Section 11 of the Digital Personal Data Protection Act, 2023
Data Subject Access Request, Access to personal data, Data Fiduciary, Data Principal
The Digital Personal Data Protection Act of 2023, (DPDP Act) establishes a framework for the handling of personal data in India. One of the core components of the DPDP Act is the rights and duties of the Data Principal and the Data Fiduciary.
Chapter III of the DPDP Act outlines the rights and duties of the Data Principal. These rights are designed to empower individuals and give them control over their personal data. Section 11 of the DPDP Act provides for the right to access information about the personal data of the Data Principal.
As per Section 11(1) of the DPDP Act, the Data Principal possesses the right to request from the Data Fiduciary, to whom prior consent was granted, information pertaining to the processing of their personal data. Such requests shall be made in the prescribed manner as stipulated within the Digital Personal Data Protection Rules, 2025 (DPDP Rules).
Details that can be obtained upon request:
- Under Section11(1)(a) of the DPDP Act: A comprehensive summary of the personal data processed by the Data Fiduciary and the processing activities conducted in relation to said data can be requested.
- Pursuant to Section 11(1)(b) of the DPDP Act: The identification of all other Data Fiduciaries and Data Processors with whom the personal data has been shared, along with a detailed description of the shared data can be sought.
- According to Section 11(1)(c) of the DPDP Act: Any additional information pertaining to the personal data of the Data Principal and its processing can be requested.
According to Section 11(2) of the DPDP Act, the disclosure of personal data by a Data Fiduciary to another Data Fiduciary, legally authorized to receive such data, upon written request, is permissible for the purposes of prevention, detection, or investigation of offenses or cyber incidents, as well as for the prosecution or punishment of offenses.
In such an instance, the identity and description of personal data shared with the said Data Fiduciary shall not be disclosed to the Data Principal exercising its right under Section 11(1)(b) of the DPDP Act.
As per Rule 13 of the DPDP Rules, to facilitate the exercise of rights under the Digital Personal Data Protection Act, Data Fiduciaries and the Consent Manager, are required to publish the following information on their website or application, or both:
- A detailed description of the grievance redressal mechanism through which Data Principals may submit a request via the website or application.
- Specification of any necessary information, such as usernames or other identification data, needed to authenticate the Data Principal according to the terms of service published on the website or application.
Pursuant to Rule 13(5) of the DPDP Act, an "identifier" is defined as any series of characters designated by the Data Fiduciary to uniquely identify a Data Principal. This may include, but is not limited to, a customer identification file number, customer acquisition form number, application reference number, enrollment ID, or license number, provided such identifier facilitates the aforementioned identification.
Section 11 of the Digital Personal Data Protection Act, 2023 (DPDP Act) grants Data Principals the right to access information regarding the processing of their personal data by Data Fiduciaries. This includes requesting a summary of processed data, identification of shared data recipients, and any additional relevant information. However, certain requests may be denied under specific circumstances, such as when disclosure would impede investigations or prosecutions. Data Fiduciaries are required to provide a clear process for submitting data requests through their websites or applications, including authentication requirements.
Get Started with Data> Nuance
Reach out to Data> Nuance to ensure compliance with the provisions of the DPDPA and ensure your practices meet legal standards while safeguarding your business from regulatory penalties. Let's make compliance effortless—before regulators make it expensive!