
DPDP Act Grievance Redressal: Setting Up Your Process

How to build a DPDP Act-compliant grievance redressal mechanism — who handles complaints, required timelines, escalation to the Data Protection Board, and operational setup.

Key Takeaways
  • Section 13 requires every Data Fiduciary to have an effective grievance redressal mechanism for Data Principals.
  • Data Principals must exhaust the Data Fiduciary's grievance process before escalating to the Data Protection Board.
  • Significant Data Fiduciaries must route grievances through their Data Protection Officer.
  • Grievances must be acknowledged and resolved within timeframes to be specified in the Rules.
  • A non-functional grievance mechanism attracts penalties and undermines your entire compliance posture.

Statutory Grievance Redressal Requirement

Section 13 of the DPDP Act requires every Data Fiduciary to establish an effective mechanism to redress grievances of Data Principals. The contact details of the grievance officer (or DPO for Significant Data Fiduciaries) must be published in the privacy notice. The obligation applies to all Data Fiduciaries, not just large companies or SDFs.

The grievance mechanism is the first-level dispute resolution channel between Data Principals and Data Fiduciaries. The Data Protection Board operates as the second level — Data Principals can escalate to the Board only after they have raised a grievance with the Data Fiduciary and either received an unsatisfactory response or not received any response within the prescribed period.

This stepped approach is designed to reduce the volume of Board complaints by resolving most issues at the Data Fiduciary level. Companies that handle grievances effectively and promptly will avoid most Board escalations. Companies with non-functional grievance mechanisms will face both direct penalty exposure and an avalanche of Board complaints.

Who Handles Grievances: DPO vs. Contact Officer

For Significant Data Fiduciaries, Section 10(2)(a) requires appointment of a Data Protection Officer (DPO). The DPO is the designated point of contact for grievances and must be contactable through the privacy notice. The DPO's name and contact details (or at minimum a contact channel) must be publicly accessible.

For non-SDF Data Fiduciaries, there is no statutory requirement to appoint a DPO. However, Section 13 still requires a mechanism and a contact channel. In practice, this means designating an internal grievance officer — a named individual or a role (e.g., "Privacy Officer") — and publishing their contact details. A generic "contact us" form is insufficient if it does not route privacy grievances to a knowledgeable handler.

The grievance handler must have sufficient knowledge of the Act and your data processing activities to assess and resolve complaints. They need access to your data systems to investigate access, correction, and erasure requests. They need authority to direct technical teams to take action. A junior customer support agent without these capabilities cannot discharge the grievance function.

Response and Resolution Timelines

The Act itself does not specify a numeric response timeline — this will be prescribed in the Rules. Based on global norms and the Draft Rules consultation, the expected standard is: acknowledgement within 24-48 hours; resolution within 30 days for standard grievances; with provision for complex matters requiring extended investigation.

Build your internal SLAs to be more ambitious than the regulatory minimum. A 30-day SLA is the legal floor; aiming for resolution within 7-14 days for straightforward requests (access, correction) demonstrates genuine responsiveness and reduces the risk of Board escalations.

Document every grievance: date received, nature of complaint, actions taken, date resolved, and outcome. This log is evidence of compliance and will be reviewed by the Board if a complaint is escalated. A Data Principal who claims they never received a response cannot be refuted without documented evidence that you responded.

Escalation Path: Board Complaints

Section 25(2) requires Data Principals to first raise a grievance with the Data Fiduciary under Section 13. Only after receiving an unsatisfactory response, or no response within the prescribed period, can they file a complaint with the Data Protection Board. This is a mandatory pre-filing step, not optional.

When a Data Principal files a Board complaint, the Board will request your evidence of grievance handling — did you receive the grievance? When? What did you do? Did you respond? This is why documented grievance records are essential. A Board investigation that reveals you never responded to a grievance is a straightforward enforcement case against you.

The Board has powers to call for information, conduct hearings, and impose penalties. Penalties for failure to fulfil grievance redressal obligations are up to ₹10,000 per Data Principal — but the investigation may uncover broader compliance failures that carry much larger penalties.

Setting Up Your Grievance Mechanism

Minimum requirements for a compliant grievance mechanism:
  • a dedicated grievance channel: a specific email address (privacy@yourcompany.com), an in-app grievance form, or a dedicated web form;
  • a named contact person or role published in the privacy notice;
  • an acknowledgement system that confirms receipt with a reference number and expected resolution timeline;
  • an internal routing and escalation process; and
  • a resolution logging system.

For companies with large user bases, an automated acknowledgement system is essential — do not rely on manual email replies that may be delayed. Your CRM or helpdesk system (Zendesk, Freshdesk, Zoho Desk) can be configured with a "privacy" ticket category that routes to your privacy team, sends automated acknowledgements, and tracks resolution times.

Train your grievance handlers. They need to understand: the rights Data Principals have under the Act; how to investigate an access or erasure request; when to escalate internally (to legal counsel or senior management); and how to draft appropriate responses. Invest in annual privacy training for all grievance handlers.

Tracking Grievance Metrics for Compliance

Track the following metrics as compliance indicators: total grievances received (by month and by type); average time to acknowledge; average time to resolve; percentage resolved within SLA; percentage escalated to the Board; and outcome breakdown (upheld, partially upheld, declined). Report these metrics to senior management quarterly.

A sudden spike in grievances is a leading indicator of a compliance problem — a process change, a product feature launch, or a security incident may have triggered a wave of user concerns. Act on spikes immediately rather than treating them as a routine helpdesk backlog.

Annual compliance reviews should include an analysis of grievance patterns. Recurring themes in grievances — many users unable to exercise erasure rights, many users disputing accuracy of their data — indicate systemic compliance gaps that need process fixes, not just individual responses.
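The record fields listed under "Document every grievance" and the indicators listed above can be derived from one small log. The following is an added example, not code from the original post or from any product it mentions; the SLA targets, the spike threshold and the sample records are assumptions constructed for the demonstration.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional
ACK_SLA = timedelta(hours=48)     # assumed targets: the post cites 24-48 h acknowledgement
RESOLVE_SLA = timedelta(days=30)  # and 30 days resolution as the expected regulatory floor

@dataclass
class Grievance:
    ref: str                            # reference number quoted in the acknowledgement
    received: datetime
    kind: str                           # "access", "erasure", "consent", ...
    acknowledged: Optional[datetime] = None
    resolved: Optional[datetime] = None
    outcome: Optional[str] = None       # "upheld" | "partially upheld" | "declined"
    escalated_to_board: bool = False

def metrics(log, now):
    """Derive the post's indicators; ack_overdue is the 'never got a response' set a Board inquiry asks about."""
    resolved = [g for g in log if g.resolved]
    acked = [g for g in log if g.acknowledged]
    avg = lambda ds: sum(ds, timedelta()) / len(ds) if ds else None
    pct = lambda n, d: round(100 * n / d, 1) if d else None
    return {
        "total": len(log),
        "by_type": dict(Counter(g.kind for g in log)),
        "avg_ack": avg([g.acknowledged - g.received for g in acked]),
        "avg_resolve": avg([g.resolved - g.received for g in resolved]),
        "pct_within_sla": pct(sum(g.resolved - g.received <= RESOLVE_SLA for g in resolved), len(resolved)),
        "pct_escalated": pct(sum(g.escalated_to_board for g in log), len(log)),
        "outcomes": dict(Counter(g.outcome for g in resolved)),
        "ack_overdue": sorted(g.ref for g in log if not g.acknowledged and now - g.received > ACK_SLA),
    }

def spike_months(log, factor=2.0):
    """Flag months whose intake is at least `factor` times the mean of the months before them."""
    counts = Counter(g.received.strftime("%Y-%m") for g in log)
    months = sorted(counts)
    return [m for i, m in enumerate(months) if i and counts[m] >= factor * sum(counts[x] for x in months[:i]) / i]

# Constructed sample log: references, dates and outcomes are invented for the demonstration
D = datetime.fromisoformat
SAMPLE = [
    Grievance("GR-001", D("2025-01-03"), "access", D("2025-01-04"), D("2025-01-10"), "upheld"),
    Grievance("GR-002", D("2025-01-20"), "erasure", D("2025-01-21"), D("2025-02-25"), "upheld"),  # 36 days: breaches SLA
    Grievance("GR-003", D("2025-02-11"), "consent", D("2025-02-11"), D("2025-02-15"), "declined", True),
    Grievance("GR-004", D("2025-03-02"), "erasure", D("2025-03-03")),
    Grievance("GR-005", D("2025-03-05"), "access"),  # never acknowledged
    Grievance("GR-006", D("2025-03-06"), "consent", D("2025-03-06"), D("2025-03-07"), "partially upheld"),
]
```

Running `metrics(SAMPLE, now)` and `spike_months(SAMPLE)` against a real export from your helpdesk gives the quarterly figures and the spike alert in one pass; the unacknowledged list is the one to clear first.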

Common Grievance Types and How to Handle Them

"I want to delete my account and all my data" — this is an erasure request under Section 12. Verify identity, process the erasure across all systems (including downstream processors), confirm completion to the user, and document each step. Note any data you are legally required to retain and explain this to the user.

"I never consented to receiving marketing emails" — investigate your consent records for this user. If you cannot evidence valid consent, suppress the user from marketing, apologise, and review your consent capture process for systematic issues. If consent records confirm valid consent, explain to the user how to withdraw it.

"I want to know what data you hold about me" — this is an access request under Section 11. Compile a summary of the data categories you hold, the purposes, and any processors you have shared data with. Respond within your SLA. Do not delay access responses — they are among the most visible exercises of rights and the most likely to be escalated.

Frequently Asked Questions

Can a Data Principal go directly to the Data Protection Board without first contacting us?
No. Section 25(2) requires Data Principals to first raise a grievance with the Data Fiduciary. The Board will not accept a complaint that has not first been raised with you. Data Principals must give you the opportunity to resolve the issue first.
What is the penalty for having a non-functional grievance mechanism?
Failure to fulfil grievance redressal obligations is subject to a penalty of up to ₹10,000 per affected Data Principal under Schedule 1. More significantly, a Board investigation into a grievance complaint may uncover broader compliance failures that carry much larger penalties. A non-functional grievance mechanism is also a reputational risk.
Can we use a third-party grievance management service?
Yes. You can use a third-party platform for grievance intake and tracking, provided the service processes data under a Data Processing Agreement, the contact details published in your privacy notice accurately reflect how to reach the service, and the service routes escalations back to your internal team appropriately.
How long should we retain grievance records?
Retain grievance records for at least 3-5 years. Board investigations may occur years after the grievance was filed. Your records need to be retrievable for the duration of any potential Board inquiry period. Store records securely with restricted access.
Does our grievance mechanism need to handle grievances in regional languages?
In principle yes — the rights framework is accessible to all Data Principals, including those who communicate in regional languages. Practically, offering grievance handling in the same languages as your privacy notice is a reasonable starting point. For pan-India consumer companies, Hindi and English support is the minimum.
