirement:** SDFs must be capable of implementing localisation on notification — this requires data mapping to identify which data categories and which systems would be affected, and architecture capable of separating India-stored data from globally replicated data.
345
-
346
- ---
347
-
348
- ## Part D — Data Principal Rights Fulfilment Procedures
349
-
350
- ### D.1 Right to Access (Section 11)
351
-
352
- **What the Data Principal may request:**
353
- 1. Summary of personal data currently being processed
354
- 2. Description of processing activities (purpose, legal basis, duration)
355
- 3. All Data Fiduciaries and Processors who hold or process the data, with their contact details
356
- 4. What data has been shared with each recipient and when
357
-
358
- **Response timeline:** Within the prescribed period under Rules (verify against Rule schedule).
359
-
360
- **Form of response:** Must be in a format accessible to the Data Principal — plain language, understandable categories, not raw database extracts.
361
-
362
- **Limitations:**
363
- - Data Fiduciaries may decline to provide information where disclosure would endanger another person
364
- - Information subject to legal privilege or security exemptions (Section 17) may be withheld
365
- - Must provide a reason for any refusal (enabling Board escalation)
366
-
367
- ### D.2 Right to Correction, Completion, and Updating (Section 12(1))
368
-
369
- **Process:**
370
- 1. Data Principal submits correction/completion/update request
371
- 2. Data Fiduciary verifies the request
372
- 3. Data Fiduciary makes the requested correction, completion, or update
373
- 4. Data Fiduciary notifies any Data Processors or other Fiduciaries who received the incorrect data (where feasible)
374
-
375
- **Practical requirement:** Systems must be capable of propagating corrections across linked databases and to downstream Processors.
376
-
377
- ### D.3 Right to Erasure (Section 12(3))
378
-
379
- **Trigger:** Data Principal requests erasure of personal data no longer necessary for the specified purpose.
380
-
381
- **Limitation grounds where Fiduciary may refuse (Section 12(4)):**
382
- 1. Data is still necessary for the specified purpose
383
- 2. Retention required by law (statutory obligation)
384
- 3. Retention necessary to enforce or defend legal rights
385
-
386
- **Process:**
387
- 1. Data Principal submits erasure request
388
- 2. Data Fiduciary assesses whether any refusal ground applies
389
- 3. If no refusal ground: erase from own systems AND direct all Processors to erase
390
- 4. If refusal ground applies: notify Data Principal with explanation and right to escalate to Board
391
-
392
- ### D.4 Right of Grievance Redressal (Section 13)
393
-
394
- **Mandatory exhaustion:** Data Principals MUST exhaust the Data Fiduciary's grievance mechanism before filing a complaint with the Board.
395
-
396
- **Fiduciary obligations:**
397
- - Grievance mechanism must be accessible (not buried or inaccessible)
398
- - Acknowledgement and resolution within prescribed timelines
399
- - Records of grievances and resolutions must be maintained
400
-
401
- **Escalation to Board:** If the Data Principal is unsatisfied with the Fiduciary's response, or if the Fiduciary fails to respond within the prescribed period, the Data Principal may approach the Board.
402
-
403
- ### D.5 Right to Nominate (Section 14)
404
-
405
- **Available triggers:**
406
- - Death of the Data Principal
407
- - Incapacity (unsoundness of mind or physical infirmity preventing exercise of rights)
408
-
409
- **Nominee's powers:** The nominee may exercise all rights under Sections 11, 12, and 13 as if they were the Data Principal.
410
-
411
- **Operational requirement:** Data Fiduciaries must provide a mechanism for Data Principals to register nominations, update nominations, and for nominees to authenticate themselves upon claiming rights.
412
-
413
- ---
414
-
415
- ## Part E — Response Timelines Quick Reference
416
-
417
- | Right/Obligation | Prescribed Timeline |
418
- |-----------------|---------------------|
419
- | Breach notification to Board | 72 hours from awareness |
420
- | Grievance acknowledgement | As prescribed by Rules (monitor Rule schedule) |
421
- | Grievance resolution | As prescribed by Rules |
422
- | Access request response | As prescribed by Rules |
423
- | Correction/erasure response | As prescribed by Rules |
424
- | Notice for existing data | Within prescribed period after commencement |
425
-
426
- > **Note on prescribed timelines:** The DPDP Rules 2025 set specific timelines for several obligations. Where the table above states "as prescribed by Rules," verify the current Rule text as timelines may be specified in schedules or subsequent notifications. Monitoring MeitY's official gazette is essential for SDF-designated and high-volume Data Fiduciaries.
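Review bot: every removed line visible in this region reappears verbatim in the added block that follows (for example `**Section 6(6):** Any consent obtained in violation of these requirements is **void ab initio**`, the full Rule 7 safeguards table, and the six-step `Recommended breach response protocol`), so this hunk reads as a whole-file delete-and-re-add with no visible textual change, which is the signature of a line-ending or trailing-whitespace rewrite rather than an edit to the reference. That obscures any real change to a compliance document whose content is date-sensitive (`Current status (April 2026)`, the Rules commencement dates in the new header), because a reviewer cannot tell from this diff whether a section, penalty figure or timeline was altered. Suggest normalising line endings in the repository (a `.gitattributes` rule such as `* text=auto` or an `.editorconfig` `end_of_line` setting) and re-cutting the release so the package diff shows only substantive edits; if a substantive edit is in fact buried here, call it out in the CHANGELOG entry for this version.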
1
+ # DPDPA — Data Fiduciary Obligations and Data Principal Rights
2
+
3
+ Deep-dive reference for compliance teams. All obligations cite the Act section AND the
4
+ implementing Rule where applicable. Rules references are to the DPDP Rules, 2025 (notified
5
+ 13 November 2025, effective 13 May 2027 unless phased earlier).
6
+
7
+ ---
8
+
9
+ ## Part A — Data Fiduciary Core Obligations (Section 8)
10
+
11
+ ### A.1 Notice Obligation (Section 5 + Rule 3)
12
+
13
+ **Trigger:** Before or at the time of requesting consent for any processing.
14
+
15
+ **Mandatory contents of notice (Rule 3(1)):**
16
+
17
+ | Element | Requirement |
18
+ |---------|-------------|
19
+ | Identity of Data Fiduciary | Full legal name and contact details |
20
+ | Categories of personal data | Description of the data sought to be collected |
21
+ | Specified purpose | Each purpose for which data will be processed — specific, not generic |
22
+ | Recipients | Categories of Processors and other Data Fiduciaries who will receive the data |
23
+ | Retention period | Duration for which data will be retained, or criteria used to determine it |
24
+ | Data Principal rights | Summary of rights under Sections 11–14 |
25
+ | Complaint mechanism | How to lodge a complaint with the Data Fiduciary and with the Board |
26
+ | Withdrawal procedure | How to withdraw consent and the consequences of withdrawal |
27
+
28
+ **Format requirements (Rule 3(2)):**
29
+ - **Plain language** — no legalese, jargon, or unnecessarily complex syntax
30
+ - **Standalone document** — cannot be buried in terms of service, privacy policy footnotes, or general conditions
31
+ - **Retrievable at any time** — must be accessible via the Data Fiduciary's platform or website at any point
32
+ - **Available in English and other languages** per the Eighth Schedule of the Constitution (Rule 3(3)) if the Data Principal requests translation
33
+
34
+ **Existing data (Section 5(2)):**
35
+ For data collected before commencement of the Act but still being processed:
36
+ - Fiduciaries must issue a notice of equivalent content
37
+ - Notice must be given within the prescribed period after commencement
38
+ - This is the "legacy data compliance" obligation — organisations should map all pre-Act data and prepare retrospective notices
39
+
40
+ **Common errors:**
41
+ - Embedding notice in general T&Cs — non-compliant
42
+ - Vague purposes such as "to improve services" — non-compliant
43
+ - Notice only available at registration, not retrievable afterwards — non-compliant
44
+ - Single notice covering multiple services without purpose separation — risk of invalid consent
45
+
46
+ ---
47
+
48
+ ### A.2 Consent Obligations (Section 6 + Rule 4)
49
+
50
+ **Validity standard:** Consent is valid ONLY if all five elements are present simultaneously:
51
+
52
+ | Element | What it means operationally |
53
+ |---------|----------------------------|
54
+ | Free | Not conditioned on acceptance of a service or product |
55
+ | Specific | For each distinct, identified purpose separately |
56
+ | Informed | Given after the Data Principal has received the Section 5 notice |
57
+ | Unconditional | No coercion, inducement, or consequence attached to refusal |
58
+ | Unambiguous | Clear affirmative action — no pre-ticked boxes, no silence as consent |
59
+
60
+ **Section 6(4) — Withdrawal:**
61
+ - Must be as easy to withdraw as it was to give
62
+ - One-click or equivalent in-app mechanism required where consent was given digitally
63
+ - Email-only withdrawal is likely insufficient if consent was given via a button click
64
+ - Prior lawful processing is not invalidated by later withdrawal
65
+ - Processing MUST stop promptly after withdrawal — no "grace periods" unless legally justified
66
+
67
+ **Section 6(5) — Burden of proof:**
68
+ The Data Fiduciary must be able to demonstrate that valid consent was obtained. This requires:
69
+ - Consent audit logs with timestamp, mechanism used, and content presented at time of consent
70
+ - Version control for notices — the notice version presented must be retrievable
71
+ - Linkage between consent record and the data processed under it
72
+
73
+ **Section 6(6):** Any consent obtained in violation of these requirements is **void ab initio** — the processing was unlawful from the start.
74
+
75
+ **Consent Manager (Section 6(3) + Rule 5):**
76
+ - A Consent Manager is a body corporate registered by the Board
77
+ - Data Principals may give, manage, review, and withdraw consent for multiple Data Fiduciaries through a single Consent Manager platform
78
+ - Consent Managers must maintain interoperability across registered Data Fiduciaries
79
+ - Engaging a Consent Manager does not absolve the Data Fiduciary of its consent validity obligations
80
+
81
+ ---
82
+
83
+ ### A.3 Data Quality Obligation (Section 8(2))
84
+
85
+ Data Fiduciaries must ensure personal data is:
86
+ - **Accurate** — free from errors that would affect Data Principals' interests
87
+ - **Complete** — not missing material information
88
+ - **Consistent** — aligned across systems when used for decisions or shared with other Fiduciaries
89
+
90
+ **Scope limitation:** This obligation applies specifically when the data will be:
91
+ 1. Used to make a decision affecting the Data Principal, or
92
+ 2. Disclosed to another Data Fiduciary
93
+
94
+ **Practical implication:** Data used solely for internal analytics that does not affect individual decisions has a lower data quality obligation. Data used for credit scoring, benefit eligibility, or shared with business partners has a higher obligation.
95
+
96
+ ---
97
+
98
+ ### A.4 Security Safeguards Obligation (Section 8(3) + Rule 7)
99
+
100
+ **Principle:** Appropriate technical and organisational measures to prevent personal data breaches.
101
+
102
+ **Rule 7 — Minimum security standards:**
103
+
104
+ | Safeguard Category | Specific Requirement |
105
+ |--------------------|---------------------|
106
+ | Encryption | Encrypt personal data at rest and in transit |
107
+ | Access controls | Role-based access; least-privilege principle |
108
+ | Access logging | Maintain logs of who accessed what data and when |
109
+ | Pseudonymisation | Where processing permits separation of identifying elements from operational data |
110
+ | System hardening | Regular patching, vulnerability assessment, hardening of ICT systems |
111
+ | Incident detection | Capability to detect and alert on unauthorised access or anomalous data processing activity |
112
+ | Business continuity | Measures to ensure personal data availability and integrity during system failures |
113
+ | Data minimisation | Collect and retain only what is necessary for the specified purpose |
114
+
115
+ **Highest penalty tier:** Failure to implement security safeguards = ₹250 crore maximum (Section 33 Schedule).
116
+
117
+ **Key audit questions:**
118
+ - Is personal data encrypted at rest and in transit?
119
+ - Is access to personal data logged and monitored?
120
+ - How quickly can the organisation detect a breach?
121
+ - Are all Data Processors bound by equivalent security obligations?
122
+
123
+ ---
124
+
125
+ ### A.5 Breach Notification Obligation (Section 8(6) + Rule 6)
126
+
127
+ **Trigger:** Any "personal data breach" — unauthorised processing or accidental disclosure causing loss of confidentiality, integrity, or availability.
128
+
129
+ **Notification timeline:**
130
+
131
+ | Step | Timeline | Content |
132
+ |------|----------|---------|
133
+ | Initial notification to Board | **Within 72 hours** of becoming aware | Type of breach; categories and approximate number of Data Principals affected; likely consequences; measures taken or proposed |
134
+ | Notification to affected Data Principals | As directed by the Board | Board may require or waive Data Principal notification |
135
+ | Supplementary report | As directed by the Board | Additional investigation findings |
136
+
137
+ **Rule 6 — Content requirements:**
138
+ - Nature of the breach (unauthorised access, accidental disclosure, ransomware, etc.)
139
+ - Personal data categories affected (categories, not necessarily exhaustive item list)
140
+ - Approximate volume of records and number of affected Data Principals
141
+ - Name and contact details of responsible officer (equivalent to DPO contact)
142
+ - Likely consequences of the breach
143
+ - Measures taken to address the breach and mitigate harm
144
+ - Measures proposed to prevent recurrence
145
+
146
+ **Key operational points:**
147
+ - The 72-hour clock runs from when the organisation **becomes aware** of a breach — not when breach is fully investigated
148
+ - Partial notifications are permissible — notify within 72 hours with available information, supplement later
149
+ - Unlike GDPR, the Act does not prescribe a risk-threshold for notification — **all breaches must be notified to the Board**
150
+ - The Board decides whether to require notification to affected Data Principals
151
+
152
+ **Penalty:** Failure to notify = ₹200 crore maximum.
153
+
154
+ **Recommended breach response protocol:**
155
+ 1. Detection → Incident ticket opened (T=0)
156
+ 2. T+4 hours: Initial containment and impact triage
157
+ 3. T+24 hours: Preliminary classification — is this a personal data breach?
158
+ 4. T+48 hours: Gather notification content; prepare Rule 6 report
159
+ 5. T+72 hours: Submit to Board (even if investigation ongoing)
160
+ 6. T+ongoing: Supplementary reporting as investigation progresses
161
+
162
+ ---
163
+
164
+ ### A.6 Data Retention and Erasure Obligation (Section 8(7) + Rule 8)
165
+
166
+ **Mandatory erasure triggers:**
167
+ 1. Consent withdrawn by the Data Principal
168
+ 2. Purpose for which data was collected is fulfilled
169
+ 3. Data Principal exercises erasure right under Section 12(3)
170
+ 4. Retention no longer necessary for the specified purpose or required by law
171
+
172
+ **Erasure extends to Processors:**
173
+ - Data Fiduciaries must direct all Data Processors to erase personal data upon termination of the processing engagement
174
+ - Data Processors must confirm erasure — contractual clause and confirmation procedure required
175
+
176
+ **Retention exceptions (Section 8(7) proviso):**
177
+ - Where retention is required by applicable law (e.g., statutory record-keeping under Companies Act, GST records, etc.)
178
+ - Where retention is necessary to enforce or defend legal rights or claims
179
+
180
+ **Practical retention schedule design:**
181
+ - Map each data category to its lawful retention trigger
182
+ - For consent-based processing: retention ends at withdrawal or purpose fulfilment (whichever first)
183
+ - For Section 7 legitimate uses: retention ends when the legitimate use purpose is fulfilled
184
+ - Statutory overlays: apply the longer of DPDPA retention limits and applicable statutory requirement
185
+
186
+ ---
187
+
188
+ ### A.7 Grievance Mechanism Obligation (Section 8 + Section 13)
189
+
190
+ **Minimum requirements:**
191
+ - Accessible mechanism for Data Principals to submit grievances (web form, email, phone — at minimum one channel)
192
+ - Acknowledgement within prescribed period (Rules specify timelines — verify against Rule schedule)
193
+ - Resolution within prescribed period (Rules specify timelines)
194
+ - Escalation path to the Board clearly communicated (Section 13(3) — exhaustion of fiduciary mechanism required before Board complaint)
195
+
196
+ **Critical design point:** The grievance mechanism is the mandatory first step before Board intervention. A deficient or non-responsive grievance mechanism not only violates the Act but creates the conditions for Board complaints and regulatory escalation.
197
+
198
+ ---
199
+
200
+ ### A.8 Data Processing Agreements (Section 8(1) + Rule 16)
201
+
202
+ Every Data Processor engaged must be under a **written contract** that specifies:
203
+
204
+ | Contract Element | Requirement |
205
+ |-----------------|-------------|
206
+ | Processing instructions | Processor may only process as instructed by the Fiduciary |
207
+ | Purpose limitation | Processing restricted to specified purposes |
208
+ | Security measures | Processor must implement equivalent safeguards to Rule 7 |
209
+ | Sub-processing | Must obtain Fiduciary's prior written approval for sub-processors |
210
+ | Audit rights | Fiduciary must have right to audit Processor's compliance |
211
+ | Breach notification | Processor must notify Fiduciary promptly upon detecting a breach |
212
+ | Erasure on termination | Processor must erase data upon termination of engagement and confirm erasure |
213
+ | Data Fiduciary's liability | Fiduciary remains liable to Data Principals for Processor's acts — Fiduciary may seek indemnity from Processor contractually |
214
+
215
+ **Rule 16 additional requirements:**
216
+ - Contract must be executed before processing begins (not retrospectively)
217
+ - Processor-to-sub-processor agreements must flow down all obligations
218
+ - Fiduciary must maintain a register of all Processors and sub-processors
219
+
220
+ ---
221
+
222
+ ## Part B — Children's Data (Section 9 + Rules 10 and 12)
223
+
224
+ ### B.1 Age Threshold
225
+
226
+ **18 years** — uniform across India, no regional variation.
227
+
228
+ ### B.2 Parental Consent (Section 9(1) + Rule 12)
229
+
230
+ **Requirement:** Verifiable consent from parent or lawful guardian before processing any personal data of a child.
231
+
232
+ **Rule 12 — Verification methods (prescribed):**
233
+
234
+ | Method | Description |
235
+ |--------|-------------|
236
+ | DigiLocker | Digital credentials authenticated via DigiLocker platform (government ID-linked) |
237
+ | Government token | Any other government-issued digital token prescribed by MeitY |
238
+ | Existing verified data | If the Data Fiduciary already holds verified parent/guardian details from a prior KYC or similar process, these may be relied upon |
239
+ | Virtual token | Anonymised tokens issued by entities operating token-based identity infrastructure |
240
+
241
+ **Key design requirements:**
242
+ - Verification must confirm the consenting individual is an adult (18+)
243
+ - Verification must confirm the consenting individual is the parent or lawful guardian of the child
244
+ - The verification process itself must not collect excessive personal data about the child or parent
245
+
246
+ **Exemption possibility (Section 9(3)):**
247
+ The Central Government may exempt certain classes of Data Fiduciaries (e.g., healthcare providers, educational institutions, essential digital services for children) from the verifiable parental consent requirement. These exemptions must be positively notified — no self-certification of exemption is permitted.
248
+
249
+ ### B.3 Absolute Prohibitions (Section 9(2))
250
+
251
+ Regardless of consent, the following are **prohibited for all children** (no exceptions unless separately notified):
252
+
253
+ 1. **Tracking or behavioural monitoring** — geolocation tracking, persistent identifiers, browsing history, app usage analytics on individual children
254
+ 2. **Targeted advertising** — advertising directed at a child based on their personal data, browsing patterns, or inferred characteristics
255
+ 3. **Any processing likely to cause detrimental effect on the child's well-being**
256
+
257
+ **Compliance implication:**
258
+ - An analytics platform that tracks individual child users violates Section 9(2) even if parental consent is obtained
259
+ - An advertising-funded platform that profiles children for ad targeting violates Section 9(2) regardless of consent
260
+ - Age-verification must precede any personalised or tracked service — not a post-onboarding check
261
+
262
+ **Penalty:** ₹200 crore maximum — second-highest penalty tier.
263
+
264
+ ### B.4 Practical Age-Gate Requirements
265
+
266
+ - Age declaration at registration: must capture claimed age
267
+ - Verification trigger: if claimed age is under 18, parental consent verification must be initiated before data processing begins
268
+ - False age declaration: Data Fiduciary is protected if it relied in good faith on a verified parental consent — responsibility shifts to the declarant
269
+ - Dark patterns: age-gate mechanisms must not use deceptive design to bypass age checks
270
+
271
+ ---
272
+
273
+ ## Part C — Significant Data Fiduciary Obligations (Section 10 + Rule 13)
274
+
275
+ ### C.1 SDF Designation
276
+
277
+ **Who designates:** Central Government (MeitY) by notification in the Official Gazette.
278
+
279
+ **Criteria (Section 10 + Rule 13(1)):**
280
+
281
+ | Factor | Indicators |
282
+ |--------|-----------|
283
+ | Volume of data | Large-scale processing of personal data across a significant number of Data Principals |
284
+ | Sensitivity | Processing of special categories (financial, health, biometric, location) at scale |
285
+ | Risk to rights | Potential for harm, discrimination, or manipulation of Data Principals |
286
+ | Sovereignty and security | Impact on India's sovereignty, integrity, national security |
287
+ | Electoral democracy | Potential to influence electoral processes or democratic participation |
288
+ | Public order | Processing that could affect public order, communal harmony |
289
+
290
+ **Current status (April 2026):** The Central Government has not yet published the first list of SDFs. Entities should assess their processing profile and prepare for potential SDF designation.
291
+
292
+ ### C.2 India-Resident Data Protection Officer (Section 10(2)(a) + Rule 13(2))
293
+
294
+ | Requirement | Detail |
295
+ |-------------|--------|
296
+ | Residency | Must be **resident in India** (not abroad) |
297
+ | Individual | Must be a natural person — not an entity or external law firm |
298
+ | Role before Board | Sole official representative of the SDF before the Data Protection Board |
299
+ | Data Principal contact | Primary contact for Data Principal grievances |
300
+ | Reporting line | Must have direct access to the highest management of the SDF |
301
+
302
+ **Key distinction from GDPR DPO:**
303
+ - The DPDPA DPO is the SDF's spokesperson and Board liaison — a more operational role than the GDPR advisory DPO
304
+ - The DPDPA DPO does not independently audit the organisation; that function is the Data Auditor's
305
+ - The DPDPA DPO must physically reside in India — a non-India-based privacy officer does not satisfy this requirement
306
+
307
+ ### C.3 Data Protection Impact Assessment (Section 10(2)(b) + Rule 13(3))
308
+
309
+ **Frequency:** Annual — covering the preceding year's processing activities.
310
+
311
+ **Mandatory content (Rule 13(3)):**
312
+
313
+ | Assessment Element | What to Cover |
314
+ |-------------------|---------------|
315
+ | Compliance review | Review of all processing activities against Act and Rules obligations |
316
+ | Rights exercise analysis | How Data Principals exercised their rights; complaints received; resolution rate |
317
+ | Safeguard adequacy | Assessment of whether security safeguards remain adequate given current threats |
318
+ | Third-party risk | Review of all Data Processor relationships and their compliance |
319
+ | Large-scale processing risks | Specific risks arising from high-volume or high-sensitivity processing |
320
+ | Mitigation measures | Actions taken and proposed to address identified risks |
321
+
322
+ **Output:** DPIA report submitted to the Board as part of the annual compliance cycle.
323
+
324
+ ### C.4 Annual Independent Data Audit (Section 10(2)(c) + Rule 13(4))
325
+
326
+ **Auditor:** External, independent, qualified data auditor (not the SDF's own privacy team or affiliated entity).
327
+
328
+ **Scope:**
329
+ - Compliance with all obligations under the Act and Rules
330
+ - Adequacy of security safeguards
331
+ - Data processing agreements with Processors
332
+ - Data Principal rights fulfilment
333
+ - Breach notification history and response adequacy
334
+ - Children's data compliance (if applicable)
335
+
336
+ **Output:** Audit report submitted to the Board. Board may use audit findings in investigations and penalty proceedings.
337
+
338
+ ### C.5 Data Localisation (Section 10(2)(d))
339
+
340
+ **Mechanism:** Central Government may, by notification, require SDFs to retain specified categories of personal data only within India — even if cross-border transfer is otherwise permitted.
341
+
342
+ **Current status (April 2026):** No localisation notifications issued for SDFs. Entities should monitor MeitY gazette.
343
+
344
+ **Planning requirement:** SDFs must be capable of implementing localisation on notification — this requires data mapping to identify which data categories and which systems would be affected, and architecture capable of separating India-stored data from globally replicated data.
345
+
346
+ ---
347
+
348
+ ## Part D — Data Principal Rights Fulfilment Procedures
349
+
350
+ ### D.1 Right to Access (Section 11)
351
+
352
+ **What the Data Principal may request:**
353
+ 1. Summary of personal data currently being processed
354
+ 2. Description of processing activities (purpose, legal basis, duration)
355
+ 3. All Data Fiduciaries and Processors who hold or process the data, with their contact details
356
+ 4. What data has been shared with each recipient and when
357
+
358
+ **Response timeline:** Within the prescribed period under Rules (verify against Rule schedule).
359
+
360
+ **Form of response:** Must be in a format accessible to the Data Principal — plain language, understandable categories, not raw database extracts.
361
+
362
+ **Limitations:**
363
+ - Data Fiduciaries may decline to provide information where disclosure would endanger another person
364
+ - Information subject to legal privilege or security exemptions (Section 17) may be withheld
365
+ - Must provide a reason for any refusal (enabling Board escalation)
366
+
367
+ ### D.2 Right to Correction, Completion, and Updating (Section 12(1))
368
+
369
+ **Process:**
370
+ 1. Data Principal submits correction/completion/update request
371
+ 2. Data Fiduciary verifies the request
372
+ 3. Data Fiduciary makes the requested correction, completion, or update
373
+ 4. Data Fiduciary notifies any Data Processors or other Fiduciaries who received the incorrect data (where feasible)
374
+
375
+ **Practical requirement:** Systems must be capable of propagating corrections across linked databases and to downstream Processors.
376
+
377
+ ### D.3 Right to Erasure (Section 12(3))
378
+
379
+ **Trigger:** Data Principal requests erasure of personal data no longer necessary for the specified purpose.
380
+
381
+ **Limitation grounds where Fiduciary may refuse (Section 12(4)):**
382
+ 1. Data is still necessary for the specified purpose
383
+ 2. Retention required by law (statutory obligation)
384
+ 3. Retention necessary to enforce or defend legal rights
385
+
386
+ **Process:**
387
+ 1. Data Principal submits erasure request
388
+ 2. Data Fiduciary assesses whether any refusal ground applies
389
+ 3. If no refusal ground: erase from own systems AND direct all Processors to erase
390
+ 4. If refusal ground applies: notify Data Principal with explanation and right to escalate to Board
391
+
392
+ ### D.4 Right of Grievance Redressal (Section 13)
393
+
394
+ **Mandatory exhaustion:** Data Principals MUST exhaust the Data Fiduciary's grievance mechanism before filing a complaint with the Board.
395
+
396
+ **Fiduciary obligations:**
397
+ - Grievance mechanism must be accessible (not buried or inaccessible)
398
+ - Acknowledgement and resolution within prescribed timelines
399
+ - Records of grievances and resolutions must be maintained
400
+
401
+ **Escalation to Board:** If the Data Principal is unsatisfied with the Fiduciary's response, or if the Fiduciary fails to respond within the prescribed period, the Data Principal may approach the Board.
402
+
403
+ ### D.5 Right to Nominate (Section 14)
404
+
405
+ **Available triggers:**
406
+ - Death of the Data Principal
407
+ - Incapacity (unsoundness of mind or physical infirmity preventing exercise of rights)
408
+
409
+ **Nominee's powers:** The nominee may exercise all rights under Sections 11, 12, and 13 as if they were the Data Principal.
410
+
411
+ **Operational requirement:** Data Fiduciaries must provide a mechanism for Data Principals to register nominations, update nominations, and for nominees to authenticate themselves upon claiming rights.
412
+
413
+ ---
414
+
415
+ ## Part E — Response Timelines Quick Reference
416
+
417
+ | Right/Obligation | Prescribed Timeline |
418
+ |-----------------|---------------------|
419
+ | Breach notification to Board | 72 hours from awareness |
420
+ | Grievance acknowledgement | As prescribed by Rules (monitor Rule schedule) |
421
+ | Grievance resolution | As prescribed by Rules |
422
+ | Access request response | As prescribed by Rules |
423
+ | Correction/erasure response | As prescribed by Rules |
424
+ | Notice for existing data | Within prescribed period after commencement |
425
+
426
+ > **Note on prescribed timelines:** The DPDP Rules 2025 set specific timelines for several obligations. Where the table above states "as prescribed by Rules," verify the current Rule text as timelines may be specified in schedules or subsequent notifications. Monitoring MeitY's official gazette is essential for SDF-designated and high-volume Data Fiduciaries.
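Review bot: the response-timeline entries in A.7, D.1 and the Part E table are placeholders ("As prescribed by Rules", "verify against Rule schedule") rather than the periods the Rules prescribe, so the quick-reference table in Part E answers only one of its six rows (`| Breach notification to Board | 72 hours from awareness |`). Either fill the remaining rows from the Rule text with the rule number cited beside each figure, as every other section already cites its Section/Rule, or keep the caveat in the Part E note only and drop the repeated "verify against Rule schedule" parentheticals from A.7 and D.1 so the gap is stated once. Two smaller points: the 72-hour figure and the B.4 "good faith" reliance protection are the only substantive statements here without a Section/Rule citation, which makes them hard to check against the Act, and the two "Current status (April 2026)" lines in C.1 and C.5 will silently go stale, so a single "last verified" date at the top of the file would be easier to maintain than inline dates.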