How to exercise your Data Protection rights under DPDP — complete 2026 guide

The DPBI received roughly 47,000 complaints in its first 9 months of operation (Aug 2025 – April 2026, MeitY press note). Around 62% were resolved by the data fiduciary as soon as the DPBI sent its initial intimation — most companies fold the moment a regulator is in the loop.

The Digital Personal Data Protection Act, 2023 (Act No. 22 of 2023) is India's first cross-sectoral privacy law. It received Presidential assent on 11 August 2023. Operational rules — the DPDP Rules, 2025 — were notified by MeitY in two phases (the first set in March 2025 covering data principal rights, the second covering breach notification and significant data fiduciaries in October 2025).

Under the Act:

• Data Principal = you, the person whose data is being processed.
• Data Fiduciary = any company, NGO, or government body that decides why and how to process your data (e.g., a bank, hospital, e-commerce site, school, college, your gym, an app).
• Data Processor = a third party processing data on the fiduciary's behalf (e.g., a cloud provider, a call-centre vendor).
• Significant Data Fiduciary (SDF) = larger entities notified by the Government — they have extra obligations (independent DPO, Data Protection Impact Assessment, audit).

Your rights apply to any digital personal data — anything that identifies you (name + email, phone, Aadhaar, photo, voiceprint, IP address, browsing data, biometric data, financial data). The Act applies whether the data is processed inside India, or outside India in connection with offering goods or services to people in India (§3).

Right to access information about personal data — §11. A summary of the personal data being processed, the processing activities, and the identities of any other data fiduciaries with whom your data has been shared.

Right to correction, completion, updation, and erasure — §12. You can demand correction of inaccurate or misleading data, completion of incomplete data, update of out-of-date data, and erasure of data once the purpose is fulfilled or you withdraw consent (with limited carve-outs for legal compliance).

Right of grievance redressal — §13. Every Data Fiduciary must publish a Grievance Officer's name and contact. They must respond within their stated SLA (per Rule 13(3) of DPDP Rules 2025, the maximum is 90 days; most companies commit to 15-30 days in their privacy policy).

Right to nominate — §14. You can nominate one or more individuals who will exercise your rights in case of your death or incapacity.

Right to withdraw consent — §6(4). Consent is the primary legal basis for processing under DPDP. Withdrawal must be as easy as the giving — typically a “delete account” button or a written email.

These rights are NOT absolute. They can be limited where processing is for compliance with a court order, prevention/detection of an offence, or under any other Indian law (§17 exemptions).

Open the company's app or website → “Privacy Policy” or “Privacy Notice”. Under DPDP Rule 12, every privacy policy must publish:

• Name + designation + email of the Grievance Officer / Data Protection Officer.
• The stated SLA for responding to data-principal requests.
• The procedure for nominating someone.
• The link to the consent-management dashboard (if any).

If the policy is missing this, that's itself a violation — file a DPBI complaint citing §13 + Rule 12.

Email is fine. Use this template:

To: grievance.officer@example.com
Subject: Data Principal Request under §12 of DPDP Act 2023 — [Erasure / Correction / Access]

Dear Sir/Madam,

I am a Data Principal under the Digital Personal Data Protection Act, 2023.
My identifiers with your organisation are:
  - Registered name: ____________
  - Registered mobile: ____________
  - Registered email: ____________
  - Customer/Account ID (if any): ____________
  - Aadhaar last 4 digits (only if used in KYC): ____________

I hereby request you to:
[Erasure]   delete all personal data collected from me, including
            KYC documents, transaction records (subject to your statutory
            retention obligations), marketing profile, device identifiers,
            and any inferred attributes. Kindly issue a deletion certificate.
[Access]    provide a complete summary of personal data held about me,
            the categories of processing, and the identities of any third
            parties with whom my data has been shared, under §11 of the Act.
[Correction] correct the following inaccurate information: ____________

Please confirm receipt within 7 days and resolve the request within your
stated SLA (which per your privacy policy is __ days).

If I do not receive a substantive response, I will exercise my right under
§13(3) of the Act and file a complaint with the Data Protection Board of India.

Yours sincerely,
[Name]
[Date]

Send by email and keep a screenshot. If you have a registered address with the company, also send a hard copy by Speed Post — adds proof for the DPBI later.

When the SLA expires, send one reminder email — same body, with “REMINDER” in the subject and “first email dated DD-MM-YYYY”. This builds your evidence trail and triggers the company's escalation matrix internally.

Most apps now have an in-app “Help → Privacy → Submit a privacy request” flow (mandated under Rule 13). File the same request there too. Save the ticket number — this is admissible at the DPBI.

• Open https://www.dpbi.gov.in (live since August 2025).
• Click “File a Complaint” → register with mobile + Aadhaar OTP (Aadhaar is for identity binding only; not stored as plaintext per Rule 22).
• Fill the digital form — choose category (Erasure not honoured / Correction refused / Data breach / Excessive collection / Children's data / Lack of grievance officer).
• Upload your evidence: original request email, reminder, company's response (or “no response” affidavit), screenshots of harm (e.g., spam SMS).
• Submit. You'll get a 16-digit complaint number by SMS.

