
Rights of Individuals (Data Principals)

By SaahoDilipKumaar

DPDPA grants individuals four enforceable rights: access, correction and erasure, grievance redressal, and nomination. Businesses must respond within prescribed timelines or face Board complaints and penalties. This guide explains each right, what it means operationally, and how to build a request-handling process.

Chapter IV of the DPDPA grants individuals significant rights over their personal data. These are not aspirational principles — they are enforceable legal rights. A person who believes their rights have been ignored can file a complaint directly with the Data Protection Board. Businesses that have no process to receive and respond to these requests are exposed from day one.

The Four Core Rights

1. Right to Access Information (Section 11)

A Data Principal can request information about:

  • Whether their personal data is being processed by you
  • What categories of personal data are being processed
  • For what purposes the data is being processed
  • Who the data is being shared with (third parties, processors, affiliates)

Business implication: You need to be able to respond to these requests with accurate, specific information. This requires knowing where all personal data is stored, what it is used for, and who can access it. If you cannot answer these questions about your own data, you have a data mapping problem that must be fixed before rights requests begin arriving.

2. Right to Correction and Erasure (Section 12)

A Data Principal can request:

  • Correction of inaccurate or misleading personal data
  • Completion of incomplete data
  • Updating of data that has become outdated
  • Erasure of data that is no longer necessary for the purpose it was collected, or where consent has been withdrawn

Business implication: You must be able to locate all instances of an individual's personal data across your systems — including CRM, email history, backups, and third-party tools — and correct or delete it as requested. This sounds straightforward but is operationally complex if data is fragmented across multiple tools and stored informally.

3. Right to Grievance Redressal (Section 13)

If a Data Principal believes their rights have been violated, their data has been handled improperly, or a request was not addressed, they can:

  • Raise a complaint with the Data Fiduciary's designated grievance contact
  • If unresolved or unsatisfied with the response, escalate to the Data Protection Board

Business implication: You must designate a contact point for data-related grievances — an email address, a web form, or a phone number. This contact must be published prominently in your Privacy Notice and ideally in your website footer and any data collection points. Failure to provide a grievance channel or to respond is itself a compliance gap that can result in a Board complaint.

4. Right of Nomination (Section 14)

Individuals can nominate another person to exercise their data rights on their behalf in the event of death or incapacity. The nominated person can then make access, correction, erasure, or grievance requests as if they were the Data Principal.

Business implication: Your rights request process must include a mechanism for receiving and validating nominations — for example, through a signed form or notarised document. This is a less common scenario but must be accounted for in your process design.

Why These Rights Matter for Businesses

Rights obligations are not just about individual data subjects. They have systemic implications:

  • They require data mapping — you cannot respond to an access request if you do not know where the data is
  • They require clean records — corrections require knowing which records are authoritative
  • They require deletion workflows — erasure requests must propagate to backups, archives, and third-party processors
  • They require vendor co-operation — if data is held by a processor (e.g., your CRM vendor), they must support your ability to fulfil requests

A business that has never mapped its data flows will struggle to respond to even a basic access request.

How Must Businesses Respond?

  • Verify identity — Confirm the requester is the actual person whose data is being requested (to prevent unauthorised disclosures). A simple verification step — such as confirming an email address or requesting a government ID for sensitive requests — is sufficient.
  • Locate the data — Identify all instances across your systems, including third-party tools, archived databases, and cloud storage.
  • Respond within the prescribed period — Exact timelines will be specified in the Rules. Treat it as a business SLA — acknowledge requests within 24–48 hours and aim to resolve within 30 days.
  • Document the response — Keep records of every request received, the action taken, and the date of response. This is your compliance evidence.
  • Handle refusals carefully — If you have a lawful reason to retain data (active contract, legal obligation, regulatory requirement), you can decline the erasure request but must communicate the specific reason and inform the individual of their right to escalate.

Common Scenarios

Scenario 1 — Ex-employee requests deletion of all records

You can retain records required by law (e.g., PF, tax records) but should delete records no longer needed (e.g., interview notes, informal communications). Communicate what you retained and why.

Scenario 2 — Prospect asks what data you hold

You must provide a clear summary of their data across all your systems. If you cannot do this, your data mapping is insufficient.

Scenario 3 — Customer asks to correct their address in your CRM

Update the record, propagate to any systems that have a copy (e.g., marketing tools, delivery integrations), and confirm the correction to the requester.

Scenario 4 — Individual withdraws marketing consent and requests erasure of all marketing data

Remove from all marketing lists, delete marketing profile data not required for other purposes, and confirm the action taken.

Building a Rights Request Process

Every business should have a basic process in place before rights requests arrive. Minimum requirements:

  • Designate a contact — Create a dedicated email (e.g., privacy@yourdomain.com) or web form for rights requests
  • Publish it prominently — In your Privacy Notice, website footer, and any data collection pages
  • Set up an internal workflow — Define who receives requests, who processes them, and what the escalation path is
  • Define response timelines — Set internal SLAs aligned to the prescribed period once notified
  • Keep an audit log — Record every request, the action taken, and the date of completion

The cost of building this process is low. The cost of ignoring it — a Board complaint and potential penalty — is not.

Legal baseline: DPDP Rules, 2025 notified on 14 November 2025, with phased commencement.

Educational content only. This guide is for educational purposes and does not constitute legal advice. Please consult a qualified data protection lawyer for formal legal opinions specific to your business situation.
