Rights of Data Principals under the DPDP Act 2023
- By Taxmann
- Last Updated on 4 May, 2025
Under the Digital Personal Data Protection Act (DPDP Act), 2023, Data Principals—i.e., individuals to whom the personal data relates—are granted specific rights to empower them and ensure greater control over their personal information. These rights form the core of the Act’s data protection framework and mandate corresponding duties for Data Fiduciaries (i.e., entities that determine the purpose and means of processing personal data).
Table of Contents
- Overview
- Right to Information (Access) About Personal Data – Section 11
- Right to Correction & Erasure of Personal Data – Section 12
- Right to Grievance Redressal – Section 13
- Right to Nominate – Section 14
- Data Principal Duties (Section 15)
- Operational Blueprint for Fiduciaries
- Edge Cases & Exemptions
- Conclusion
1. Overview
Chapters III and IV of the DPDP Act convert privacy from a passive expectation into four actionable rights plus a unique nomination facility. Fiduciaries must build self-service tools and back-office workflows to honour these rights within statutory timelines (to be notified, likely 15 – 30 days).
2. Right to Information (Access) About Personal Data – Section 11
2.1 What the Individual Can Demand
- Confirmation whether or not personal data is being processed.
- A summary of the personal data currently held.
- Names/categories of third parties with whom data was shared.
- Any additional info specified by rules (likely processing purpose, retention period).
2.2 Fiduciary’s Duty
- Verify requester’s identity.
- Supply information in “clear, concise & intelligible form”, preferably digitally downloadable.
- Deny or redact only if an exemption applies (e.g., an ongoing law‑enforcement probe).
3. Right to Correction & Erasure of Personal Data – Section 12
| Aspect | Correction | Erasure |
| --- | --- | --- |
| Trigger | Data is inaccurate, incomplete, outdated, or misleading. | The purpose is completed, or consent is withdrawn, and there is no legal basis to retain. |
| Verification | Fiduciary may request documentary proof of new data. | Fiduciary must assess retention laws (tax, RBI, SEBI, etc.). |
| Response | Update across all live systems; optionally annotate backups. | Delete or robustly anonymise; certify completion to the Data Principal. |
If erasure is partially refused (e.g., statutory retention), the Fiduciary must inform the individual of the legal basis.
4. Right to Grievance Redressal – Section 13
- A Data Fiduciary must provide an easily accessible grievance redressal mechanism, reachable through email, a helpline, or an online form.
- The Grievance Officer must acknowledge and resolve complaints within such time limit as may be prescribed (draft rules: 30 days).
- Unresolved or unsatisfactory complaints may be escalated to the Data Protection Board of India (DPBI).
- DPBI may order investigation, issue remedial directions, or impose penalties for non-compliance.
5. Right to Nominate – Section 14
- The Data Principal may nominate any individual to act on his/her behalf upon death or incapacity.
- Nominee can exercise all rights (access, deletion, grievance) by producing proof of entitlement (death certificate, medical incapacity certificate).
- Fiduciary must securely record the nomination (via a UI option in account settings, or in physical form).
6. Data Principal Duties (Section 15)
| Duty | Penalty for Breach |
| --- | --- |
| Do not file false/frivolous complaints | Up to ₹10,000 |
| Do not impersonate another person | Ditto |
| Do not suppress material info in official documents | Ditto |
| Provide authentic data when seeking correction/erasure | Ditto |
These safeguards deter abuse and balance the rights regime.
7. Operational Blueprint for Fiduciaries
- Rights Portal – authenticated dashboard where users can download data, edit fields, and submit erasure requests.
- Workflow Engine – route requests to data‑owners, log status, enforce deadlines, and auto‑escalate overdue tickets.
- Audit Trail – immutable logs showing request, verification, outcome, and timestamps.
- Notification back to user – clear email or SMS confirming action.
- Training – frontline staff must recognise data‑rights requests (often disguised as customer‑support queries).
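The Workflow Engine and Audit Trail items above can be sketched together. This is an added example, not code from Taxmann or from the Act: it uses SHA-256 hash chaining as one way to make the log tamper-evident, and the class and field names, the request IDs and the 30-day window are all assumptions.

```python
import hashlib, json
from datetime import datetime, timedelta, timezone

# Assumption: 30-day window (the draft-rules figure); final timelines are not yet notified.
RESPONSE_WINDOW = timedelta(days=30)
GENESIS = "0" * 64

def _digest(prev_hash, body):
    payload = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode()).hexdigest()

class AuditTrail:
    """Append-only log; each entry commits to the hash of the entry before it."""
    def __init__(self):
        self.entries = []

    def append(self, request_id, stage, detail, at):
        # Keep personal data out of `detail`; log references, not the data itself.
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {"request_id": request_id, "stage": stage, "detail": detail, "at": at.isoformat()}
        self.entries.append({**body, "prev": prev, "hash": _digest(prev, body)})

    def verify(self):
        """Return the index of the first altered entry, or -1 if the chain is intact."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            body = {k: e[k] for k in ("request_id", "stage", "detail", "at")}
            if e["prev"] != prev or e["hash"] != _digest(prev, body):
                return i
            prev = e["hash"]
        return -1

    def overdue(self, now):
        """Request IDs received more than RESPONSE_WINDOW ago with no recorded outcome."""
        received, closed = {}, set()
        for e in self.entries:
            if e["stage"] == "received":
                received[e["request_id"]] = datetime.fromisoformat(e["at"])
            elif e["stage"] == "outcome":
                closed.add(e["request_id"])
        return sorted(r for r, t in received.items()
                      if r not in closed and now - t > RESPONSE_WINDOW)

def demo():
    # Constructed sample requests, not real data: (id, stage, detail, day offset)
    t0, log = datetime(2025, 1, 1, tzinfo=timezone.utc), AuditTrail()
    for rid, stage, detail, day in [("REQ-1", "received", "erasure request", 0),
                                    ("REQ-1", "verification", "identity verified", 1),
                                    ("REQ-2", "received", "access request", 2),
                                    ("REQ-1", "outcome", "erased after retention check", 5)]:
        log.append(rid, stage, detail, t0 + timedelta(days=day))
    return log, t0
```

A hash chain only makes edits detectable; the latest hash still has to be anchored somewhere the log's operators cannot rewrite, such as write-once storage or a separate system.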
8. Edge Cases & Exemptions
- Ongoing litigation – data needed as evidence may be retained despite an erasure request.
- Research archives – erasure may be refused if data is irreversibly anonymised for research.
- Law‑enforcement hold – fiduciary may delay disclosure if the DPB grants an exemption for an active investigation.
Document the legal grounds when relying on an exemption.
9. Conclusion
Robust fulfilment of Data‑Principal rights is both a statutory obligation and a brand‑trust differentiator. Early movers that build intuitive self‑service portals and transparent policies will reduce regulatory risk and enhance consumer confidence.