
Rule 9: Contact Information of Person to Answer Questions About Processing.

Statutory Text — Rule 9: Contact information of person to answer questions about processing.

Every Data Fiduciary shall prominently publish on its website or app, and mention in every response to a communication for the exercise of the rights of a Data Principal under the Act, the business contact information of the Data Protection Officer, if applicable, or a person who is able to answer on behalf of the Data Fiduciary the questions of the Data Principal about the processing of her personal data.


Rule 9 emphasises transparency and accountability by requiring every organisation that processes personal data to maintain an accessible point of contact — typically the Data Protection Officer (DPO) or a designated representative.

The rule ensures that Data Principals (individuals) can easily reach out to ask how their data is being processed, stored, or shared, and receive timely and clear responses.


1. Public Disclosure Requirement

The Data Fiduciary must prominently publish the contact details of its DPO or authorised contact person on its official website, mobile application, or user portal. This information must be easy to locate — typically placed in the Privacy Policy, Contact Us, or Data Protection / Legal section of the site.

For mobile applications, the contact details should be visible within the app’s settings or privacy section, not hidden behind multiple layers or external links.

Acceptable formats include:

  • A dedicated email address such as privacy@[companyname].com or dpo@[companyname].in
  • A web form for privacy requests linked from the privacy notice
  • A phone number for urgent data-protection queries

Tip

There is a high likelihood that spammers will target a common address like dpo@companyname.in. Therefore, it is recommended to create a slightly different variation - such as dpofficer@companyname.in, dataprotect@companyname.in, dpo_company@companyname.in, or similar - to reduce spam risk while still keeping the address easily identifiable for users.

The contact must represent the organisation’s data-protection function, not a generic customer-support line.


2. Inclusion in Rights-Exercise Communications

Whenever a Data Principal exercises her rights (for example, requests data access, correction, or erasure), the organisation’s response must explicitly mention the DPO or responsible contact person’s business information. This ensures that individuals know who is accountable and can escalate concerns if necessary.

A compliant response might end with:

“If you have further questions about how your personal data is processed, you may contact our Data Protection Officer at dpo@[companyname].in.”


3. Applicability and Accountability

Every Data Fiduciary, regardless of size or sector, is expected to maintain a clearly identifiable human point of contact for matters relating to personal data processing. This requirement applies even if the organisation is not formally mandated to appoint a Data Protection Officer (DPO) under the Act. In such cases, the organisation must designate a Responsible Privacy Officer or Representative to handle privacy-related inquiries and rights requests from Data Principals.

This individual must have:

  • Operational awareness of how personal data is collected, used, stored, and shared across the organisation.
  • Access authority to coordinate with IT, legal, or compliance teams to verify facts before responding.
  • Training in data-protection principles, incident handling, and communication under the DPDPA.

The person’s role is not merely administrative — they act as the voice of accountability for the organisation’s data practices. When a Data Principal submits a query (e.g., “Where is my data stored?” or “Why do you retain this document?”), the contact person must be able to respond accurately, referencing lawful grounds and retention policies.

For large or cross-border Data Fiduciaries, a formally appointed Data Protection Officer (DPO) becomes mandatory. The DPO functions as the single point of contact between the organisation, Data Principals, and the Data Protection Board of India (DPBI).

This ensures a consistent channel for:

  • Responding to user inquiries about processing;
  • Handling regulatory notices, breach communications, or investigation requests; and
  • Submitting compliance reports or audit responses.

In multinational contexts, where processing occurs both in India and overseas, the DPO should be located in India or have an authorised local representative reachable within Indian jurisdiction. The contact details of this person must be identical across all user-facing platforms, privacy notices, and filings to avoid confusion or perceived opacity.

Effective accountability means that users always know who is responsible and regulators can reach the right person quickly — reinforcing the DPDPA’s focus on transparency and trust.

Free Template: Sample DPO / Privacy Contact Disclosure Block

Data Protection and Privacy Contact

In accordance with Rule 9 of the Digital Personal Data Protection Rules, 2025, the following contact person has been designated to address any questions, requests, or concerns relating to the processing of your personal data by [Organisation Name].

Data Protection Officer (DPO)
Name: [Full Name of DPO or Appointed Representative]
Designation: [e.g., Data Protection Officer / Privacy Compliance Officer]
Email: [privacy@[companyname].in]
Phone (Business Hours): [+91-XXXXXXXXXX]
Address: [Registered Office or Corporate Office Address]
Working Hours: [e.g., Monday–Friday, 9:00 AM – 6:00 PM IST]

If your organisation does not require a formal DPO, the authorised contact below is responsible for addressing all data-protection-related inquiries:

Authorised Privacy Contact
Name: [Full Name]
Email: [privacy.support@[companyname].in]
Phone: [Insert Number]


All communications received at this address will be acknowledged within [X business days] and addressed in line with applicable data-protection requirements under the Digital Personal Data Protection Act, 2023, and associated Rules, 2025.

If you have previously contacted us and have not received a satisfactory response, you may escalate the matter by writing to:
The Data Protection Board of India (DPBI) — [Official contact details once published].


This disclosure is made in compliance with Rule 9 of the Digital Personal Data Protection Rules, 2025.


4. Industry Examples

Fintech / BFSI

The DPO’s business email is displayed prominently in the mobile app’s Profile → Privacy Settings section and linked from all system-generated account emails. This ensures customers can easily contact the privacy team without navigating external pages.

Healthcare

Hospitals and diagnostic portals include the Data Protection Officer’s contact details within their Patient Rights and Consent Information pages. The DPO’s email and phone number are also printed on lab reports and discharge summaries for transparency.

Web3 / Crypto Exchange

A crypto exchange designates its FIU-IND Compliance Officer as the official contact for data-protection matters. The officer’s email and support handle are published on the Compliance & Privacy page of the website and mobile app.

Government Services

Citizen-service portals list a Data Governance Officer or Nodal Officer as the authorised contact for privacy inquiries. The contact details are displayed on the portal’s Privacy and Terms section as well as in acknowledgment emails sent after a grievance or data-access request.

Physical Form

Where required, a physical form should also be provided at branch locations for individuals who visit in person to request a change or deletion, or to raise any privacy-related query about their personal data.

These physical forms must also be properly logged, tracked, and processed to ensure that the requested modifications or erasures are completed within the applicable timelines.


5. Common Mistakes to Avoid

  • Publishing a generic helpdesk email with no specific privacy function.
  • Providing contact information that is inactive or unmonitored.
  • Using non-business emails (e.g., Gmail, Yahoo) — official domain-based addresses are required.
  • Failing to include the contact details in written responses to data-rights requests.

Each of these practices weakens accountability and may be deemed non-compliance during audits.


Making your privacy contact visible and responsive

Ensure your privacy contact details are placed in at least two locations: the privacy policy footer and your data-rights response templates.
Securze helps organisations set up dedicated DPO mailboxes, privacy request workflows, and response-tracking dashboards for compliance with Rule 9.


Summary

Rule 9 reinforces the DPDPA’s core value of user transparency.
By mandating public, accessible, and responsive privacy contact information, it ensures that Data Principals always know who to reach and that the organisation’s accountability is not just theoretical, but practical and verifiable.