
Rule 13: Rights of Data Principals

Statutory Text — Rule 13: Rights of Data Principals.

(1) For enabling Data Principals to exercise their rights under the Act, the Data Fiduciary and, where applicable, the Consent Manager, shall publish on its website or app, or both, as the case may be, —
(a) the details of the means using which a Data Principal may make a request for the exercise of such rights; and
(b) the particulars, if any, such as the username or other identifier of such a Data Principal, which may be required to identify her under its terms of service.

(2) To exercise the rights of the Data Principal under the Act to access information about personal data and its erasure, she may make a request to the Data Fiduciary to whom she has previously given consent for processing of her personal data, using the means and furnishing the particulars published by such Data Fiduciary for the exercise of such rights.

(3) Every Data Fiduciary and Consent Manager shall publish on its website or app, or both, as the case may be, the period under its grievance-redressal system for responding to the grievances of Data Principals and shall, for ensuring the effectiveness of the system in responding within such period, implement appropriate technical and organisational measures.

(4) To exercise the rights of the Data Principal under the Act to nominate, she may, in accordance with the terms of service of the Data Fiduciary and such law as may be applicable, nominate one or more individuals, using the means and furnishing the particulars published by such Data Fiduciary for the exercise of such right.

(5) In this rule, the expression “identifier” shall mean any sequence of characters issued by the Data Fiduciary to identify the Data Principal and includes a customer identification file number, customer acquisition form number, application reference number, enrolment ID or licence number that enables such identification.


Rule 13 brings the Data Principal’s rights to life by defining how individuals can contact organisations, verify their identity, raise concerns, and nominate successors for data control. It ensures that digital citizens can communicate with clarity, dignity, and confidence — and that every Data Fiduciary treats those interactions with respect and care.


1. Publishing Simple and Accessible Channels

Each organisation must clearly publish, on its website or mobile app, the method by which users can submit privacy requests and the information needed for identification. This means the process should not be hidden in fine print or require legal expertise.

The published channels might include:

  • A dedicated privacy-rights portal where individuals can request data access or deletion;
  • A verified email address such as privacy@companyname.in; or
  • A Consent Manager dashboard integrated with the platform.

The identifiers requested (like a customer ID or application reference number) should be limited to what is reasonably necessary to confirm identity, never excessive.

Example – Fintech Platform

A fintech app lists a visible “Manage My Data” option in its profile settings.
Users can click to access or erase data and are asked only for their registered mobile number and a one-time code sent to that number, so that merely knowing the number is not enough to act on the account — no unnecessary documents.
This polite, transparent approach strengthens user trust and fulfils the rule’s intent.


2. Exercising the Right to Access and Erasure

Rule 13(2) lets an individual take access and erasure requests directly to the Data Fiduciary that originally obtained her consent, using the published means and particulars. The organisation must design an easy-to-follow process where users can:

  • View what data is stored about them,
  • Request deletion of data no longer required, or
  • Withdraw previously given consent (a separate right under the Act, conveniently offered through the same channel).

The tone of all communication must remain professional and empathetic. A privacy request is not a nuisance, but an access or erasure request lodged by someone impersonating the Data Principal is a real risk, so courtesy goes together with identity verification before anything is disclosed or deleted.

Example – Healthcare Network

A patient uses a hospital’s online portal to request deletion of her tele-consultation recordings after treatment is complete.
The hospital acknowledges the request within 24 hours, verifies her identity through the registered phone number, and deletes the records within seven days while keeping anonymised billing data for statutory purposes. This shows polite engagement and lawful balance.


3. Publishing Grievance-Handling Timelines

Every Data Fiduciary and Consent Manager must disclose how quickly grievances will be resolved and ensure that their system can actually meet that commitment. This timeframe could vary — for example, 7 days for password-reset issues, 15 days for data-access requests, or 30 days for deletion confirmation.

The organisation must also implement monitoring mechanisms to ensure timely responses. Automated tracking, escalation alerts, and monthly reports to the DPO are considered good practice.

Example – Telecom Operator

A telecom company’s privacy page clearly mentions: “All data-related grievances are acknowledged within 24 hours and resolved within 15 days.” Its CRM automatically escalates delayed tickets to the DPO for review. Such clarity reassures users that their concerns are being taken seriously.


4. Right to Nominate

This clause introduces a compassionate safeguard — allowing individuals to nominate one or more persons who can exercise their data rights if the individual passes away or becomes incapacitated. The nomination process must be clearly explained in the organisation’s terms of service and privacy notice.

Verification of the nominee’s identity and relationship should be done courteously, using minimal documentation and respecting emotional sensitivity.

Example – Social-Media Platform

A social-media platform lets users nominate a “Legacy Contact” through account settings.
If the user passes away, the contact can request memorialisation or deletion of the profile after submitting basic verification.
The process is designed to be empathetic, not bureaucratic.


5. Importance of Identifiers

The term identifier covers any sequence of characters the Data Fiduciary issues to link a Data Principal to her records, such as a customer ID, enrolment ID or licence number. An identifier is a lookup key, not a secret: it is routinely printed on invoices, cards and correspondence, so it must never be accepted on its own as proof of identity; verification should go through a channel bound to the account, such as a one-time code sent to the registered mobile number. Organisations should also store identifiers securely and avoid reusing the same identifier across unrelated systems, which would make profiling and accidental cross-system disclosure easier.


6. Practical Implementation Guidance

  • User Interface Design: Privacy-rights links should be easy to find and accessible on both desktop and mobile devices.
  • Acknowledgement Protocol: Every rights-request should trigger an automated polite acknowledgement with a unique tracking ID.
  • Tone of Communication: Templates should use friendly yet formal language — e.g., “Thank you for writing to us about your data-privacy preferences” rather than “Your ticket has been received.”
  • Audit Trail: Maintain logs of all user requests, identity verifications, and responses for a minimum of one year to demonstrate compliance.
  • Training: Customer-service teams should receive periodic training to handle privacy queries sensitively and accurately.
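The following is an added example written for this page; it is not part of the Rules and not any vendor's product. It pulls together the mechanics from sections 1, 2, 3 and 6 above in one hypothetical rights-request desk: the published identifier is used only to look the account up, a one-time code is sent to the registered mobile number and checked (hashed at rest, expiring, limited attempts) before any data is disclosed or erased, every ticket gets a tracking ID and an audit-trail entry, and tickets past the published acknowledgement and resolution windows are listed for escalation to the DPO. The identifiers, windows, mobile numbers and records are all constructed for illustration; the "outbox" stands in for an SMS gateway.

```python
# Added example for this page, not from the rules or any named vendor product:
# a hypothetical rights-request desk. All identifiers, numbers, windows and
# sample records below are constructed for illustration.
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

ACK_WINDOW = timedelta(hours=24)     # published: "acknowledged within 24 hours"
RESOLVE_WINDOW = timedelta(days=15)  # published: "resolved within 15 days"
OTP_TTL = timedelta(minutes=5)
MAX_OTP_ATTEMPTS = 3
T0 = datetime(2025, 1, 15, 9, 0, tzinfo=timezone.utc)  # fixed clock for demo()

# Constructed sample data: identifier -> registered mobile, identifier -> data held.
SAMPLE_ACCOUNTS = {"CIF-1001": "+91-98xxxxxx01"}
SAMPLE_RECORDS = {"CIF-1001": {"name": "A. Sharma", "pan_last4": "1234"}}


@dataclass
class Request:
    tracking_id: str
    identifier: str
    kind: str                         # "access" or "erase"
    received: datetime
    acknowledged: Optional[datetime] = None
    resolved: Optional[datetime] = None
    verified: bool = False
    otp_hash: Optional[bytes] = None  # only a hash of the code is kept
    otp_expires: Optional[datetime] = None
    otp_attempts: int = 0


class RightsDesk:
    def __init__(self, accounts, records):
        self.accounts, self.records = accounts, records
        self.requests, self.audit, self.outbox = {}, [], None

    def _log(self, tid, event, now):
        # Audit trail: ticket, event and time; no personal data in the log.
        self.audit.append((now.isoformat(), tid, event))

    def open_request(self, identifier, kind, now):
        # The identifier is a lookup key, not proof of identity. Known and
        # unknown identifiers get the same tracking ID, so the channel does not
        # confirm which identifiers exist; only a known one triggers a code.
        tid = "DPR-" + secrets.token_hex(4).upper()
        self.requests[tid] = req = Request(tid, identifier, kind, now)
        self._log(tid, "opened:" + kind, now)
        if identifier in self.accounts:
            otp = f"{secrets.randbelow(10**6):06d}"
            req.otp_hash = hashlib.sha256(otp.encode()).digest()
            req.otp_expires = now + OTP_TTL
            self.outbox = (self.accounts[identifier], otp)  # stands in for SMS
            self._log(tid, "otp_sent_to_registered_mobile", now)
        return tid

    def acknowledge(self, tid, now):
        # Automated acknowledgement; normally fired as soon as the ticket opens.
        self.requests[tid].acknowledged = now
        self._log(tid, "acknowledged", now)

    def verify(self, tid, otp, now):
        req = self.requests[tid]
        if (req.otp_hash is None or now > req.otp_expires
                or req.otp_attempts >= MAX_OTP_ATTEMPTS):
            self._log(tid, "verification_rejected", now)
            return False
        req.otp_attempts += 1
        req.verified = hmac.compare_digest(
            req.otp_hash, hashlib.sha256(otp.encode()).digest())
        self._log(tid, "verified" if req.verified else "otp_mismatch", now)
        return req.verified

    def fulfil(self, tid, now):
        # Disclose or erase only after verification over the registered channel.
        req = self.requests[tid]
        if not req.verified:
            self._log(tid, "refused:unverified", now)
            return None
        if req.kind == "access":
            result = dict(self.records.get(req.identifier, {}))
        else:
            self.records.pop(req.identifier, None)
            result = {"erased": True}
        req.resolved = now
        self._log(tid, "resolved:" + req.kind, now)
        return result

    def overdue(self, now):
        # Tickets past the published windows, for escalation to the DPO.
        late = []
        for tid, req in self.requests.items():
            if req.acknowledged is None and now - req.received > ACK_WINDOW:
                late.append((tid, "acknowledgement overdue"))
            elif req.resolved is None and now - req.received > RESOLVE_WINDOW:
                late.append((tid, "resolution overdue"))
        return late


def demo():
    # One genuine access request, a wrong code, an unknown identifier, an
    # erasure, and two stale tickets that should be escalated.
    desk = RightsDesk(dict(SAMPLE_ACCOUNTS), dict(SAMPLE_RECORDS))
    out = {}
    tid = desk.open_request("CIF-1001", "access", T0)
    desk.acknowledge(tid, T0)
    mobile, otp = desk.outbox            # what the registered mobile received
    out["otp_to"], out["unverified"] = mobile, desk.fulfil(tid, T0)
    out["access"] = desk.fulfil(tid, T0) if desk.verify(tid, otp, T0) else None
    tid2 = desk.open_request("CIF-1001", "erase", T0)
    out["bad_otp"] = desk.verify(tid2, "0000000", T0)   # 7 digits never match
    out["erased"] = desk.fulfil(tid2, T0) if desk.verify(tid2, desk.outbox[1], T0) else None
    out["record_gone"] = "CIF-1001" not in desk.records
    tid3 = desk.open_request("CIF-9999", "access", T0)  # unknown identifier
    out["unknown_verifies"] = desk.verify(tid3, "123456", T0)
    stale = T0 - RESOLVE_WINDOW - timedelta(days=1)
    desk.acknowledge(desk.open_request("CIF-1001", "access", stale), stale)
    desk.open_request("CIF-1001", "erase", T0 - ACK_WINDOW - timedelta(hours=1))
    out["escalations"] = sorted(reason for _, reason in desk.overdue(T0))
    return out
```

Two design points worth noting: `open_request` answers known and unknown identifiers identically so the public channel cannot be used to confirm which customer numbers exist, and `fulfil` refuses to disclose or erase anything until `verify` has succeeded against a code that only the registered number received. The `overdue` scan is what the CRM escalation described in section 3 amounts to; run it on a schedule and route the result to the DPO.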

Rule 13 transforms the legal concept of “rights of Data Principals” into an actionable, humane practice. By publishing clear contact channels, responding promptly, and maintaining a polite, transparent tone, organisations not only meet compliance requirements but also show genuine respect for the people whose data they hold.