dpdpact.co.in

This website belongs to KavachOne Solutions Pvt. Ltd., having its corporate office located in Noida, India.
Data Principal Rights Under DPDP Act India: Complete Guide 2025 | KavachOne
👤 Individual Privacy Rights

Data Principal Rights Under India's DPDP Act

India's DPDP Act 2023 gives every individual — every data principal — seven powerful rights over their personal data. As a Data Fiduciary, you must have systems to receive, verify, and fulfil these rights requests. Failure to do so risks penalties up to ₹150 crore and direct DPB intervention.

⚖️ DPDP Rights Overview
7 Rights
📄 Right to Access §11
✏️ Right to Correction §12
🗑️ Right to Erasure §12
📦 Right to Portability §12
🚫 Right to Withdraw Consent §6(6)
👨‍👩‍👧 Right to Nomination §14
⚖️ Right to Grievance Redressal §13
7: DPDP Data Principal Rights
30 Days: Maximum Response Deadline
₹150 Cr: Max Penalty for Rights Violations
Free: Rights Requests Must Be Fulfilled at No Cost
All: Applies to Every Data Fiduciary
All 7 Rights

The Seven Data Principal Rights Under India's DPDP Act

Sections §11 through §14 of the DPDP Act grant every data principal — every individual whose personal data is processed — seven enforceable rights against every Data Fiduciary.

📄 Right to Access Information

Every data principal has the right to obtain a summary of their personal data being processed by a Data Fiduciary — including the categories of data held, the purposes for which it is processed, and any third parties it has been shared with.

⏱ Within 30 days · ₹150 Cr if refused
How to fulfil
  • Verify the data principal's identity against your records
  • Query ROPA for all entries containing their personal data
  • Generate a data summary report from Privacy Suite
  • Deliver securely in machine-readable format within 30 days
✏️ Right to Correction & Completion

Every data principal has the right to correct inaccurate or misleading personal data and to complete incomplete personal data held by the Data Fiduciary. This includes correcting data across all systems, processors, and third parties it has been shared with.

⏱ Within 30 days · ₹150 Cr if refused
How to fulfil
  • Receive and validate the correction request and evidence provided
  • Update data across all internal systems containing the record
  • Notify all processors and third parties of the correction
  • Confirm completion to the data principal with evidence
🗑️ Right to Erasure

Every data principal has the right to have their personal data erased — when it is no longer necessary for the purpose for which it was collected, or when they withdraw consent and there is no overriding legal ground for continued processing. Erasure must extend to all processors and shared parties.

⏱ Within 30 days · ₹150 Cr if refused · ⚠ Exceptions apply
How to fulfil
  • Verify request and assess whether any legal exemption applies
  • Use ROPA to locate all data stores containing the record
  • Execute deletion across all systems and databases
  • Instruct all processors to delete — require deletion certificates
  • Confirm erasure to the principal with documented evidence
📦 Right to Data Portability

Every data principal has the right to receive a copy of their personal data in a structured, commonly used, machine-readable format — and to transmit that data to another Data Fiduciary where technically feasible. This enables individuals to switch service providers without losing their data history.

⏱ Within 30 days · ₹150 Cr if refused
How to fulfil
  • Compile the data principal's personal data from all relevant systems
  • Export in JSON, CSV, or XML format — structured and readable
  • Deliver securely via encrypted download link or secure portal
  • If transmit-to-third-party is requested, confirm feasibility and execute
🚫 Right to Withdraw Consent

Every data principal has the right to withdraw consent at any time — without any detriment to them. Withdrawal must be as easy as the original grant. Upon withdrawal, processing for that purpose must cease and the data must be erased unless another legal basis applies.

⏱ Immediate cessation · ₹200 Cr if ignored
How to fulfil
  • Provide one-click withdrawal in ConsentiQo dashboard
  • Immediately cease all processing for the withdrawn purpose
  • Trigger erasure workflow unless legal basis exists for retention
  • Update consent audit log — DPB-admissible record maintained
👨‍👩‍👧 Right to Nominate

Every data principal has the right to nominate another individual to exercise their DPDP rights on their behalf in the event of their death or incapacity. This is a unique DPDP provision — creating a digital succession right for personal data. Data Fiduciaries must honour nominations registered with them.

⏱ On application · Unique to DPDP
How to fulfil
  • Provide a secure nomination registration form or portal
  • Verify and store nominee details against the data principal's account
  • On death/incapacity: verify nominee identity and relationship
  • Grant nominee access to exercise rights on principal's behalf
⚖️ Right to Grievance Redressal

Every data principal has the right to an effective grievance redressal mechanism — the right to complain to the Data Fiduciary and receive a response. If unsatisfied, they can escalate to the Data Protection Board (DPB). Data Fiduciaries must publish contact details for their Grievance Officer (or DPO for SDFs) and respond to complaints within 30 days.

Obligations on Data Fiduciaries
  • Publish DPO / Grievance Officer name and contact details on your website and in your privacy notice
  • Acknowledge all grievance submissions within 48 hours
  • Provide a substantive written response within 30 days
  • Maintain a grievance register — log every complaint and its resolution
  • If the data principal escalates to DPB, cooperate fully with DPB investigation
Response Requirements

Data Fiduciary Response Obligations for Each Right

Precise timelines, actions, and penalties for every data principal right — know exactly what is required before a request arrives.

Each entry gives the right, its DPDP section, the response deadline, the required action, and the maximum penalty if the request is refused:
  • Access to personal data summary (§11): 30 days. Provide written summary of data held, purposes, and third-party disclosures. Max penalty ₹150 Crore.
  • Correction of inaccurate data (§12): 30 days. Update data across all systems and notify all processors of correction. Max penalty ₹150 Crore.
  • Completion of incomplete data (§12): 30 days. Complete the record and update all processors accordingly. Max penalty ₹150 Crore.
  • Erasure of personal data (§12): 30 days. Delete from all systems; instruct all processors; provide deletion certificate. Max penalty ₹150 Crore.
  • Data portability / export (§12): 30 days. Provide structured, machine-readable export of data; transmit if requested. Max penalty ₹150 Crore.
  • Consent withdrawal (§6(6)): immediate. Cease processing for withdrawn purpose; trigger erasure unless legal basis applies. Max penalty ₹200 Crore.
  • Nominee registration (§14): 30 days. Register nominee; on death/incapacity grant nominee rights access. Max penalty ₹150 Crore.
  • Grievance redressal (§13): 30 days. Acknowledge within 48 hrs; substantive written response within 30 days. Max penalty ₹50 Crore.
DSAR Workflow

How to Handle a DSAR Request — Step by Step

A Data Subject Access Request (DSAR) under the DPDP Act must follow a structured process to ensure timely, accurate, and documented fulfilment. Here is the complete workflow.

📬 Intake (Day 0): Request received via Rights Portal, email, or registered contact. Logged in DSAR register with timestamp.
🔐 Verify Identity (Day 1–3): Verify the requester's identity to prevent fraudulent DSARs. Proportionate verification — don't request more than needed.
🔍 Locate & Compile (Day 3–20): Query all systems in ROPA. PII Scanner assists in locating records. Compile responsive data across all sources.
⚖️ Review & Redact (Day 20–27): Review compiled data for exemptions, redact third-party personal data, and obtain DPO sign-off on the response.
📤 Respond & Log (by Day 30): Deliver response via secure portal. Log outcome in DSAR register — DPB-admissible evidence of timely compliance.
Organisational Readiness

Are You Ready to Fulfil Rights Requests?

Before a DSAR arrives, these 18 organisational prerequisites must be in place. Most organisations discover significant gaps when they check for the first time.

🚪 Rights Intake Channel
  • Dedicated DSAR email address published
  • Rights portal linked from privacy notice
  • Paper/phone requests process documented
  • Request logging and timestamp system live
🔐 Identity Verification
  • Proportionate ID verification process defined
  • Fraudulent DSAR detection protocols in place
  • Verification timeout and re-attempt rules set
  • Verification steps documented for DPB audit
🗺️ Complete ROPA for Data Location
  • All personal data stores documented in ROPA
  • PII Scanner reconciled with ROPA entries
  • Search procedures for each data store defined
  • Third-party data request process established
⏱️ 30-Day Deadline Tracking
  • DSAR deadline auto-calculated from receipt date
  • Escalation alerts at Day 20, 25, 28
  • Extension process (rare) documented
  • DPO notified of all open DSARs over Day 15
🗄️ DSAR Register & Audit Log
  • Every DSAR logged with receipt timestamp
  • Response type, date, and outcome recorded
  • Full DPB-admissible evidence trail maintained
  • Annual DSAR trends report for management
🤝 Processor Coordination
  • All DPAs include rights request cooperation clauses
  • Vendor DSAR response SLA agreed (5 business days)
  • Erasure instruction process for all processors
  • Vendor deletion certificate process established
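The DSAR workflow above (intake, identity verification, compilation, review, response) and the deadline-tracking and register prerequisites can be exercised together in a small register. The following is an added example written for this page; it is not KavachOne's Rights Portal or Privacy Suite code. The request id, dates, channel and system names are constructed sample values, and the thresholds follow the page (deadline 30 days from receipt, escalation alerts at Day 20, 25 and 28, DPO notified of open requests over Day 15). The audit log is a SHA-256 hash chain, which is one way to make the register tamper-evident: editing, removing or reordering any entry breaks verification.

```python
# Added example (not KavachOne code): a minimal DSAR register that logs each
# workflow step in a hash-chained, tamper-evident audit trail, computes the
# 30-day deadline from the receipt date and raises the escalation alerts the
# page lists (Day 20, 25, 28; DPO notified of open requests over Day 15).
# Request ids, dates, channel and system names below are constructed samples.
import hashlib
import json
from dataclasses import dataclass
from datetime import date, timedelta

RESPONSE_WINDOW_DAYS = 30          # respond by Day 30
ESCALATION_DAYS = (20, 25, 28)     # alert thresholds from the page
DPO_NOTIFY_AFTER_DAY = 15          # DPO sees every open DSAR over Day 15
GENESIS_HASH = "0" * 64            # previous-hash value for the first entry


@dataclass
class Entry:
    seq: int
    event: str
    payload: dict
    prev_hash: str
    entry_hash: str


def _digest(seq: int, event: str, payload: dict, prev_hash: str) -> str:
    # Canonical JSON (sorted keys, no whitespace) so the same record
    # always hashes to the same value regardless of dict ordering.
    material = json.dumps(
        {"seq": seq, "event": event, "payload": payload, "prev": prev_hash},
        sort_keys=True, separators=(",", ":"),
    )
    return hashlib.sha256(material.encode("utf-8")).hexdigest()


class DsarRegister:
    """Append-only log; every entry commits to the hash of the previous one."""

    def __init__(self):
        self.entries = []

    def append(self, event: str, payload: dict) -> str:
        prev = self.entries[-1].entry_hash if self.entries else GENESIS_HASH
        seq = len(self.entries)
        entry_hash = _digest(seq, event, payload, prev)
        self.entries.append(Entry(seq, event, dict(payload), prev, entry_hash))
        return entry_hash

    def verify(self) -> bool:
        """Recompute the chain; an edited, dropped or reordered entry fails."""
        prev = GENESIS_HASH
        for i, e in enumerate(self.entries):
            if e.seq != i or e.prev_hash != prev:
                return False
            if _digest(e.seq, e.event, e.payload, e.prev_hash) != e.entry_hash:
                return False
            prev = e.entry_hash
        return True


def deadline(received_iso: str) -> str:
    """Day-30 deadline counted from the receipt date (ISO 8601 date strings)."""
    received = date.fromisoformat(received_iso)
    return (received + timedelta(days=RESPONSE_WINDOW_DAYS)).isoformat()


def status(received_iso: str, today_iso: str, responded: bool = False) -> dict:
    """Where a request stands today: elapsed days, alerts fired, DPO flag, overdue."""
    elapsed = (date.fromisoformat(today_iso) - date.fromisoformat(received_iso)).days
    return {
        "day": elapsed,
        "deadline": deadline(received_iso),
        "escalation_alerts": [d for d in ESCALATION_DAYS if elapsed >= d],
        "notify_dpo": not responded and elapsed > DPO_NOTIFY_AFTER_DAY,
        "overdue": not responded and elapsed > RESPONSE_WINDOW_DAYS,
    }


def sample_register() -> DsarRegister:
    """Walk one constructed access request through the five workflow steps."""
    reg = DsarRegister()
    rid, received = "DSAR-0001", "2025-01-01"          # constructed sample values
    reg.append("intake", {"request_id": rid, "right": "access", "channel": "rights_portal",
                          "received": received, "deadline": deadline(received)})
    reg.append("identity_verified", {"request_id": rid, "method": "account_login_plus_otp",
                                     "on": "2025-01-02"})
    reg.append("data_compiled", {"request_id": rid, "sources": ["crm", "billing", "support"],
                                 "on": "2025-01-15"})
    reg.append("reviewed", {"request_id": rid, "third_party_data_redacted": True,
                            "dpo_signoff": True, "on": "2025-01-24"})
    reg.append("responded", {"request_id": rid, "delivery": "secure_portal",
                             "on": "2025-01-27", "outcome": "fulfilled"})
    return reg


if __name__ == "__main__":
    reg = sample_register()
    print("chain intact:", reg.verify())
    print(status("2025-01-01", "2025-01-26"))
    reg.entries[2].payload["sources"] = ["crm"]   # simulate an after-the-fact edit
    print("chain intact after edit:", reg.verify())
```

A hash chain only proves integrity relative to its head: if someone can rewrite the whole log they can re-chain it, so the current head hash should be exported or signed on a schedule (for example into a system the DSAR team cannot write to) before the register is offered as evidence. The `status` function treats a request as overdue only while it is unanswered, so a request fulfilled on Day 27, as in the sample, never trips the Day-30 flag.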
KavachOne Rights Portal

Automate Every Rights Request with KavachOne's Rights Portal

KavachOne's Rights Portal gives your data principals a branded self-service experience for all 7 DPDP rights — while automating intake, routing, deadline tracking, and fulfilment workflows behind the scenes.

🎨 Brandable Self-Service Portal
Fully customisable portal branded with your logo, colours, and domain — giving data principals a seamless, professional experience aligned with your product.
Automated DSAR Routing & Tracking
Every request is automatically classified by right type, routed to the responsible team, and tracked against the 30-day deadline — with escalation alerts at configurable thresholds.
🔗 ROPA-Integrated Data Compilation
Access and portability requests trigger automatic data compilation queries across all ROPA-documented data stores — dramatically reducing manual effort per DSAR.
📋 DPB-Ready DSAR Audit Log
Every DSAR — request, verification, response, outcome — is automatically logged in a tamper-evident audit trail, ready to produce to the Data Protection Board at any time.
🍃 ConsentiQo Consent Withdrawal Integration
Consent withdrawal requests flow directly from the Rights Portal into ConsentiQo — instantly updating consent records, ceasing processing, and triggering erasure workflows.
👤 See the Rights Portal Demo
privacy.yourcompany.com/rights
Your Privacy Rights Portal
Manage your personal data — access, correct, erase, or export
📄 Access my data
✏️ Correct my data
🗑️ Delete my data
📦 Download my data
🚫 Withdraw consent
👨‍👩‍👧 Add a nominee
⚖️ Submit a grievance

Build Your DPDP-Compliant Rights Fulfilment Programme

KavachOne's Rights Portal and Privacy Suite give your data principals a seamless rights experience — while automating every DSAR intake, verification, routing, and deadline workflow behind the scenes, integrated with your ROPA and ConsentiQo.

FAQs

Common Questions About Data Principal Rights

Can a Data Fiduciary charge a fee to respond to DSAR requests?
No. The DPDP Act requires Data Fiduciaries to respond to DSAR requests at no cost to the data principal. Charging a fee — or making the rights request process deliberately cumbersome — may itself constitute a violation of the Act's accountability provisions. The only exception anticipated is where a data principal makes manifestly unfounded, excessive, or repetitive requests — in which case the Data Fiduciary may request guidance from the DPB on how to proceed.
Are there grounds to refuse a right to erasure request?
Yes, the DPDP Act provides limited grounds on which erasure may be deferred or refused — primarily where continued processing is required to comply with a legal obligation (e.g. tax record retention requirements), to perform a contract with the data principal, or where the processing is covered under a Legitimate Use basis that overrides the erasure request. Any refusal must be documented in writing, communicated to the data principal with reasons, and the data principal informed of their right to escalate to the DPB.
What happens if a data principal escalates to the DPB after we respond?
If a data principal escalates a grievance to the Data Protection Board — either because their request was refused, ignored, or inadequately handled — the DPB will notify the Data Fiduciary and initiate an inquiry. The Data Fiduciary must produce evidence of its DSAR response process, the specific response given, and the legal basis for any refusal. This is why maintaining a DPB-admissible DSAR register and complete documentation of every response is critical — it is your first line of defence in a DPB proceeding.
How does the Right to Nomination work in practice?
The Right to Nomination (§14) is unique to India's DPDP Act. In practice, it works like a digital power of attorney for personal data — the data principal registers a nominee (name, contact, relationship) during their lifetime. On the data principal's death or verified incapacity, the nominee can approach the Data Fiduciary to exercise all rights on behalf of the deceased or incapacitated principal — including accessing, correcting, or erasing their data. Data Fiduciaries must establish a process for verifying nominee identity and the death/incapacity of the original principal.
Can data principals exercise rights over data processed under Legitimate Use (not consent)?
Yes — most data principal rights under the DPDP Act apply regardless of whether processing is based on consent or Legitimate Use. The Right to Access, Correction, Portability, and Grievance Redressal apply to all processing. The Right to Erasure and Right to Withdraw Consent apply most directly to consent-based processing, but data principals can still request erasure of Legitimate Use data — the Data Fiduciary must then assess whether a legal exemption applies and respond accordingly.