Data Principal Rights Under DPDP

The 6 rights your customers now hold, and what your business must do about them
shape1
shape2
shape3
shape4
shape5
shape6
shape7
shape8

Data Principal Rights Under the DPDP Act: What Your Customers Can Now Demand

Under the DPDP Act, every individual whose data you hold, whether a customer, employee, student, or patient, is a Data Principal with legally enforceable rights. These data principal rights are not optional courtesies: your business, as the Data Fiduciary, must have working processes to honour every one of them.

Interestingly, the Act also puts duties on individuals, with a ₹10,000 fine for false or frivolous complaints, something GDPR does not do. Here is what both sides of that equation look like.

Book Your Free DPDP Audit

No cost. No obligation. Get your compliance gap report.

The 6 Data Principal Rights

1. Right to Access

A summary of the personal data you hold about them, plus a list of everyone it has been shared with.

2. Right to Correction

Fixing inaccurate data, completing incomplete data, and updating outdated records on request.

3. Right to Erasure

Deletion of their data once the purpose is served or consent is withdrawn, across your systems and your vendors'.

4. Right to Grievance Redressal

A response and resolution within 90 days. They must use your grievance process before escalating to the Data Protection Board.

5. Right to Nominate

Naming a representative who can exercise their rights in case of death or incapacity.

6. Right to Withdraw Consent

Anytime, and withdrawal must be as easy as giving consent. See how this ties into DPDP consent management.

Duties of Data Principals

Rights come with responsibilities. The Act requires individuals to:

  • Not impersonate another person when providing data
  • Not suppress or give false information
  • Not file false or frivolous complaints or grievances

A false or frivolous complaint can attract a fine of ₹10,000. This protects businesses from abuse of the complaint system, but only if you keep proper records that show you did things right.

How Your Business Must Handle Requests

Honouring these rights takes working workflows, not good intentions. You need:

  • A published grievance contact your customers can find
  • A way to verify who is making the request
  • Processes to compile data summaries and fix or erase records, including at your vendors
  • A tracked grievance queue that guarantees resolution within 90 days
  • Records proving every request was handled properly

Building these rights-request workflows is a standard part of DPDP implementation, and something we set up for clients regularly.

Rights Requests Will Start Coming

Consent rules become mandatory on 13 November 2026 and full enforcement begins on 13 May 2027. Building rights and grievance workflows takes time, part of the 2-6 months a full compliance setup needs.

Want the Complete DPDP Picture?

Rights are one chapter of the Act. Our main guide covers consent, penalties, breach reporting, deadlines, and how to get compliant.

Learn Everything About DPDP Compliance

Data Principal Rights: Frequently Asked Questions

What rights do Data Principals have under the DPDP Act?

Six rights: access to a summary of their data and who it is shared with, correction, erasure, grievance redressal within 90 days, nomination of a representative in case of death or incapacity, and consent withdrawal anytime.

Could You Honour a Rights Request Today?

If a customer asked for their data summary or deletion tomorrow, would your systems cope? Our free audit tells you.

Book Your Free DPDP Audit

No cost. No obligation. Get your compliance gap report.

Adri IT Software Solutions Pvt Ltd, an IT company based in Vadodara, helping businesses across Gujarat & India become DPDP-compliant before the deadline. Prefer to talk first? Let's Talk.

Disclaimer: This page is for general information only and is not legal advice. The content is based on the Digital Personal Data Protection Act, 2023 and the DPDP Rules, 2025 as published by the Government of India, explained here in simplified language. For the official text, please refer to the Ministry of Electronics and Information Technology (MeitY). Laws and deadlines may change. For a personalised assessment of your business, book a free DPDP audit with our team.