Data Privacy Rights Under the DPDP Act 2023 — What Indian Citizens Should Know

By Advocate Akhil Singh

Tags: dpdp act 2023, digital personal data protection, data privacy, data principal rights, data fiduciary, data protection board, puttaswamy, lucknow, uttar-pradesh, india

This article is for educational and legal awareness purposes only. It does not constitute legal advice or solicitation. Please consult a qualified advocate for advice on specific legal matters.

Introduction

The Digital Personal Data Protection Act, 2023 (Act No. 22 of 2023) — the DPDP Act — is India’s first comprehensive statute on digital personal data processing, enacted in response to Justice K.S. Puttaswamy v. Union of India, (2017) 10 SCC 1. The Digital Personal Data Protection Rules, 2025 were notified by the Ministry of Electronics and Information Technology on 14 November 2025, operationalising the Act in three phases (Phase 1 effective from notification; Phase 2 one year later; Phase 3 eighteen months later, by approximately mid-May 2027). This article outlines the rights of a Data Principal (access, correction/erasure, grievance redressal, nomination), the obligations on Data Fiduciaries, the heightened protections for children’s data, and the Data Protection Board of India as the primary enforcement authority.

Constitutional Background — Puttaswamy

In Justice K.S. Puttaswamy v. Union of India, (2017) 10 SCC 1, a nine-Judge Bench of the Supreme Court held that the right to privacy is a fundamental right under Articles 14, 19, and 21 of the Constitution. The Court recognised informational privacy as an integral facet of the right to privacy and held that any restriction must satisfy the tests of legality, necessity, proportionality, and procedural safeguards. The DPDP Act is the legislative response to Puttaswamy’s direction that Parliament enact a robust data protection framework.

Scope and Application — Section 3

The DPDP Act applies to:

  • The processing of digital personal data within the territory of India where the personal data is collected in digital form or in non-digital form and digitised subsequently.
  • The processing of digital personal data outside the territory of India if such processing is in connection with any activity related to offering of goods or services to Data Principals within India.

The Act does not apply to:

  • Personal data processed by an individual for any personal or domestic purpose.
  • Personal data that is made or caused to be made publicly available by the Data Principal to whom it relates, or by any other person under a legal obligation.

Key Definitions — Section 2

  • Data Principal — the individual to whom the personal data relates. Where the individual is a child (below 18) or a person with disability who has a lawful guardian, the parent or lawful guardian is included.
  • Data Fiduciary — any person who, alone or in conjunction with other persons, determines the purpose and means of processing of personal data.
  • Data Processor — any person who processes personal data on behalf of a Data Fiduciary.
  • Personal data — any data about an individual who is identifiable by or in relation to such data.
  • Processing — a wholly or partly automated operation or set of operations performed on digital personal data, including collection, recording, organisation, structuring, storage, adaptation, retrieval, use, alignment, indexing, disclosure, dissemination, restriction, erasure, and destruction.

Grounds for Processing — Sections 4 to 7

A Data Fiduciary may process the personal data of a Data Principal only:

  1. For a lawful purpose; and
  2. Either:
    • On the basis of the consent of the Data Principal (Section 6); or
    • For certain legitimate uses specified in Section 7.

Consent must be:

  • Free — given voluntarily, without coercion.
  • Specific — to the purpose for which the data is processed.
  • Informed — preceded by a clear notice describing the personal data, the purpose, and the manner of exercise of rights.
  • Unconditional — not bundled with unrelated terms.
  • Unambiguous — through a clear affirmative action.

A request for consent must be in clear and plain language, with the option to access the request in English or any of the languages specified in the Eighth Schedule to the Constitution.

The Data Principal has the right to withdraw consent at any time, with ease comparable to that with which consent was given. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal.

Legitimate Uses — Section 7

Section 7 lists specific situations where personal data may be processed without consent, including:

  • Where the Data Principal has voluntarily provided personal data for a specified purpose and has not indicated otherwise (for example, sharing a phone number during a transaction);
  • For the performance of any function of the State under any law, or for the provision of subsidy, benefit, service, certificate, licence, or permit;
  • For compliance with any judgment, decree, or order issued under any law;
  • For responding to a medical emergency involving a threat to life or immediate threat to health;
  • For taking measures to provide medical treatment or health services during an epidemic, outbreak of disease, or any other threat to public health;
  • For taking measures to ensure safety during disaster or breakdown of public order;
  • For purposes of employment, including safeguarding the employer from loss or liability;
  • Where processing is necessary for mergers and acquisitions, subject to approval of the competent authority.

