
Q1 - What happens if a company ignores a Data Principal’s request for erasure or correction?

Answer

Under the Digital Personal Data Protection Act, 2023 (DPDPA), every Data Principal (the individual whose data is being processed) has a legal right to request correction, completion, updating, or erasure of their personal data. If a company (also known as a Data Fiduciary) ignores, delays, or refuses such a request without valid justification, this is considered a breach of its statutory obligation under Section 12, and the company may face investigation and monetary penalties imposed by the Data Protection Board of India.


1. The Right of Correction and Erasure

Section 12(1)
A Data Principal shall have the right to correction, completion, updating, and erasure of her personal data for which she has previously given consent.

Section 12(2)
The Data Fiduciary shall, on receipt of such a request, correct, complete, update, or erase the personal data as soon as may be practicable, unless retention is necessary for compliance with law or lawful purpose.

This means the company cannot simply ignore such a request.
It must either:

  • Act on the request and confirm completion, or
  • Provide a reasonable legal justification (for example, data retention required by tax or banking laws).

2. Escalation and Complaint Path

If the company fails to respond:

  1. The Data Principal may file a complaint with the Grievance Officer designated by the company under Section 13(1).
  2. If the issue remains unresolved, the Data Principal can escalate the complaint to the Data Protection Board of India under Section 28(1).
  3. The Board may initiate an inquiry under Section 27, summoning records and explanations from the company.

3. Possible Consequences and Penalties

If the Board finds that the company failed to act on the Data Principal’s request or violated its obligations under Section 12, it can impose penalties under Section 33(1) read with the Schedule.

Violation | Relevant Section | Maximum Penalty
Failure to fulfill obligations regarding correction/erasure | Section 12 | Up to ₹50 crore

In addition to monetary penalties, the Board may:

  • Direct the company to immediately correct or erase the data.
  • Issue a compliance order or warning.
  • Consider repeated non-compliance as an aggravating factor in future inquiries.

4. Legitimate Exceptions

The company may legally refuse or delay erasure if:

  • The data must be retained to comply with another law (e.g., income-tax records, KYC data).
  • The request conflicts with public interest, law enforcement, or legal obligations.

However, even in such cases, the company must communicate the reason for refusal transparently to the Data Principal.


Example

A fitness-tracking start-up continues to store a user’s health data even after the user requests deletion. The user files a complaint to the company’s grievance officer but receives no response for 30 days. She then escalates the case to the Data Protection Board, which orders the company to delete the data and imposes a ₹25-crore penalty for failing to act on the erasure request and violating Section 12.


5. Summary

Ignoring a Data Principal’s request for correction or erasure:

  • Violates Section 12 of the DPDPA.
  • Can trigger Board inquiry under Sections 27–28.
  • May result in fines up to ₹50 crore.
  • Damages trust and exposes the company to reputational risk.

Referenced Provisions:

  • Section 12(1)–(2) – Right to correction, completion, updating, and erasure.
  • Section 13(1) – Grievance-redressal mechanism.
  • Sections 27–28 – Inquiry and enforcement by the Data Protection Board.
  • Section 33(1) & Schedule (Entry 7) – Monetary penalties for non-compliance.