Data Principal Rights Under DPDPA

DPDPA grants data principals five core rights: access, correction, erasure, grievance redressal, and nomination. Organisations must establish intake mechanisms, response workflows, and tracking systems ensuring timely compliance. This article examines each right, response timelines, and operational implementation.

Data principals may request confirmation of processing, categories of personal data held, identities of third-party recipients, and other prescribed information. Response must be in clear, plain language accessible to the requestor. Complex data inventories must be translated into comprehensible summaries within prescribed timelines.

Upon request, organisations must correct inaccurate data, complete incomplete data, update outdated data, and erase data no longer necessary for stated purpose. Erasure obligations are subject to retention requirements under other laws—the organisation must document applicable retention periods and communicate exceptions to requestors.

Section 13 requires Data Fiduciaries to establish grievance redressal mechanisms. Complaints must be resolved within 90 days. If unresolved, data principals may approach the Data Protection Board. Organisations must designate grievance officers, publish contact details, and maintain complaint registers demonstrating timely resolution.

Section 14 permits data principals to nominate representatives to exercise rights in case of death or incapacity. Organisations must establish nomination registration mechanisms and verify nominee identity before responding to posthumous or incapacity-triggered requests. Clear procedures prevent fraudulent nominee claims.