

Under the DPDP Act, 2023, every business that handles personal data must give people a way to complain, and actually fix the problem. That is the DPDP grievance redressal mechanism: a published grievance contact, a working complaint channel, and a duty to respond and resolve within 90 days.
The right to grievance redressal is one of the data principal rights, sitting alongside access, correction, erasure, consent withdrawal, and nomination. And there is a twist that makes it even more important: before anyone can complain about you to the Data Protection Board of India, they must first exhaust your grievance route. Your mechanism is the gatekeeper, and if it works well, most issues never reach the regulator.
If it does not exist, or does not work, that itself is a violation. This page explains the requirements and how to set up a grievance workflow that runs smoothly.
No cost. No obligation. Get your compliance gap report.
| Requirement | What It Means for Your Business |
|---|---|
| Published grievance contact | Your privacy notice must name a grievance contact and how to reach it, not a hidden email address buried in your T&C |
| 90-day resolution timeline | Every grievance must be responded to and resolved within 90 days of receipt |
| Exhaust before the Board | Users must go through your grievance route first, before complaining to the Data Protection Board of India |
| Part of data principal rights | Grievance redressal is a legal right, so ignoring a complaint is itself a DPDP violation |
| Board complaint procedure in the notice | Your plain-language privacy notice must explain how users can complain to the Board after exhausting your route |
Remember that data principals have duties too: filing a false or frivolous complaint can cost the complainant up to ₹10,000. But that is no shield for a business with a broken complaint inbox, the burden of running a real mechanism sits squarely on you.
A grievance mechanism is not a mailbox, it is a process. Here are the pieces that make the 90-day clock manageable.
Set up a dedicated email, web form, or portal for grievances, and publish it in your privacy notice. Every complaint should land in one place, not in random inboxes.
Log every grievance with a ticket number, date received, and status. The 90-day clock starts at receipt, so you need to see exactly where every case stands.
Define who handles a grievance first, who it escalates to when it stalls, and at what day-count. Cases that sit unowned are the ones that blow the deadline.
Prepare templates for acknowledgment, requests for more information, and resolution. Consistent, plain-language replies save time and reduce escalations to the Board.
Keep records of every grievance, every reply, and every resolution date. If a complaint does reach the Board, your paper trail is what proves you honoured the right.
A mechanism that has never been tested will fail on its first real complaint. Our free audit checks your grievance setup along with the rest of your DPDP posture.
Book Free AuditBecause users must exhaust your grievance mechanism first, every complaint that reaches the Data Protection Board of India is, by definition, one your business failed to resolve. The Board is active since November 2025, runs a digital complaints portal, and can impose penalties of up to ₹50 crore for general violations, with higher tiers for security and breach failures.
A fast, well-documented grievance process does two things at once: it keeps regulators out of your inbox, and it builds trust with customers who see their concerns handled properly. It also connects to your other DPDP workflows, a grievance is often really an access, correction, or erasure request in disguise, so the same tracking system should feed your retention and erasure processes and your security safeguards.
Consent rules become mandatory on 13 November 2026 and full enforcement begins on 13 May 2027. Compliance setup takes 2-6 months, and rights-request and grievance workflows are a core part of it.
Check My Grievance Setup FreeGrievance redressal is one of several user rights you must support. Our main guide covers the full DPDP Act: deadlines, penalties, checklist, roles, and all our services.
Learn Everything About DPDP ComplianceWithin 90 days. Your grievance contact must be published in your privacy notice, and your workflow needs to track every complaint from intake to resolution within that window.
No. A data principal must first exhaust your grievance redressal mechanism before escalating to the Data Protection Board of India. That makes your internal workflow the first line of defence, when it works, most issues never reach the regulator.
Yes. It sits alongside access, correction, erasure, consent withdrawal, and nomination as one of the data principal rights under the DPDP Act. Failing to honour it counts as a violation.
A published grievance contact, a clear intake channel, a ticketing or tracking system, escalation rules, response templates, and records of every grievance and its resolution, all designed to close each case within 90 days.
Our free audit reviews your grievance contact, workflow, and records against the DPDP requirements, with a gap report and fix roadmap.
Book Your Free DPDP AuditNo cost. No obligation. Get your compliance gap report.
Adri IT Software Solutions Pvt Ltd, an IT company based in Vadodara, helping businesses across Gujarat & India become DPDP-compliant before the deadline. Prefer to talk first? Let's Talk.
Disclaimer: This page is for general information only and is not legal advice. The content is based on the Digital Personal Data Protection Act, 2023 and the DPDP Rules, 2025 as published by the Government of India, explained here in simplified language. For the official text, please refer to the Ministry of Electronics and Information Technology (MeitY). Laws and deadlines may change. For a personalised assessment of your business, book a free DPDP audit with our team.