India's Digital Personal Data Protection Act, 2023 was passed to strengthen the existing light-touch framework for digital personal data protection and to introduce a modern architecture for individual data rights. However, businesses endured two years of uncertainty while awaiting operational clarity promised in set rules to be issued under the parent law.

For many organizations, the lack of rules during this period meant that internal programs aimed at ensuring data principals' rights remained unimplemented. Much of this confusion arose from operational questions: how timelines would be defined; how to reconcile conflicting obligations, such as retention requirements with erasure requests; and how duties imposed on data principals would interact with their rights. 

With the notification of the Digital Personal Data Protection Rules, 2025 in November, these questions now have partial clarity. For instance, the rules provide guidance on automated response handling but remain silent on conflicting stakeholder claims or on when a data fiduciary may invoke a data principal's statutory duties to refuse a request. 

An important detail is the phased implementation timeline: Operational requirements related to data principal rights will take effect in May 2027, giving businesses time to design workflows, map data, build audit trails, and re-evaluate vendor obligations to ensure these rights are enforced throughout the ecosystem.

The law offers four broad rights to data principals — individuals to whom personal data relates — while assigning data fiduciaries, who determine the purposes and means of processing personal data, the primary responsibility for compliance and for upholding these rights.

The right to access information about personal data

The data protection framework permits a data principal to request specific information from a data fiduciary, including a summary of the personal data being processed, and the the processing activities undertaken. Additionally, the data principal can ask for the details of any shared personal data and the identities of all third parties with whom the data fiduciary has shared the data.

Though the current rules do not specify additional information categories, India's government retains the power to prescribe further information that data fiduciaries will be obligated to share with data principals when they exercise their access rights.

The ability to exercise an access right under the law is narrowly structured. A data principal can only exercise this right if a data fiduciary relies on their consent or the voluntary provision of personal data as a legal basis for processing personal data.

While consent is the primary legal basis for processing personal data under the law and most businesses rely on it for day-to-day data processing, the DPDPA also provides additional grounds for processing. For instance, data fiduciaries may process personal data for employment purposes or to comply with judgments, decrees and court orders. In cases where consent is not the grounds for processing personal data, data principals will have no access rights, thereby limiting the usefulness of this right.

The framework also exempts data fiduciaries from compliance when processing personal data that may be transferred to other data fiduciaries, including the government and state agencies, for purposes relating to the prevention, detection or investigation of offenses or cybersecurity incidents. From an EU-India and U.K.-India data-transfer perspective, data principals will not be notified of or have the legal right to confirm that their personal data is subject to interception or is being transferred to government bodies. This limits their ability to challenge such interception or access, raising concerns about the effectiveness of grievance redressal in India and creating tensions with EU and U.K. data protection standards. Effectively, data transfers to India remain challenging and will continue to require additional safeguards.

The right to correction, completion and erasure of personal data

Data principals have the right to correct inaccurate or misleading personal data, complete any missing information, and update personal data processed by data fiduciaries. Data fiduciaries have an obligation to ensure the personal data they process is complete, accurate, and consistent whenever they choose to use personal data to make decisions about data principals or otherwise share personal data with third-party data fiduciaries.

Data principals also have the right to seek the erasure of their personal data. In such instances and in cases where data principals withdraw consent initially provided for the processing of their personal data, data fiduciaries will be obliged to erase such personal data unless retention is necessary for the specified purpose for which it was processed or for compliance with applicable laws.

Data fiduciaries have a three-fold responsibility. First, data fiduciaries must employ systems that support data accuracy principles, such as offering data principals verification mechanisms to recheck and confirm datasets sourced directly from individuals. Second, they must use technical tools that enable effective correction, completion, updating, or erasure of personal data. These tools should enable data fiduciaries to ensure that any parties with whom personal data has been shared also comply with such requests. Finally, data fiduciaries must evolve complex data-retention strategies that can demonstrate adequate justifications for data retention.

As with the right to access information about personal data, the rights to correction and erasure of personal data only apply if a data fiduciary relies on consent or the voluntary provision of personal data as a basis for processing. In practice, this limitation operates differently from the restriction placed on access rights. Data fiduciaries are required to ensure accuracy while processing personal data when making decisions that impact data principals or when sharing it with other fiduciaries. However, restricted access rights may make it harder from them to achieve this accuracy. Businesses should, as a best practice, create a framework that accounts for the practical risks posed by such a narrow right. 

