How can individuals exercise their data principal rights effectively under the new Indian law?

With India’s Digital Personal Data Protection Act (DPDPA) 2025, a new era has begun — one where the Data Principal (that’s you, the individual) finally has legally enforceable rights over their own personal information.

For years, Indians handed over phone numbers, Aadhaar details, health data, and even biometric scans with minimal visibility into how that data was used, shared, or misused. Now, the DPDPA 2025 gives you clear, actionable powers to take control.

But knowing your rights on paper isn’t enough; you must know how to use them effectively. As a cybersecurity and privacy expert, I’ll break down:
✅ What rights you actually have as a Data Principal
✅ How you can exercise them step-by-step
✅ Practical examples of where to start
✅ Common pitfalls and how to avoid them

This is your guide to turning the DPDPA’s promises into real-world privacy protection.


First, What Are Your Data Principal Rights?

Under the DPDPA 2025, every Indian citizen is recognized as a Data Principal — the rightful owner of their personal data. You now have the legal right to:

1️⃣ Access: Know what data an organization has about you, why they have it, and who they share it with.
2️⃣ Correction: Demand that incorrect or outdated data be updated.
3️⃣ Erasure: Request deletion of data when it’s no longer needed or when you withdraw consent.
4️⃣ Grievance Redressal: File complaints if your data rights are violated.
5️⃣ Nominate a Representative: Designate someone to exercise your rights on your behalf if you’re unable to do so.


Let’s Bring This to Life with an Example

Suppose you sign up for a loyalty card at a grocery chain. Later, you realize they keep spamming you with marketing calls and texts.

Under DPDPA:
✅ You can request a copy of what data they have on you.
✅ You can withdraw your consent for marketing.
✅ You can ask them to delete your contact details if they no longer need them.
✅ If they refuse or ignore you, you can escalate it to the Data Protection Board of India.


How to Exercise Your Rights: A Step-by-Step Guide

1️⃣ Understand What Data They Hold

Most companies now provide privacy policies and dashboards. Look for sections like:

  • “Manage My Data”

  • “Download My Data”

  • “Privacy Center”

Use these tools to see:

  • What personal info they have.

  • What purposes it’s used for.

  • Which third parties it’s shared with.


2️⃣ Make a Clear Request

If you want to correct or delete data, submit a written request — ideally through email or the company’s designated portal.

Good requests are:
✅ Specific: “Please delete my phone number and purchase history from your marketing database.”
✅ Grounded in your right: “Under the DPDPA 2025, I request deletion of my personal data.”


3️⃣ Keep Records

Always keep:

  • A copy of your request.

  • Any acknowledgment or ticket number they provide.

  • Follow-up emails or replies.

This is your proof if you need to escalate.


4️⃣ Follow Timelines

The DPDPA says companies must respond within a reasonable time — usually within 30 days. If they ignore you or delay without reason, you can:

  • File a complaint with their internal grievance officer.

  • Escalate to the Data Protection Board of India (DPBI).


Example: Withdrawing Consent

You signed up for a newsletter but now want out. Look for an “unsubscribe” link in the email or the app’s privacy settings. If they keep sending emails, write to their Data Protection Officer (DPO) to withdraw consent.

If that still fails, you have the legal right to complain to the DPBI — and they can fine the company up to ₹150 crore.


What About Biometric or Sensitive Data?

Let’s say a gym uses your fingerprint for access. You stop your membership. You can request deletion of your biometric record — they can’t keep it just for convenience.


Using Your Right to Correction

Suppose an insurance app has an old address on file — which could cause problems for claims or communication.

✅ Send a correction request with updated proof (like a new utility bill).
✅ They must update it promptly.
✅ They must also pass the corrected data to third parties they shared it with.


Nominate Someone to Act for You

Elderly citizens, people with disabilities, or children can nominate a trusted person to exercise their rights.

Example: A parent can request deletion of a child’s data from an EdTech app that no longer needs it.


Grievance Redressal: What If They Still Don’t Listen?

If a company denies your request unfairly or drags its feet:
1️⃣ Escalate to the company’s grievance officer — details must be in their privacy policy.
2️⃣ If that fails, file a formal complaint with the Data Protection Board of India.
3️⃣ The DPBI will investigate and can order the company to comply — plus impose fines if needed.


How the Public Can Use This

Here’s how to build good privacy habits:
✅ Always read the consent notice before clicking “I Agree.”
✅ Use privacy dashboards to control what you share.
✅ Be clear when withdrawing consent — don’t just uninstall an app; tell them to delete your account.
✅ File complaints if your rights are ignored — it makes the whole system stronger.


Example: Everyday Scenario

You use a shopping app that suddenly shares your number with a partner brand. You start getting calls from that partner — which you never consented to.

✅ Use your Right to Access: Ask how your data was shared.
✅ If it was unlawful, withdraw consent and request deletion.
✅ If they refuse, escalate. This is exactly what the DPDPA was designed to fix.


Challenges to Watch Out For

❌ Some companies might hide behind vague language or make the process complicated — don’t be discouraged.
❌ Many small businesses are still learning the law — they might need a push.
❌ Keep an eye on timelines — delays should be challenged.


What Organizations Must Do

On the flip side, businesses must:

  • Appoint a Data Protection Officer (DPO) to handle these requests.

  • Provide clear, simple ways for people to exercise rights — not hide them behind confusing menus.

  • Have the technical ability to actually correct or delete data everywhere it’s stored — live systems, backups, partners.

Failing to do so risks huge fines and reputational damage.


Conclusion

The DPDPA 2025 flips the script: your data is not theirs to keep forever — it’s yours to control. The law gives every Indian citizen the right to see, fix, delete, and control how their personal information is used.

For organizations, this means transparency, better data practices, and clear communication. For the public, it means more power — but only if you use it.

Read the fine print. Use privacy tools. Demand accountability. The more we exercise these rights, the more organizations will respect them. And that’s how India’s digital privacy culture grows — not just in law, but in everyday life.

shubham