DPDP Grievance Redressal Mechanism

The 90-day complaint system every Indian business must publish and run under the DPDP Act 2023
shape1
shape2
shape3
shape4
shape5
shape6
shape7
shape8

What Is the DPDP Grievance Redressal Mechanism?

Under the DPDP Act, 2023, every business that handles personal data must give people a way to complain, and actually fix the problem. That is the DPDP grievance redressal mechanism: a published grievance contact, a working complaint channel, and a duty to respond and resolve within 90 days.

The right to grievance redressal is one of the data principal rights, sitting alongside access, correction, erasure, consent withdrawal, and nomination. And there is a twist that makes it even more important: before anyone can complain about you to the Data Protection Board of India, they must first exhaust your grievance route. Your mechanism is the gatekeeper, and if it works well, most issues never reach the regulator.

If it does not exist, or does not work, that itself is a violation. This page explains the requirements and how to set up a grievance workflow that runs smoothly.

Book Your Free DPDP Audit

No cost. No obligation. Get your compliance gap report.

Grievance Redressal Requirements at a Glance

RequirementWhat It Means for Your Business
Published grievance contactYour privacy notice must name a grievance contact and how to reach it, not a hidden email address buried in your T&C
90-day resolution timelineEvery grievance must be responded to and resolved within 90 days of receipt
Exhaust before the BoardUsers must go through your grievance route first, before complaining to the Data Protection Board of India
Part of data principal rightsGrievance redressal is a legal right, so ignoring a complaint is itself a DPDP violation
Board complaint procedure in the noticeYour plain-language privacy notice must explain how users can complain to the Board after exhausting your route

Remember that data principals have duties too: filing a false or frivolous complaint can cost the complainant up to ₹10,000. But that is no shield for a business with a broken complaint inbox, the burden of running a real mechanism sits squarely on you.

How to Set Up a Working Grievance Workflow

A grievance mechanism is not a mailbox, it is a process. Here are the pieces that make the 90-day clock manageable.

1. Intake Channel

Set up a dedicated email, web form, or portal for grievances, and publish it in your privacy notice. Every complaint should land in one place, not in random inboxes.

2. Ticketing & Tracking

Log every grievance with a ticket number, date received, and status. The 90-day clock starts at receipt, so you need to see exactly where every case stands.

3. Escalation Rules

Define who handles a grievance first, who it escalates to when it stalls, and at what day-count. Cases that sit unowned are the ones that blow the deadline.

4. Response Templates

Prepare templates for acknowledgment, requests for more information, and resolution. Consistent, plain-language replies save time and reduce escalations to the Board.

5. Records & Evidence

Keep records of every grievance, every reply, and every resolution date. If a complaint does reach the Board, your paper trail is what proves you honoured the right.

6. Test It End to End

A mechanism that has never been tested will fail on its first real complaint. Our free audit checks your grievance setup along with the rest of your DPDP posture.

Book Free Audit

Why Your Grievance Route Is Your First Line of Defence

Because users must exhaust your grievance mechanism first, every complaint that reaches the Data Protection Board of India is, by definition, one your business failed to resolve. The Board is active since November 2025, runs a digital complaints portal, and can impose penalties of up to ₹50 crore for general violations, with higher tiers for security and breach failures.

A fast, well-documented grievance process does two things at once: it keeps regulators out of your inbox, and it builds trust with customers who see their concerns handled properly. It also connects to your other DPDP workflows, a grievance is often really an access, correction, or erasure request in disguise, so the same tracking system should feed your retention and erasure processes and your security safeguards.

The Grievance Clock Is Already Ticking

Consent rules become mandatory on 13 November 2026 and full enforcement begins on 13 May 2027. Compliance setup takes 2-6 months, and rights-request and grievance workflows are a core part of it.

Check My Grievance Setup Free

Want the Complete DPDP Picture?

Grievance redressal is one of several user rights you must support. Our main guide covers the full DPDP Act: deadlines, penalties, checklist, roles, and all our services.

Learn Everything About DPDP Compliance

DPDP Grievance Redressal: Frequently Asked Questions

How fast must a grievance be resolved under the DPDP Act?

Within 90 days. Your grievance contact must be published in your privacy notice, and your workflow needs to track every complaint from intake to resolution within that window.

Would Your Grievance Process Survive a Real Complaint?

Our free audit reviews your grievance contact, workflow, and records against the DPDP requirements, with a gap report and fix roadmap.

Book Your Free DPDP Audit

No cost. No obligation. Get your compliance gap report.

Adri IT Software Solutions Pvt Ltd, an IT company based in Vadodara, helping businesses across Gujarat & India become DPDP-compliant before the deadline. Prefer to talk first? Let's Talk.

Disclaimer: This page is for general information only and is not legal advice. The content is based on the Digital Personal Data Protection Act, 2023 and the DPDP Rules, 2025 as published by the Government of India, explained here in simplified language. For the official text, please refer to the Ministry of Electronics and Information Technology (MeitY). Laws and deadlines may change. For a personalised assessment of your business, book a free DPDP audit with our team.