
How to Respond to a DPDP Act Data Subject Request

The DPDP Act gives data principals rights to access, correct, and erase their personal data. Learn how to build a request handling process that satisfies the Act.

Key Takeaways
  • The DPDP Act gives data principals three core rights: access, correction/erasure, and grievance redress.
  • Data Fiduciaries must respond to requests within timeframes specified in Rules (not yet published as of early 2026).
  • Build a request intake mechanism (form, email, in-product) and a documented response workflow.
  • Erasure requests must be evaluated — some data cannot be erased if retention is required by law.
  • Every request and its resolution must be logged for compliance evidence.

Data Principal Rights Under DPDP Act

Section 11 of the DPDP Act gives data principals the right to obtain a summary of the personal data being processed and the processing activities undertaken. Section 12 gives the right to correction, completion, updating, and erasure of personal data. Section 13 gives the right to grievance redress through the Data Fiduciary's grievance mechanism.

These rights are narrower than GDPR's data subject rights (which include portability, objection, and restriction), but they are legally enforceable obligations. Data Fiduciaries must have processes in place to handle each type of request.

Building a Request Intake Process

Create a dedicated channel for data principal requests. Options: a privacy request form on your website or app, a dedicated email address (privacy@yourcompany.com), or an in-product "My Data" section. Document which channel is used and publicise it in your privacy notice.

When a request is received: log the request immediately (date, type, requester contact), assign an owner, and acknowledge receipt to the requester with an expected response timeline.

Use a ticketing system (Jira, Linear, Notion) to track each request through the workflow. This creates an audit trail without requiring a specialised privacy request management tool.

Identity Verification

Before fulfilling any request, verify that the requester is the data principal (or their authorised nominee). The DPDP Act allows data principals to nominate a person to exercise rights on their behalf in case of death or incapacity.

Identity verification approach: match the requester's contact information against the personal data you hold. For consumer products: verify the registered email or phone number. Do not over-verify — requiring excessive documentation effectively denies legitimate rights.

Handling Access Requests

For an access request (Section 11), provide: a summary of the categories of personal data held, the purposes for which it is processed, and the names of third parties with whom it has been shared. You are not required to provide raw data exports — a clear summary satisfies the Act.

Prepare a template response. Map your data categories in advance (from your data inventory or ROPA) so you can generate accurate responses quickly.

Timeframe: respond within the period specified in Rules. Until Rules are published, use GDPR's 30-day standard as a working target.

Handling Erasure Requests

For an erasure request (Section 12), evaluate: is there a legal obligation to retain the data (tax records, regulatory requirements)? Is there a contractual obligation (active service agreement)? Is the data necessary for an ongoing matter (legal proceedings)?

If erasure is permissible: delete the data from production systems, request deletion from data processors, and confirm deletion to the requester. Document each step.

If erasure is not permissible: explain why in clear language, cite the specific legal or contractual basis for retention, and provide an expected erasure date if retention is time-limited.

Grievance Redress

Section 13 requires Data Fiduciaries to provide an effective mechanism for data principals to raise grievances. Designate a Data Protection Officer or Grievance Officer — for companies below the Significant Data Fiduciary threshold, this can be the person who handles privacy requests generally.

Publish the contact details of your Grievance Officer prominently in your privacy notice. Acknowledge grievances within a reasonable timeframe (30 days is a practical standard). Data principals who are unsatisfied with your response can escalate to the Data Protection Board of India.

Logging and Evidence

Maintain a data subject request register. For each request: date received, type of request, requester identifier (anonymised), response date, resolution (fulfilled/denied/partial), and reason if denied.

This register is your DPDP compliance evidence. It demonstrates that you have a functional rights-handling process and that you respond to requests.

Review the register quarterly: check for unusual patterns, ensure no requests are past due, and use the data to improve your response templates.

Frequently Asked Questions

What is the deadline for responding to DPDP data subject requests?
The DPDP Act itself does not specify response deadlines — specific timeframes will be prescribed in Rules. Until Rules are notified, use GDPR's standard of 30 days for access and erasure requests as a practical working target.

Does the DPDP Act right to erasure apply to data in backups?
The Act requires erasure of personal data including from backups where technically feasible. A practical approach: delete from production systems, flag the data for erasure from backups at the next backup rotation cycle, and document this process.

Can we charge a fee for data subject requests under DPDP Act?
The DPDP Act does not explicitly permit charging fees for responding to requests. Until DPDP Rules provide specific guidance, do not charge fees for standard requests.

How do DPDP Act rights requests work for B2B SaaS companies?
For B2B SaaS, your customers are typically the Data Fiduciaries and you are the Data Processor. Data principals have rights against the Data Fiduciary (your customer). You must contractually commit to assisting your customers in responding to rights requests — typically through your data processing agreement.

What happens if we fail to respond to a data subject request?
Failure to respond can result in the data principal filing a complaint with the Data Protection Board of India. The DPBI can investigate and impose penalties of up to ₹250 crore per violation.
