
India’s Digital Personal Data Protection Act, 2023 (DPDPA) is a landmark piece of legislation that doesn’t just impose obligations on businesses; it fundamentally empowers you, the individual, or ‘Data Principal’, by granting specific rights over your personal data. Understanding these rights is crucial for navigating the digital world, enabling you to know how your data is being used and to exercise meaningful control over it. Businesses, termed ‘Data Fiduciaries’, are legally bound to facilitate these rights.
This guide will walk you through your key rights under the DPDPA, what you can demand, and how to ensure your personal data is handled responsibly.
Who is a Data Principal?
Under the DPDPA, you are a Data Principal if an organisation processes digital personal data that relates to you. This broad definition encompasses a wide range of individuals, including:
- Customers of businesses
- Employees of organisations
- Users of mobile applications and websites
- Website visitors
It’s important to note that if you are under 18 years of age (a child) or a person with a disability who has a lawful guardian, your rights as a Data Principal are typically exercised by your parent or lawful guardian, respectively.
Your Key Rights Under DPDPA
The DPDPA outlines several important rights granted to Data Principals. Let’s explore each one:
1. Right to Access Information
This right empowers you to obtain clarity from a Data Fiduciary about the personal data they hold concerning you.
What it means
You can request specific information from any Data Fiduciary to whom you’ve given consent for processing your data, or to whom you’ve voluntarily provided data under the ‘Legitimate Uses’ provision.
What you can demand
Upon request, a Data Fiduciary must provide:
- A summary of the personal data that is being processed
- Details about the processing activities, including how your data is being used
- The identities of all other Data Fiduciaries and Data Processors with whom your data has been shared, along with a description of the data shared with them
- Any other related information as may be prescribed by future rules
Limitation
This right to access information does not apply if your data was processed under other ‘Legitimate Uses’ (such as for employment purposes, legal compliance, or emergencies). Additionally, information regarding the identities of other Data Fiduciaries or Data Processors may be withheld if sharing such identities would compromise lawful investigations.
2. Right to Correction and Erasure
If you discover that personal data held by a Data Fiduciary is inaccurate, incomplete, or outdated, you have the right to have it rectified or deleted. This right primarily applies where processing is based on your consent or your voluntary provision of data.
What you can demand
- Correction: Request the Data Fiduciary to fix inaccurate or misleading personal data
- Completion: Ask for incomplete personal data to be completed
- Updating: Ensure outdated information is updated to reflect the current status
- Erasure: Request the deletion of your personal data
Limitation
A Data Fiduciary must erase your data upon request unless retention is necessary for the specific purpose for which it was collected or is required for compliance with any law currently in force.
3. Right to Grievance Redressal
The DPDPA ensures that you have accessible channels to voice concerns or complaints regarding how your data is handled.
What it means
You have the right to easily accessible ways to complain to a Data Fiduciary or a Consent Manager about any issues concerning their obligations or the exercise of your rights under the DPDPA.
How it works
Data Fiduciaries are mandated to provide a grievance redressal mechanism and must respond to your grievances within a prescribed timeframe (to be detailed in the DPDP Rules). Crucially, you must use this channel before escalating your complaint to the Data Protection Board (DPB).
4. Right to Nominate
A unique feature of the Indian DPDPA is the right to nominate another individual to exercise your rights on your behalf.
What it means
You can nominate another person who, in the event of your death or incapacity (due to unsoundness of mind or body), can exercise your rights under the DPDPA.
How it works
The exact manner of nomination will be detailed in the forthcoming DPDP Rules. Data Fiduciaries will be required to provide a mechanism for you to make such nominations.
Important Considerations for Data Principals
While the DPDPA grants you significant rights, there are also some important points to keep in mind:
Exercising Your Rights
Data Fiduciaries are required to publish details on how you can make requests to exercise your rights (as per Draft DPDP Rules). Generally, you will need to follow the specific process they have established.
Your Duties
With rights come responsibilities. As a Data Principal, you have certain duties:
- You must not provide false information when requesting correction or erasure of your data
- You must not file frivolous or vexatious complaints
- You must not impersonate another person when providing personal data or exercising rights
Failing to adhere to these duties can lead to penalties of up to ₹10,000.
Scope Limitations on Rights
As highlighted earlier, the rights to access, correction, and erasure primarily apply when the processing of your data is based on your explicit consent or your voluntary provision of data for a specific purpose. If data is processed under other ‘Legitimate Uses’ (like employment or legal compliance), these rights may be limited.
What if Your Rights Aren’t Respected?
The DPDPA provides a clear path for recourse:
- First, use the Data Fiduciary’s grievance redressal mechanism. This is a mandatory first step.
- If you are unsatisfied with their response, or if they do not respond within the prescribed timeline, you can then file a complaint with the Data Protection Board of India (DPB).
- The DPB has the power to investigate complaints and impose penalties on non-compliant Data Fiduciaries.
Conclusion: Empowering You in the Digital Age
The DPDPA significantly strengthens your control over your digital personal data. By understanding your rights to access, correct, erase, seek redressal, and nominate, you can take proactive steps to ensure your data is handled responsibly. Don’t hesitate to use the grievance mechanisms provided by businesses. Your awareness and proactive engagement play a vital role in shaping a more accountable and privacy-respecting digital landscape in India.
Disclaimer: The information provided in this article is for general informational purposes only and does not constitute legal advice. The content is based on the Digital Personal Data Protection Act, 2023, and the Draft DPDP Rules, which are subject to change. For advice on specific legal issues, please consult a qualified legal professional.