Your Rights as a Data Principal under DPDPA 2023 — India

Researched by , Head Researcher

Primary sources cited; not legal advice.

Last verified:

Source: Digital Personal Data Protection Act, 2023, ss. 11–14, s. 6(4); Digital Personal Data Protection Rules, 2025

Sourced from Indian central (Union) law — Constitution of India, central Acts of Parliament, and Supreme Court decisions. State-level information reflects each state's own Acts and High Court rulings. Written in plain language for general understanding — this is educational content, not legal advice. Our editorial standards

Indian Central Law

What is this right?

The DPDPA gives every Data Principal — that is, you, the individual whose personal data is being processed — five concrete enforceable rights against a Data Fiduciary (the company or person that determines purpose and means of processing).

  • Right to access (s. 11) — summary of personal data processed, processing activities, names of all other Fiduciaries / Processors with whom your data was shared.
  • Right to correction, completion, updation, and erasure (s. 12) — request that inaccurate data be corrected and that data no longer required for the original purpose be erased.
  • Right of grievance redressal (s. 13) — readily available means to file grievances with the Fiduciary; the Fiduciary must respond within a defined timeline.
  • Right to nominate (s. 14) — name another individual to exercise your rights in case of death or incapacity.
  • Withdrawal of consent (s. 6(4)) — withdraw consent at any time, as easily as it was given; processing must cease for that purpose.

Until full enforcement in 13 May 2027, you can already file complaints with the Data Protection Board of India for breach of Board-effective provisions.

When does it apply?

Applies to any Indian Data Principal whose digital personal data is processed.

  • Online and offline personal data digitised after collection.
  • Extra-territorial — applies to processing of Indian residents' data abroad if connected with offering goods or services to people in India.
  • Children's data (under 18) requires parental consent; cross-border restrictions notified separately.

What to Do to Exercise Your Data Rights in India

Use the structured rights system. Generic emails to support get ignored — a formal "DPDPA Rights Request" with the right cite works.

  • Find the Data Fiduciary's Data Protection Officer or Grievance Officer contact in their privacy policy.
  • Send a written request quoting DPDPA s. 11 / 12 / 13 / 14 as relevant.
  • Keep the email or registered-post receipt. Set a calendar reminder for the response deadline.
  • If the Fiduciary fails to respond, raise a grievance via their grievance officer. Only after that internal step can you escalate.
  • If still no response, file a complaint at the Data Protection Board of India.
  • For sensitive personal data (passwords, financial, health, biometrics) processed in violation of the SPDI Rules 2011, you can also seek compensation under IT Act s. 43A.

What should you NOT do?

  • Do not file with multiple regulators simultaneously. Pick the Data Protection Board or the Adjudicating Officer under IT Act s. 46 — not both for the same cause.
  • Do not assume the Fiduciary must respond instantly. Statutory timelines for Phase III (13 May 2027) compliance apply when full provisions are in force.
  • Do not pay any "DPDPA filing fee" to private agents claiming to file Rights Requests. The right itself is free.
  • Do not delete your evidence — emails, app notifications, screenshots — before resolution.

About Data Privacy & Digital Rights in India

India's data-protection regime entered force in phases starting 13 November 2025, when the Ministry of Electronics and Information Technology (MeitY) notified the Digital Personal Data Protection Rules, 2025 under the Digital Personal Data Protection Act, 2023 (DPDPA). The Data Protection Board of India (DPB) is now operational; the Consent Manager Framework goes live 13 November 2026; full operational compliance — notice, consent, breach reporting, rights handling — by 13 May 2027. Until then, the Information Technology Act, 2000 and the SPDI Rules 2011 continue to govern cybercrime and remain the active route for offences against personal data. CERT-In directions (28 April 2022) require incident reporting within 6 hours for specified categories of cyber-incident. Sahyog portal (sahyog.mha.gov.in) is the unified portal for content takedown intimations under IT Act s. 79(3)(b) and rule-based blocking. For NCII (non-consensual intimate imagery), the IT Act s. 67/67A, BNS s. 79, and POCSO Act (for minors) apply.

Common Questions

What is the your rights as a data principal under dpdpa 2023 right in India?

The DPDPA gives every Data Principal — that is, you, the individual whose personal data is being processed — five concrete enforceable rights against a Data Fiduciary (the company or person that determines purpose and means of processing).Right to access (s. 11) — summary of personal data processed, processing activities, names of all other Fiduciaries / Processors with whom your data was shared.Right to correction, completion, updation, and erasure (s. 12) — request that inaccurate data be corrected and that data no longer required for the original purpose be erased.Right of grievance redress...

When does your rights as a data principal under dpdpa 2023 apply?

Applies to any Indian Data Principal whose digital personal data is processed.Online and offline personal data digitised after collection.Extra-territorial — applies to processing of Indian residents' data abroad if connected with offering goods or services to people in India.Children's data (under 18) requires parental consent; cross-border restrictions notified separately.

How do I exercise my data-access and erasure rights under India's DPDPA 2023?

Use the structured rights system. Generic emails to support get ignored — a formal "DPDPA Rights Request" with the right cite works.Find the Data Fiduciary's Data Protection Officer or Grievance Officer contact in their privacy policy.Send a written request quoting DPDPA s. 11 / 12 / 13 / 14 as relevant.Keep the email or registered-post receipt. Set a calendar reminder for the response deadline.If the Fiduciary fails to respond, raise a grievance via their grievance officer. Only after that internal step can you escalate.If still no response, file a complaint at the Data Protection B...

What mistakes should I avoid with your rights as a data principal under dpdpa 2023?

Do not file with multiple regulators simultaneously. Pick the Data Protection Board or the Adjudicating Officer under IT Act s. 46 — not both for the same cause.Do not assume the Fiduciary must respond instantly. Statutory timelines for Phase III (13 May 2027) compliance apply when full provisions are in force.Do not pay any "DPDPA filing fee" to private agents claiming to file Rights Requests. The right itself is free.Do not delete your evidence — emails, app notifications, screenshots — before resolution.

More in Data Privacy & Digital Rights

Reporting a Data Breach to CERT-In and the Data Protection BoardIndia runs two parallel breach-reporting regimes.CERT-In (Indian Computer Emergency Response Team) under MeitY enforces ...Read more →Non-Consensual Intimate Image Takedown in IndiaIf sexually explicit images or videos of you have been shared online without consent, India has a layered takedown syste...Read more →
← Browse all Data Privacy & Digital Rights

Last verified:

You came here to know your rights — help someone else know theirs.

Support This Mission