Separately, the law remains silent on whether personal data can be retained after exercising the right to erasure for the purpose of establishing, exercising, or defending legal claims. It is not uncommon for organizations to maintain a dispute-readiness practice that preserves data related to customer complaints, contractual disputes, regulatory inquiries or reasonably anticipated claims.

Considering the risk of enforcement actions, the lack of explicit guidance on post-erasure retention rights leaves businesses to develop internal retention policies. Processes should include segregating storage environments from active commercial processing, mapping retention periods against limitation periods to address litigation risk, applying data minimization principles, and implementing access control mechanisms.

The right of grievance redressal

Data principals have the right of grievance redressal in relation to a business's processing of their personal data. From an enforcement perspective, aggrieved data principals will be required to exhaust all grievance redressal processes before approaching the Data Protection Board of India, an adjudicating body established under the law, to file complaints.

Data fiduciaries, therefore, have an opportunity to create effective and tiered redressal mechanisms. As part of this process, such entities will be required to appoint grievance-redressal officers to handle front-end relationships with aggrieved individuals and to adopt internal standard operating procedures for resolution, escalation and workflows.

For most categories of data fiduciaries, the law does not prescribe minimum qualification or experience criteria for grievance redressal officers. In practice, legal, compliance or privacy personnel are likely to assume these roles and require internal teams to develop defensible processes in the absence of formalized professional benchmarks. However, significant data fiduciaries must appoint a data protection officer. These officers must be based in India and report directly to the board of directors or an equivalent governing body. Any governance structure ought to account for these criteria.

The right to nominate

Data principals have the right to nominate other individuals to act on their behalf in the event of their death or incapacity. An incapacity can include any unsoundness of mind or body. The law does not permit an individual to exercise rights on behalf of another individual in any case other than death or incapacity.

The right to withdraw consent

Where consent is the legal basis for processing personal data, the right to withdraw consent must be provided to data principals. Consent-withdrawal processes should be as straightforward as the mechanisms used to obtain consent from data principals.

The privacy notice accompanying consent requests must also inform data principals of the manner in which they can withdraw consent. Upon withdrawal of consent, all data processing must cease, unless processing is permitted on another legal basis under the data protection framework or under another law.

The law is also clear that the data principal must bear any consequences resulting from the withdrawal of consent, indicating businesses may stop offering goods and services to individuals once consent is withdrawn. However, the legalities of this defense remain untested.

Children's data

When an individual is under 18-years-old, a reference to a data principal includes the parent or legal guardian. Processing a child's personal data requires prior, verifiable parental consent. The law provides broad methods for verification, including reliance on prior identity verification undertaken by a parent or on government-recognized digital identity repositories. This design applies horizontally across sectors as the framework does not introduce any targeting thresholds based on whether a service is specifically aimed at children. As a result, even businesses that do not actively cater to minors are required to factor children's data into their compliance models.

Organizations will need to develop internal rules for verifying parental identity and authority, managing situations in which both parents seek to exercise their rights, and resolving conflicting instructions — for instance, in cases involving separated or divorced parents or cross-border custody arrangements. Since individuals under 18 do not have the legal capacity to enter into a contract, businesses may find merit in implementing parental instructions in relation to rights-requests over a child's instructions.

Given the scale at which data protection rights requests are likely to be processed, organizations may have to consider automated rights-management infrastructures rather than manual review. This may involve tagging child-linked user accounts at onboarding, routing requests through specialized verification and approval layers, and incorporating context-sensitive decision logic that evaluates the likely impact of a request on the child's interests. For example, the deletion of personal data from general-purpose platforms may align with the framework's protective intent whereas the deletion from education or classroom platforms could impair authentication, access or participation.

To prevent outcomes that are operationally or functionally adverse to children, any requests that pose risks should be automatically flagged for human review instead of being mechanically executed.

