Rights & Duties

Data Principal Rights: Access, Correction, Erasure, and Grievance

The DPDP Act gives every Data Principal four rights: to access information about how their data is processed, to correct and erase it, to grievance redressal, and to nominate another person to exercise rights on their behalf. It also imposes duties on Data Principals, a feature unique to Indian data protection law.

~20 min read. Last updated: June 2026

Right to Know What Data Is Being Processed

Section 11 of the DPDP Act 2023; Rule 14 of the DPDP Rules 2025

Every Data Principal has the right to obtain a summary of the personal data being processed about them and to know who it has been shared with — subject to limited exceptions for law enforcement.

Section 11 gives you the right to go back to any organisation you previously gave consent to and ask: what data do you have on me, and what are you doing with it? This right applies specifically to Data Fiduciaries to whom you have given consent — it is not a general right to query any organisation.

When you exercise this right, the Data Fiduciary must provide three categories of information. First, a summary of the personal data being processed and the processing activities undertaken with it. Second, the identities of all other Data Fiduciaries and Data Processors with whom your data has been shared, along with a description of what data was shared with each. Third, any other information about your personal data and its processing that may be prescribed by rules.

For example, if you signed up for a food delivery app and consented to it collecting your location data, order history, and payment details, you can ask the app to tell you exactly what data it holds about you, what it is doing with that data, and which third parties — such as payment processors, delivery partners, or analytics companies — have received any of it.

There is one exception. The obligation to disclose the identities of other Data Fiduciaries and Data Processors does not apply where data was shared with another Data Fiduciary that is authorised by law to obtain the data for the prevention, detection, investigation, or prosecution of offences, or for dealing with cyber incidents. In other words, if your data was shared with a law enforcement agency under a legal mandate, the original Data Fiduciary is not required to tell you about that specific sharing.

Rule 14 adds practical requirements for how this right is exercised. The Data Fiduciary and any Consent Manager must publish on their website or app the means through which a Data Principal can make requests, along with the identifiers required. An "identifier" can be a customer ID, application reference number, enrolment ID, email address, mobile number, or licence number — whatever the organisation uses to look you up in its systems.

Key Points

  • You have the right to obtain a summary of your personal data and the processing activities performed on it.
  • You can ask for the identities of all other Data Fiduciaries and Data Processors who received your data, with a description of what was shared.
  • This right applies only to Data Fiduciaries to whom you previously gave consent.
  • Exception: the Data Fiduciary does not need to disclose sharing with law enforcement agencies authorised by law for offence prevention, detection, investigation, or prosecution, or for cyber incident response.
  • Rule 14 requires Data Fiduciaries and Consent Managers to publish the means for making requests and the identifiers needed (customer ID, email, mobile number, etc.).

Right to Correct or Delete Your Data

Section 12 of the DPDP Act 2023; Rule 14 of the DPDP Rules 2025

You can ask any Data Fiduciary to correct inaccurate data, complete incomplete data, update outdated data, or erase data entirely — though erasure can be refused if retention is necessary for a specified purpose or required by law.

Section 12 gives you the right to request four specific actions on the personal data you previously consented to being processed: correction of inaccurate or misleading data, completion of incomplete data, updating of data that is no longer current, and erasure of data you want deleted.

The correction right is straightforward. If a Data Fiduciary holds data about you that is wrong or misleading, you can ask them to fix it. If data is incomplete — for example, your address is partially recorded — you can ask them to complete it. If your phone number or employer has changed, you can ask them to update it.

Erasure works differently. When you request erasure, the Data Fiduciary must delete your data unless retention is necessary for the specified purpose for which you originally consented to processing, or unless another law requires the data to be retained. For instance, a financial services company may be required under anti-money laundering regulations to retain your records for a certain number of years, even if you ask for deletion.

Consider a practical example. You signed up for an e-commerce platform five years ago. You no longer use it, and you want your data removed. You can submit an erasure request. The platform must comply — unless it has a legal obligation to retain your data (such as tax records) or the data is still needed for a purpose you consented to that has not yet been fulfilled.

Rule 14 governs the procedure. Data Fiduciaries must publish on their website or app the means for making correction and erasure requests, along with the required identifiers. Grievance redressal timelines must also be published, with a reasonable period not exceeding 90 days for a response. Additionally, a Data Principal may nominate individuals to exercise these rights on their behalf.

Key Points

  • You can request correction of inaccurate or misleading data, completion of incomplete data, and updating of outdated data.
  • You can request erasure of your personal data.
  • The Data Fiduciary must comply with erasure unless retention is necessary for the specified purpose or required by law.
  • The procedure for making requests, including required identifiers, must be published on the Data Fiduciary's website or app.
  • Response timelines must be published — the maximum permitted is 90 days (Rule 14).
  • You may nominate someone to exercise these rights on your behalf.

Right to File a Grievance

Section 13 of the DPDP Act 2023; Rule 14 of the DPDP Rules 2025

If you are dissatisfied with how a Data Fiduciary or Consent Manager handles your data or your requests, you have the right to file a grievance — and the organisation must respond within a reasonable period, up to a maximum of 90 days.

Section 13 establishes a right to grievance redressal. Every Data Principal has the right to readily available means of registering a grievance with a Data Fiduciary or Consent Manager. This is not a vague promise — the Act requires that the mechanism be readily available, meaning it must be easy to find and easy to use.