The DPBI is constituted under §18 of the DPDP Act and headquartered in New Delhi. It functions as a digital-by-design adjudicatory body — most proceedings are paperless and conducted over video.

• The Board first sends the data fiduciary a notice under §28 to respond within 30 days.
• If the fiduciary fails to remediate, the Board can hold an inquiry, summon witnesses, and require records.
• Final order can include: direction to comply, monetary penalty up to ₹250 crore per breach, or both.
• Appeal lies to the Telecom Disputes Settlement and Appellate Tribunal (TDSAT) within 60 days under §29.

Under §6(7) and Rule 4, MeitY has begun registering Consent Managers — neutral third parties (often DigiLocker-linked) where you can see all your active consents in one dashboard and withdraw them in bulk. As of April 2026 there are 11 registered Consent Managers; check the live list on https://meity.gov.in.

If the trigger was a data breach (your data leaked publicly), in addition to the DPBI complaint, also report it to CERT-In at incident@cert-in.org.in (under the CERT-In Directions of April 2022). CERT-In acts on the technical side; DPBI acts on the rights side. Both can run in parallel.

+--------------------------------------+--------------------------------------+
| Action                               | Fee / Time                            |
+--------------------------------------+--------------------------------------+
| Sending request to data fiduciary    | NIL fee. SLA per privacy policy      |
| (email / in-app)                     | (Rule 13(3) cap = 90 days).          |
+--------------------------------------+--------------------------------------+
| Filing complaint with DPBI           | NIL fee. Online portal at dpbi.gov.in|
| (online)                             | First action: 30-day notice to        |
|                                      | fiduciary under §28.                  |
+--------------------------------------+--------------------------------------+
| Appeal to TDSAT against DPBI order   | Fees per TDSAT rules (₹500 –        |
|                                      | ₹10,000 depending on penalty value). |
|                                      | Time limit: 60 days from order.      |
+--------------------------------------+--------------------------------------+
| Maximum penalty on Data Fiduciary    | ₹250 crore — for failure to take    |
| (§33 + Schedule)                     | reasonable security safeguards or    |
|                                      | breach notification failure.          |
|                                      | ₹200 crore — children's data        |
|                                      | violations.                           |
|                                      | ₹150 crore — Significant Data       |
|                                      | Fiduciary obligations.                |
|                                      | ₹50 crore — other violations.       |
+--------------------------------------+--------------------------------------+
| Penalty on Data Principal for        | Up to ₹10,000 — for furnishing      |
| frivolous / false complaints         | false particulars or identity, or    |
| (§15 + Schedule)                     | vexatious complaints.                 |
+--------------------------------------+--------------------------------------+
| RTI to MeitY / DPBI for status of    | ₹10 by IPO. BPL = free.              |
| your DPBI complaint                  |                                       |
+--------------------------------------+--------------------------------------+

• You sent it to a generic email (support@, info@, hello@). These tickets are routed to L1 customer service which has no privacy training. Always use the Grievance Officer email named in the privacy policy.
• You didn't authenticate yourself. The fiduciary is required (Rule 13(2)) to verify identity before acting. Provide name + registered mobile + customer ID. Do not share your password or full Aadhaar number.
• You demanded erasure of data covered by a retention obligation. Banks must retain KYC for 8 years post-relationship under PMLA Rule 9; telcos must retain CDRs for 1 year under Unified License conditions. Erasure can be refused for these — but the fiduciary must say so in writing and erase what's not retained.
• You forgot to withdraw consent first. Erasure under §12(3) is contingent on either purpose-fulfilment or consent withdrawal. Do both: “I withdraw my consent under §6(4) and request erasure under §12(3).”
• Your request was vague (“delete everything you have”). Be specific — list categories: KYC, transaction history, behavioural profile, marketing list, device IDs.
• Children's data — but no parent verification. For data principals below 18, the request must come from the verified parent / lawful guardian under §9 + Rule 10.
• The data fiduciary claims an §17 exemption (research / journalism / law enforcement / startups notified by Government). Ask them to cite the specific clause and document.
• The privacy policy itself is non-compliant. No grievance officer, no SLA, no nomination procedure. This is the easiest DPBI complaint to win.

• Email + in-app channel. Wait the SLA + one reminder. Most companies act here.

For regulated sectors, you can also file with the sector regulator — they often act faster than the DPBI in the early years:

• Banks / NBFCs / lending apps: RBI's Integrated Ombudsman Scheme via https://cms.rbi.org.in. RBI has a Cyber Security Framework that overlaps with DPDP.
• Telecom: TRAI complaint at https://www.tcccpr.trai.gov.in (especially for spam SMS / UCC).
• Insurance: IRDAI's Bima Bharosa portal.
• Healthcare: State Medical Council + National Medical Commission (for hospital data leaks).
• Schools / Education: State Commission for Protection of Child Rights + UGC for higher ed.

