Yes, India now has a written law that lets you ask any company to correct or delete the personal data it holds about you. That right sits in Section 12 of the Digital Personal Data Protection Act, 2023. But there is an honest catch you must understand: the rules that let you actually enforce this right only start working on 13 May 2027. So this guide does two things. It shows you what you can do today to get your data deleted, and it shows you the new right and the exact date it switches on.

The table below is the heart of this article. The left column is what you can use right now. The right column is the new statutory machinery and its commencement date.

The plain takeaway: the right exists in law now, but the system to enforce it against a company that refuses you is not yet switched on. Until 13 May 2027, you use the company's own channels and the older IT law.

Under the DPDP Act 2023, you are the Data Principal, which simply means the person the data is about. Any company, app or platform that decides how your data is used is the Data Fiduciary.

Section 12 gives you the right to ask a Data Fiduciary to:

• Correct inaccurate or misleading personal data
• Complete data that is incomplete
• Update data that is out of date
• Erase your personal data

On erasure, the law is specific. When you request it, the Data Fiduciary must erase your personal data, unless keeping it is necessary for the specified purpose for which it was collected, or for compliance with any law in force. That exception matters and is explained further below.

Your right to erasure is not a free-floating button. Under the DPDP Act 2023 it is tied to two situations:

1. You withdraw your consent. If a company was holding your data because you agreed, and you take that agreement back, the basis for holding it falls away.
2. The purpose has ended. If the reason your data was collected is over, the company no longer has a live purpose to keep it.

When either trigger applies, the erasure right under Section 12 is engaged.

A company can lawfully refuse to delete in two cases. First, where retention is still necessary for the specified purpose for which the data was collected. Second, where any law in force requires the data to be kept.

This is why your bank, your tax records or your employer may not wipe everything on request. Financial, tax and similar records are often retained because another law requires it. This is not the company being difficult. It is the express exception written into the DPDP Act 2023. Expect it, and ask the company to delete everything that does not fall under a genuine legal-retention duty.

You do not have to wait for 2027 to act. Most large platforms already have a grievance officer and an in-app delete option. Here is a clean, polite request you can adapt and send by email to the company's grievance officer.

Subject: Request to delete and correct my personal data

To the Grievance Officer,

My name is Dr. Shrawan Kumar Pathak. I am a user of your service, registered with the email and mobile number on file.

I withdraw my consent to the further processing of my personal data and request that you erase the personal data you hold about me, except any data you are legally required to retain.

Please also correct the following inaccurate detail in my account: [state the wrong field and the correct value].

Kindly confirm in writing within a reasonable time what has been deleted, what has been corrected, and what you are retaining and under which law.

Yours faithfully,
Dr. Shrawan Kumar Pathak

Keep a copy of the email. If the company ignores you, escalate inside the company first, and remember that for sensitive personal data the IT Act 2000 and the SPDI Rules 2011 still apply today. If you are unsure which authority oversees a particular sector, see which regulator to complain to.

The DPDP Rules 2025 were notified on 13 November 2025 through Gazette G.S.R. 846(E) by the Ministry of Electronics and Information Technology, known as MeitY. But the rules do not all start on the same day. They are phased.

• Some governance rules, namely Rules 1, 2 and 17 to 21, and the Data Protection Board provisions, started on 13 November 2025.
• Consent-manager registration, which is Rule 4, starts on 13 November 2026.
• The citizen-facing machinery for exercising your correction and erasure rights, namely Rules 3, 5 to 16, 22 and 23, becomes operative on 13 May 2027, eighteen months after notification.

So from 13 May 2027 you should be able to use a published, statute-backed process to make a request, and to escalate to the Data Protection Board if a company does not act. Until that date, the right is on the books, but the enforcement route through the Board is not yet live for these provisions. Treat 13 May 2027 as the day the teeth arrive.

This is a genuine new citizen power, in the same family of accountability rights as the RTI Act 2005 that lets you demand information from the government. For a wider view of how to assert your rights against institutions, see The RTI Playbook. If you also need to file an RTI to a public authority on a related issue, the AI RTI Drafter can help you write it.

Not through the DPDP enforcement system, because that machinery starts on 13 May 2027. Today you can ask the company through its grievance officer and in-app tools, and rely on the IT Act 2000 and the SPDI Rules 2011 for sensitive personal data. The statutory right under Section 12 exists, but its enforcement route is not yet switched on.

The right to correction and erasure is written into the DPDP Act 2023 Section 12, so it exists in law. Enforceable means there is a working process and a body to escalate to. For these rights, that process, set by Rules 3, 5 to 16, 22 and 23 of the DPDP Rules 2025, becomes operative only on 13 May 2027.

13 May 2027. The DPDP Rules 2025 were notified on 13 November 2025 by MeitY through Gazette G.S.R. 846(E), and the citizen-rights rules start eighteen months later, on 13 May 2027.

Yes, in two cases. If retention is still necessary for the specified purpose for which the data was collected, or if another law in force requires the data to be kept. This is an express exception in the DPDP Act 2023. Records like tax and financial data are commonly retained for this reason.

Withdrawal of consent is one of the two triggers for erasure under the DPDP Act 2023, the other being that the purpose has ended. Even then, the company may keep data it is legally required to retain. So withdrawal starts the process but does not always wipe everything.

From 13 May 2027 you will be able to escalate to the Data Protection Board once the relevant rules are operative. Today, escalate within the company first, keep written records, and use the IT Act 2000 and SPDI Rules 2011 framework for sensitive personal data.

• The Digital Personal Data Protection Act, 2023, Section 12, Ministry of Electronics and Information Technology (MeitY)
• The Digital Personal Data Protection Rules, 2025, notified 13 November 2025 via Gazette G.S.R. 846(E), MeitY
• Information Technology Act, 2000 and the IT (Reasonable Security Practices) SPDI Rules, 2011, MeitY

• Which regulator to complain to
• RTI Act 2005
• AI RTI Drafter