Rule 9: Contact Information for Queries about Processing
Rule 9 ensures that individuals always know whom to contact if they have questions or concerns about how their personal data is being used. Transparency is not just about publishing a notice; it also requires giving people a clear channel of communication.
Under this rule:
- Every Data Fiduciary must provide the name and contact details of the person who can answer queries related to data processing.
- If the organization has appointed a Data Protection Officer (DPO), then the DPO’s contact details must be included.
- If no DPO has been appointed, the contact details of another responsible officer or the Grievance Officer must be provided.
- The information must be displayed in an easily accessible manner, such as on the company’s website, mobile application, or in the privacy notice.
Without providing accessible contact details, individuals have no way to exercise their rights effectively — making this obligation a cornerstone of compliance.
Example Scenarios
A crypto trading platform like ABC Exchange must publish the email address and phone number of its DPO so that a trader named Govind can ask whether his KYC details are being shared with third parties.
A social media platform like XYZ Connect must allow users such as Krishna to easily reach its grievance officer through the app if they want their old posts or personal details erased.
The intent of Rule 9 is to remove barriers between individuals and organizations. Instead of leaving people confused about where to complain, the law mandates a direct and accountable point of contact. This not only improves user trust but also helps organizations respond to concerns before they escalate into regulatory complaints.