Rights of Data Principals under the DPDP Act, 2023: Access, Correction, Erasure, and Grievance Redressal

Posted On - 8 October, 2025 • By - Jidesh Kumar

Executive Summary

The Digital Personal Data Protection Act, 2023 (DPDP Act) establishes a comprehensive framework of rights for Data Principals (individuals whose personal data is processed). These rights empower individuals to access, correct, erase their data, and seek redress for grievances.

Unlike earlier fragmented protections under the IT Act, the DPDP Act introduces statutory, enforceable rights that place accountability directly on Data Fiduciaries. Fiduciaries must respond to requests within defined timelines and provide clear mechanisms for exercising rights.

This article analyses the statutory rights of Data Principals, highlights practical implications across industries, compares India’s regime with global frameworks, and sets out compliance strategies for organizations. Hypothetical examples illustrate how these rights will operate in practice.

Introduction: Empowering the Individual

The cornerstone of any modern data protection law is the empowerment of individuals to control their personal data. By granting enforceable rights, the DPDP Act transforms individuals from passive subjects into active stakeholders.

The Act recognises four primary rights:

  1. Right to Access Information.
  2. Right to Correction and Updating.
  3. Right to Erasure.
  4. Right to Grievance Redressal.

Together, these rights create a data autonomy framework, ensuring transparency, accountability, and remedies for misuse.

Right to Access

Statutory Scope: The DPDP Act entitles data principals to obtain:

  • A summary of their personal data being processed.
  • Processing purposes and categories of data.
  • Identities of recipients with whom data has been shared.
  • Details of rights and grievance mechanisms available.

Practical Application

  • Banks must provide customers with details of what KYC data is stored and for what purpose.
  • E-commerce platforms must disclose what purchase history, addresses, and payment data they retain.
  • Social media platforms must inform users of what profile and behavioral data is processed for advertising.

Hypothetical Example: A consumer requests her e-wallet provider to disclose what financial data it holds. The provider must issue a clear, user-friendly statement within a reasonable period, rather than burying details in complex backend logs.

Right to Correction and Updating

Statutory Scope: Data principals can demand correction of inaccurate data and completion of incomplete data. Fiduciaries must update data to ensure accuracy and relevance.

Practical Application

  • Employers must correct an employee’s updated address or bank details upon request.
  • Hospitals must correct errors in patient records.
  • Credit bureaus must promptly update credit histories when errors are identified.

Hypothetical Example: An individual finds that his telecom bill reflects an incorrect address. Upon request, the provider must correct it in its records and confirm to the customer that the update has been made.

Right to Erasure

Statutory Scope: Data principals may require fiduciaries to erase personal data once:

  • The purpose for which it was collected is fulfilled, or
  • Consent has been withdrawn, unless retention is required by law.

Practical Application

  • E-commerce platforms must delete customer account data when a user permanently closes their account.
  • Healthcare providers must delete diagnostic data after the legally required retention period expires.
  • Employers must erase personal files of former employees unless statutory retention applies.

Hypothetical Example: A user deletes her profile from a dating app. The platform must erase her personal data, including photographs and chats, unless specific records are required by law enforcement.

Right to Grievance Redressal

Statutory Scope: Every Data Fiduciary must establish an accessible grievance redressal mechanism. If a grievance is not resolved within the prescribed time, the data principal may escalate to the Data Protection Board of India.

Practical Application

  • Banks must establish dedicated privacy grievance channels alongside existing customer service.
  • E-commerce platforms must allow users to file complaints about misuse of purchase history for marketing.
  • Social media companies must provide dashboards for privacy complaints, distinct from content moderation.

Hypothetical Example: A consumer complains that an e-commerce company is sending promotional messages despite withdrawing consent. If the company fails to resolve the complaint, the user can approach the Board for redressal.

Limitations and Exemptions

The rights described above are limited or do not apply in the following situations:

  • Where retention is mandated by law (e.g., tax, corporate records).
  • For State functions relating to sovereignty, security, and public order.
  • For processing necessary for legal proceedings, investigation, or enforcement.

Thus, while the rights are expansive, they are not absolute. Fiduciaries must carefully balance rights against statutory obligations.

Sectoral Challenges

Banking and Fintech

  • Must reconcile DPDP obligations with RBI-mandated record retention.
  • Correction rights may trigger disputes with credit bureaus if data updates lag.

Healthcare and Health-Tech

  • Patients’ rights to erasure may conflict with statutory retention of medical records.
  • Hospitals must maintain strong access mechanisms without breaching confidentiality.

E-Commerce and Retail

  • Customers will exercise rights frequently to erase accounts or purchase histories.
  • Systems must ensure deletion cascades across marketing databases.

Social Media and Digital Platforms

  • Users will demand access to behavioral data and profiling logic.
  • Platforms must prepare to handle bulk rights requests at scale.

Employment Context

  • Former employees may request erasure of HR records.
  • Employers must distinguish between mandatory retention (e.g., PF, tax) and erasable data.

Comparison with Global Frameworks

  • GDPR (EU): Provides broader rights including data portability and right to restrict processing. Includes “right to be forgotten,” which is more expansive than DPDP’s erasure right.
  • LGPD (Brazil): Offers rights to access, correction, deletion, portability, and explanation of processing.
  • PDPA (Singapore): Provides rights to access and correction but limits erasure rights where retention is necessary.
  • CCPA (California): Grants rights to know, delete, and opt-out of data sale.

India’s framework is narrower, focusing on core rights but excluding portability and restriction of processing.

Compliance Strategies for Fiduciaries

  1. Rights Request Portals: Develop digital portals for submitting and tracking requests. Ensure multilingual accessibility.
  2. Defined Timelines: Establish internal SLAs for responding to rights requests. Train staff to route requests to privacy teams.
  3. Verification Protocols: Implement secure identity verification before fulfilling access or erasure requests.
  4. Data Mapping: Map data flows to identify where data resides for quick retrieval, correction, or deletion.
  5. Audit Trails: Maintain logs of requests received, actions taken, and timelines met.
  6. Coordination with Regulators: Establish clear escalation protocols to the Data Protection Board.

Risks of Non-Compliance

  • Regulatory Penalties: Fines up to ₹250 crore for failure to honour rights.
  • Litigation: Class actions or PILs for systemic failure to respond to rights.
  • Reputational Harm: Perceived disregard for consumer rights undermines trust.
  • Operational Risk: Poorly managed rights requests create inefficiencies and backlogs.

Conclusion & Key Takeaways

The DPDP Act enshrines access, correction, erasure, and grievance redressal as enforceable rights, marking a major step in India’s data protection landscape.

Key takeaways for businesses:

  • Build rights management infrastructure now; waiting until designation as a Significant Data Fiduciary (SDF) is risky.
  • Train teams to distinguish between erasable and non-erasable data.
  • Expect frequent rights requests in consumer-facing sectors such as banking, healthcare, and e-commerce.
  • Ensure grievance mechanisms are independent, accessible, and accountable.

For Indian companies, respecting these rights is not only a legal mandate but also a strategic trust-building tool. Effective implementation will distinguish responsible organizations in India’s rapidly expanding digital economy.

Contributed by – Aurelia Menezes