Understanding Data Principal Rights Under DPDPA, 2023 and Draft DPDP Rules, 2025

Article by Tsaaro

Introduction:

Data protection laws worldwide empower individuals, referred to as ‘Data Subjects’ under the GDPR or ‘Data Principals’ under India’s Digital Personal Data Protection Act (DPDPA), 2023, with a range of significant privacy rights. These rights are designed to ensure individuals maintain control over their personal data shared with organizations for accessing services. By exercising these rights, individuals can demand transparency, accountability, and fairness in how their data is collected, processed, and shared—safeguarding their privacy, preventing misuse, and fostering trust in the digital ecosystem.

India’s Digital Personal Data Protection Act (DPDP), 2023 recognizes the importance of these rights, granting Data Principals the power to oversee and manage how their data is processed. To facilitate the practical implementation of these rights, the Ministry of Electronics and Information Technology (MeitY) has published the draft of Digital Personal Data Protection Rules, 2025 (DPDP Rules). Released for public consultation on January 3, 2025, these draft rules outline the processes and mechanisms by which Data Principals can exercise their rights effectively.

This blog explores the rights granted under the DPDP Act, delves into the key provisions of the draft DPDP Rules, and examines how these frameworks empower Data Principals to protect their data in a digitally-driven world.

Overview of Data Principal Rights under the DPDP Act:

According to the Justice Srikrishna Committee Report, in order to establish a strong data protection law, it is crucial to empower Data Principals to enforce their rights against the concerned Data Fiduciaries. These rights are founded on innovative principles such as self-determination, autonomy, transparency, and accountability. This approach aligns with the concept of Data Principals having sovereign control over their personal information.

Chapter III of the DPDPA (Sections 11 to 14) provides several rights to the data principal. These rights include the Right to access information about personal data, the Right to correction and erasure of personal data, the Right of grievance redressal, and the Right to nominate. Therefore, the Act promotes transparency, accountability, and self-determination while ensuring that Data Principals can actively manage their personal information and address any concerns or issues that may arise during its processing. In the following sub-section, we will briefly discuss the rights of the data principals in the Act.

  • Right to Access Information: Section 11 of the DPDP Act empowers Data Principals with the right to access detailed information about their personal data. They can request a summary of the personal data being processed, details of the processing activities, and the identity of data processors and fiduciaries involved. Additionally, other prescribed information related to the processing of their data can also be requested. However, this right has certain limitations, particularly in cases where data sharing is legally authorized for purposes such as preventing or prosecuting cyber offenses.

  • Right to Correction and Erasure: Section 12 provides that Data Fiduciaries are obligated to act on requests from Data Principals to correct inaccurate or misleading data, update or complete incomplete data, or erase personal data, unless retention is mandated by law. This right ensures that Data Principals can maintain accurate and up-to-date personal information and safeguards against the misuse of obsolete or incorrect data.

  • Right to Grievance Redressal: Section 13 of the DPDP Act ensures that Data Principals have access to effective grievance redressal mechanisms provided by Data Fiduciaries or Consent Managers. These mechanisms address issues related to the processing of personal data or the exercise of Data Principals’ rights under the Act. Data Fiduciaries or Consent Managers are required to respond to grievances within a prescribed timeframe, ensuring timely resolution. Importantly, the Act mandates that Data Principals must exhaust these redressal opportunities before escalating their complaints to the Data Protection Board, promoting an efficient and structured approach to resolving disputes.

  • Right to Nominate: Section 14 of the DPDP Act grants Data Principals the right to nominate another individual who, in the event of the Data Principal’s death or incapacity, can exercise their rights under the Act. The nomination process will be prescribed by rules. The term “incapacity” refers to the inability of the Data Principal to exercise their rights due to unsoundness of mind or physical infirmity. This provision ensures that Data Principals’ rights are protected and can be exercised even in situations where they are unable to do so themselves.

These rights, as outlined in the DPDP Act, collectively empower Data Principals to maintain control over their personal data, enhance transparency in data processing, and ensure accountability in the evolving landscape of digital privacy.

