Data Principal Rights Under DPDP Act: What Your Customers Can Demand

Until recently, an Indian customer who wanted to know what data a company held on her had little real recourse. The Digital Personal Data Protection Act, 2023 changes that. The Act gives every “data principal” — your user, employee, or customer — a clear bundle of rights, and it places the burden of honouring those rights squarely on you, the data fiduciary.

For startup founders, this is more than a legal formality. The first time a user emails you saying “Please delete all my data” or “Send me a copy of everything you hold on me,” your team needs to know exactly what to do, by when, and through which channel. Here is what your customers can demand — and how to be ready.

Right to Information About Personal Data

Under Section 11 of the Act, a data principal who has previously given consent has the right to obtain from the data fiduciary:

  • A summary of the personal data being processed and the processing activities undertaken.
  • The identities of all other data fiduciaries and data processors with whom the personal data has been shared, along with a description of the data shared.
  • Any other information related to her personal data and its processing, as may be prescribed.

In practice, this means a SaaS startup must be able to generate a user-readable report on demand, sourced from systems that are often distributed across the product database, analytics tools, CRM, and support helpdesk.

Right to Correction and Erasure

Section 12 grants a data principal the right to ask for correction, completion, updating, and erasure of her personal data. The fiduciary must:

  • Correct inaccurate or misleading personal data.
  • Complete incomplete data.
  • Update data that is out of date.
  • Erase personal data that is no longer necessary for the purpose for which it was processed, unless retention is required by law.

Erasure deserves special attention. Many startups hold years of dormant user data in production databases, backups, log archives, and third-party tools. A request to erase must reach all of these systems — not just the primary user table.

Right of Grievance Redressal

Section 13 entitles every data principal to a “readily available means of grievance redressal.” The fiduciary (or its consent manager) must respond to the grievance within a period that will be prescribed in the rules — likely a short, defined window.

The data principal must exhaust the fiduciary’s grievance process before approaching the Data Protection Board. This makes your internal grievance process the first line of defence; weak handling here can quickly escalate into a Board complaint.

  • Designate a grievance officer: name a real person, publish her email and contact details on your website, and ensure she has authority to coordinate with engineering, legal, and customer support.
  • Set internal SLAs: aim well below any prescribed timeline. A 7-day target is a sensible default until the rules clarify the period.
  • Maintain a register: log every grievance, the action taken, and the outcome. This will be your evidence in any inquiry.

Right to Nominate

Section 14 introduces a uniquely Indian provision: a data principal may nominate any other individual to exercise her rights in the event of her death or incapacity. This is a thoughtful piece of drafting that aligns with how Indian families manage personal affairs.

For a startup, this means your account-management settings should include a nomination flow. When a user dies, you must be prepared to interact with the nominee — not the legal heir or a family member without standing — to honour outstanding rights.

Duties of the Data Principal

Rights come with responsibilities. Section 15 obliges data principals to:

  • Comply with applicable laws while exercising their rights.
  • Refrain from impersonating another person while providing personal data.
  • Not suppress material information when providing personal data for a document or identifier.
  • Not register false or frivolous grievances or complaints.
  • Furnish only verifiably authentic information when seeking correction or erasure.

A startup may, in genuine cases, push back on frivolous or vexatious requests, though it should do so carefully and document its reasons.

How Should Startups Build a Response Mechanism?

A data-rights program is part legal, part engineering, part operations. A practical blueprint:

  1. Build a unified user-data API. A single internal endpoint that, given a verified user ID, can fetch, export, correct, or erase data across systems. Without this plumbing, every request becomes a fire drill.
  2. Authenticate the requester. Confirm the request comes from the actual data principal (or her nominee/guardian). Identity verification protects you from impersonation and fraud.
  3. Define a workflow. A ticketing pipeline — intake, verification, action, response, closure — with named owners at each step.
  4. Train support and engineering. Front-line teams must recognise a rights request even if the user does not use the legal vocabulary. “Please delete my account” is an erasure request.
  5. Document everything. Keep audit logs and evidence of each step taken; in a Board inquiry, you will be asked to produce them.
  6. Communicate clearly. Use plain English. Confirm receipt, give realistic timelines, and explain any limited exceptions (e.g., legally required retention).

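A minimal sketch of the first, second and fifth steps of that blueprint, added here as an illustration and not code from the article or any product: one internal service that checks the requester's verification token, fans a Section 11 export or Section 12 erasure out to every registered system (processors included, with a retain-by-law flag for records that must survive), and writes each action to an audit register. The `Store`, `RightsService` and `sample_service` names, the token map, and the sample systems are assumptions constructed for the example.

```python
"""Added example: one internal rights endpoint that fans out to every registered store."""
import hmac
from dataclasses import dataclass, field
from datetime import datetime, timezone

@dataclass  # one system holding personal data: product DB, CRM, helpdesk, a processor
class Store:
    name: str
    records: dict = field(default_factory=dict)  # user_id -> personal data held here
    retain_by_law: bool = False  # e.g. invoices that tax law requires you to keep
    def erase(self, uid):
        return self.records.pop(uid, None) is not None

class RightsService:
    def __init__(self, stores, verified):
        self.stores = stores      # every store, processors and sub-processors included
        self.verified = verified  # user_id -> one-time token issued after identity checks
        self.register = []        # audit register: the evidence in any Board inquiry

    def _log(self, uid, action, detail):
        self.register.append((datetime.now(timezone.utc).isoformat(), uid, action, detail))

    def _check(self, uid, token, action):
        expected = self.verified.get(uid)
        if expected is None or not hmac.compare_digest(expected, token):
            self._log(uid, action, "rejected: requester not verified")
            raise PermissionError("requester not verified")

    def export(self, uid, token):
        """Section 11: what is held on the user, per system that holds it."""
        self._check(uid, token, "export")
        report = {s.name: s.records[uid] for s in self.stores if uid in s.records}
        self._log(uid, "export", f"report covering {len(report)} systems")
        return report

    def erase(self, uid, token):
        """Section 12: erase everywhere except where retention is required by law."""
        self._check(uid, token, "erase")
        erased = [s.name for s in self.stores if not s.retain_by_law and s.erase(uid)]
        retained = [s.name for s in self.stores if s.retain_by_law and uid in s.records]
        leftover = [s.name for s in self.stores if not s.retain_by_law and uid in s.records]
        self._log(uid, "erase", f"erased={erased} retained={retained} leftover={leftover}")
        return {"erased_from": erased, "retained_by_law": retained, "leftover": leftover}

def sample_service():  # constructed sample systems and user, not data from a real deployment
    stores = [Store("product_db", {"u1": {"email": "a@example.test"}}),
              Store("analytics_processor", {"u1": {"events": 3}}),
              Store("billing", {"u1": {"invoice": "INV-1"}}, retain_by_law=True)]
    return RightsService(stores, {"u1": "token-after-id-check"})
```

A non-empty `leftover` list after an erasure is the signal that a system (typically a processor) was not wired into the fan-out, which is exactly the propagation gap listed under common mistakes below.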
Common Mistakes to Avoid

  • Treating account deletion as merely “deactivation” — leaving live data behind in databases.
  • Forgetting to propagate erasure requests to processors and sub-processors.
  • Hiding the grievance officer’s contact details deep inside terms or behind a helpdesk wall.
  • Asking for excessive identity verification that frustrates the rights process.
  • Failing to keep evidence of when and how requests were handled.

Conclusion: Rights Are a Trust Signal

Honoured well, data-principal rights become a powerful trust signal. Startups that respond quickly, transparently, and respectfully build loyal users and resilient brands. Those who treat rights as friction — or worse, as a problem to ignore — invite both customer churn and regulatory action.

Need help building a data-rights playbook tailored to your product? Get in touch for a workflow design, grievance-officer template, and DPDP-aligned response policy.