Data Principal Rights Overview

DPDPA's rights framework is more streamlined than GDPR's comprehensive catalogue, but it establishes essential mechanisms for empowering Data Principals.

Section 11 gives the right to access information about processing. Data Principals can request a summary of personal data processed, processing purposes, and categories of third parties their data has been shared with.

Section 12 establishes correction and erasure rights. People can fix inaccurate data and request deletion when the processing purpose has been fulfilled. Unlike GDPR's "right to be forgotten," DPDPA's erasure right is tied to purpose fulfilment rather than broader objection grounds. Section 13 mandates grievance redressal mechanisms within Data Fiduciary organisations, creating internal accountability before matters escalate to the regulator.

Section 14 introduces something distinctive in data protection law: the right to nominate another individual to exercise Data Principal rights in case of death or incapacity.

This provision addresses the increasingly important question of digital asset succession and what happens to data after someone passes away. The nominated individual can exercise the Data Principal's rights, though how this interacts with estate laws and family dynamics needs careful consideration.

For organisations, this creates verification obligations. You need to ensure rights requests from nominees are legitimate while avoiding delays that frustrate the provision's protective purpose. The DPDP Rules set out procedures for registering nominations and verifying nominees, adding operational complexity to rights fulfilment processes.