DPDP Act Nominee Rights: Data Access After Death
Understanding DPDP Act nominee rights under Section 14 — how Data Principals designate nominees, what rights nominees can exercise, and how platforms should handle these requests.
- Section 14 of the DPDP Act allows a Data Principal to nominate another person to exercise their data rights in the event of death or incapacity.
- Nominee rights cover access, correction, erasure, and grievance redressal — the same rights the Data Principal could have exercised.
- Platforms must build a nomination mechanism and a verified nominee request process.
- Without a nominee designation, platforms face ambiguity about who can access a deceased user's data — risking both privacy violations and estate complications.
- Incapacity (not just death) triggers nominee rights — build processes for both scenarios.
In this guide
Why Nominee Rights Matter in the DPDP Act
The DPDP Act 2023 includes a unique provision that distinguishes it from many other data protection laws: the right to nominate. Most privacy laws are silent on what happens to personal data after a Data Principal dies or becomes incapacitated. This creates operational and legal ambiguity for platforms — who can access a deceased user's data? Can a family member request deletion? Can an estate executor obtain financial records?
Section 14 of the DPDP Act addresses this ambiguity directly by allowing Data Principals to designate a nominee who can exercise their rights on their behalf in the event of death or incapacity. This is particularly significant in India given cultural and legal norms around estate management and the importance of digital assets — banking records, insurance documents, government service accounts — in estate administration.
For Indian SaaS companies, particularly those in fintech, healthcare, e-commerce, and government services, nominee rights create both a product requirement and a compliance obligation. Platforms that process personal data for millions of users will inevitably encounter nominee requests, and having no process in place when they arrive is not an acceptable compliance posture.
Section 14: What the Law Says
Section 14 of the DPDP Act provides that a Data Principal may, in accordance with the Rules, nominate another individual who shall, in the event of the death or incapacity of the Data Principal, exercise the rights of the Data Principal under the Act. The section is relatively brief in the statute — the detailed mechanics of nomination and nominee rights exercise will be specified in the DPDP Rules.
The rights exercisable by a nominee are the same rights the Data Principal could have exercised: the right to access personal data (Section 11(a)), the right to correction, completion, updating, and erasure (Section 11(b)), and the right to grievance redressal (Section 12). This means a nominee can request a full account data export, request correction of inaccurate records, or request deletion of an account following the Data Principal's death.
The Rules are expected to specify: the form in which nomination must be made, any witnessing or notarisation requirements, the process for revoking or changing a nomination, and what documentation a nominee must provide to establish their nomination and the Data Principal's death or incapacity. Until the Rules are published, companies should design their nominee processes with reasonable identity and authorisation verification.
Building a Nominee Designation Feature
Build a nominee designation feature in your product that allows logged-in users to designate a nominee. The feature should collect: the nominee's name, their relationship to the Data Principal, their contact information (email and/or phone), and the scope of rights granted (all rights, or specific rights if the Rules permit granularity). Confirm the designation to both the Data Principal and the nominee.
The designation flow should include clear explanations of what a nominee can and cannot do. Many users will be unfamiliar with the concept and will benefit from plain-language guidance: "Your nominee will be able to access and manage your account data if you pass away or become unable to manage it yourself." Provide a link to your privacy policy's nominee section for more detail.
Implement a revocation mechanism: Data Principals should be able to change their nominee or revoke the designation at any time. Keep a timestamped record of the current and historical nominations. If a Data Principal has not designated a nominee, consider reminding them — particularly in high-stakes contexts like financial services, healthcare, or government service accounts.
Verifying Death or Incapacity
When a nominee submits a request to exercise rights on behalf of a deceased or incapacitated Data Principal, you must verify both the nominee's identity and the triggering event (death or incapacity). Accepting unverified claims creates serious risks — fraud, privacy violations, and potential liability to the Data Principal's estate.
For death verification: accept government-issued death certificates. The death certificate must match the name and identifying information of the Data Principal in your system. For accounts with significant financial or sensitive data, consider also requiring proof of relationship (birth certificate, marriage certificate) to confirm the nominee is who they claim to be.
For incapacity verification: this is more complex and the Rules will provide guidance. In the interim, a letter from a registered medical practitioner confirming the condition, combined with a legal power of attorney or guardianship order, provides a reasonable basis for accepting a nominee request. Err on the side of caution — requiring robust documentation protects both the Data Principal and your platform from fraud.
Processing Nominee Rights Requests
Establish a dedicated process for nominee requests separate from your standard DSAR process. Nominee requests require additional steps (identity verification of the nominee, verification of the triggering event, confirmation of the nomination record) that standard requests do not. The process should be handled by a senior member of your privacy or legal team who has the authority to make judgement calls on ambiguous verification scenarios.
When a nominee request is received: (1) verify the nominee's identity; (2) confirm the nomination record in your system; (3) verify the death or incapacity documentation; (4) assess what rights the nominee is requesting and whether any restrictions apply; (5) process the request in the same way you would process a standard Data Principal request; (6) document all steps and decisions.
Communicate clearly with the nominee throughout. They are dealing with a difficult personal circumstance alongside navigating a legal process. Plain-language communications, a dedicated contact for follow-up questions, and a clear timeline for processing reduce friction and demonstrate sensitivity to the situation.
Scope and Limits of Nominee Rights
Nominee rights are derivative — they exist to allow exercise of the Data Principal's rights, not to create new rights. A nominee can access, correct, or request erasure of the Data Principal's personal data, but cannot create new processing relationships or consent to new uses of the data. The scope of processing by the platform does not expand because of a nominee request.
Consider whether granting a nominee full access to a deceased user's account data might infringe the privacy of third parties whose data may also be in that account. For example, a user's email account contains emails from third parties who also have privacy rights in their own communications. A nominee accessing all account data may inadvertently access data that belongs to others. Design access exports that focus on the Data Principal's own personal data rather than all content in their account.
Platforms should also consider the interaction between nominee rights and confidentiality obligations. In healthcare contexts, a deceased patient's records may be subject to medical confidentiality that extends beyond death under Indian law. Consult legal counsel on how nominee rights interact with sector-specific confidentiality rules before providing unrestricted access.
Handling Accounts Without a Nominee
Not all users will designate nominees. When a Data Principal dies without having designated a nominee, the platform faces a practical question: what to do with the account. The DPDP Act does not directly address this scenario beyond the nominee provision, and the Rules may provide further guidance.
In the absence of a nominee, family members or estate executors may still seek access under other legal frameworks (Indian Succession Act, family court orders). Legal counsel should review any such requests. A reasonable approach for most platforms: treat accounts of deceased users without nominees in the same way as inactive accounts — apply your storage limitation and retention schedule, and ultimately delete after the prescribed period if no legal claim or order is received.
Proactively prompt users to set nominees during account onboarding and during periodic account reviews. In high-stakes products (digital wills, financial management, health records), consider making nominee designation a strongly encouraged — if not mandatory — step. Reducing the volume of nominee-less accounts reduces future operational complexity and serves users' interests.
Frequently Asked Questions
Can a nominee be anyone, or must they have a specific relationship to the Data Principal?
What if a deceased user had multiple accounts or apps with our services? Does the nominee need to request separately for each?
Can a parent exercise nominee rights on behalf of a minor child who is incapacitated?
Must we build a nominee feature before the Rules are finalised?
What happens to a Data Principal's data if a nominee requests erasure?
Automate your compliance today
AuditPath runs 86+ automated checks across AWS, GitHub, Okta, and 14 more integrations. SOC 2 and DPDP Act. Free plan available.
Start for free