November 5, 2023

India DPDP Act Data Principal Rights and Requests

Discover the pivotal rights granted to data principals under India's Digital Personal Data Protection Act (DPDPA) and the essential steps businesses need to take to comply with these provisions. Explore the procedures for exercising these rights, the legal duties for organizations, and guidelines for meeting compliance under the groundbreaking DPDPA legislation.

The Digital Personal Data Protection Act (DPDPA) is a privacy law in India that grants data principals data privacy rights that data fiduciaries must honor. Otherwise, data fiduciaries face penalties.

In this article, we explore the rights and protections offered to data principals under the DPDP Act, a landmark legislation that is reshaping the landscape of data privacy in India. We also delve into how businesses can comply with the requests and meet the legal requirements.  

What are the DPDPA data principal rights?

Data principals, called data subjects in many data protection laws or users in everyday language, are the persons whose personal information is being processed by the data fiduciary, which is the organization that collects and processes data.

The DPDP Act imposes the data principals rights as follows:

  • The right to access their personal data. Data principals have the right to access their personal data held by data fiduciaries, including the source of the data, the purpose for which it is being processed, and the categories of data recipients. If the data fiduciary processes only email addresses, they need to tell the user what email address they hold, why they process it, how they got it, and with whom they share the email address.
  • The right to correct their personal data. Data principals have the right to have their personal data corrected if it is inaccurate or incomplete. For example, a person who changes their last name has the right to have their personal data corrected to reflect such a change.
  • The right to erasure of their personal data. Data principals have the right to have their personal data erased if it is no longer necessary for the purpose for which it was collected or processed or if the data principal withdraws their consent. It is important to note that at least one of these two requirements must be met to exercise the right to delete.
  • The right to restrict the processing of their personal data. Data principals have the right to restrict the processing of their personal data in certain circumstances. For example, if you send cold emails to data principals, they can restrict the processing by unsubscribing from your list, and you must not send them any email communication anymore.
  • The right to data portability. Data principals have the right to obtain a copy of their personal data in a structured, commonly used, and machine-readable format and to transmit that data to another data fiduciary. Such as moving your health record from one doctor to another.
  • The right to object to the processing of their personal data. Data principals have the right to object to the processing of their personal data for certain purposes. This may include objecting to processing for direct marketing purposes or for automated decision-making.
  • The right to withdraw consent: Data principals have the right to withdraw their consent to the processing of their personal data at any time. Self-explanatory. Consent managers such as Secure Privacy will provide you with a preference center where users can exercise this right.

These are the rights granted by the new data protection law. But how can users exercise those rights in practice? 

How can data principals exercise their rights under the DPDPA?

There are a few steps involved in exercising a data principal right under the DPDP Act:

  1. The data principal submits a request to the data fiduciary. The request must be in written form. It must also be clear and specific, and it must state the right that the data principal wants to exercise.
  2. Timeframe for response. Data fiduciaries must respond to the data principal's request within 30 days. The timeframe may vary depending on the complexity of the request, but it should not surpass the general timeframe of 30 days upon receiving the request.
  3. Honoring the request. Data fiduciaries must provide the data principal with the information or take the action requested unless they have a lawful basis to refuse.
  4. Not honoring the request. If the data fiduciary refuses to comply with the data principal's request, they must provide the data principal with a written explanation of their reasons for refusal.
  5. Complains to the Data Protection Board. Data principals who are not satisfied with the data fiduciary's response can file a complaint with the Data Protection Board of India. If the Board finds a violation of the law, it may impose a penalty of up to INR 50 crore, depending on the nature of the violation.

What is the 2023 India Digital Personal Data Protection Act (DPDPA), and does it apply to my business?

The India Digital Personal Data Protection Act (DPDPA) 2023 is the first-ever comprehensive data protection regulation in the country. It relies on the principles of fairness, transparency, and accountability and imposes duties and grants rights that have not been seen in India before this Act.

Every organization processing personal data within India falls under the DPDPA's scope, irrespective of its size or geographical location. Organizations based outside India handling the data of Indian residents are also subject to this law.

Some of the most important duties for business include:

  • Collecting consent for the use of cookies
  • Provide users with a privacy notice 
  • Ensuring that international data transfers are lawful
  • Ensuring that the data processors are also compliant with the law
  • Honoring data principal rights
  • Appoint a Data Protection Officer, for some companies
  • Notify data breaches and others.

How do I comply with Data Privacy Requests under the new Digital Personal Data Protection Bill?

It is necessary to establish an internal procedure for receiving and responding to requests. It doesn't have to be a complex procedure, but it helps a lot if you know in advance who will receive the request and act on it. That person should be trained on data principal rights and the DPDPA in general.

Honoring the requests is not complex work, and it helps you build trust with your customers by being transparent with them. Responding to them is not a choice but a duty. However, this duty brings more good than harm to your organization, so make sure you have your procedures in place and streamline the process.

Start your Free Trial