Compliance Guide

Data Principal Rights Under DPDP Act 2023

Every Indian citizen has rights over their personal data under DPDP. Here's a comprehensive guide to the rights of Data Principals — access, correction, erasure, nomination, and grievance.

Hey there! Ever wondered what happens to your personal data when you share it with a website, an app, or even your local shop? Well, India’s new Digital Personal Data Protection Act, 2023 (DPDP Act) gives you, the individual, significant control over your information. It’s not just about what businesses can’t do; it’s also about what you can do to manage your digital footprint.

At DPDP Consulting, we’re all about making this law understandable. Think of this guide as your chai-time chat about DPDP data principal rights – the powers you hold over your own data. If you’re a small business owner, a startup founder, or just someone feeling a bit lost in the legal jargon, this guide is for you. We’ll break down what these rights mean, what businesses need to do, and how you can ensure you’re respecting your customers’ privacy.

What DPDP Means for Data Principal Rights

Under the DPDP Act, you, the individual whose data is being processed, are called a Data Principal. The business or entity that collects and processes your data is known as a Data Fiduciary. The Act lays down several fundamental rights for Data Principals, ensuring transparency and control. These aren’t just fancy legal terms; they’re concrete powers that empower individuals.

Let’s dive into the core DPDP data principal rights:

  • Right to Access Information: As a Data Principal, you have the right to ask a Data Fiduciary what personal data they hold about you, how they’re processing it, and the categories of data shared with third parties. It’s like asking for a report card on your own information.
  • Right to Correction & Erasure: Found an error in your details? You can ask the Data Fiduciary to correct inaccurate or incomplete data. Even better, you have the DPDP right to erasure, meaning you can ask them to delete your data once the purpose for which it was collected is no longer valid, or if you withdraw your consent.
  • Right to Grievance Redressal: If you have concerns or complaints about how your data is being handled, you have the right to file a grievance with the Data Fiduciary. They are obligated to respond and address your issues.
  • Right to Nomination: This is a unique one. You can nominate another person who will exercise your rights in case of your death or incapacity. It ensures continuity of control over your data.
  • Right to Withdraw Consent: You can withdraw your consent for data processing at any time. When you do, the Data Fiduciary must stop processing your data, provided there’s no legal obligation to continue.

These rights form the backbone of the DPDP Act, placing individuals firmly in control of their digital identity.

Practical Requirements for Businesses

For businesses (Data Fiduciaries), respecting DPDP data principal rights isn’t optional; it’s a legal necessity. This means putting systems and processes in place to effectively handle requests from Data Principals. Think of it as providing good customer service, but for data.

Here’s what practical requirements look like:

  • Designated Contact Person: You must have a clearly identifiable contact point (like a Grievance Officer) for Data Principals to submit their requests or grievances. This person’s details should be easily found on your website or app.
  • Request Mechanism: You need a clear, accessible way for Data Principals to make requests. This could be a dedicated email address, an online form, or a specific section within your user account settings. For example, an e-commerce store should have a “My Data Rights” section where customers can view their stored information, request corrections, or initiate deletion.
  • Response Timeframes: While the Act doesn’t specify exact timeframes, the expectation is that requests are handled in a reasonable and timely manner. Ignoring requests is a sure way to invite trouble.
  • Verification Process: When someone requests to access or delete their data, you must have a way to reasonably verify their identity to prevent fraudulent requests. Imagine a scammer trying to delete a customer’s account – robust verification prevents this.
  • Record Keeping: You need to maintain records of all requests received, how they were handled, and the actions taken. This is crucial for demonstrating compliance if ever audited.

These aren’t just abstract ideas; they require concrete actions and internal policy adjustments.

Data Types & Risk Levels

Understanding the types of data you handle and their associated risk levels is crucial when fulfilling data subject rights in India. Different types of data may call for different levels of identity verification before a request is actioned, and have different implications for erasure.

Here’s a quick look:

| Data Type | Example | Relevance to Data Principal Rights | Risk Level |
| --- | --- | --- | --- |
| Basic Personal Data | Name, address, email, phone number | Core data for access, correction, deletion. | Medium |
| Sensitive Personal Data | Financial details (bank account), health records | Higher scrutiny for access, correction, deletion; requires explicit consent. | High |
| Behavioral/Usage Data | Website browsing history, app usage, preferences | Often aggregated, but individuals can request insight into or deletion of linked profiles. | Medium |
| Biometric Data | Fingerprints, facial recognition | Very high risk; strict consent and security for processing; challenging to “erase”. | High |
| Publicly Available Data | Social media profiles (public), listed businesses | Generally lower risk, but still subject to correction/access if used by a Fiduciary. | Low |

Businesses must tailor their response to requests based on the sensitivity and nature of the data involved.

Common Mistakes to Avoid

Even with the best intentions, businesses can stumble when it comes to respecting DPDP data principal rights. Being aware of these pitfalls can save you a lot of headache (and potential penalties!).

Here are some common mistakes:

  • Ignoring Requests: The biggest mistake is simply not responding to a Data Principal’s request. Whether it’s for access, correction, or erasure, every request deserves a timely acknowledgment and action. Scenario: A customer emails an online store asking to see what purchase data they hold. The store’s support team never replies. This is a direct violation and a bad user experience.
  • Lack of Clear Process: If your employees don’t know how to handle a data request, delays and errors are inevitable. Scenario: An HR department receives an employee’s request to update their address, but the person who usually handles it is on leave, and no one else knows the procedure. The update is delayed for weeks.
  • Inadequate Identity Verification: Releasing data to the wrong person or deleting data based on an unverified request can lead to major security breaches. Always verify the Data Principal’s identity diligently. Scenario: An imposter sends an email impersonating a client and requests all their financial transaction history. Without proper verification, a business might accidentally disclose sensitive information.
  • Failure to Act on Erasure/Correction: Promising to delete data but failing to do so, or not updating records after a correction request, undermines trust and compliance. The DPDP right to erasure means actual erasure. Scenario: A user requests their marketing profile be deleted. The business deletes it from the active database but keeps it in a backup system that isn’t regularly purged, meaning the data isn’t truly gone.
  • Hiding the Process: Making it difficult for Data Principals to find information about their rights or how to make a request is a subtle but significant mistake. Transparency is key.

Remember, the penalties for non-compliance with the DPDP Act can be steep, reaching up to ₹250 Crore. It’s not just a suggestion; it’s a serious obligation. For more insights on general compliance, check out our analyses.

How to Comply with Data Principal Rights

Compliance isn’t a one-time task; it’s an ongoing commitment. To effectively respect data subject rights in India, Data Fiduciaries need to embed privacy into their operational DNA.

Here are concrete steps to ensure compliance:

  • Develop Clear Policies: Create internal policies and procedures for handling all types of Data Principal requests (access, correction, erasure, withdrawal of consent, nomination). Make sure these policies cover verification, response times, and record-keeping.
  • Train Your Team: Educate all relevant employees (customer service, HR, IT, marketing) on their roles and responsibilities concerning data principal rights. Regular training sessions ensure everyone knows what to do when a request comes in.
  • Implement a Request Management System: Whether it’s a simple shared inbox or a dedicated software tool, have a system to log, track, and manage all Data Principal requests from receipt to completion. This helps prevent requests from falling through the cracks.
  • Review Data Retention Policies: Regularly audit the data you hold. If data is no longer needed for its original purpose and there’s no legal basis to keep it, it should be securely deleted, aligning with the DPDP right to erasure.
  • Update Privacy Notices: Ensure your website’s privacy policy clearly outlines the Data Principal rights and how individuals can exercise them, including contact details for your Grievance Officer.
  • Test Your Processes: Periodically conduct internal “mock requests” to test if your systems and team can effectively handle Data Principal requests. This helps identify and fix bottlenecks before real requests come in.

For deeper dives into industry-specific compliance, explore our industry guides. Adopting these proactive measures will build trust with your customers and keep your business on the right side of the law.
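To make the practical requirements above concrete, here is a small request register written for this guide as an added example; it is not code from this page or from DPDP Consulting. It ties together four of the points made earlier: every request is logged with an audit trail (record keeping), nothing is actioned until the requester proves their identity (verification), an erasure is only closed once every registered data store, backups included, has confirmed deletion (the “still in the backup” scenario), and an overdue report lets the Grievance Officer see what has slipped. The 30-day internal deadline, the store names, the customer identifier and the one-time token sent to the registered contact are all assumptions for illustration, not requirements stated by the Act.

```python
import secrets
from dataclasses import dataclass, field
from datetime import date, timedelta
from enum import Enum


class RequestType(Enum):
    ACCESS = "access"
    CORRECTION = "correction"
    ERASURE = "erasure"
    WITHDRAW_CONSENT = "withdraw_consent"
    NOMINATION = "nomination"


class Status(Enum):
    RECEIVED = "received"    # logged, identity not yet confirmed
    VERIFIED = "verified"    # identity confirmed, work may begin
    COMPLETED = "completed"  # action taken in every relevant store


@dataclass
class DataRequest:
    request_id: str
    principal_id: str        # the business's own customer identifier (constructed)
    kind: RequestType
    received: date
    status: Status = Status.RECEIVED
    challenge: str = ""      # one-time token sent to the registered contact (assumed mechanism)
    pending_stores: set = field(default_factory=set)
    audit: list = field(default_factory=list)  # record keeping: (date, event)


class RequestRegister:
    """Log, verify, track and close Data Principal requests."""

    def __init__(self, data_stores, sla_days=30):
        # sla_days is an internal target chosen by the business; the Act gives no
        # fixed number, so 30 is an assumption for this example.
        self.data_stores = tuple(data_stores)
        self.sla = timedelta(days=sla_days)
        self._requests = {}

    def log_request(self, request_id, principal_id, kind, received):
        req = DataRequest(request_id, principal_id, kind, received)
        if kind is RequestType.ERASURE:
            # Erasure is only complete when every store, backups included, confirms.
            req.pending_stores = set(self.data_stores)
        req.audit.append((received, f"{kind.value} request received"))
        self._requests[request_id] = req
        return req

    def issue_challenge(self, request_id, today):
        """Create a one-time token to send to the principal's registered contact."""
        req = self._requests[request_id]
        req.challenge = secrets.token_urlsafe(16)
        req.audit.append((today, "verification challenge issued"))
        return req.challenge

    def verify_identity(self, request_id, presented, today):
        req = self._requests[request_id]
        ok = bool(req.challenge) and secrets.compare_digest(req.challenge, presented)
        req.audit.append((today, "identity verified" if ok else "verification failed"))
        if ok:
            req.status = Status.VERIFIED
            req.challenge = ""  # token is single use
        return ok

    def _require_verified(self, req):
        if req.status is Status.RECEIVED:
            raise PermissionError(f"{req.request_id}: identity not verified")

    def confirm_erased(self, request_id, store, today):
        """Record that one store has erased the data; returns stores still pending."""
        req = self._requests[request_id]
        self._require_verified(req)
        if store not in self.data_stores:
            raise ValueError(f"unknown store {store!r}")
        req.pending_stores.discard(store)
        req.audit.append((today, f"erased from {store}"))
        if not req.pending_stores and req.status is not Status.COMPLETED:
            req.status = Status.COMPLETED
            req.audit.append((today, "erasure complete in all stores"))
        return sorted(req.pending_stores)

    def complete(self, request_id, today, note):
        """Close a non-erasure request (access report sent, record corrected, ...)."""
        req = self._requests[request_id]
        self._require_verified(req)
        if req.kind is RequestType.ERASURE:
            raise ValueError("erasure closes via confirm_erased for each store")
        req.status = Status.COMPLETED
        req.audit.append((today, note))

    def status(self, request_id):
        return self._requests[request_id].status

    def overdue(self, today):
        """Open requests past the internal deadline, for the Grievance Officer."""
        return sorted(r.request_id for r in self._requests.values()
                      if r.status is not Status.COMPLETED and today - r.received > self.sla)


def demo():
    """Walk one constructed erasure request through the register."""
    reg = RequestRegister(data_stores=("orders_db", "crm", "nightly_backup"), sla_days=30)
    reg.log_request("REQ-1", "cust-4711", RequestType.ERASURE, date(2024, 1, 2))
    token = reg.issue_challenge("REQ-1", date(2024, 1, 2))
    reg.verify_identity("REQ-1", token, date(2024, 1, 3))
    reg.confirm_erased("REQ-1", "orders_db", date(2024, 1, 4))
    reg.confirm_erased("REQ-1", "crm", date(2024, 1, 4))
    return reg  # nightly_backup still pending, so REQ-1 is not yet complete
```

In `demo()` the request stays open after two of three stores confirm, so it shows up in `overdue()` once the internal deadline passes; only the backup's confirmation closes it. Acting on a request that is still in the RECEIVED state raises, which is the code-level version of “verify first, then disclose or delete”.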

Quick Actions You Can Start This Week

Feeling a bit overwhelmed? Don’t worry, here are six concrete steps you can take this week to begin or improve your DPDP compliance regarding Data Principal rights:

  1. Identify Your Grievance Officer: Designate a person or team responsible for handling data privacy requests and grievances.
  2. Update Your Privacy Policy: Add clear, easy-to-understand information about Data Principal rights (access, correction, erasure, nomination) and how to exercise them on your website or app.
  3. Create a Dedicated Email Address: Set up an email like privacy@yourbusiness.com or dataprotection@yourbusiness.com for Data Principal requests.
  4. Draft a Basic Response Template: Prepare a template for acknowledging requests and outlining next steps, even if it’s just to confirm receipt.
  5. Brief Your Front-Line Staff: Inform your customer service or support team about the new privacy rights and how to escalate incoming data requests to the designated Grievance Officer.
  6. Inventory Your Data: Start listing the types of personal data you collect, why you collect it, and where it’s stored. This helps you prepare for access and erasure requests.