Notice — Section 5

Before or at the time of requesting consent, a Data Fiduciary must give a clear notice to the Data Principal containing:

  • An itemised description of the personal data and the purpose for which it is to be processed;
  • The manner in which the Data Principal may exercise the rights under Sections 11 to 14;
  • The manner in which the Data Principal may make a complaint to the Data Protection Board.

For data collected before the Act came into force, the Data Fiduciary must, as soon as it is reasonably practicable, give a similar notice — including a description of past data and information about ongoing processing.

Obligations of a Data Fiduciary — Sections 8 to 10

A Data Fiduciary must:

  • Process personal data only for the purpose notified to the Data Principal;
  • Ensure the completeness, accuracy, and consistency of personal data used for decisions affecting the Data Principal;
  • Implement reasonable security safeguards to prevent personal data breach;
  • Notify the Data Protection Board and each affected Data Principal of any personal data breach in such form and manner as prescribed;
  • Erase personal data when the purpose for which it was collected is no longer served, or when the Data Principal withdraws consent, unless retention is required by law;
  • Ensure that any Data Processor engaged by it processes personal data only under a valid contract and in accordance with the Act;
  • Publish the contact details of a Data Protection Officer or a person designated to respond to communications from Data Principals.

Significant Data Fiduciaries — Section 10

The Central Government may notify any Data Fiduciary or class of Data Fiduciaries as Significant Data Fiduciaries (SDFs) based on factors such as volume and sensitivity of personal data processed, risk to the rights of Data Principals, risk to electoral democracy, security of the State, and public order. SDFs have additional obligations:

  • Appoint a Data Protection Officer based in India who reports to the Board of Directors or equivalent body;
  • Appoint an independent data auditor to carry out periodic data audits;
  • Conduct periodic Data Protection Impact Assessments.

Rights of the Data Principal — Sections 11 to 14

The DPDP Act confers four principal rights on the Data Principal:

1. Right to Access Information — Section 11

A Data Principal has the right to obtain from the Data Fiduciary:

  • A summary of personal data being processed and the processing activities undertaken;
  • The identities of all other Data Fiduciaries and Data Processors with whom the personal data has been shared, along with a description of the data shared;
  • Any other information related to the personal data and its processing.

2. Right to Correction and Erasure — Section 12

A Data Principal has the right to:

  • Request correction of inaccurate or misleading personal data;
  • Request completion of incomplete personal data;
  • Request updating of personal data;
  • Request erasure of personal data that is no longer necessary for the purpose for which it was processed, unless retention is required by law.

On receipt of such a request, the Data Fiduciary must take action within a reasonable time.

3. Right to Grievance Redressal — Section 13

A Data Principal has the right to have access to a readily available means of grievance redressal provided by the Data Fiduciary or Consent Manager. The Data Fiduciary must respond within the prescribed time. Only after exhausting this internal grievance mechanism may the Data Principal approach the Data Protection Board.

4. Right to Nominate — Section 14

A Data Principal has the right to nominate any other individual to exercise the rights conferred by the Act on behalf of the Data Principal in the event of the Data Principal’s death or incapacity.

Duties of the Data Principal — Section 15

The DPDP Act also imposes certain duties on a Data Principal, including the duty to:

  • Comply with the provisions of all applicable laws while exercising rights under the Act;
  • Not impersonate another person while providing personal data;
  • Not suppress any material information while providing personal data to a Data Fiduciary;
  • Not register a false or frivolous grievance or complaint;
  • Furnish only such information as is verifiably authentic.

Breach of these duties may attract a penalty of up to ten thousand rupees.

Children’s Data — Section 9

Where the personal data of a child or a person with disability is being processed:

  • The Data Fiduciary must obtain verifiable consent of the parent or lawful guardian.
  • A Data Fiduciary must not undertake processing that is likely to cause any detrimental effect on the well-being of a child.
  • A Data Fiduciary must not undertake tracking or behavioural monitoring of children or targeted advertising directed at children.

The Central Government may notify exemptions for specified classes of Data Fiduciaries (such as those providing healthcare services or educational services) and may also notify a lower age threshold for specified purposes.

Cross-Border Transfer — Section 16

A Data Fiduciary may transfer personal data outside India to any country or territory other than a country or territory notified by the Central Government under restrictions. The Act adopts a “negative list” approach: transfers are permitted unless the destination is specifically restricted.

