
Rights of Data Principals Under the DPDP Act – A Comprehensive Guide

Introduction


In today’s digital age, personal data is one of the most valuable assets. With increased online transactions, social media presence, and data-driven services, individuals are generating vast amounts of personal information. However, with this growing digital footprint comes the risk of data misuse, privacy violations, and security breaches. Recognizing these concerns, the Indian government enacted the Digital Personal Data Protection Act (DPDP Act), 2023 to regulate the collection, processing, and storage of personal data.


At the heart of this legislation is the concept of Data Principals—individuals whose personal data is being processed. The DPDP Act grants Data Principals several rights, empowering them to control how their personal information is used. This blog provides a detailed breakdown of these rights, their legal interpretations, real-world implications, and how individuals can exercise them effectively.


Who is a Data Principal?


A Data Principal refers to any individual whose personal data is collected, processed, or stored by an entity, known as a Data Fiduciary. Simply put, if a company or organization collects your personal data—whether through websites, apps, or other digital services—you are the Data Principal.

Understanding your rights under the DPDP Act is essential to ensuring your personal information is handled responsibly and legally.


Key Rights of Data Principals Under the DPDP Act

The DPDP Act provides Data Principals with a set of rights designed to protect their personal data and privacy. These rights include:


1. Right to Consent & Withdrawal of Consent


Legal Interpretation:

The DPDP Act mandates that personal data cannot be processed without the Data Principal’s free, informed, specific, and unambiguous consent. Individuals also have the right to withdraw consent at any time.

Practical Implications:

  • Users must be provided with clear, accessible information before giving consent.

  • Consent cannot be assumed or hidden in lengthy terms and conditions.

  • Withdrawing consent must be as easy as giving it.

  • Organizations failing to comply can face penalties under the law.


In the landmark case of Justice K.S. Puttaswamy (Retd.) v. Union of India (2017), the Supreme Court of India held that the Right to Privacy is a fundamental right under Article 21 of the Constitution. This case laid the foundation for stringent data protection laws, emphasizing that consent should be freely given and revocable.


2. Right to Access Information


Legal Interpretation:

Data Principals have the right to request details about:

  • What personal data is being collected.

  • How and why it is being processed.

  • Whether it has been shared with third parties.

Practical Implications:

  • Companies must provide this information in a structured, commonly used format.

  • This enhances transparency and builds trust between users and businesses.


A report by the Internet Freedom Foundation (2023) highlighted that over 60% of Indian users were unaware of how their personal data was being processed by major online platforms. The DPDP Act aims to bridge this information gap by ensuring transparency.


3. Right to Correction & Erasure


Legal Interpretation:

Data Principals can request:

  • Correction of inaccurate or outdated personal data.

  • Erasure of personal data when it is no longer necessary for the purpose for which it was collected.

Practical Implications:

  • Users can ensure their data is always accurate.

  • Companies must provide mechanisms for easy correction or deletion.

  • Exceptions may apply in cases of legal or contractual obligations.


In Google Spain SL, Google Inc. v. Agencia Española de Protección de Datos (2014), the European Court of Justice ruled in favor of the Right to Be Forgotten, allowing individuals to request the removal of outdated or irrelevant data. This ruling has influenced global data protection frameworks, including India’s DPDP Act.


4. Right to Grievance Redressal


Legal Interpretation:

If a Data Principal’s rights are violated, they can:

  • File a complaint with the Data Fiduciary.

  • Escalate the issue to the Data Protection Board of India if unsatisfied with the response.

Practical Implications:

  • Companies must set up internal grievance redressal mechanisms.

  • Users have a legal pathway to challenge data misuse.


According to a 2023 report by the Ministry of Electronics and Information Technology (MeitY), 80% of consumer complaints related to data privacy remain unresolved due to lack of a structured grievance redressal system. The DPDP Act introduces a mandatory grievance resolution framework to address this gap.


5. Right to Nominate a Legal Heir


Legal Interpretation:

Data Principals can nominate a person to exercise their rights in case of incapacity or death.

Practical Implications:

  • Ensures continuity of digital assets and data.

  • Reduces complexities in handling personal data after a person’s demise.


A 2019 study by the Internet and Mobile Association of India (IAMAI) found that only 10% of Indian users had nominated heirs for their digital accounts, leading to legal complications in accessing deceased individuals’ data. The DPDP Act provides clarity on this issue by enabling formal nomination rights.


Limitations & Exceptions to These Rights


While the DPDP Act empowers individuals, there are exceptions where rights may not be applicable, such as:

  • Government exemptions: Certain agencies may collect and process data without consent for national security, law enforcement, or public interest.

  • Processing of children’s data: Special rules apply to safeguard minors.

  • Public interest considerations: Some data may be retained for research, statistical analysis, or legal compliance.

Practical Implications for Individuals & Businesses


  • For Individuals:

    • Stay informed about data rights.

    • Regularly review privacy settings and exercise rights when necessary.

  • For Businesses:

    • Ensure compliance with consent and data protection laws.

    • Establish clear privacy policies and grievance redressal mechanisms.


Conclusion


The DPDP Act marks a significant step toward strengthening data privacy in India. By understanding and exercising their rights, Data Principals can ensure their personal data is handled responsibly. At the same time, businesses must adapt to these new regulations to maintain transparency and compliance.


With data privacy becoming a critical issue globally, staying aware of your rights is no longer optional—it’s essential. As India moves forward in its digital transformation journey, laws like the DPDP Act will play a crucial role in shaping a more secure and privacy-focused online ecosystem.
