Under the Digital Personal Data Protection Act (DPDP Act), 2023, Data Principals—i.e., individuals to whom the personal data relates—are granted specific rights to empower them and ensure greater control over their personal information. These rights form the core of the Act’s data protection framework and mandate corresponding duties for Data Fiduciaries (i.e., entities that determine the purpose and means of processing personal data).
Table of Contents
- Overview
- Right to Information (Access) About Personal Data – Section 11
- Right to Correction & Erasure of Personal Data – Section 12
- Right to Grievance Redressal – Section 13
- Right to Nominate – Section 14
- Data Principal Duties (Section 15)
- Operational Blueprint for Fiduciaries
- Edge Cases & Exemptions
- Conclusion
1. Overview
Chapters III and IV of the DPDP Act convert privacy from a passive expectation into four actionable rights plus a unique nomination facility. Fiduciaries must build self-service tools and back-office workflows to honour these rights within statutory timelines (to be notified, likely 15 – 30 days).
2. Right to Information (Access) About Personal Data – Section 11
2.1 What the Individual Can Demand
- Confirmation whether or not personal data is being processed.
- A summary of the personal data currently held.
- Names/categories of third parties with whom data was shared.
- Any additional info specified by rules (likely processing purpose, retention period).
2.2 Fiduciary’s Duty
- Verify requester’s identity.
- Supply information in “clear, concise & intelligible form”, preferably digitally downloadable.
- Deny or redact only if an exemption applies (e.g., an ongoing law‑enforcement probe).
3. Right to Correction & Erasure of Personal Data – Section 12
| Aspect | Correction | Erasure |
|---|---|---|
| Trigger | Data is inaccurate, incomplete, outdated, or misleading. | The purpose is completed, or consent is withdrawn, and there is no legal basis to retain. |
| Verification | Fiduciary may request documentary proof of new data. | Fiduciary must assess retention laws (tax, RBI, SEBI, etc.). |
| Response | Update across all live systems; optionally annotate backups. | Delete or robustly anonymise; certify completion to the Data Principal. |
If erasure is partially refused (e.g., statutory retention), the Fiduciary must inform the individual of the legal basis.
4. Right to Grievance Redressal – Section 13
- A Data Fiduciary must provide an easily accessible grievance redressal mechanism, reachable through email, helpline, or online form.
- The Grievance Officer must acknowledge and resolve complaints within such time limit as may be prescribed (draft rules – 30 days).
- Unresolved or unsatisfactory complaints may be escalated to the Data Protection Board of India (DPBI).
- DPBI may order investigation, issue remedial directions, or impose penalties for non-compliance.
5. Right to Nominate – Section 14
- The Data Principal may nominate any individual to act on his/her behalf upon death or incapacity.
- Nominee can exercise all rights (access, deletion, grievance) by producing proof of entitlement (death certificate, medical incapacity certificate).
- Fiduciary must securely record the nomination (via a UI option in account settings, or in physical form).
6. Data Principal Duties (Section 15)
| Duty | Penalty for Breach |
|---|---|
| Do not file false/frivolous complaints | Up to ₹10 000 |
| Do not impersonate another person | Ditto |
| Do not suppress material info in official documents | Ditto |
| Provide authentic data when seeking correction/erasure | Ditto |
These safeguards deter abuse and balance the rights regime.
7. Operational Blueprint for Fiduciaries
- Rights Portal – authenticated dashboard where users can download data, edit fields, and submit erasure requests.
- Workflow Engine – route requests to data‑owners, log status, enforce deadlines, and auto‑escalate overdue tickets.
- Audit Trail – immutable logs showing request, verification, outcome, and timestamps.
- Notification back to user – clear email or SMS confirming action.
- Training – frontline staff must recognise data‑rights requests (often disguised as customer‑support queries).
8. Edge Cases & Exemptions
- Ongoing litigation – data needed as evidence may be retained despite an erasure request.
- Research archives – erasure may be refused if data is irreversibly anonymised for research.
- Law‑enforcement hold – fiduciary may delay disclosure if the DPB grants an exemption for an active investigation.
Document the legal grounds when relying on an exemption.
9. Conclusion
Robust fulfilment of Data‑Principal rights is both a statutory obligation and a brand‑trust differentiator. Early movers that build intuitive self‑service portals and transparent policies will reduce regulatory risk and enhance consumer confidence.
The post Rights of Data Principals under the DPDP Act 2023 appeared first on Taxmann Blog.