What are the rights of data principals, including erasure and correction, under DPDPA?

Data Privacy Regulations & Compliance (Global & India Focus) – FBI Support Cyber Law Knowledge Base
https://fbisupport.com/rights-data-principals-including-erasure-correction-dpdpa/
Wed, 02 Jul 2025 07:54:56 +0000

Introduction

The Digital Personal Data Protection Act (DPDPA) 2023, which is being implemented operationally in 2025, marks a new era of data privacy regulation in India. The law aims to protect the personal data of individuals, known under the Act as Data Principals, by granting them specific rights over their own information.

These rights are designed to ensure that individuals maintain control, transparency, and autonomy over how their data is collected, used, stored, and shared. One of the key pillars of the DPDPA is the empowerment of Data Principals to access, correct, erase, and manage their personal data held by organizations (called Data Fiduciaries).

Understanding these rights is essential for both individuals and businesses to remain compliant and trustworthy.

Who is a Data Principal?

Under DPDPA 2025, a Data Principal is the individual to whom the personal data relates. In the case of a child (under 18 years) or a person with a disability, their parent or lawful guardian is considered the Data Principal.

Key Rights of Data Principals

DPDPA provides several specific rights to Data Principals. These include:

1. Right to Access Personal Data

Data Principals have the right to:

  • Obtain a summary of their personal data being processed by a Data Fiduciary

  • Know the processing purposes

  • Understand the categories of data being processed

  • Know with whom their data has been shared

  • View the duration of data storage

  • Know about the source of the data, if it was not directly collected from the Data Principal

This right allows individuals to be fully informed about what data organizations hold and how it’s being used.

Example: A customer using a mobile wallet service can request to know what personal and transactional data the company stores, whether it is shared with third-party marketing partners, and for how long it will be retained.

2. Right to Correction and Erasure

This is one of the most powerful rights granted under the DPDPA.

Right to Correction:
Data Principals have the right to correct inaccurate or misleading personal data about them that is held by a Data Fiduciary.

This includes:

  • Fixing incorrect name, address, date of birth, contact information, etc.

  • Updating out-of-date information

  • Removing irrelevant or false data

Right to Erasure:
Data Principals can request the erasure (deletion) of their personal data that:

  • Is no longer necessary for the purpose it was collected

  • Was collected based on consent which has now been withdrawn

  • Is being processed unlawfully

  • Must be erased to comply with legal obligations

However, the right to erasure is subject to the fiduciary’s legal obligations. If the data must be retained for legal, regulatory, or contractual obligations, the organization may reject the request but must provide a valid justification.

Example:
If an individual has closed their online shopping account and withdrawn consent, they can request the company to delete their personal data (name, email, payment details, etc.). However, the company may retain order-related records for tax or warranty reasons, with clear justification.

3. Right to Grievance Redressal

Every Data Principal has the right to lodge a complaint with the concerned Data Fiduciary if:

  • Their data has been misused

  • Their correction or erasure request was denied without proper reason

  • They experienced a delay in access or action

Fiduciaries must provide a mechanism to handle grievances and respond within a reasonable time (notified by rules).

If unsatisfied, the Data Principal may appeal to the Data Protection Board of India, which will act as a quasi-judicial body.

Example: A user requests an app company to correct their gender and mobile number. The company ignores the request. The user can escalate the complaint to the Data Protection Board if no resolution is offered.

4. Right to Nominate

In case a Data Principal becomes incapacitated or dies, they have the right to nominate another person who can exercise their data rights on their behalf.

This is especially important for:

  • Digital legacy management

  • Managing health records

  • Financial accounts after death

Example: A person can nominate their spouse to manage or delete their digital accounts in the event of their death.

5. Right to Withdraw Consent

Where data is collected based on consent, the Data Principal has the right to:

  • Withdraw consent at any time

  • Ensure that such withdrawal is as easy as giving consent

Upon withdrawal, the Data Fiduciary must stop processing the relevant data unless legally required to retain it.

Example: A user who signed up for a newsletter can withdraw consent and expect the company to stop sending marketing emails and delete their related records.

6. Right to Be Informed

This is a foundational right, enabling all other rights. Data Principals must be:

  • Clearly informed before data is collected

  • Told about purposes of processing

  • Made aware of their rights under DPDPA

The information must be provided in clear, simple language and in multiple languages (as applicable).

Example: A food delivery app must notify users during sign-up that their data may be used for location tracking, order fulfillment, and targeted ads. The user must be able to understand this information easily.

How Can Data Principals Exercise Their Rights?

Under the DPDPA, organizations (Data Fiduciaries) must:

  • Create easy-to-use tools or platforms for data access, correction, and erasure

  • Offer digital mechanisms, such as account settings or online forms, to raise requests

  • Respond within timelines to be notified by the government

  • Provide reasons in writing if any request is denied

  • Record and monitor how these requests are handled

For greater control, individuals may also use Consent Managers, authorized intermediaries who help Data Principals manage and track consents across multiple services.

Responsibilities of Data Fiduciaries

To support Data Principal rights, every Data Fiduciary must:

  • Maintain records of user consents and requests

  • Enable correction and deletion tools

  • Establish grievance redressal systems

  • Verify identity before processing such requests to prevent fraud

  • Retain only necessary data for as long as required

  • Appoint a Data Protection Officer (DPO) if they are classified as Significant Data Fiduciaries

Limitations and Conditions

While the rights of Data Principals are broad, some limitations apply:

  • Data cannot be deleted if required for legal obligations, e.g., tax, criminal investigations, medical records

  • Correction or deletion may be denied if the identity of the requester cannot be verified

  • Requests that are frivolous, repetitive, or excessive may be rejected

Penalties for Non-Compliance

Failure to honor these rights can lead to heavy penalties:

  • Up to ₹200 crore for failure to implement safeguards or respond to legitimate requests

  • Organizations may also face loss of reputation, legal cases, and cancellation of licenses in some sectors

Conclusion

DPDPA 2025 empowers Indian citizens with comprehensive rights over their personal data, bringing India closer to international data protection standards. The rights to access, correction, erasure, nomination, grievance redressal, and consent withdrawal create a strong legal framework where the individual—not the organization—is in control of personal information.

Businesses and platforms must redesign their systems, customer service processes, and data architectures to meet these obligations and enable real-time response to Data Principal requests. For individuals, these rights mark a turning point toward greater digital empowerment and privacy in India’s growing digital economy.
