Data Principal Rights Under the DPDP Act: What Your Customers Can Demand
The DPDP Act 2023 grants individuals enforceable rights over their personal data. Every Indian business must build systems to honour these rights within defined timelines.
Your Customers Now Have Legal Authority Over Their Data
The DPDP Act 2023 does not only impose obligations on businesses. It grants enforceable rights to every individual whose personal data is processed. The Act calls these individuals Data Principals.
These rights are not aspirational. They are statutory. When a Data Principal exercises a right, the Data Fiduciary must respond within the timelines specified by the Act. Failure to do so is a violation subject to penalties up to ₹250 crore.
The Rights Defined by the Act
Right to Information About Processing
Every Data Principal has the right to obtain a summary of the personal data being processed and the processing activities being carried out by the Data Fiduciary. This includes:
- What categories of personal data are held
- The purpose for which each category is being processed
- The categories of third parties with whom the data has been shared
This is not a request the business can decline or delay indefinitely. The Act requires a response within the timeframe prescribed by rules.
Right to Correction and Erasure
Data Principals can demand that inaccurate or incomplete personal data be corrected. They can also request erasure of personal data that is no longer necessary for the purpose for which it was collected.
The correction right covers:
- Factual inaccuracies: Wrong name, address, contact details, or any other personal data field
- Incomplete records: Missing information that creates a misleading profile
- Outdated information: Data that was accurate at collection but is no longer current
The erasure right applies when:
- The purpose for which data was collected has been fulfilled
- Consent has been withdrawn and no other lawful basis for retention exists
- The data was processed in violation of the Act
Right to Grievance Redressal
If a Data Principal believes their rights have been violated, they can file a grievance directly with the Data Fiduciary. The business must acknowledge and address the grievance within the prescribed timeline.
If the Data Fiduciary fails to resolve the grievance satisfactorily, the Data Principal can escalate the complaint to the Data Protection Board of India. The Board has the authority to investigate, direct remediation, and impose penalties.
This means every Data Fiduciary must operate an internal grievance mechanism. A contact form that goes to an unmonitored inbox does not qualify.
Right to Nominate
The Act grants Data Principals the right to nominate another individual to exercise their rights in the event of death or incapacity. The nominee can:
- Request information about the deceased or incapacitated principal’s data
- Request correction or erasure of that data
- File grievances on behalf of the Data Principal
This right requires businesses to build nomination workflows into their systems. The nominee must be verifiable, and their authority must be recorded.
Duties of Data Principals
The Act balances rights with responsibilities. Data Principals have duties including:
- Not filing false or frivolous complaints with the Data Protection Board
- Not providing false information when exercising rights or registering grievances
- Not impersonating another Data Principal when making requests
Violations of these duties can result in penalties of up to ₹10,000 imposed on the Data Principal. This provision protects businesses from abuse of the rights framework.
Operational Requirements for Businesses
Honouring these rights requires infrastructure. A business that processes personal data must build:
- A rights request intake system: A documented, accessible channel through which Data Principals can submit requests. This must be clearly communicated to individuals at the point of data collection.
- Identity verification: Before fulfilling a rights request, the business must verify the identity of the requestor. Fulfilling an erasure request from an unverified individual creates a different compliance problem.
- Data discovery and mapping: When a Data Principal requests information about their data, the business must be able to locate all instances of that individual’s data across all systems. This requires a data inventory.
- Response tracking and audit: Every rights request must be logged with timestamps showing when it was received, acknowledged, and fulfilled. These records are evidence of compliance during regulatory audits.
- Automated downstream propagation: When data is corrected or erased, the change must propagate to all systems and third parties that received the original data. Manual propagation across dozens of systems is not operationally viable at scale.
Response Timelines
The specific timelines for responding to rights requests will be defined through rules issued under the Act. International precedent (GDPR mandates 30 days) suggests timelines will be strict. Businesses should design systems capable of fulfilling requests within 30 days or less.
The Intersection with Consent
Rights and consent are deeply connected. When a Data Principal withdraws consent:
- The right to erasure is automatically triggered for data processed under that consent
- The business must stop all processing activities linked to the withdrawn consent
- Any downstream processors must be notified and must also cease processing
A consent management system that does not trigger rights fulfilment workflows on withdrawal is incomplete. The two systems must operate as a single compliance framework.
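The request register, downstream propagation and consent-withdrawal trigger described above, as an added illustration that is not part of the original article or any named product. It assumes a 30-day design target (the Act's rules will fix the actual deadline) and models downstream recipients as in-memory sets of principal ids; a real deployment would notify actual systems and processors.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set

# Assumed design target; the page says the binding timeline will come from rules.
RESPONSE_SLA = timedelta(days=30)


@dataclass
class RightsRequest:
    request_id: str
    principal_id: str
    kind: str                       # "information", "correction" or "erasure"
    received: datetime              # audit timestamps: received / acknowledged / fulfilled
    acknowledged: Optional[datetime] = None
    fulfilled: Optional[datetime] = None
    propagated_to: List[str] = field(default_factory=list)


class RightsRegister:
    """Logs every request with timestamps and propagates erasure to downstream recipients."""

    def __init__(self, downstream: Dict[str, Set[str]]):
        # Constructed stand-in for systems/third parties that hold copies of the data.
        self.downstream = downstream
        self.requests: Dict[str, RightsRequest] = {}

    def receive(self, req: RightsRequest) -> RightsRequest:
        self.requests[req.request_id] = req
        return req

    def acknowledge(self, request_id: str, when: datetime) -> None:
        self.requests[request_id].acknowledged = when

    def fulfil(self, request_id: str, when: datetime) -> RightsRequest:
        req = self.requests[request_id]
        req.fulfilled = when
        if req.kind == "erasure":
            # Propagate the erasure to every recipient and record who was reached.
            for name, held in self.downstream.items():
                if req.principal_id in held:
                    held.discard(req.principal_id)
                    req.propagated_to.append(name)
        return req

    def withdraw_consent(self, principal_id: str, when: datetime) -> RightsRequest:
        # Withdrawal automatically opens an erasure request for that principal.
        rid = f"auto-erase-{principal_id}-{when.strftime('%Y%m%d%H%M%S')}"
        return self.receive(RightsRequest(rid, principal_id, "erasure", when))

    def overdue(self, now: datetime) -> List[str]:
        # Requests still unfulfilled past the SLA, for escalation before a grievance is filed.
        return [r.request_id for r in self.requests.values()
                if r.fulfilled is None and now - r.received > RESPONSE_SLA]
```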
What Happens When Rights Are Not Honoured
The penalty framework under the DPDP Act does not distinguish between intentional violations and operational failures. If a Data Principal exercises a right and the business fails to respond:
- The Data Principal files a complaint with the Data Protection Board
- The Board investigates and may direct the business to comply
- If non-compliance is established, the Board can impose financial penalties
- Repeat violations increase both the severity and visibility of enforcement action
The reputational cost often exceeds the financial penalty. A public enforcement action signals to every current and potential customer that the business cannot be trusted with personal data.
Assess Your Readiness
The DPDP compliance checklist includes specific items for Data Principal rights readiness. To understand your current position, take the free DPDP Gap Assessment. You will receive a personalised report identifying which rights fulfilment capabilities your organisation currently lacks.