Step 06 - Handling Data Principal Rights Requests
One of the central features of the Digital Personal Data Protection Act (DPDPA), 2023 is that it empowers individuals, known as Data Principals, with enforceable rights over their personal data. Organizations (Data Fiduciaries) must be prepared to receive, process, and respond to these requests in a structured and timely manner.
This step is about building a practical process for handling rights requests relating to access, correction, erasure, and consent withdrawal. (The Act also gives Data Principals a right of grievance redressal and a right to nominate another person to exercise these rights in the event of death or incapacity; those are outside the scope of this step.)
1. Right to Access
Every Data Principal has the right to obtain a summary of the personal data being processed about them, the processing activities performed on it, and the identities of all other Data Fiduciaries and Data Processors with whom it has been shared, together with a description of what was shared. One exception applies: the identity of another Data Fiduciary that is authorised by law to obtain the data for the prevention, detection, investigation or prosecution of offences or cyber incidents need not be disclosed.
- Organizations must set up a channel (such as a web portal, email ID, or app feature) for individuals to request this information.
- The requester's identity must be verified before anything is disclosed, preferably through the authenticated account or verified contact details already on file. An access request is an easy way for an impostor to obtain someone else's data, so the verification step matters as much as the response itself.
- The response must be clear and in simple language, not hidden in technical reports or raw database exports.
- Records of access requests, the verification performed, and the responses sent should be maintained for audit purposes.
A customer of an insurance company asks for details of all the medical records the insurer holds about them. After confirming the requester is the policyholder, the insurer must provide a summary of that data, explain the purpose for which it is processed (e.g., claims verification), and name the processors or third parties (such as a third-party administrator) with whom it has been shared.
2. Right to Correction
If the data is inaccurate, incomplete, or outdated, the Data Principal has the right to request correction, completion, or updating of the record.
- Organizations must verify both the identity of the requester and the accuracy of the new information before updating records, and do so promptly.
- The correction must reach every copy: internal systems, Data Processors acting on the organization's behalf, and any downstream recipients still using the old value.
- The individual should be notified once the correction is completed.
An employee finds that the HR system of the pharmaceutical company they work for still lists an old bank account for salary transfer. On request, HR must verify the new account details, correct the record (including any payroll processor that holds a copy), and confirm the change to the employee.
3. Right to Erasure
A Data Principal can request erasure of their personal data, and the Data Fiduciary must erase it unless retaining it is necessary for the specified purpose or for compliance with a law in force. Independently of any request, personal data must also be erased once consent has been withdrawn or the purpose for which it was collected is no longer being served, again unless the law requires retention.
- Exceptions apply where retention is required by law (e.g., tax, SEBI, IRDAI rules). Retained data should be restricted to that purpose, not left available for routine processing.
- Erasure is not complete until the organization has also caused its Data Processors to erase the data; a deletion in the primary system alone does not discharge the obligation.
- Backups need a documented approach: either the retention period after which deleted records age out of backup media is fixed and recorded, or a process exists to re-apply erasures after any restore, so that a restored backup does not silently resurrect data that was erased.
A user deletes their social media account and requests complete erasure of their photos and messages. The platform must remove the data from its systems and from any processors holding it (for example, a content delivery or analytics vendor), except for data it is legally required to retain, such as records relating to a pending legal dispute or a regulatory record-keeping obligation.
4. Right to Withdraw Consent
Consent must be as easy to withdraw as it was to give. Organizations must provide a process for this that is comparable in ease to the original consent flow.
- On withdrawal, the organization must, within a reasonable time, stop processing that personal data for the specified purpose and cause its Data Processors to stop as well, unless processing without consent is required or authorised by law.
- Withdrawal does not affect the lawfulness of processing done before it. The consequences of withdrawing consent (for example, a service that can no longer be provided) are borne by the Data Principal, and the organization should make those consequences clear at the point of withdrawal.
- Records of consent and of each withdrawal, with timestamps, must be maintained to demonstrate compliance.
A customer of an e-commerce platform withdraws consent to receive promotional emails. The company must ensure that the customer is removed from all marketing lists without delay, including any list held by an email marketing vendor that sends on its behalf.
5. Setting Up Internal Processes
To comply with these rights, organizations should:
- Publish the contact details of a person who can answer Data Principals' questions about the processing of their data, and set up a grievance redressal mechanism. Appointing a Data Protection Officer is mandatory only for organizations notified as Significant Data Fiduciaries, but a single accountable contact point is good practice for everyone.
- Establish a workflow for logging each request, verifying the requester's identity, tracking the response deadline prescribed under the rules, and recording what was done.
- Train employees, especially customer-facing teams, to recognize and route requests correctly.
- Use technology (like automated dashboards or CRM integrations) to track and respond within deadlines.
Rights requests are not just a formality; they are a test of accountability. How quickly and fairly an organization responds shows whether it respects individual privacy. Mishandling requests can lead to complaints, regulatory investigations, and penalties under the DPDPA.