The mandatory deadline within which Data Fiduciaries must respond to Data Principal rights requests under DPDPA.
Under DPDPA and its Rules, Data Fiduciaries must respond to Data Principal rights requests within prescribed timelines. The general deadline is 30 days from receipt of a valid request. This applies to access, correction, erasure, and other rights. If the Fiduciary cannot comply (e.g., due to a legal retention obligation), they must provide a reasoned refusal within the same timeline. Extensions are not available under the current framework — the 30-day deadline is absolute.
Missing a single 30-day deadline gives the Data Principal grounds to complain to the Data Protection Board (DPB). At scale, even a 5% miss rate can generate significant regulatory exposure. SLA tracking and escalation workflows are essential.
A Bengaluru fintech receives an erasure request on March 1st. By March 31st, they must either: (a) confirm deletion is complete, or (b) provide a written response explaining why certain data cannot be deleted (e.g., RBI KYC retention mandate). Silence is non-compliance.
The 30-day clock starts from when you receive the request, not from when you verify the requester's identity. You cannot use lengthy identity verification as a mechanism to extend your response deadline.