As India steps into the era of data protection and privacy, the introduction of the Digital Personal Data Protection Act (DPDPA), 2023, stands as a landmark move to grant individuals control over their personal data in a digitally connected society. While organizations must align themselves with compliance and governance structures, the true essence of DPDPA lies in its empowerment of the individual—referred to as the Data Principal.
This blog dives deep into the rights granted to Data Principals under the DPDPA, with a sharp focus on the rights to Access, Correction, and Erasure. These rights are not just legal constructs; they are tools that give people control, autonomy, and dignity in the digital world.
Who is a Data Principal?
In DPDPA parlance, a Data Principal is any individual to whom personal data pertains. This could be:
- A student sharing academic records with an edtech platform.
- A customer using a digital wallet.
- A jobseeker uploading a resume on a recruitment portal.
On the other side of the relationship is the Data Fiduciary, the entity (organization or individual) that determines the purpose and means of processing personal data.
DPDPA is structured around safeguarding the rights of Data Principals while ensuring that Data Fiduciaries collect and process information lawfully, fairly, and transparently.
Why Are These Rights Important?
Digital ecosystems collect vast amounts of personal information: from your biometric data and financial records to your search behavior and location history. Without control mechanisms in place, this data can be:
- Misused for profiling or surveillance.
- Shared or sold without the individual's knowledge.
- Stored indefinitely, posing long-term risks.
The DPDPA seeks to flip this power dynamic by establishing clear rights for individuals and responsibilities for data handlers.
Let’s now explore the three fundamental rights: Access, Correction, and Erasure, and how they work in real life.
1. Right to Access: Know Your Data
What It Means:
The Right to Access empowers individuals to know:
- What data is being collected.
- Why it’s being collected.
- With whom it’s being shared.
- How long it will be retained.
- What processing activities are taking place.
This right creates transparency between the user and the service provider.
Real-World Application:
Imagine that Priya, a freelance graphic designer, uses a design collaboration platform. Over time, she shares documents, personal contact details, and client names.
Now, Priya is curious about how her data is being stored or shared. She files a data access request via the platform’s privacy dashboard.
The platform responds with:
- A copy of all personal data stored.
- Metadata like login times and shared files.
- A list of third-party services (analytics, cloud storage) that accessed her data.
- Retention periods and data processing rationale.
Thanks to DPDPA, Priya now has a clear picture of her digital footprint—and can decide what to do next.
How to Exercise This Right:
- Look for a Privacy Center or “Data Access Request” link on the organization’s website or app.
- Submit a written or digital request under your DPDPA rights.
- Organizations must respond within a reasonable time, typically 15–30 days.
2. Right to Correction: Fix Inaccuracies
What It Means:
The Right to Correction allows individuals to:
- Correct inaccurate or outdated personal data.
- Complete any incomplete data entries.
In the digital space, where services depend heavily on user profiles, even a small error (like a wrong date of birth) can result in service denial or misinformation.
Real-World Application:
Ravi is an IT professional using a job portal. One day, he notices that his name is incorrectly listed as “Ravy.” As minor as it sounds, this typo could affect job opportunities or verification processes.
He contacts the portal’s Grievance Officer and requests the correction. The platform:
- Verifies the request.
- Updates its records.
- Sends confirmation once the correction is completed.
Such user-driven updates not only improve data accuracy but also protect users from unintended errors in service delivery or identity validation.
Best Practices for the Public:
- Regularly review personal information stored in online services.
- Use correction forms or helpdesk options to update records.
- Keep documentation ready (ID proofs, address evidence) when needed for verification.
3. Right to Erasure: The Right to Be Forgotten
What It Means:
The Right to Erasure (also known as the “Right to Be Forgotten”) gives individuals the power to request:
- Deletion of personal data that is no longer necessary.
- Erasure if data was collected without proper consent.
- Data removal upon consent withdrawal.
This is critical in reducing one’s digital footprint, especially in sensitive contexts like health, relationships, or location-based services.
Real-World Application:
Ananya, a student, installs a mobile app that offers mood tracking. A year later, she no longer uses the app and grows concerned about her emotional health data being stored indefinitely.
She submits a consent withdrawal request and invokes her right to erasure.
The app responds by:
- Deleting her account.
- Removing historical data from its servers.
- Notifying third parties (like cloud vendors) to delete her shared data.
Thanks to the DPDPA, Ananya regains control over sensitive information that could otherwise have lingered in the digital ecosystem.
Where Erasure Might Be Denied:
- If data is needed to comply with a legal obligation (e.g., tax records).
- If deletion compromises ongoing contractual obligations.
- If the request is manifestly unfounded, excessive, or repetitive.
Even so, fiduciaries must provide valid justification if they deny the erasure request.
The Right to Redress: When Rights Are Ignored
If an organization fails to honor access, correction, or erasure requests—or does so unjustifiably—you can escalate the matter by:
- Contacting the company’s Grievance Officer (mandatory under DPDPA).
- Filing a complaint with the Data Protection Board of India, which has adjudicatory powers.
- Seeking legal redress in extreme cases, including compensation for harm caused by negligence.
Public Empowerment: How You Can Use These Rights
These rights are not reserved for tech experts. Every Indian citizen can (and should) use them.
Use Cases:
| Scenario | Right Used | Outcome |
|---|---|---|
| You suspect a travel site is sharing your browsing history | Right to Access | You get a full report and take action |
| A delivery app stores your old address and keeps sending items there | Right to Correction | You update the address and fix the delivery issue |
| You delete your social media profile and want all data removed | Right to Erasure | Platform removes personal data permanently |
Responsibilities of Data Fiduciaries
To support these rights, organizations must:
- Set up mechanisms (privacy dashboards, helpdesks).
- Authenticate requests securely.
- Keep records of how data rights requests were handled.
- Train employees to handle data-related requests respectfully and efficiently.
Final Thoughts: Power in the Hands of the People
The DPDPA’s focus on individual rights marks a shift from data exploitation to data empowerment. For the first time in India’s legal framework, personal data is treated as a digital extension of the self, deserving of protection, accuracy, and respect.
As a Citizen:
- Know your rights.
- Question how your data is being used.
- Exercise your rights without hesitation.
As an Organization:
- Build consent and access mechanisms from day one.
- See compliance not as a burden, but as a bridge to digital trust.
The future of data is not just about protection—it’s about participation, empowerment, and respect.