Draft DPDP Rules, 2025: Operationalizing Data Principal Rights:

To enable Data Principals to exercise their rights, the draft DPDP Rules provide further clarity. Rule 13 of the draft DPDP Rules outlines measures for both Data Fiduciaries and Consent Managers to follow in order to facilitate Data Principals’ exercise of their rights.

  • Right to Access Information: Section 11 of the DPDPA gives Data Principals the right to access information. To support this, Rule 13(1) of the draft DPDP Rules requires Data Fiduciaries and Consent Managers (if involved) to publish clear instructions on their websites or apps about how Data Principals can exercise their rights under the Act. They must also provide certain specific details to individuals, like a username or customer ID, to identify the Data Principal as per their terms of service. Rule 13(5) explains that an “identifier” is any unique number or code provided by the Data Fiduciary, such as a customer ID, enrolment number, or reference number. This system helps ensure Data Principals can easily and securely manage their personal data.

  • Right to data deletion/erasure: For the Right to Access Information and Right to Erasure under Section 12 of the Act, Rule 13(2) establishes that Data Principals can request their data or its erasure from the Data Fiduciary to whom they have given consent for processing their personal data, using the means and furnishing the particulars published by that Data Fiduciary for the exercise of such rights.

  • Grievance Redressal: To support the Right to Grievance Redressal (as per Section 13 of the Act), Rule 13(3) provides that Data Fiduciaries and Consent Managers must disclose on their platforms the timeframes for responding to the grievances of Data Principals. They are also required to implement adequate technical and organizational measures to ensure that grievances are addressed within the prescribed time, further promoting accountability and effective dispute resolution.

  • Right to Nominate: Regarding the Right to Nominate (outlined in Section 14 of the Act), Rule 13(4) allows Data Principals to nominate one or more individuals to exercise their rights in the event of their death or incapacity. The means and requirements for making such nominations must also be provided by the Data Fiduciary according to their terms of service. 

Therefore, these provisions, when put into practice, further empower Data Principals by providing clear processes and accessible means for them to exercise their rights under the DPDP Act, while also holding Data Fiduciaries accountable for the timely and transparent handling of personal data.

Empowering Data Principals: What Lies Ahead for Organizations:

Though the DPDP Rules are still in draft form for public consultation, they provide clear guidance to organizations on how to get ready to comply with the DPDP Act, 2023 and avoid penalties.

To stay compliant with the requirements of the law:

  • Organizations must maintain transparency in collecting data by providing clear privacy policies on how the personal data of individuals is collected, used, and processed. This will not only help in avoiding penalties but also in gaining consumers’ trust.

  • Organizations can begin with data mapping to help individuals exercise their privacy rights. By tracking and documenting the flow of personal data across systems, departments, and third-party vendors, organizations create transparency that enables quick and accurate responses to Data Principal queries about data types, processing purposes, and parties involved. Clear data mapping ensures that organizations can efficiently uphold Data Principals’ rights, such as access, rectification, and erasure, allowing individuals to exercise their rights effectively and with minimal delay.

  • Organizations must put modalities in place that allow Data Principals to exercise their rights, like accessing, correcting, or deleting their data. One of the key responsibilities of organizations under the Act is the establishment of an effective grievance redressal mechanism. Data Principals must have access to an accessible and quick system for addressing any issues or complaints related to the processing of their data. Organizations need to establish clear timelines for responding to grievances and ensure that unresolved complaints are escalated appropriately, in line with the DPDP Act’s provisions.

  • Organizations should focus on training employees on the requirements of the DPDP Act and data management processes. This will ensure that the staff is responsible in handling personal data. 

  • Lastly, organizations should foster a culture of data protection across all their departments. Privacy should be considered at every step of data collection, processing, and storage. This proactive approach to data protection will not only ensure legal compliance but also enhance customer loyalty and reputation by showing a commitment to safeguarding personal data.

Conclusion:

As India moves towards stronger data protection with the DPDP Act and the draft DPDP Rules, organizations play a crucial role in empowering Data Principals by implementing transparent data practices, efficient systems for exercising rights, and robust grievance mechanisms. By proactively adopting these measures, organizations not only ensure compliance but also build trust with consumers, demonstrating their commitment to data protection and privacy. Embracing these guidelines will not only help organizations stay ahead of regulatory requirements but also strengthen relationships with customers in an increasingly data-driven world.
