Data Principal Rights Under DPDPA 2023 — Complete Guide
DPDPA 2023 grants Data Principals (individuals whose personal data is being processed) a set of enforceable rights against Data Fiduciaries. These rights are codified in Sections 11 through 14 of the Act. Data Fiduciaries must establish processes to receive, verify, and fulfil these requests within the timelines prescribed by the Rules. Failure to comply exposes the organisation to penalties of up to Rs. 50 crore per violation.
Right to Access (Section 11)
Under Section 11, a Data Principal has the right to obtain from the Data Fiduciary:
- A summary of personal data being processed and the processing activities undertaken with respect to such personal data.
- Identities of all Data Processors and third-party Data Fiduciaries with whom their personal data has been shared, along with the categories of data shared with each.
- Any other information as may be prescribed by rules, relating to the personal data of the Data Principal and the processing thereof.
Important limitations: The right to access does not include the right to obtain the actual raw data (unlike GDPR's right to portability). It is a right to a summary and metadata about processing. The Data Fiduciary must provide the information in a clear and accessible manner.
Right to Correction and Erasure (Section 12)
Section 12 grants Data Principals the right to:
- Correction — Request that inaccurate or misleading personal data be corrected.
- Completion — Request that incomplete personal data be completed.
- Updating — Request that personal data which is no longer current be updated.
- Erasure — Request deletion of personal data that is no longer necessary for the purpose for which it was collected, or where consent has been withdrawn.
Erasure is not absolute. The Data Fiduciary may retain personal data where retention is required by law (e.g., tax records, financial transaction records under Companies Act or GST regulations). However, the Data Fiduciary must inform the Data Principal of the legal basis for continued retention and limit processing to only what is legally required.
Right to Grievance Redressal (Section 13)
Section 13 mandates that every Data Fiduciary must publish a readily available means for Data Principals to submit grievances. This is not merely a "contact us" form — it requires a structured grievance mechanism with:
- An accessible channel — Must be easy to find and use. Burying it behind multiple navigations or requiring registration to submit a grievance is non-compliant.
- Acknowledgment — The Data Fiduciary should acknowledge receipt of the grievance within a reasonable timeframe.
- Response within prescribed timeline — Rule 14(3) prescribes a maximum of 90 days for responding to any Data Principal request (this includes grievances). Note: this is 90 days, not 30 days — GDPR uses 30 days, DPDPA uses 90 days.
- Escalation path — If the Data Principal is not satisfied with the response, the Act provides for complaint to the Data Protection Board. The notice must inform Data Principals of this escalation path.
Response Timeline — Rule 14(3): 90 Days
Rule 14(3) of the DPDPA Rules 2025 establishes the response timeline for Data Principal rights requests:
- Maximum response time: 90 days from receipt of the request. This applies to all request types — access, correction, erasure, grievance, and nomination.
- This is NOT 30 days — 30 days is the GDPR timeline. DPDPA provides 90 days, reflecting the practical realities of Indian business operations and the nascent state of data protection infrastructure.
- Extensions — Unlike GDPR, DPDPA does not provide an explicit extension mechanism. The 90-day period is the outer limit. Businesses should aim to respond well within this window.
- Failure consequences — Missing the 90-day SLA constitutes a violation of the Act, exposing the Data Fiduciary to a penalty of up to Rs. 50 crore under the residual penalty provision.
Right to Nominate (Section 14)
Section 14 provides a right unique to DPDPA — the right to nominate another individual to exercise Data Principal rights in the event of death or incapacity:
- Who can nominate — Any Data Principal can nominate any individual to act on their behalf after death or in case of incapacity.
- What the nominee can do — Exercise all rights that the Data Principal could have exercised, including access, correction, erasure, and grievance redressal.
- Registration — The nomination must be registered with the Data Fiduciary. The mechanism for registration must be provided by the Data Fiduciary.
- Revocation — A Data Principal may revoke or change their nomination at any time while they have capacity to do so.
- Verification — The Data Fiduciary must verify the identity of the nominee before honouring requests made by them, and must verify the triggering event (death certificate, medical certificate of incapacity).
This right is particularly important for digital estate planning and has no direct equivalent in GDPR. Indian businesses must build nomination registration and verification workflows.
Right to Withdraw Consent (Section 6(4))
While technically part of the consent framework rather than the rights chapter, withdrawal of consent functions as a Data Principal right in practice:
- At any time — Consent can be withdrawn for any or all purposes without explanation.
- Ease requirement — Withdrawal must be as easy as giving consent. If consent was one click, withdrawal must be one click.
- Granularity — A Data Principal may withdraw consent for specific purposes while maintaining it for others.
- Consequences — The Data Fiduciary must cease processing for the withdrawn purpose within a reasonable period and must inform the Data Principal of consequences before withdrawal takes effect.
- 48-hour pre-deletion notice — Under Rule 8(2), before deleting data following consent withdrawal, the Data Fiduciary must provide 48 hours' notice to the Data Principal, giving them the opportunity to request a copy of their data.
Identity Verification Requirements
Before fulfilling any Data Principal rights request, the Data Fiduciary must verify the identity of the requester. DPDPA does not prescribe a specific verification method, but the standard must be:
- Proportionate — The verification burden should be proportionate to the sensitivity of the data and the nature of the request. An erasure request for sensitive data warrants stronger verification than an access request for basic profile data.
- Not obstructive — Verification requirements must not be so burdensome that they effectively prevent Data Principals from exercising their rights. Requiring notarised documents or in-person verification for a simple access request would be disproportionate.
- Common methods — OTP verification to registered email/phone, Aadhaar-based verification (with consent), account login verification, or other electronic means. The method should match how the Data Principal originally interacted with the Data Fiduciary.
- For nominees — Stronger verification is appropriate: identity of the nominee, proof of nomination, and evidence of the triggering event (death/incapacity).
How to Handle DSR Requests Operationally
A Data Subject Request (DSR) handling process should include:
- Intake — Provide a clear submission channel (web form, email, API). Log the request immediately with timestamp. Issue an acknowledgment to the Data Principal.
- Verification — Verify the identity of the requester using a proportionate method. Do not begin processing until identity is confirmed.
- Assessment — Determine the type of request, scope (which data, which purposes), and any exemptions that may apply (e.g., legal retention requirements for erasure requests).
- Fulfilment — Execute the request across all systems. This often requires coordination across multiple databases, third-party processors, and backup systems.
- Processor notification — For correction and erasure requests, notify all Data Processors who hold the affected data so they can update their records.
- Response — Provide a clear written response to the Data Principal within the 90-day SLA. Include what was done, any data provided (for access), or reasons for refusal if applicable.
- Record keeping — Maintain an immutable audit trail of the request, verification, actions taken, and response. This is essential evidence in case of a complaint to the Board.
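An added example, not code from this guide or from DPDPA Shield, that models the intake-to-record-keeping steps above in Python: the 90-day deadline of Rule 14(3) computed at intake, a verification gate that blocks processing, the legal-retention exemption on erasure, and a hash-chained audit trail in which each entry commits to its predecessor so that silent edits are detectable. The 14-day warning threshold, the request types as string tags and the method names are assumptions.

```python
import hashlib, json
from datetime import timedelta

SLA_DAYS = 90        # Rule 14(3): outer limit for responding to any Data Principal request
WARNING_DAYS = 14    # assumed internal escalation threshold; not prescribed by the Rules
REQUEST_TYPES = {"access", "correction", "erasure", "grievance", "nomination"}

def _entry_hash(prev_hash, event):
    # Digest covers the previous digest plus this event, forming a tamper-evident chain.
    return hashlib.sha256((prev_hash + json.dumps(event, sort_keys=True)).encode()).hexdigest()

class DSR:
    def __init__(self, request_id, kind, received_at):
        if kind not in REQUEST_TYPES:
            raise ValueError(f"unknown request type: {kind}")
        self.request_id, self.kind, self.received_at = request_id, kind, received_at
        self.deadline = received_at + timedelta(days=SLA_DAYS)   # 90-day SLA from receipt
        self.verified = False
        self.audit = []  # list of (event, digest); digest chains to the previous entry
        self.log("intake", {"received_at": received_at.isoformat()})

    def log(self, action, detail):
        prev = self.audit[-1][1] if self.audit else "0" * 64
        event = {"action": action, "detail": detail}
        self.audit.append((event, _entry_hash(prev, event)))

    def chain_is_intact(self):
        prev = "0" * 64
        for event, digest in self.audit:
            if _entry_hash(prev, event) != digest:
                return False
            prev = digest
        return True

    def mark_verified(self, method):
        self.verified = True   # identity confirmed by a proportionate method (assumed tag)
        self.log("verification", {"method": method})

    def sla_status(self, now):
        remaining = (self.deadline - now).days
        if remaining < 0:
            return "breached"
        return "warning" if remaining <= WARNING_DAYS else "ok"

    def fulfil_erasure(self, legal_retention_basis=None):
        if not self.verified:
            raise PermissionError("identity not verified; do not process the request")
        outcome = "retained" if legal_retention_basis else "erased"   # assessment step
        self.log(outcome, {"basis": legal_retention_basis or "no exemption"})
        return outcome
```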
What Happens If You Miss the 90-Day SLA
Missing the 90-day response deadline constitutes non-compliance with the Act. The consequences include:
- Complaint to DPB — The Data Principal may file a complaint with the Data Protection Board. Once the Board accepts the complaint, an inquiry process begins.
- Penalty exposure — The residual penalty under the DPDPA Schedule, for non-compliance with any provision not specifically listed, is up to Rs. 50 crore. Each missed SLA is a separate violation.
- Reputational risk — Board decisions are expected to be publicly available, creating reputational consequences beyond the financial penalty.
- Pattern liability — Repeated SLA misses establish a pattern of non-compliance, which is an aggravating factor the Board considers when determining penalty quantum.
DPDPA Shield's Rights Automation
DPDPA Shield provides a complete Data Principal rights management system including: a public-facing rights portal (one URL per organisation, shareable with data principals), automated OTP verification, 90-day SLA countdown tracking with colour-coded alerts, response template library, closure PDF generation with immutable proof storage, real-time analytics, and automated escalation alerts when deadlines approach. The system handles all five request types (access, correction, erasure, grievance, nomination) with full audit trails.