Module 02 — Data principal rights + Fiduciary obligations

DPDP Act 2023 + Rules 2026 Crash Course Module 02

Goal: Map every right + obligation to a practical action.

Rights of data principals (§11-§14)

  1. §11 — Right to information about processing (similar to GDPR Art. 15)
  2. §12 — Right to correction + erasure (similar to Art. 16-17, but with limits)
  3. §13 — Right to grievance redressal — file with Fiduciary first; escalate to DPB
  4. §14 — Right to nominate — appoint another individual to exercise rights upon death/incapacity

Notably absent: data portability, right to object to processing (compared to GDPR).

Obligations of fiduciaries (§8)

Every Fiduciary must:

  1. Process for lawful purpose only
  2. Implement reasonable security safeguards
  3. Notify the DPB + affected data principals of breaches
  4. Erase data when purpose is fulfilled (and inform Processors)
  5. Publish the business contact details of the grievance officer

Significant Data Fiduciary additional obligations

SDFs (notified by Government):

  1. Appoint Data Protection Officer (DPO) based in India
  2. Conduct Data Protection Impact Assessment (DPIA) for high-risk processing
  3. Conduct periodic audits by independent Data Auditors

Likely SDFs: large e-commerce, healthcare aggregators, banking, telco.

Children's data (§9)

  1. Verifiable parental consent required for processing children's data (under 18)
  2. No tracking, behavioural monitoring, or targeted advertising directed at children
  3. Cannot cause harm to children
  4. DPB can exempt platforms that demonstrate verifiable safe processing

Cross-border transfer (§16)

Default: data can flow to any country EXCEPT those notified as restricted by the Central Government.

This is more permissive than GDPR's adequacy decisions. The restricted list (when notified) becomes the bottleneck.

✅ Quiz

Quiz available from your course dashboard.

Last reviewed: 24 April 2026.