• https://www.dpbi.gov.in → “File a Complaint”.
• Statutory powers under §27-§28. Penalty up to ₹250 crore.
• Most proceedings are video-conferenced; lawyer not required.

• Telecom Disputes Settlement and Appellate Tribunal at https://tdsat.gov.in.
• Appeal against DPBI order — 60-day window.
• Lawyer recommended at this stage.

• Writ petition under Article 226 (High Court) for fundamental-rights breach — privacy is a fundamental right after K.S. Puttaswamy v. Union of India (2017) 10 SCC 1.
• Used for systemic violations (e.g., a state government scheme that mass-collects data without legal basis).

This is where the legal clock kicks in for government data fiduciaries. The DPBI itself, MeitY, and any government department holding your data are public authorities under §2(h) of the RTI Act 2005.

RTI helps here when:

• You want the status of your DPBI complaint that's been pending more than 30 days — file an RTI to PIO, Data Protection Board of India, asking for case status, hearing dates, and notice issued.
• A government scheme has collected your Aadhaar / biometrics / address and you want to know what's done with it — RTI to the implementing department under §2(j) (right to inspect documents and obtain certified copies).
• Your data was leaked in a government data breach (e.g., a state portal exposed beneficiary lists) — RTI to the department for the breach-investigation report and remediation steps.
• You want to see the DPDP rule notifications, circulars, or templates issued internally — RTI to PIO, MeitY.
• You want the list of Significant Data Fiduciaries notified, or Consent Managers registered — RTI to MeitY's Cyber Laws Division.

See the dedicated guide: How to write an effective RTI application — full template.

RTI does NOT help here when:

• Your complaint is against a private company (Flipkart, Zomato, a fintech). RTI Act applies only to public authorities — go to DPBI or sector regulator instead.
• You want a legal opinion on whether processing is lawful — that's adjudication, not “information held”.
• The request is about another person's data — RTI §8(1)(j) bars disclosure of personal information of third parties unless larger public interest is shown.
• You want commercial confidence information about a fiduciary's security architecture — exempt under §8(1)(d).
• The DPBI is in active inquiry — the file may be exempt under §8(1)(h) (impede investigation) until the order is passed.

Q. Can I demand a hospital delete my medical records?
Partly. Hospitals must retain medical records for 3 years (OPD) / 5 years (IPD) under the Indian Medical Council Regulations 2002 and longer under state-specific rules. You can demand erasure of marketing data and non-clinical profiling, but clinical records are retained. You can ask for a certified copy of your records (a separate right under MCI rules + DPDP §11).

Q. My ex spouse is using our wedding photos on social media. Can I use DPDP?
Photos are personal data, but DPDP §17(2) exempts processing for personal or domestic purposes. For a non-commercial individual posting, your remedy is more likely under IT Rules 2021 (intermediary takedown), §354C IPC (voyeurism if applicable), or a civil injunction. DPDP can apply if the platform itself (Facebook/Instagram) refuses to act on your erasure request.

Q. Does DPDP apply to my employer?
Yes — your employer is a Data Fiduciary for your HR file. They have a legal basis (“legitimate use” under §7 — contract of employment), so they don't need fresh consent for routine processing. But you can demand correction of incorrect data, access to your file, and deletion of non-statutory data after exit (typically 8 years post-exit due to PF / Income Tax retention rules).

Q. I'm dead — what about my data?
Use §14: nominate one or more persons (in writing to each major Data Fiduciary). Your nominee can then exercise erasure / access rights post-mortem. The nomination procedure is per Rule 14 and varies slightly by fiduciary.

Q. The DPBI hasn't replied in 60 days. What now?
File an RTI to DPBI's PIO for status. Simultaneously, file a CPGRAMS grievance under the “MeitY → Data Protection Board” route. Consistent escalation triggers internal review.

Q. Can I sue the company for damages?
DPDP itself does NOT create a private right of compensation (a major omission compared to GDPR). However, you can: (a) seek penalty via DPBI, (b) sue separately in civil court for breach of confidence / negligence, © approach Consumer Forum if the data leak caused a deficiency in service. The Madras High Court has begun recognising compensation claims for data breaches in Karthick v. UIDAI (2024).

Q. My child's school posts class photos online without my consent. Is that allowed?
Under §9 + Rule 10, processing of children's data (under 18) requires verifiable parental consent and prohibits behavioural tracking + targeted ads. Class photos are a grey area; safest is to send the school a §9 objection. If they continue, complain to the State Commission for Protection of Child Rights and the DPBI.

Q. Is there a fee to nominate someone under §14?
No. Nomination is free and must be accepted by the fiduciary. Some banks / brokers have a paper form; many apps have a digital nomination flow.

• RTI in 12 simple steps — for first-time filers
• How to write an effective RTI application — full template
• How to get free legal aid / a free lawyer in 2026
• How to transfer property by gift deed in 2026
• All Indian government helplines — one master directory

Last reviewed: 26 April 2026 by RTI Wiki editorial team. The DPDP Rules 2025 are still being phased in; some sub-rules may change. Verify on https://www.meity.gov.in or write to admin@bighelpers.in if you spot a stale figure.