Skip to main content

Rule 13: Rights of Data Principals (Operational Details)

Rule 13 explains how the rights of individuals, known as Data Principals, are to be exercised in practice. While the Act already grants these rights, the Rule provides clarity on the process and obligations of organizations when such requests are made.

Under this rule:

  • A Data Principal may submit a request to access, correct, erase, or withdraw consent relating to their personal data. The request must be submitted to the Data Fiduciary through the channels specified in the notice or grievance redressal system.
  • The Data Fiduciary is required to acknowledge the request and act upon it within the time limits prescribed by the Act or Rules.
  • If the Data Fiduciary rejects a request, it must provide a clear explanation of the reasons for such rejection.
  • The Data Fiduciary must ensure that the process for submitting and tracking requests is simple and accessible, and not designed to discourage individuals from exercising their rights.
  • Records of requests received and actions taken must be maintained to demonstrate compliance in the event of an audit or inquiry by the Data Protection Board.
Critical Point

The process for exercising rights must always be simple, accessible, and fair. Complex or discouraging procedures would amount to non-compliance.

Example Scenarios

Example 1

A customer of an insurance company like ABC Life Insurance requests correction of his address in the company’s records. The insurer must update the records promptly and confirm the correction to the customer.

Example 2

A user of a social media platform requests deletion of old photos uploaded five years ago. The platform must remove the content unless it is required to retain it for legal reasons.

Example 3

An investor on a stock broking platform withdraws consent for the use of his personal data for marketing purposes. The broker must respect this withdrawal and stop sending promotional emails.

Rule 13 ensures that rights are not just theoretical but are backed by clear procedures. It empowers individuals to take control of their personal data while requiring organizations to demonstrate accountability in every interaction.