Skip to main content

Rights of Data Principals

The Digital Personal Data Protection Act (DPDPA), 2023 gives every individual, known as the Data Principal, a set of rights over their personal data. These rights ensure that people are not left powerless once their information is collected by a company, government body, or any other organization. Instead, they have the ability to control how their data is used, corrected, and even deleted.

  • Right to Access Information
    Every person has the right to know what personal data an organization holds about them and how it is being used. This includes knowing the purpose of collection, the categories of data stored, and whether the data has been shared with third parties.

    Example

    If a mobile wallet app has collected your contact details and transaction history, you have the right to request a copy of this information and understand why it is being used.

  • Right to Correction and Erasure
    If the personal data held is incorrect, incomplete, or outdated, the individual has the right to get it corrected. They also have the right to request deletion of data once it is no longer needed for the stated purpose.

    Example

    If a job portal continues to store your old address even after you updated it, you can ask them to correct it. If you close your account, you can request them to erase all your details.

  • Right to Withdraw Consent
    If a person has given consent for their data to be used, they can later decide to take it back. Organizations must provide an easy way to withdraw consent without creating obstacles.

    Example

    If you once agreed to receive promotional emails from an e-commerce site but no longer want them, you can withdraw consent, and the company must stop sending you those messages.

  • Right to Grievance Redressal
    Every individual has the right to raise complaints about misuse of their data or delays in fulfilling their requests. Organizations are required to set up grievance redressal systems and respond within defined timelines.

    Example

    If you report a data breach to your bank, they must acknowledge and address your complaint rather than ignoring it.

  • Right to Nominate
    The Act allows a person to nominate someone else to exercise their data rights in case of their death or incapacity. This ensures that personal data is not left unmanaged.

    Example

    If a person passes away, their nominee can ask a social media platform to delete the account or request access to certain information.

  • Special Protection for Children and Persons with Disabilities
    The law requires verifiable parental or guardian consent before processing the personal data of children or persons with disabilities. This ensures that vulnerable individuals are not exploited.

    Example

    An online gaming platform must obtain parental approval before creating an account for a child under 18.

These rights together create a balance of power. Organizations cannot treat personal data as their property; they must respect the choices and dignity of individuals. By exercising these rights, people gain more confidence to use digital services without fearing misuse of their information.