Once a grievance is filed, the Data Fiduciary or Consent Manager must respond within a prescribed period. Rule 14 sets this period at a reasonable timeframe not exceeding 90 days. The exact number of days may vary by organisation, but 90 days is the outer limit.

There is an important procedural requirement: a Data Principal must exhaust the grievance mechanism of the Data Fiduciary or Consent Manager before approaching the Data Protection Board. You cannot skip the internal process and go directly to the Board. This is designed to give organisations a chance to resolve issues before regulatory intervention.

In practice, this means that if you believe a food delivery app is not complying with your data correction request, your first step is to use the app's grievance mechanism. If they do not respond, or if their response is unsatisfactory, you then have the right to escalate the matter to the Data Protection Board.

Rule 14 requires that the grievance redressal timelines be published on the Data Fiduciary's website or app, so you know upfront how long the process should take.

Key Points

  • Every Data Fiduciary and Consent Manager must provide a readily available grievance mechanism.
  • Grievances must be responded to within a reasonable period, not exceeding 90 days.
  • You must exhaust the Data Fiduciary's or Consent Manager's internal grievance process before approaching the Data Protection Board.
  • Grievance redressal timelines must be published on the organisation's website or app.

Right to Nominate Someone to Act on Your Behalf

Section 14 of the DPDP Act 2023; Rule 14 of the DPDP Rules 2025

You can nominate any individual to exercise your data protection rights on your behalf in the event of your death or incapacity.

Section 14 addresses what happens to your data rights when you can no longer exercise them yourself. Every Data Principal has the right to nominate any individual who, in the event of the Data Principal's death or incapacity, can step in and exercise the Data Principal's rights under the Act.

"Incapacity" is defined as the inability to exercise rights due to unsoundness of mind or infirmity of body. This covers situations such as a serious illness that leaves a person unable to manage their own affairs, or a mental health condition that prevents informed decision-making.

The nominee does not need to be a family member. The Act says "any individual" — this gives the Data Principal full flexibility to choose a trusted person.

This provision matters because personal data does not disappear when someone dies or becomes incapacitated. Without a nominated person, there would be no one authorised to request information about the data, correct it, or ask for its deletion. The nominee steps into the Data Principal's shoes for all rights under the Act.

Rule 14 supports this by allowing the nomination process to be carried out through the means published by the Data Fiduciary on its website or app, using the same identifier-based system used for other rights requests.

Key Points

  • You can nominate any individual to exercise your data protection rights after your death or incapacity.
  • "Incapacity" means inability due to unsoundness of mind or infirmity of body.
  • The nominee can be anyone — there is no requirement that it be a family member.
  • The nominee can exercise all Data Principal rights under the Act.
  • The nomination process uses the same published means and identifiers as other rights requests (Rule 14).

Duties of the Data Principal (Unique to DPDP)

Section 15 of the DPDP Act 2023

Unlike most data protection laws worldwide, the DPDP Act imposes specific duties on Data Principals — including not impersonating others, not filing false grievances, and not suppressing material information. Breach of these duties can attract a penalty of up to ten thousand rupees.

Section 15 is one of the most distinctive features of the DPDP Act. Most data protection laws around the world — including the GDPR, CCPA, and LGPD — treat individuals purely as rights-holders. The DPDP Act takes a different approach: it also assigns duties to the Data Principal.

There are five duties. First, you must comply with all applicable laws while exercising your rights under the Act. Your data protection rights do not override other legal obligations.

Second, you must not impersonate another person while providing personal data to a Data Fiduciary. If you pretend to be someone else when signing up for a service or submitting a form, you are in breach of this duty.

Third, you must not suppress any material information when providing personal data for the purpose of obtaining a government-issued document. This covers applications for unique identification numbers (such as Aadhaar), proof of identity, proof of address, and similar documents. For example, if you are applying for a passport and deliberately withhold information that is relevant to your application, you are in breach.

Fourth, you must not register a false or frivolous grievance or complaint with a Data Fiduciary or the Data Protection Board. This duty is designed to prevent the misuse of grievance mechanisms — using them as a tool for harassment or to waste an organisation's resources.

Fifth, when exercising the right to correction or erasure under Section 12, you must furnish only verifiably authentic information. If you submit a correction request with false information, you are in breach of this duty.

Breach of any of these duties can attract a penalty of up to ten thousand rupees under the Act. While this amount may seem modest, the existence of duties on individuals is itself significant — it establishes the principle that data protection is a two-way relationship between organisations and individuals.

Key Points

  • The DPDP Act uniquely imposes duties on Data Principals — most data protection laws worldwide do not.
  • Duty 1: Comply with all applicable laws when exercising data protection rights.
  • Duty 2: Do not impersonate another person when providing personal data.
  • Duty 3: Do not suppress material information when providing data for government-issued documents (UIDs, identity/address proof).
  • Duty 4: Do not file false or frivolous grievances or complaints with a Data Fiduciary or the Board.
  • Duty 5: Furnish only verifiably authentic information when exercising the right to correction or erasure.
  • Penalty for breach: up to ten thousand rupees.

Disclaimer: This guide is for informational purposes only and does not constitute legal advice. It is a plain-English interpretation of the Digital Personal Data Protection Act, 2023 and the DPDP Rules, 2025. The official gazette text is the only authoritative source. Consult qualified legal counsel before making compliance decisions.