Rights and Duties of a Data Principal Under the DPDP Act

The Digital Personal Data Protection Act (DPDPA), 2023 lays down clear provisions to safeguard the privacy of individuals’ personal data in India. Under this law, Data Principals are granted specific rights over their personal data. Data Fiduciaries have a legal duty to respect and uphold these rights, and can attract significant fines in case of non-compliance.

This article examines the key rights and duties of Data Principals under India's DPDPA and explains how this landmark legislation is shaping India’s data privacy landscape. It also highlights practical steps businesses can take to handle requests from Data Principals and meet their compliance obligations effectively.

Application of the Act

Subject to the provisions of this Act, it shall -

(a) apply to the processing of digital personal data within the territory of India where the personal data is collected–

  • (i) in digital form; or
  • (ii) in non-digital form and digitised subsequently;

(b) apply to processing of digital personal data outside the territory of India, if such processing is in connection with any activity related to offering of goods or services to Data Principals within the territory of India.

What are the Rights and Duties of Data Principals under the DPDPA, 2023?

A Data Principal is the individual to whom the personal data relates. Such individuals include (i) a child (below 18 years of age) and (ii) a person with disability.

The DPDP Act grants data principals the following rights:

  • Right to access information about personal data: The Data Principal has the right to obtain a summary of the personal data being processed and the processing activities; to obtain the identities of all other Data Fiduciaries and Data Processors with whom the personal data has been shared, along with a description of that personal data; and to obtain any other information related to the personal data of the Data Principal.
  • Right to correction and erasure of personal data: A Data Principal has the right to correction, completion, updating and erasure of her personal data for the processing of which she has previously given consent, and the Data Fiduciary is mandated to update, erase or correct the information.
  • Right of grievance redressal: A Data Principal has the right to readily available means of grievance redressal, to be provided by a Data Fiduciary or Consent Manager, regarding the performance of its obligations with respect to the personal data. It should be the first step before approaching the Board.
  • Right to nominate: A Data Principal has the right to nominate any other individual who can exercise this right in the event of death or incapacity of the Data Principal. Incapacity means unsoundness of mind or infirmity of body.
  • Right to withdraw consent: Data Principals may withdraw consent at any time, and Data Fiduciaries must then cease processing of the data.

These are the rights granted to the Data Principal under India’s DPDP Act. But how can Data Principals exercise those rights in practice?

    Duties of Data Principals

    • A Data Principal must not impersonate another person while providing personal data for a specific purpose.
    • A Data Principal must take care not to suppress any material information while providing her personal data for any document, unique identifier, proof of identity or proof of address issued by the State or any of its instrumentalities.
    • A Data Principal should not register a false or frivolous grievance or complaint with a Data Fiduciary or the Data Protection Board.
    • A Data Principal should always furnish information that is verifiably authentic, while exercising the right to correction or erasure.
    • A Data Principal must comply with the provisions of all applicable laws while exercising the rights under DPDPA, 2023.

    Obligations of a Data Fiduciary

    “Data Fiduciary” means any person who, alone or in conjunction with other persons, determines the purpose and means of processing of personal data.

    The obligations of a Data Fiduciary under DPDPA, 2023 are:

    • Obtain valid, free, informed, specific, and unambiguous consent from the Data Principal through a notice.
    • Ensure personal data is complete, accurate, and up to date.
    • Implement technical and organizational measures for data protection.
    • Apply reasonable security safeguards against data breaches or misuse.
    • Retain data only as long as necessary and delete it once the purpose is fulfilled.
    • Be accountable for compliance, including actions of engaged data processors.
    • Notify the Data Principal and the Data Protection Board of India in case of a data breach.
    • Obtain verifiable parental consent before processing personal data of children under 18.

    Additional obligations of a Significant Data Fiduciary

    A Significant Data Fiduciary is appointed by the Central Government in certain cases and has the following additional obligations:

    • Appoint a Data Protection Officer (DPO) based in India.
    • The DPO serves as the primary contact for grievance redressal.
    • Appoint an independent data auditor to evaluate compliance with the Act.
    • Conduct periodic Data Protection Impact Assessments (DPIAs) covering: the purpose of data processing; risks to Data Principals' rights; and risk management and mitigation.
    • Carry out periodic audits to review data practices.
