Rights of Data Principals under the DPDP Act and Rules

Amala Maria George

Legal Counsel
December 24, 2025

Summary

  • The Right to Information Access allows data principals to know what personal data is being processed, how it is being used, and which third parties it is shared with.
  • The Right to Correction and Erasure gives data principals the ability to request corrections to inaccurate or outdated data, as well as request the deletion of data that is no longer necessary.
  • The Right to Grievance Redressal ensures that data principals can raise complaints about how their personal data is being handled and expect timely resolutions from data fiduciaries.
  • The Right to Nominate allows data principals to designate a trusted individual to manage their personal data in case of death or incapacity.
  • Businesses must maintain data inventories and create clear request channels to fulfill data access, correction, and erasure requests in compliance with the DPDP Act.
  • Managing user rights requests requires robust systems for identity verification, data mapping, and seamless coordination with third-party processors to ensure timely compliance.
  • Businesses must establish secure, user-friendly channels for submitting data-related requests and grievances, aligning with the timelines mandated by the DPDP Act.

The Digital Personal Data Protection Act, 2023 and the DPDP Rules are finally here. Businesses now have a clear deadline to ensure compliance with the requirements of the new law. 

Obligations for businesses under the DPDP Act all centre around the “Data Principal” (in simple terms - your customer). 

The DPDP Act gives Data Principals (aka your customer) more control over their data and a pathway to enforce their rights over their data.

The obligation to facilitate these rights - known as “Data Principal Rights” - mostly lies with you, the business (or, as the DPDP Act calls you, the Data Fiduciary). 

This has serious implications for your systems and processes - including downstream data and third party vendors you use. 

This article tells you:

  • What are all the Data Principal Rights under the DPDP Act
  • What your obligations are for each right
  • What product and process changes you will need to make in order to comply 

What are the 7 Data Principal rights under the DPDP Act?

Right to Access
  Explanation: A Data Principal can ask the business what personal data is held, why it was collected, what processing has been done, with whom it has been shared, and how long it will be retained.
  Practical effect for businesses: A business must be able to pull a complete summary for an individual across all its systems and databases: CRM, ticketing, analytics, third-party SaaS, etc.

Right to Update
  Explanation: Data Principals can now ask for the correction, updating or completion of any inaccurate or incomplete personal data held by businesses.
  Practical effect for businesses: Businesses need processes to update all records, sync changes to backend systems, and share the updated data with all downstream data processors or vendors.

Right to Withdraw Consent
  Explanation: Where processing is based on consent, it must be revocable as easily as it was given.
  Practical effect for businesses: Businesses will need easy-to-spot, easy-to-use consent preference centres or privacy management options that disable processing and trigger workflows to downstream systems and processors/vendors, so that processing stops across all touchpoints.

Right to Erasure
  Explanation: Data Principals may request the deletion of their personal data. The request must be honoured if the data is no longer necessary for the purpose for which it was collected.
  Practical effect for businesses: Businesses must map retention timelines for each data category and ensure deletion or suppression across internal systems, backups, and third-party processors. Erasure must be confirmed to the Data Principal.

Right to Nominate
  Explanation: A Data Principal can nominate someone to exercise rights on their behalf in case of death or incapacity.
  Practical effect for businesses: Systems must allow nomination, and must recognise the nominee when they make future rights requests.

Right to Raise a Grievance
  Explanation: Data Principals can lodge grievances regarding data processing or the handling of their rights.
  Practical effect for businesses: Businesses must provide details of how to raise grievances or reach the DPO, and must have a ticketing system or functioning process to ensure grievances are responded to within 90 days.

Right to Access the Consent Notice in Scheduled Languages
  Explanation: A Data Principal can now ask for consent notices to be made available in any scheduled Indian language.
  Practical effect for businesses: Businesses must maintain translated versions of their consent notices and display or deliver them according to the language preference of the user.

Data Fiduciaries must ensure customers can raise a rights request

Rights are useless without a way to enforce them. 

The DPDP Act requires Data Fiduciaries to prominently inform customers:

  1. How they can raise a Rights Request.
  2. What details the customer will need to give when submitting the request, e.g. a username or any other identifier.

This information should, ideally, be displayed in the consent collection notice/box itself and must be on the website or application as well.

What changes do Data Fiduciaries need to do in the back-end for Data Principal Rights?

There are 6 back-end things that you as a Data Fiduciary need to ensure to fulfil your DPR obligations under the DPDP Act.  

A. Maintain Records of Processing Activities (ROPA)

You must know what data you collect, where it flows, where it is stored, and whom you share it with. This information must be recorded in a visual map tied to a strong back-end information database. 

Without a ROPA, you will find it hard to respond to and resolve rights requests within the mandated timeline. 

B. Maintain Documented Retention Timelines

Not all data can be deleted on request. Sectoral laws and regulations may require retention for a specific period. The DPDP Rules themselves specify a minimum one-year retention period, and three-year retention periods for certain types of businesses.

Having a documented data-wise retention schedule will help determine what can be erased in case of a Rights Request and what must be retained.

C. Build Systems for Rights Request Fulfilment

Rights-handling cannot be manual. You will need an end-to-end DPR fulfilment system:

  • a customer-friendly, easily accessible privacy centre where customers can submit access, correction, withdrawal, and erasure requests;
  • a verification layer so that a third party cannot falsely raise a rights request on behalf of a customer;
  • a backend workflow engine that triggers internal deletion, update or retrieval when the request is raised;
  • a ticketing system with response templates, internal owners and escalations that ensures responses are sent within the 90-day timeline.

D. Ensure downstream syncing of Updates, Erasure and Withdrawal

You will need every system where you store personal data to be synced to the status of consent. If the user withdraws consent, every internal system and third-party vendor will need to be notified. You will then also need a proper confirmation that the data has, indeed, been deleted from the downstream system.

E. Maintain Translated Consent Notices

Businesses will need to ensure that the Consent Notice is made available in the language the customer understands. The DPDP envisages consent notices in 22 Indian languages. The easiest way to do this is to pre-bake consent notices in all languages and display a language toggle prominently in the consent notice itself.

F. Maintain auditable consent logs

Every action taken on a consent must be logged: consent collection, consent storage, each DPR request received, and the processing of that DPR request.

These logs are vital to a) respond clearly to your customers when they raise a request, and b) demonstrate compliance in case of regulatory and DPB inspections. 
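The following is an added example, not code from this article or from the Consentin platform, showing how the back-end pieces in sections B, C, D and F fit together for one erasure request: a retention schedule that decides what may be erased, fan-out to downstream vendors that must confirm deletion, the 90-day response deadline, and an append-only, hash-chained audit log whose integrity can be checked later. The retention schedule, vendor names and the principal's records are constructed sample data.

```python
# Added example, not code from the article or the Consentin product: an erasure
# request handled with retention checks (B), vendor fan-out with deletion
# confirmation (D), a 90-day deadline and a hash-chained audit log (F).
import hashlib, json
from datetime import date, timedelta
RESPONSE_DAYS = 90
RETENTION_DAYS = {"kyc_record": 3 * 365, "marketing_profile": 0, "support_ticket": 365}  # constructed schedule

class AuditLog:
    """Append-only log: each entry's hash covers its fields plus the previous entry's hash."""
    def __init__(self):
        self.entries = []
    def append(self, event, **fields):
        entry = {"event": event, **fields, "prev": self.entries[-1]["hash"] if self.entries else "0" * 64}
        entry["hash"] = hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()
        self.entries.append(entry)
    def verify(self):  # False if any entry was altered or removed after the fact
        prev = "0" * 64
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["prev"] != prev or hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest() != e["hash"]:
                return False
            prev = e["hash"]
        return True

def handle_erasure(principal, records, collected_on, today, vendors, log):
    """records: category -> data; collected_on: category -> date;
    vendors: name -> callable(principal, category) that returns True only on confirmed deletion."""
    deadline = (today + timedelta(days=RESPONSE_DAYS)).isoformat()
    log.append("dpr_received", principal=principal, kind="erasure", deadline=deadline)
    erased, retained, unconfirmed = [], [], []
    for category in list(records):
        keep_until = collected_on[category] + timedelta(days=RETENTION_DAYS[category])
        if today < keep_until:  # retention period still running: keep the data and record why
            retained.append(category)
            log.append("retained", principal=principal, category=category, until=keep_until.isoformat())
            continue
        del records[category]  # internal deletion, then downstream fan-out
        for vendor, delete in vendors.items():
            ok = bool(delete(principal, category))
            log.append("vendor_delete", principal=principal, category=category, vendor=vendor, confirmed=ok)
            if not ok:
                unconfirmed.append((vendor, category))  # chase before confirming erasure to the principal
        erased.append(category)
    log.append("dpr_resolved", principal=principal, erased=erased, retained=retained, pending=len(unconfirmed))
    return {"erased": erased, "retained": retained, "unconfirmed": unconfirmed, "deadline": deadline}

def demo():  # constructed sample: one principal, three categories, two vendors (analytics fails to confirm one)
    log, records = AuditLog(), {"kyc_record": "...", "marketing_profile": "...", "support_ticket": "..."}
    collected = {"kyc_record": date(2025, 1, 1), "marketing_profile": date(2025, 6, 1), "support_ticket": date(2024, 6, 1)}
    vendors = {"crm": lambda p, c: True, "analytics": lambda p, c: c != "support_ticket"}
    return handle_erasure("dp-001", records, collected, date(2025, 12, 24), vendors, log), records, log
```

In the sample run the KYC record is retained because its three-year period is still running, the other two categories are deleted internally, and the analytics vendor's missing confirmation for the support ticket is left open in the result so the request is not closed prematurely.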

Use Consentin to help you manage Data Principal Rights

In this article we have covered all the backend changes you need to make to successfully discharge your DPR obligations under the DPDP Act. You can use this information (and other information in our blog) to build your own internal DPDP compliance systems.

However, if you don’t want to build, but instead want to buy and implement a ready-to-use platform for DPDP compliance, we hope you consider our platform, Consentin by Leegality. 

Consentin is a comprehensive platform that gives Indian businesses the ability to ensure DPDP compliance across their customer and vendor journeys in a fast, easy and secure way.

Consentin has everything you need under one roof, fully compliant with the DPDP Act.

You can explore the platform here