A Data Principal's right to obtain confirmation and a summary of their personal data being processed.
The Right to Access under DPDPA Section 11 allows any Data Principal to request and obtain: a summary of personal data being processed, the processing activities undertaken, the identities of other Data Fiduciaries and Processors with whom data has been shared, and any other information the Rules may prescribe. The Data Fiduciary must respond within the timeline prescribed by Rules (currently 30 days). The response must be clear, intelligible, and provided free of charge.
Access requests are the most common rights exercise. You need systems to locate all data about an individual across every database and processor within 30 days, or face DPB enforcement. Manual processes fail at scale.
A customer of a Bengaluru neobank submits an access request. Within 30 days, the bank must provide: account details, transaction history, KYC documents held, third parties data was shared with (credit bureaus, UPI), and purposes for each sharing activity.
The right to access does not require providing raw database dumps. You must provide a clear, human-readable summary of the data and processing activities — not CSV exports of database tables.
DPDPA Shield automates Data Principal Rights. See how →