Yes, India now has a written law that lets you ask any company to correct or delete the personal data it holds about you. That right sits in Section 12 of the Digital Personal Data Protection Act, 2023. But there is an honest catch you must understand: the rules that let you actually enforce this right only start working on 13 May 2027. So this guide does two things. It shows you what you can do today to get your data deleted, and it shows you the new right and the exact date it switches on.
The table below is the heart of this article. The left column is what you can use right now. The right column is the new statutory machinery and its commencement date.
| What you can do TODAY | What changes FROM 13 May 2027 |
|---|---|
| Write to the company grievance officer and ask for deletion or correction | A formal statutory right to correction, completion, updating and erasure under DPDP Act 2023 Section 12 |
| Use the platform's own account-deletion and data-download tools | The Data Fiduciary must act on your request through the process set in the DPDP Rules 2025 |
| Rely on the older IT Act 2000 and the SPDI Rules 2011 for sensitive personal data | A Data Protection Board you can escalate to when a company ignores you |
| No fixed legal timeline that you can enforce through a regulator | Enforcement machinery, namely Rules 3, 5 to 16, 22 and 23, becomes operative on 13 May 2027 |
| Outcome depends on the company's own policy and goodwill | Outcome backed by statute, with defined exceptions for lawful retention |
The plain takeaway: the right exists in law now, but the system to enforce it against a company that refuses you is not yet switched on. Until 13 May 2027, you use the company's own channels and the older IT law.
Under the DPDP Act 2023, you are the Data Principal, which simply means the person the data is about. Any company, app or platform that decides how your data is used is the Data Fiduciary.
Section 12 gives you the right to ask a Data Fiduciary to:
On erasure, the law is specific. When you request it, the Data Fiduciary must erase your personal data, unless keeping it is necessary for the specified purpose for which it was collected, or for compliance with any law in force. That exception matters and is explained further below.
Your right to erasure is not a free-floating button. Under the DPDP Act 2023 it is tied to two situations:
When either trigger applies, the erasure right under Section 12 is engaged.
A company can lawfully refuse to delete in two cases. First, where retention is still necessary for the specified purpose for which the data was collected. Second, where any law in force requires the data to be kept.
This is why your bank, your tax records or your employer may not wipe everything on request. Financial, tax and similar records are often retained because another law requires it. This is not the company being difficult. It is the express exception written into the DPDP Act 2023. Expect it, and ask the company to delete everything that does not fall under a genuine legal-retention duty.
You do not have to wait for 2027 to act. Most large platforms already have a grievance officer and an in-app delete option. Here is a clean, polite request you can adapt and send by email to the company's grievance officer.
Subject: Request to delete and correct my personal data
To the Grievance Officer,
My name is Dr. Shrawan Kumar Pathak. I am a user of your service, registered with the email and mobile number on file.
I withdraw my consent to the further processing of my personal data and request that you erase the personal data you hold about me, except any data you are legally required to retain.
Please also correct the following inaccurate detail in my account: [state the wrong field and the correct value].
Kindly confirm in writing within a reasonable time what has been deleted, what has been corrected, and what you are retaining and under which law.
Yours faithfully,
Dr. Shrawan Kumar Pathak
Keep a copy of the email. If the company ignores you, escalate inside the company first, and remember that for sensitive personal data the IT Act 2000 and the SPDI Rules 2011 still apply today. If you are unsure which authority oversees a particular sector, see which regulator to complain to.
The DPDP Rules 2025 were notified on 13 November 2025 through Gazette G.S.R. 846(E) by the Ministry of Electronics and Information Technology, known as MeitY. But the rules do not all start on the same day. They are phased.
So from 13 May 2027 you should be able to use a published, statute-backed process to make a request, and to escalate to the Data Protection Board if a company does not act. Until that date, the right is on the books, but the enforcement route through the Board is not yet live for these provisions. Treat 13 May 2027 as the day the teeth arrive.
This is a genuine new citizen power, in the same family of accountability rights as the RTI Act 2005 that lets you demand information from the government. For a wider view of how to assert your rights against institutions, see The RTI Playbook. If you also need to file an RTI to a public authority on a related issue, the AI RTI Drafter can help you write it.
Not through the DPDP enforcement system, because that machinery starts on 13 May 2027. Today you can ask the company through its grievance officer and in-app tools, and rely on the IT Act 2000 and the SPDI Rules 2011 for sensitive personal data. The statutory right under Section 12 exists, but its enforcement route is not yet switched on.
The right to correction and erasure is written into the DPDP Act 2023 Section 12, so it exists in law. Enforceable means there is a working process and a body to escalate to. For these rights, that process, set by Rules 3, 5 to 16, 22 and 23 of the DPDP Rules 2025, becomes operative only on 13 May 2027.
13 May 2027. The DPDP Rules 2025 were notified on 13 November 2025 by MeitY through Gazette G.S.R. 846(E), and the citizen-rights rules start eighteen months later, on 13 May 2027.
Yes, in two cases. If retention is still necessary for the specified purpose for which the data was collected, or if another law in force requires the data to be kept. This is an express exception in the DPDP Act 2023. Records like tax and financial data are commonly retained for this reason.
Withdrawal of consent is one of the two triggers for erasure under the DPDP Act 2023, the other being that the purpose has ended. Even then, the company may keep data it is legally required to retain. So withdrawal starts the process but does not always wipe everything.
From 13 May 2027 you will be able to escalate to the Data Protection Board once the relevant rules are operative. Today, escalate within the company first, keep written records, and use the IT Act 2000 and SPDI Rules 2011 framework for sensitive personal data.