Operationalizing rights

The DPDPA and the DPDP Rules establish a limited procedural framework for exercising data principal rights. Organizations must prominently display the methods by which data principals can submit rights requests on their websites or apps and in their privacy notices. These methods ought to be supported by identifiers that permit the verification of an individual, such as customer numbers, email addresses or phone numbers. The law does not prescribe verification mechanisms, leaving businesses to decide what constitutes a fair balance between preventing impersonation and ensuring these mechanisms do not hinder the exercise of rights. Additionally, communication issued in response to rights requests must include the business contact information of the data protection officer — for significant data fiduciaries — or another individual capable of answering questions about data processing.

Grievance redressal forms an essential element of the operational framework. Organizations must establish processes capable of receiving and resolving grievances within 90 days. Businesses that do not currently maintain centralized grievance systems will need to create internal procedures that fit their operational models while meeting this timeline.

When operationalizing the right to nominate, data principals must be provided with the means and identifiers required to appoint individuals to act on their behalf in situations of death or incapacity. The law is silent on the evidentiary or verification standards that apply to nominees, permitting organizations to determine their own approaches.

Taken together, the legal framework establishes a baseline, albeit not a prescriptive one, that permits organizations to make practical and operational choices. These are consequently decisions that will need to balance legal compliance, internal system constraints, and sectoral risk considerations.

Exceptions

The law offers sweeping exceptions that may dilute a data principal's ability to effectively exercise their rights. Data principals have no rights over personal data they voluntarily made public or data processed for research, archival or statistical purposes, provided it is not used to make decisions about them. Therefore, data principals may find it almost impossible to exercise rights in respect to large-scale data mining and processing for the training of artificial intelligence systems and machine learning tools.

Employees will be unable to exercise rights against employers to seek information or the correction or erasure of their personal data. Most state-based processing is also exempt from the law.

Separately, the data protection framework applies extraterritorially. While a data fiduciary that undertakes any processing in India is subject to the law, certain exemptions apply to processing undertaken by companies based in India involving non-Indian data principals under contracts with non-Indian persons. Practically, these non-Indian data principals would be unable to exercise rights with regard to such Indian companies.

Additionally, data fiduciaries are under no obligation to recognize data principals' rights where the underlying processing is for:

• Enforcement of a legal right or claim.
• Prevention, detection, investigation or prosecution of any offense.
• Mergers, amalgamations or restructuring approved by relevant courts in India.
• Ascertaining financial information of individuals who are loan defaulters.

Data principal duties

In a first, data principals are subject to certain duties. For example, they are obligated to comply with the law, avoid impersonating other data principals, disclose all material information when providing personal information for government identifiers and other documents, refrain from registering false or frivolous complaints, and ensure that any information submitted for correction or erasure is verifiably authentic. This deterrence-based model differs structurally from many other data protection frameworks that permit organizations to assess whether rights requests are excessive and in such cases, deny their exercise. In both cases, the practical impact remains similar. Penalties for noncompliance include fines of up to INR10,000 (approximately USD100). It appears duties were imposed on data principals to mitigate vexatious complaints.

The way forward

Practically, the right to access operates as a foundational element of the rights framework. When organizations cannot reliably identify what personal data is processed, where it resides, or how it is shared, consistently implementing rights such as correction, updating and erasure becomes difficult.

At the same time, these downstream rights impose their own distinct operational burdens. Enabling access rights requires developing new, reliable data-discovery capabilities; correction, updating, and erasure rights require coordinated technical changes across systems. Organizations will need to reconcile legacy systems, maintain audit-ready data inventories, establish synchronization across internal platforms, and develop workflows that allow personal data to be surfaced, modified or erased where required.

Separately, adequate grievance redressal requires organizations to set up internal governance mechanisms, and nomination rights will require robust identity and authority verification. Grievance functions should be integrated into existing compliance or risk frameworks, supported by ticketing or case management systems, and periodically audited to ensure that outcomes are predictable, reasoned, and capable of being defended if reviewed by the DPBI. Nomination mechanisms must be designed to balance usability with safeguards against misuse. For most organizations, this will necessitate alignment between customer-facing teams, compliance functions and technical systems rather than treating nomination as a purely administrative formality.

Full series overview

The overview page for the full series can be accessed here.

• Scope, key definitions and lawful data processing
• Individual rights
• Obligations of data processing entities
• Enforcement and the Data Protection Board
• Cross-border data transfers
• Comparative analysis with the GDPR and other major data privacy laws
• Consent management
• Data audits for significant fiduciaries
• Data protection impact assessments
• Data breaches