Data Principal’s Right to Nominate under the DPDP Act, 2023: Succession of Rights after Death or Incapacity

Posted On - 13 October, 2025 • By - Jidesh Kumar

Executive Summary

The Digital Personal Data Protection Act, 2023 (DPDP Act) introduces an innovative concept: the Data Principal’s Right to Nominate. For the first time in Indian law, individuals are empowered to designate a nominee who may exercise their data protection rights in the event of their death or incapacity.

This provision ensures continuity in privacy rights beyond the individual’s lifetime and addresses practical questions about what happens to digital assets and personal data after death. Fiduciaries must prepare frameworks for handling nominee requests across sectors like social media, banking, healthcare, and e-commerce, while mitigating risks of fraud and disputes.

Introduction: Privacy Beyond Life

The right to privacy is typically understood as personal and extinguished upon death. However, in the digital era, individuals leave behind vast digital footprints like emails, social media accounts, financial records, health data, and online purchases. Questions naturally arise: Who controls this data after death? Can heirs demand deletion? Can a guardian manage accounts during incapacity?

The DPDP Act answers these questions by granting individuals the right to nominate another person to exercise their rights posthumously or during incapacity. This innovation blends privacy protection with succession planning, ensuring that digital legacies are responsibly managed.

Statutory Framework under the DPDP Act

The DPDP Act provides that:

  • A data principal may nominate another individual to exercise rights on their behalf in the event of death or incapacity.
  • The nominee may exercise rights including access, correction, erasure, and grievance redressal.
  • Fiduciaries must honour requests from duly verified nominees.
  • This is the first statutory recognition of post-mortem privacy rights in India.

Scope of the Nominee’s Rights

  • Request Access: Obtain information about the deceased/incapacitated person’s data.
  • Request Correction: Correct or update records to prevent misuse.
  • Request Erasure: Demand deletion of data (e.g., closure of social media accounts, deletion of health records).
  • File Grievances: Escalate unresolved complaints to the Data Protection Board.

The nominee does not automatically inherit the economic value of data (e.g., loyalty points, e-wallet balances)—those are governed by succession and contract law. The nominee’s role is primarily about privacy and data governance.

Relationship with Other Indian Laws

  • Succession Laws: Property rights over digital assets remain governed by the Indian Succession Act, Hindu Succession Act, or personal laws. The DPDP Act only confers control over privacy rights.
  • Contract Law: Platform terms of service (e.g., banking, telecom, social media) will continue to bind the nominee.
  • Disability Law: In cases of incapacity, lawful guardianship under the Rights of Persons with Disabilities Act, 2016 may overlap with nomination provisions.

Fiduciaries must harmonise these laws to avoid conflicts.

Practical Issues for Fiduciaries

1. Verification of Death or Incapacity: Fiduciaries must develop protocols to verify death (death certificates) or incapacity (medical/legal documentation) as fraudulent claims pose significant risk.

2. Verification of Nominee Identity: Fiduciaries must confirm that the nominee matches the designation recorded by the data principal; digital signatures, Aadhaar-linked records, or notarised declarations may serve as proof.

3. Conflicts between Nominee and Heirs: Nominee’s privacy rights may conflict with heirs’ property rights (e.g., heirs seeking access to financial records for succession while nominee seeks erasure). Fiduciaries must distinguish privacy rights under DPDP from property rights under succession law.

Sectoral Implications

Social Media Platforms

  • Must allow nominees to request account deletion, memorialisation, or limited access. Example: A deceased user’s nominee requests deletion of a profile to prevent identity misuse.

Banking and Fintech

  • Nominee may request erasure of personal identifiers but cannot claim financial assets unless succession laws recognise them. Example: A nominee ensures closure of online accounts to avoid fraud after the account holder’s death.

Healthcare and Health-Tech

  • Nominee may request deletion of sensitive health data post-death, unless required by law to retain records. Example: A guardian-nominee requests deletion of psychiatric records of a deceased patient to protect family privacy.

E-Commerce and Digital Wallets

  • Nominee may demand closure of accounts and erasure of purchase history. Example: A nominee deletes shopping and payment histories of a deceased person to prevent spam or fraud.

Employment and HR Data

  • Employers must allow nominees to request erasure of personal employee data post-death, except statutory records.

Illustrative Examples

  • Social Media: A 25-year-old nominates her sibling. Upon her death, the sibling requests deletion of her social media account. The platform verifies the death certificate and nominee identity, then erases the account.
  • Digital Wallet: A user nominates his spouse. After his death, the spouse requests closure of his wallet account. The platform erases personal data but informs that the balance must be claimed under succession law.
  • Healthcare: A parent nominates a child to manage health data. After death, the child requests erasure of genetic test results from a hospital’s database.
  • Education: A student nominates a parent. Upon incapacity, the parent ensures deletion of the student’s online ed-tech records.

Global Comparisons

  • GDPR (EU): Does not explicitly regulate post-mortem rights. Member States have discretion; e.g., France allows heirs to exercise certain rights.
  • LGPD (Brazil): Silent on post-mortem rights but privacy rights generally extinguish upon death.
  • PDPA (Singapore): Does not extend rights beyond death.
  • CCPA (California): Provides consumer rights but not post-mortem succession.
  • India is unique in expressly creating a statutory nomination mechanism for privacy rights succession.

Compliance Strategies for Fiduciaries

1. Nomination Infrastructure: Build systems allowing data principals to nominate individuals (via app settings, online forms, contractual clauses).

2. Verification Protocols: Require death/incapacity certificates and nominee ID before acting.

3. Separation of Rights: Distinguish privacy rights (under DPDP) from property rights (under succession law).

4. Notices and Disclosures: Inform data principals clearly about the scope of nominee powers.

5. Audit Trails: Maintain logs of nominee requests and fiduciary responses.

Risks of Misuse or Disputes

  1. Fraudulent Claims: Fake nominees or forged documents.
  2. Heir vs. Nominee Conflicts: Heirs seeking access for succession purposes may clash with nominee’s request for erasure.
  3. Operational Burden: Verifying nominee claims across millions of accounts.
  4. Regulatory Penalties: Mishandling nominee requests may attract penalties up to ₹250 crore.

Conclusion & Key Takeaways

The DPDP Act’s Right to Nominate introduces a pioneering framework for managing personal data rights after death or incapacity. It ensures individuals can control their digital legacy and protect their privacy even posthumously.

Key takeaways for businesses:

  • Fiduciaries must establish nomination and verification systems.
  • Nominee powers extend only to privacy rights, not economic entitlements.
  • Robust safeguards are needed to prevent fraud and resolve conflicts with heirs.
  • Sector-specific protocols (social media memorialisation, wallet closures, health record deletions) are essential.

For India, this right reflects a forward-looking approach embedding dignity, autonomy, and continuity of privacy into the digital age.

Co–Authored by – Aurelia Menezes