

Under the DPDP Act, every individual whose data you hold, whether a customer, employee, student, or patient, is a Data Principal with legally enforceable rights. These data principal rights are not optional courtesies: your business, as the Data Fiduciary, must have working processes to honour every one of them.
Interestingly, the Act also puts duties on individuals, with a ₹10,000 fine for false or frivolous complaints, something GDPR does not do. Here is what both sides of that equation look like.
No cost. No obligation. Get your compliance gap report.
A summary of the personal data you hold about them, plus a list of everyone it has been shared with.
Fixing inaccurate data, completing incomplete data, and updating outdated records on request.
Deletion of their data once the purpose is served or consent is withdrawn, across your systems and your vendors'.
A response and resolution within 90 days. They must use your grievance process before escalating to the Data Protection Board.
Naming a representative who can exercise their rights in case of death or incapacity.
Anytime, and withdrawal must be as easy as giving consent. See how this ties into DPDP consent management.
Rights come with responsibilities. The Act requires individuals to:
A false or frivolous complaint can attract a fine of ₹10,000. This protects businesses from abuse of the complaint system, but only if you keep proper records that show you did things right.
Honouring these rights takes working workflows, not good intentions. You need:
Building these rights-request workflows is a standard part of DPDP implementation, and something we set up for clients regularly.
Consent rules become mandatory on 13 November 2026 and full enforcement begins on 13 May 2027. Building rights and grievance workflows takes time, part of the 2-6 months a full compliance setup needs.
Rights are one chapter of the Act. Our main guide covers consent, penalties, breach reporting, deadlines, and how to get compliant.
Learn Everything About DPDP ComplianceSix rights: access to a summary of their data and who it is shared with, correction, erasure, grievance redressal within 90 days, nomination of a representative in case of death or incapacity, and consent withdrawal anytime.
Yes. They must not impersonate anyone, must not give false information, and must not file frivolous complaints. A false or frivolous complaint can attract a ₹10,000 fine.
Within 90 days. Individuals must exhaust your grievance process before they can escalate a complaint to the Data Protection Board of India, so a working grievance workflow is your first line of defence.
With working workflows: a published contact point, requester verification, processes to compile summaries and correct or erase records across all systems and vendors, and a tracked grievance queue with a 90-day guarantee. Good intentions without systems will not satisfy the Board.
If a customer asked for their data summary or deletion tomorrow, would your systems cope? Our free audit tells you.
Book Your Free DPDP AuditNo cost. No obligation. Get your compliance gap report.
Adri IT Software Solutions Pvt Ltd, an IT company based in Vadodara, helping businesses across Gujarat & India become DPDP-compliant before the deadline. Prefer to talk first? Let's Talk.
Disclaimer: This page is for general information only and is not legal advice. The content is based on the Digital Personal Data Protection Act, 2023 and the DPDP Rules, 2025 as published by the Government of India, explained here in simplified language. For the official text, please refer to the Ministry of Electronics and Information Technology (MeitY). Laws and deadlines may change. For a personalised assessment of your business, book a free DPDP audit with our team.