Grievance Redressal Mechanism under the DPDP Act, 2023: Duties of Data Fiduciaries and Role of the Data Protection Board

Executive Summary
The Digital Personal Data Protection Act, 2023 (DPDP Act) requires Data Fiduciaries to establish accessible, transparent, and efficient grievance redressal mechanisms to address complaints from Data Principals. If a grievance is not satisfactorily resolved, the matter may be escalated to the Data Protection Board of India (DPB), the statutory body empowered to investigate, adjudicate, and impose penalties.
This dual-level framework ensures that grievances are first addressed at the fiduciary level but allows an independent authority to intervene when fiduciaries fail to comply. The regime imposes strict timelines, accountability, and transparency obligations, making grievance redressal a central pillar of compliance.
Introduction: Grievance Redressal as a Cornerstone of Privacy
A data protection law is only as effective as its enforcement mechanism. The DPDP Act recognises this by requiring every Data Fiduciary to provide accessible grievance channels and by establishing the Data Protection Board of India to oversee escalations.
Grievance redressal serves multiple functions:
- It empowers individuals to enforce their rights.
- It provides fiduciaries with a structured mechanism to resolve disputes.
- It creates a compliance audit trail for regulators.
Statutory Obligations of Data Fiduciaries
Establishment of Mechanism
- Every Data Fiduciary must establish a grievance redressal mechanism.
- For Significant Data Fiduciaries (SDFs), the DPO serves as the nodal grievance officer.
Timelines
- Fiduciaries must acknowledge and resolve grievances within a reasonable time (to be prescribed by rules).
- If unresolved, Data Principals may approach the DPB.
Accessibility
- Mechanisms must be user-friendly, multilingual, and inclusive.
- Options may include web portals, mobile apps, email, helplines, and in-person centres.
Transparency
- Fiduciaries must publish details of grievance mechanisms in notices.
- Regular reports on grievance handling may be required for audits.
Role of the Data Protection Board of India
The DPB is an independent adjudicatory body with the following powers:
- Receive complaints from Data Principals when fiduciaries fail to act.
- Conduct inquiries and hearings.
- Direct fiduciaries to take corrective measures (e.g., erasure, correction).
- Impose monetary penalties (up to ₹250 crore per breach).
- Enforce compliance through binding orders.
The Board acts as both a regulatory backstop and a deterrent, ensuring fiduciaries take grievance handling seriously.
Interaction between Fiduciaries, DPOs, and the Board
- At the first level, grievances are handled internally by grievance officers (or DPOs for SDFs).
- If unresolved, complaints escalate to the DPB.
- The DPB may call for fiduciary records, audit logs, and grievance history.
- Fiduciaries must maintain evidence of attempts at resolution.
This layered model ensures efficiency at the ground level while preserving regulatory oversight.
Illustrative Grievance Scenarios
Scenario 1: Banking – Denial of Erasure: A customer requests erasure of personal data from a digital bank. The bank refuses, citing RBI’s mandatory record retention. The grievance is escalated to the DPB. The Board examines whether the refusal was lawful and directs partial erasure of non-mandatory records.
Scenario 2: Social Media – Consent Withdrawal: A teenager withdraws consent for data processing, but the platform continues targeted advertising. The grievance is filed with the platform but remains unresolved. The nominee escalates to the DPB, which orders cessation of profiling and imposes penalties.
Scenario 3: Healthcare – Incorrect Records: A patient finds incorrect entries in her electronic health record and requests correction. The hospital delays action. The DPB directs correction, imposes a fine, and orders the hospital to improve grievance timelines.
Scenario 4: E-Commerce – Spam Marketing: A customer unsubscribes from marketing emails but continues to receive promotions. The DPB holds that the failure to act on the grievance constitutes non-compliance and orders remedial action.
Sectoral Challenges
Banking and Fintech
- Balancing DPDP rights with RBI obligations.
- High grievance volume due to sensitive financial data.
Healthcare and Health-Tech
- Resolving grievances while maintaining confidentiality.
- Conflicts with statutory medical record retention periods.
Social Media and Digital Platforms
- Enormous grievance volumes, especially regarding consent withdrawal and advertising.
- Difficulty verifying identity of complainants at scale.
E-Commerce and Retail
- Managing grievances across large consumer bases.
- Distinguishing between contractual disputes (refunds) and privacy complaints.
Employment and HR
- Handling employee grievances relating to monitoring, retention, or profiling.
Global Comparisons
GDPR (EU)
- Supervisory Authorities handle complaints.
- Strong investigatory and penalty powers.
- No statutory internal grievance mechanism equivalent to DPDP’s first layer.
LGPD (Brazil)
- Requires controllers to provide grievance officers.
- National Data Protection Authority handles escalations.
PDPA (Singapore)
- Encourages resolution at the organizational level first.
- Personal Data Protection Commission intervenes only if unresolved.
CCPA (California)
- Provides enforcement through the California Privacy Protection Agency but relies heavily on consumer rights requests rather than layered grievance models.
India’s model is unique in mandating internal redressal plus a statutory Board, ensuring both accessibility and enforcement.
Compliance Strategies for Fiduciaries
1. Dedicated Grievance Portals
- Develop multilingual, mobile-friendly portals for lodging complaints.
- Enable real-time tracking of grievance status.
2. Clear Timelines
- Implement internal SLAs shorter than statutory requirements.
- Ensure automatic escalation for unresolved cases.
3. Integration with DPOs
- For SDFs, empower DPOs to resolve grievances directly.
- Maintain independence from commercial decision-makers.
4. Audit Trails
- Maintain logs of all grievances, actions taken, and timelines.
- Share with auditors and regulators when required.
5. Employee Training
- Train staff across departments to identify and route privacy grievances correctly.
6. Regular Reporting
- Publish anonymised statistics on grievance handling for transparency.
Risks of Mishandling Grievances
- Regulatory Penalties: Non-compliance may attract fines up to ₹250 crore.
- Litigation Risk: Class actions or PILs for systemic failures.
- Reputational Harm: Mishandling grievances, especially by consumer-facing platforms, undermines trust.
- Operational Inefficiency: Poor systems may create backlogs and non-compliance exposure.
Conclusion & Key Takeaways
The DPDP Act makes grievance redressal a central compliance pillar, combining fiduciary obligations with oversight by the Data Protection Board of India.
Key takeaways for businesses
- Build accessible, multilingual, transparent grievance systems.
- Train teams and empower DPOs for swift resolutions.
- Maintain audit-ready logs for regulatory scrutiny.
- Expect grievances to be common in consumer-heavy sectors like banking, healthcare, social media, and e-commerce.
- Mishandling grievances is not just a legal risk but a reputational liability.
For Indian companies, grievance redressal should not be treated as a compliance burden but as a trust-building opportunity. Effective grievance handling will become a key differentiator in India’s competitive digital economy.
Co-authored by: Aurelia Menezes