Where any other law of India provides for a higher degree of protection or restriction on cross-border transfer of personal data, that other law shall continue to apply.

Exemptions — Sections 17 and 18

Certain provisions of the Act do not apply in specified circumstances, including:

  • Processing for enforcement of any legal right or claim;
  • Processing by a court or tribunal in the exercise of judicial or quasi-judicial functions;
  • Processing in connection with the prevention, detection, investigation, or prosecution of any offence;
  • Processing of personal data of Data Principals outside India by an Indian entity under a contract with a non-Indian entity;
  • Processing for research, archiving, or statistical purposes subject to standards prescribed.

The Central Government may, by notification, exempt any instrumentality of the State from any provisions of the Act on grounds of sovereignty and integrity of India, security of the State, friendly relations with foreign States, public order, or for preventing incitement to the commission of any cognizable offence.

Data Protection Board of India — Sections 18 to 26

The Act establishes the Data Protection Board of India as the regulatory authority. The Board is responsible for:

  • Inquiring into and adjudicating personal data breaches and complaints by Data Principals;
  • Issuing directions to Data Fiduciaries;
  • Imposing financial penalties for non-compliance.

A person aggrieved by a decision of the Board may file an appeal before the Telecom Disputes Settlement and Appellate Tribunal (TDSAT), within sixty days from the receipt of the decision.

Penalties — The Schedule

The Schedule to the DPDP Act lays down financial penalties for various contraventions, including:

  • Failure to take reasonable security safeguards to prevent personal data breach — penalty up to 250 crore rupees;
  • Failure to notify a personal data breach to the Board or affected Data Principal — penalty up to 200 crore rupees;
  • Breach of obligations relating to children — penalty up to 200 crore rupees;
  • Breach of additional obligations of Significant Data Fiduciaries — penalty up to 150 crore rupees;
  • Breach of duties by a Data Principal — penalty up to ten thousand rupees;
  • Breach of any other provision — penalty up to 50 crore rupees.

Penalties are imposed by the Board after an inquiry, taking into account factors such as the nature, gravity, and duration of the breach, the type and nature of personal data affected, repetition of breach, and the action taken by the Data Fiduciary to mitigate the breach.

Interaction with Other Laws

The DPDP Act does not displace existing laws. The Information Technology Act, 2000 — including Section 43A on compensation for failure to maintain reasonable security practices — continues to apply until Section 44(2) of the DPDP Act (which omits Section 43A and the SPDI Rules) is brought into force; per the November 2025 phased commencement notification, this is expected to take effect on approximately 13 May 2027. The Reserve Bank of India Act, 1934, the Telecom Regulatory Authority of India Act, 1997, sectoral regulations under SEBI and IRDAI, and the medical and health-data regulations of professional councils also continue to apply. Where there is a conflict, the DPDP Act provisions on personal data processing generally take precedence — subject to specific provisions in the relevant statute.

How a Data Principal Can Enforce Rights — Practical Steps

If a Data Principal believes that a Data Fiduciary has failed to comply with the Act, the practical steps are:

  1. Identify the Data Fiduciary’s contact — the Data Protection Officer or designated person, whose details must be published by the Data Fiduciary.
  2. Send a written request or grievance — exercising a right (access, correction, erasure, withdrawal of consent) or articulating the alleged non-compliance.
  3. Allow a reasonable time for a response — failure to respond within a reasonable time itself constitutes a breach.
  4. Lodge a complaint with the Data Protection Board if the internal grievance is not satisfactorily resolved.
  5. Appeal to TDSAT if dissatisfied with the order of the Board.

Where the alleged contravention also amounts to an offence under the IT Act (for example, identity theft under Section 66C, or violation of privacy under Section 66E), a parallel complaint may be lodged at the National Cyber Crime Reporting Portal (cybercrime.gov.in) or by calling 1930.

Key Practical Takeaways

  • Most online services dealing with Indian residents are Data Fiduciaries under the DPDP Act; their obligations include providing clear notice, obtaining valid consent, securing the data, and honouring access and erasure requests.
  • A Data Principal’s principal rights are access, correction and erasure, grievance redressal, and nomination.
  • Consent must be freely given, specific, informed, unconditional, and unambiguous; it may be withdrawn at any time.
  • Children’s data has heightened protection — tracking, behavioural monitoring, and targeted advertising directed at children are prohibited.
  • The Data Protection Board is the primary forum for complaints; appeals lie to TDSAT.
  • Penalties for non-compliance can be substantial — up to 250 crore rupees for failure to maintain security safeguards.
