Data Principal Rights Under DPDPA

Under the Digital Personal Data Protection Act (DPDPA) 2023, data principals have five core rights: the right to information and access (Section 11), the right to correction and erasure (Section 12), the right to grievance redressal (Section 13), the right to nominate another individual to exercise rights on their behalf (Section 14), and the right to withdraw consent at any time (Section 6(5)). These rights are enforceable against data fiduciaries with penalties up to 250 crore for non-compliance.

A data principal can exercise the right to access by submitting a request to the data fiduciary through designated channels such as a self-service portal, email, or in-person submission. Under Section 11(a), the data fiduciary must provide a summary of personal information being processed, the processing activities undertaken, the identities of all data fiduciaries and data processors with whom personal records have been shared, and any other information prescribed by the rules.

The right to erasure under DPDPA Section 12 allows a data principal to request the deletion of personal information that is no longer necessary for the purpose for which it was collected. This right applies when consent is withdrawn, when the specified purpose has been fulfilled, or when the retention period has expired. Data fiduciaries must ensure erasure across all systems including backups, logs, and third-party processors.

The right to nomination under DPDPA Section 14 is unique to Indian data protection law. A data principal can nominate any individual to exercise their privacy rights in the event of death or incapacity. The nominee can then submit access, correction, erasure, and grievance requests on behalf of the data principal. Data fiduciaries must implement workflows to register nominees, verify nominee identity, and activate nominee rights upon triggering events.

Under Section 13, every data fiduciary must establish a grievance redressal mechanism that allows data principals to raise complaints about information processing activities. The data fiduciary must acknowledge the grievance and resolve it within the timelines prescribed by the rules. If the data principal is unsatisfied with the resolution, they have the right to approach the Data Protection Board of India for adjudication.

While the DPDPA empowers the Central Government to prescribe specific timelines through rules, data fiduciaries are expected to respond to rights requests without unreasonable delay. Best practice suggests acknowledging requests within 48 hours, completing identity verification within 1-2 days, and fulfilling the request within 7 days. Organisations should implement SLA tracking and escalation mechanisms to ensure timely compliance.

A data principal must first exhaust the grievance redressal mechanism provided by the data fiduciary before approaching the Data Protection Board of India. If the data fiduciary fails to respond or the data principal is not satisfied with the response, they can file a complaint with the Board. The Board has the power to investigate, impose penalties, and direct the data fiduciary to take corrective action.

DPDPA Section 15 establishes corresponding duties for data principals to balance their rights. Data principals must not register false or frivolous complaints with data fiduciaries or the Data Protection Board, must not furnish false particulars or suppress material information when exercising rights, and must comply with applicable laws while exercising their rights. Violation of these duties can attract penalties up to 10,000 rupees.

DPDPA addresses rights of deceased individuals through the nomination mechanism under Section 14. A registered nominee can exercise data principal rights on behalf of the deceased, including access to personal records, correction, and erasure. Data fiduciaries must verify the nominee identity and the triggering event (death certificate or incapacity documentation) before processing such requests. This is a unique feature of Indian privacy law not found in GDPR or other frameworks.

Under the DPDPA penalty schedule, failure to fulfill data principal rights obligations can attract penalties up to 250 crore per instance. Specific violations include failing to provide access to personal records, not implementing correction or erasure requests, inadequate grievance redressal mechanisms, and non-compliance with nominee management obligations. The Data Protection Board of India determines penalty amounts based on the nature, gravity, and duration of the breach.