Q5 - How quickly must companies respond to such requests?
The Digital Personal Data Protection Act, 2023 (DPDPA) requires companies (called Data Fiduciaries) to respond to all lawful requests made by Data Principals — such as requests for access, correction, erasure, or withdrawal of consent — “as soon as may be practicable.” While the Act does not specify an exact number of days, this phrase establishes a legal duty of promptness and reasonableness, meaning companies must act without undue delay and in good faith.
1. Legal Reference
Section 12(2) —
The Data Fiduciary shall, on receipt of a request from the Data Principal, correct, complete, update or erase personal data as soon as may be practicable, unless retention is necessary for compliance with any law.
Section 13(2) —
The Data Fiduciary shall establish an effective grievance redressal mechanism, and must respond to a Data Principal’s grievance within such period as may be prescribed by the rules (to be notified by the Central Government).
2. Expected Time Frame (Practical Interpretation)
Since the exact period will be prescribed in upcoming rules, most experts and policy drafts interpret “as soon as practicable” to mean:
| Request Type | Recommended Response Window (Best Practice) |
|---|---|
| Correction, updating, or erasure of data | Within 7–15 working days |
| Withdrawal of consent | Immediate or within 72 hours |
| Access to data or data-sharing summary | Within 7–15 working days |
| Grievance acknowledgment | Within 24–48 hours |
| Full grievance resolution | Within 30 days (or sooner, once prescribed) |
These timelines are aligned with industry standards and reflect the intent of Section 13(2) to ensure timely grievance handling.
3. Escalation If the Company Fails to Respond
If a company delays or ignores a request:
- The Data Principal may file a complaint with the company’s Grievance Officer.
- If no satisfactory action occurs within the prescribed time, the Data Principal may escalate the matter to the Data Protection Board of India under Section 28(1).
- The Board can then inquire, issue directions, or impose penalties for non-compliance.
4. Penalties for Delayed or Ignored Requests
Under Section 33(1) and the Schedule, failure to respond to Data Principal requests (for access, correction, or erasure) may attract a penalty of up to ₹50 crore, depending on the gravity, duration, and intent of the violation.
For example: A social-media company receives a user’s request to delete their account data. The company neither responds nor acts for over a month. The user raises a grievance and later files a complaint with the Data Protection Board. After inquiry, the Board finds the delay unjustified and imposes a penalty of ₹15 crore for violation of Section 12(2) and Section 13(2).
5. Key Takeaway
Companies must:
- Acknowledge and act on requests quickly.
- Document response times for accountability.
- Resolve grievances promptly, as delays may be treated as non-compliance.
Acting “as soon as may be practicable” effectively means responding without unreasonable delay — demonstrating both procedural fairness and technical readiness.
Referenced Provisions:
- Section 12(2) – Obligation to act promptly on correction or erasure requests.
- Section 13(2) – Timely grievance-redressal requirement.
- Section 28(1) – Escalation to the Data Protection Board.
- Section 33(1) – Penalties for non-compliance.