DPDPA Guide
Rights of Individuals (Data Principals)
What rights individuals have and how your business must respond.
Chapter IV of the DPDPA grants individuals significant rights over their personal data. These are enforceable rights — businesses that ignore them face complaints to the Data Protection Board and potential penalties.
The Four Core Rights
1. Right to Access Information
A Data Principal can request information about:
- Whether their personal data is being processed by you
- What categories of personal data are being processed
- For what purposes the data is being processed
- Who the data is being shared with
Business implication: You need to be able to respond to these requests with accurate information. This requires knowing where all personal data is stored and for what purpose.
2. Right to Correction and Erasure
A Data Principal can request:
- Correction of inaccurate or incomplete personal data
- Completion of incomplete data (where appropriate)
- Erasure of data that is no longer necessary for the purpose it was collected, or where consent has been withdrawn
Business implication: You must be able to locate all instances of an individual's personal data across your systems (including backups and third-party tools) and correct or delete it as requested.
3. Right to Grievance Redressal
If a Data Principal believes their rights have been violated or that your handling of their data was improper, they can raise a complaint with the designated Data Protection Officer or other designated contact point at your organisation.
If unresolved within the prescribed period, they can escalate to the Data Protection Board.
Business implication: You must designate a contact point (email, web form, or phone) for data-related grievances, publish it prominently, and have a process to respond within the prescribed timeframe.
4. Right of Nomination
Individuals can nominate another person to exercise these rights on their behalf in the event of death or incapacity.
How Must Businesses Respond?
- Verify identity — Confirm the requester is the person whose data is being requested
- Locate the data — Identify all instances across your systems
- Respond within the prescribed period — Timelines will be specified in the Rules
- Document the response — Keep records of requests received and actions taken
- Handle refusals carefully — If you cannot fulfil a request (e.g., legal hold), document and communicate the specific reason
What If You Receive a Request and Cannot Comply?
If you have a lawful reason to retain data (active contract, legal obligation, regulatory requirement), you can decline the deletion request but must:
- Communicate the specific reason for retaining the data
- Inform the individual of their right to escalate to the Data Protection Board
Building a Rights Request Process
- Create a dedicated email address or web form for rights requests
- Publish it in your Privacy Notice and website footer
- Set up an internal workflow to receive, verify, and process requests
- Define SLAs for response
- Keep an audit log of all requests and outcomes
Last reviewed: March 2026
Legal baseline: DPDP Rules, 2025 notified on 14 November 2025, with phased commencement.
This page is for educational purposes and does not constitute legal advice.