Rights of the Data Principal Under the Digital Personal Data Protection Act, 2023
Comprehensive guide to Data Principal rights including access, correction, erasure, grievance redressal, and nomination mechanisms under the DPDP Act.
The Digital Personal Data Protection Act (DPDP Act) provides for a comprehensive framework under Sections 11,12,13 and 14 which lay down the different rights of the Data Principles. These rights are a link to Article 21 of the Constitution of India as it safeguards their privacy and simultaneously empowers them with greater control over their personal data.
To find out more about your what all is a part of your sensitive personal data, read further at Understanding Sensitive Personal Data in India
The Right to Information Access (Section 11)
Section 11 of the DPDP Act provides for the right to access information about one's personal data. This right allows Data Principals to request and obtain the following information from the Data Fiduciary:
- 1. Information regarding the personal data being processed along with the summary of the processing activities.
- 2. The contact details and the identities of all other Data Fiduciaries and Data Processors with whom their data has been shared. They can also obtain a description of their data shared with such processors and Data Fiduciaries.
- 3. Any other information related to their personal data and its processing as may be prescribed in the rules
The right to information access ensures transparency as it ensures the Data Principals' visibility into how their data is being collected, used, and shared.
⚠️ Exception
However, no rights are available without exceptions. An exception to the right to information access is when the processing is authorised by the law enforcement agencies.
The Right to Correction and Erasure (Section 12)
Every Data Principal has the right to ensure that their personal data is accurate, complete and updated. Furthermore, they can also erase their data as provided under Section 12. Let us find out more about these rights.
Upon receiving a request from a Data Principal, Data Fiduciaries must:
Correct
Inaccurate or misleading personal data
Complete
Incomplete personal data
Update
Personal data as requested
The right to erasure (often called the "right to be forgotten") requires Data Fiduciaries to delete personal data. However, the data will be deleted only when the Data Principal requests the erasure of certain data. However, there are the following exceptions to this right. This means that the data may be retained by the Data Fiduciary in the following cases:
Exceptions to Right to Erasure:
- • Retention is necessary for the specified purpose for which consent was originally acquired.
- • Retention is required for complying with a law which is in force.
The Right to Grievance Redressal (Section 13)
Every Data Principle has the right to have accessible grievance redressal mechanism. This is provided for under Section 13 of the DPDP Act. In other words, whenever the rights of the Data Principals are violated by an act or omission on the part of the Data Fiduciary or the Consent Manager, they can approach the grievance redressal mechanism for dispute resolution.
Key Elements of Section 13:
- • The Data Fiduciaries and Consent Managers are required to provide the Data Principals with the "readily available means" for addressing grievances. The same is to be provided for in the consent notice.
- • They must respond to grievances within a prescribed time period.
- • Data Principals must exhaust this grievance mechanism before approaching the Data Protection Board.
This tiered approach encourages direct resolution between parties before escalating the issue to higher authorities. This enables faster and more efficient resolution of data-related disputes.
The Right to Nomination (Section 14)
The right provided for under Section 14 of the DPDP Act is unique in itself. The same has not been provided for in the GDPR, the golden law on data protection. Section 14 provides for the right to nominate another individual to exercise one's data rights in the event of death or incapacity of such a Data Principal. This right recognizes that data protection concerns extend beyond an individual's lifetime or periods of capacity, and thus upholds the dignity of a dead person.
🌟 Unique Feature
This right is unique to the DPDP Act and has not been provided for in the GDPR, making it a distinctive feature of India's data protection framework that recognizes the continuing importance of data rights even after death or incapacity.
Importance of these Rights
The right to information access, correction and erasure, nomination and grievance redressal mechanism together transforms the relationships an organisation shares with the Data Principals. It is a shift in the power dynamics from the organisations to the individuals. This is because of the following:
Increase in transparency
through information access rights
Enhanced accuracy
through correction rights
Gaining control
through erasure rights
Ensuring accountability
through grievance mechanisms
Extending protection
through nomination rights
Thus, these rights empower the Data Principles and lay down additional compliance obligations for the Data Fiduciaries.
Conclusion
The DPDP Act under Sections 11-14 of the DPDPA establishes a progressive framework that protects the rights of the Data Principals in light of Article 21 of the Indian Constitution. These rights highlight a shift in the control of data and processing of data from businesses to individuals.
As the digital economy continues to expand, these provisions will play a crucial role in building a more transparent, fair, and accountable data ecosystem in India.
Related Resources
Need Help Implementing Data Principal Rights?
Get expert guidance on establishing robust data subject rights management systems for your organization.