India's DPDP Act: Rights and Duties of a Data Principal

Sameer Ahirrao -

The Digital Personal Data Protection Act (DPDPA) in India establishes guidelines for safeguarding the privacy of individuals' personal data. This law grants individuals, known as data principals, specific rights regarding their data, which organizations, known as data fiduciaries, are obligated to respect. Failure to comply with these obligations can result in penalties for data fiduciaries.

In this article, we examine the rights and safeguards provided to data principals under the India's DPDP Act, a significant legislation that is transforming the data privacy landscape in India. Additionally, we explore strategies for businesses to fulfill requests and adhere to legal obligations under this law.

What are the DPDPA data principal rights?

Data principals, often referred to as data subjects or users, are individuals whose personal information is being collected and processed by an organization known as the data fiduciary.

The DPDP Act grants data principals the following rights:

  • Right to Access Personal Data: Data principals can access their personal data held by data fiduciaries, knowing its source, purpose, and who it's shared with. For instance, if only email addresses are processed, the data fiduciary must explain why, how they obtained them, and with whom they're shared.
  • Right to Correct their Personal Data: Data principals can request corrections to inaccurate or incomplete personal data. For example, if someone changes their last name, they have the right to update their data accordingly.
  • Right to Erasure: Data principals can ask for the deletion of their personal data if it's no longer necessary or if they withdraw consent. However, one of these conditions must be met to exercise this right.
  • Right to restrict the processing of their personal data: Data principals can limit the processing of their personal data in certain situations. For instance, they can unsubscribe from email lists to restrict further email communication.
  • Right to data portability. Data principals can obtain a copy of their personal data in a readable format and transfer it elsewhere, like moving health records from one doctor to another.
  • Right to object to the processing of their personal data: Data principals can object to the processing of their personal data for certain purposes, such as direct marketing or automated decision-making.
  • Right to withdraw consent: Data principals can withdraw consent for the processing of their personal data at any time. Consent managers like Secure Privacy offer preference centers for users to exercise this right.

These are the rights granted by India’s DPDP Act. But how can data principals exercise those rights in practice?

What are the methods for data subjects to enforce their rights according to the DPDPA?

Data principals can exercise their rights under the DPDPA by following these steps:

  • Submit a Request: The data principal sends a written request to the data fiduciary, clearly stating which right they want to exercise.
  • Response Time: The data fiduciary must respond within 30 days, although this might vary depending on the request's complexity.
  • Action Taken: The data fiduciary provides the requested information or takes the necessary action, unless there's a valid reason for refusal.
  • Explanation for Refusal: If the request is denied, the data fiduciary must give a written explanation for the refusal.
  • Complaint to the Data Protection Board: If unsatisfied, data principals can file a complaint with the Data Protection Board of India. Penalties for violations can reach up to INR 50 crore, depending on the severity of the violation.

What does the 2023 India Digital Personal Data Protection Act (DPDPA) entail, and does it affect my business?

The India Digital Personal Data Protection Act (DPDPA) 2023 marks the country's first comprehensive data protection regulation. It emphasizes fairness, transparency, and accountability, introducing new duties and rights unprecedented in India.

The DPDPA applies to all organizations handling personal data in India, regardless of their size or location. Even organizations outside India dealing with the data of Indian residents are bound by this law.

Key responsibilities for businesses include:

  • Cookie Consent: Obtaining consent for using cookies.
  • Privacy Notice: Providing users with a privacy notice.
  • International Data Transfers: Ensuring legality of international data transfers.
  • Data Processor Compliance: Ensuring compliance of data processors with the law.
  • Respecting Data Principal Rights: Honoring the rights of data principals.
  • Data Protection Officer: Appointing a Data Protection Officer for certain companies.
  • Data Breach Notification: Notifying data breaches promptly.

Under the new Digital Personal Data Protection Act, how to comply with Data Privacy Requests?

Setting up an internal procedure for handling requests is essential. It doesn't need to be complicated, but having a designated person to receive and respond to requests, trained in data principal rights and the DPDPA, is beneficial.

Honoring requests isn't difficult and fosters trust with customers through transparency. Responding to requests isn't optional—it's a duty. However, fulfilling this duty benefits your organization more than it burdens it, so ensure your procedures are in order and streamline the process.

If your organization requires expert assistance to understand these privacy regulations, remember that Ardent privacy is here for you. Our Privacy experts provide the guidance you seek. You can contact us at advisor@ardentsec.com

About Ardent Privacy

Ardent’s mission is to help enterprises implement meaningful security and privacy programs aligned to their business mission, building trust and protecting data assets. Ardent’s technology “TurtleShield” is a holistic software platform that empowers enterprise security, legal, and data teams to implement and manage data privacy within the organizations with rapid data asset visibility and actions to enable privacy compliance, govern AI risk, meaningful data protection, and reduce cost of compliance and data breaches. Our unique and patented ML/AI-powered technology helps organizations comply with evolving privacy and AI regulations and accelerates adoption of AI technologies. Ardent offers a low code platform to automate Privacy & AI governance, rapid discovery of data assets and consent management with regional focus for global regulations.