Data Principal Rights Under DPDP Act: Access, Erasure, Grievance
A full guide to Data Principal rights under the DPDP Act 2023 — right to access, correction, erasure, grievance redressal, and nominee rights — with operational guidance.
- Data Principals have four core rights under the DPDP Act: access, correction and erasure, grievance redressal, and nomination.
- Data Fiduciaries must acknowledge and respond to rights requests within timeframes to be specified in the Rules.
- Ignoring rights requests attracts a penalty of up to ₹10,000 per affected Data Principal.
- Grievances must first be raised with the Data Fiduciary before escalation to the Data Protection Board is permitted.
- Nominee rights allow designated individuals to exercise rights over deceased persons' data.
Overview of Data Principal Rights
Sections 11-14 of the DPDP Act codify the rights of Data Principals — the individuals whose personal data is processed. These rights are modelled on international best practice but calibrated to the Indian context. Compared to GDPR, the rights framework is somewhat narrower — there is no explicit right to data portability and no right to object to processing based on legitimate interests (since the DPDP Act has no legitimate interests basis for commercial processing).
The rights are not absolute. Section 11(4) allows the Central Government to specify circumstances where a Data Fiduciary may not be required to comply with a rights request — for example, where compliance would conflict with a legal obligation or where the data is required for national security purposes.
Importantly, Data Principals must exercise rights directly with the Data Fiduciary first. They cannot go directly to the Data Protection Board with a rights complaint until they have raised a grievance with the Data Fiduciary and either received an unsatisfactory response or not received a response within the prescribed timeframe.
Right to Access: Section 11
Section 11(1) gives each Data Principal the right to obtain from the Data Fiduciary: (a) a summary of personal data being processed and the processing activities; and (b) the identities of all Data Processors and other Data Fiduciaries with whom the personal data has been shared, along with any other information as prescribed.
This is an information right, not a full data portability right. The Data Principal can find out what is being processed and who has it, but the Act does not require the Data Fiduciary to provide a machine-readable copy of all data (unlike GDPR's Article 20 portability right).
Operationally, responding to access requests requires a data inventory that maps personal data by Data Principal. Companies without this infrastructure will struggle to respond to requests accurately and within the prescribed timeframe. Building and maintaining a personal data inventory is therefore both a compliance obligation and an operational foundation for rights fulfilment.
Right to Correction and Erasure: Section 12
Section 12 gives Data Principals the right to: (a) correction and updating of inaccurate or misleading personal data; (b) completion of incomplete personal data; and (c) erasure of personal data that is no longer necessary for the purpose for which it was collected. The Data Fiduciary must take reasonable steps to inform Data Processors to act upon the correction or erasure.
The erasure right is purpose-linked: the Data Principal can request erasure when the purpose for which data was collected has been achieved or when consent has been withdrawn. This is narrower than GDPR's "right to be forgotten," which also covers erasure for objection to processing.
Data Fiduciaries may retain data notwithstanding an erasure request where retention is legally required — for tax records, financial audit trails, or court-ordered preservation. In such cases, the Data Fiduciary should communicate the legal basis for retention to the Data Principal when responding to the request.
Right to Withdraw Consent
Section 6(4) gives Data Principals the right to withdraw consent at any time. The withdrawal must be as easy as giving consent — companies cannot create friction that discourages withdrawal (such as requiring a phone call to withdraw consent given online, or making the opt-out mechanism difficult to find).
When consent is withdrawn, the Data Fiduciary must cease processing the personal data and take reasonable steps to inform Data Processors to stop. However, processing that occurred lawfully before withdrawal is not retrospectively invalidated — withdrawal operates prospectively.
If consent withdrawal would prevent the provision of a service, the Data Fiduciary must inform the Data Principal of the consequences before processing the withdrawal. The Data Principal retains the right to withdraw even if it means loss of service access. Charging fees for consent withdrawal is prohibited.
Right to Grievance Redressal: Section 13
Section 13 requires every Data Fiduciary to establish an effective grievance redressal mechanism. Data Principals must be able to raise complaints about the processing of their data, and the Data Fiduciary must respond within a reasonable period (timeframe to be specified in Rules; expected to be 30 days).
For Significant Data Fiduciaries, the DPO is the point of contact for grievance escalation. For all other Data Fiduciaries, a designated contact point must be published in the privacy notice. The Board will not accept complaints from Data Principals who have not first attempted grievance redressal with the Data Fiduciary.
The grievance mechanism must be accessible — published on the Data Fiduciary's website, available in the appropriate language, and operationally functional (not a dead email address). Companies should track grievance volumes and resolution times as metrics in their compliance monitoring.
Nominee Rights: Section 14
Section 14 is a novel provision in the global data protection landscape. It allows a Data Principal to nominate another individual to exercise data rights on their behalf in the event of death or incapacity. The nominee can exercise access, correction, erasure, and grievance rights on behalf of the deceased or incapacitated Data Principal.
This provision reflects Indian social norms around family and estate management. For fintech, healthtech, and insurance companies, nominee rights are particularly significant — customer data held by these companies is likely to be relevant to estate administration after a customer's death.
The Rules will specify the mechanism for nominating a representative and the process for verifying a nominee's authority. Companies should design their account management systems to accommodate nominee designations and build a process for handling verified nominee requests.
Implementing a Rights Request Process
Build a centralised intake mechanism for rights requests — a dedicated email address, a web form, or a self-service portal within your product. The intake channel must be published in your privacy notice. Log all requests with timestamps, request type, and resolution details.
Define internal SLAs for each request type: access requests, correction requests, erasure requests, and grievances. Map each request type to the systems that hold the relevant data. For each system, document how to fulfil a deletion or correction — not all systems have easy deletion APIs, and some data will be in backups or audit logs where deletion is technically constrained.
Use AuditPath or a similar compliance platform to maintain evidence of rights request fulfilment. The Data Protection Board may ask for evidence of compliance when investigating a complaint. Your request log, with timestamps and resolution notes, is the primary evidence that you take rights seriously.
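The intake, SLA and evidence steps above, worked through as an added Python example that is not from the page or from AuditPath. The `RightsRegister` class, its field names and the 30-day SLA figures are assumptions (the Rules will fix the real timeframes; the page only says 30 days is expected for grievances). It also encodes two rules stated earlier on the page: a declined erasure request must record the legal basis for retention, and a Board escalation is only permitted once a grievance with the Data Fiduciary has been answered or has run past its deadline.

```python
"""Rights-request register: intake log, SLA deadlines, grievance-first escalation
check and an evidence export. Illustrative code; SLA values are assumptions."""
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Optional


class RequestType(str, Enum):
    ACCESS = "access"          # Section 11
    CORRECTION = "correction"  # Section 12
    ERASURE = "erasure"        # Section 12
    GRIEVANCE = "grievance"    # Section 13


# Assumed internal SLAs in days; the Rules will prescribe the binding timeframes.
SLA_DAYS = {RequestType.ACCESS: 30, RequestType.CORRECTION: 30,
            RequestType.ERASURE: 30, RequestType.GRIEVANCE: 30}


def ts(year: int, month: int, day: int) -> datetime:
    """Helper for timezone-aware UTC timestamps used in the log."""
    return datetime(year, month, day, tzinfo=timezone.utc)


@dataclass
class RightsRequest:
    request_id: str
    principal_id: str
    kind: RequestType
    received_at: datetime
    due_at: datetime
    status: str = "open"              # open | fulfilled | declined
    resolved_at: Optional[datetime] = None
    resolution_note: str = ""
    retention_basis: str = ""         # required when an erasure is declined


class RightsRegister:
    def __init__(self) -> None:
        self._log: list[RightsRequest] = []

    def _find(self, request_id: str) -> RightsRequest:
        return next(r for r in self._log if r.request_id == request_id)

    def log_request(self, principal_id: str, kind: RequestType,
                    received_at: datetime) -> RightsRequest:
        """Intake: every request gets an id, a timestamp and an SLA deadline."""
        rid = f"RR-{len(self._log) + 1:05d}"
        req = RightsRequest(rid, principal_id, kind, received_at,
                            received_at + timedelta(days=SLA_DAYS[kind]))
        self._log.append(req)
        return req

    def resolve(self, request_id: str, status: str, resolved_at: datetime,
                note: str, retention_basis: str = "") -> RightsRequest:
        """Close a request; a declined erasure must cite the legal basis for retention."""
        req = self._find(request_id)
        if status not in ("fulfilled", "declined"):
            raise ValueError("status must be 'fulfilled' or 'declined'")
        if req.kind is RequestType.ERASURE and status == "declined" and not retention_basis:
            raise ValueError("declined erasure must record the legal basis for retention")
        req.status, req.resolved_at = status, resolved_at
        req.resolution_note, req.retention_basis = note, retention_basis
        return req

    def overdue(self, now: datetime) -> list[RightsRequest]:
        """Open requests whose SLA deadline has passed: the compliance-monitoring metric."""
        return [r for r in self._log if r.status == "open" and now > r.due_at]

    def board_escalation_allowed(self, principal_id: str, now: datetime) -> tuple[bool, str]:
        """Board complaint only after a grievance with the fiduciary was answered
        (and the principal is dissatisfied) or left unanswered past its deadline."""
        for g in self._log:
            if g.principal_id != principal_id or g.kind is not RequestType.GRIEVANCE:
                continue
            if g.status != "open":
                return True, f"{g.request_id} answered on {g.resolved_at.date()}"
            if now > g.due_at:
                return True, f"{g.request_id} unanswered past {g.due_at.date()}"
        return False, "no grievance raised with the Data Fiduciary, or its SLA is still running"

    def evidence_export(self) -> str:
        """Timestamped log as JSON, the evidence a Board investigation would ask for."""
        return json.dumps([asdict(r) for r in self._log], default=str, indent=2)


if __name__ == "__main__":
    reg = RightsRegister()
    acc = reg.log_request("P-1", RequestType.ACCESS, ts(2025, 1, 1))
    era = reg.log_request("P-1", RequestType.ERASURE, ts(2025, 1, 1))
    reg.resolve(era.request_id, "declined", ts(2025, 1, 6),
                "records retained", retention_basis="statutory tax-record retention")
    print(reg.evidence_export())
```

The register keeps the resolution note and retention basis on the same record as the intake timestamp, so the evidence export answers both questions a Board investigation would raise: was the request answered in time, and if an erasure was refused, on what legal ground.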
Frequently Asked Questions
Can a Data Principal take a rights complaint directly to the Data Protection Board?
Is there a limit on how many rights requests a Data Principal can make?
Do rights apply to historical data — data collected before the DPDP Act came into force?
What if complying with an erasure request would conflict with our legal obligation to retain data?
How does the nominee rights provision work in practice for a deceased customer?