📱Test our Android app — free beta!Join Beta GroupYou'll receive the install link by email after joining.

Differences

This shows you the differences between two versions of the page.


dpdp-right-to-erasure-correction-personal-data-2025 [2026/07/10 20:46] (current) – created - external edit 127.0.0.1
Line 1: Line 1:
 +{{htmlmetatags>metatag-description=(Yes, India has a legal right to erase your personal data under the DPDP Act 2023, but enforcement starts 13 May 2027. Here is what you can do today.)&metatag-keywords=(right to erase personal data India, DPDP Act 2023 Section 12, data correction erasure, DPDP Rules 2025)&metatag-robots=(index,follow)&metatag-og:title=(Your Right to Erase Personal Data in India 2026)&metatag-og:description=(Yes, India has a legal right to erase your personal data under the DPDP Act 2023, but enforcement starts 13 May 2027. Here is what you can do today.)&metatag-og:type=(article)}}
  
 +===== Your Right to Erase Personal Data in India: 2026 Guide =====
 +
 +Yes, India now has a written law that lets you ask any company to correct or delete the personal data it holds about you. That right sits in Section 12 of the Digital Personal Data Protection Act, 2023. But there is an honest catch you must understand: the rules that let you actually enforce this right only start working on 13 May 2027. So this guide does two things. It shows you what you can do today to get your data deleted, and it shows you the new right and the exact date it switches on.
 +
 +==== TODAY vs from 13 May 2027: at a glance ====
 +
 +The table below is the heart of this article. The left column is what you can use right now. The right column is the new statutory machinery and its commencement date.
 +
 +^ What you can do TODAY ^ What changes FROM 13 May 2027 ^
 +| Write to the company grievance officer and ask for deletion or correction | A formal statutory right to correction, completion, updating and erasure under DPDP Act 2023 Section 12 |
 +| Use the platform's own account-deletion and data-download tools | The Data Fiduciary must act on your request through the process set in the DPDP Rules 2025 |
 +| Rely on the older IT Act 2000 and the SPDI Rules 2011 for sensitive personal data | A Data Protection Board you can escalate to when a company ignores you |
 +| No fixed legal timeline that you can enforce through a regulator | Enforcement machinery, namely Rules 3, 5 to 16, 22 and 23, becomes operative on 13 May 2027 |
 +| Outcome depends on the company's own policy and goodwill | Outcome backed by statute, with defined exceptions for lawful retention |
 +
 +The plain takeaway: the right exists in law now, but the system to enforce it against a company that refuses you is not yet switched on. Until 13 May 2027, you use the company's own channels and the older IT law.
 +
 +==== What Section 12 actually says ====
 +
 +Under the DPDP Act 2023, you are the Data Principal, which simply means the person the data is about. Any company, app or platform that decides how your data is used is the Data Fiduciary.
 +
 +Section 12 gives you the right to ask a Data Fiduciary to:
 +
 +  * Correct inaccurate or misleading personal data
 +  * Complete data that is incomplete
 +  * Update data that is out of date
 +  * Erase your personal data
 +
 +On erasure, the law is specific. When you request it, the Data Fiduciary must erase your personal data, unless keeping it is necessary for the specified purpose for which it was collected, or for compliance with any law in force. That exception matters and is explained further below.
 +
 +==== The two triggers for erasure ====
 +
 +Your right to erasure is not a free-floating button. Under the DPDP Act 2023 it is tied to two situations:
 +
 +  - **You withdraw your consent.** If a company was holding your data because you agreed, and you take that agreement back, the basis for holding it falls away.
 +  - **The purpose has ended.** If the reason your data was collected is over, the company no longer has a live purpose to keep it.
 +
 +When either trigger applies, the erasure right under Section 12 is engaged.
 +
 +==== The exception you must expect: lawful retention ====
 +
 +A company can lawfully refuse to delete in two cases. First, where retention is still necessary for the specified purpose for which the data was collected. Second, where any law in force requires the data to be kept.
 +
 +This is why your bank, your tax records or your employer may not wipe everything on request. Financial, tax and similar records are often retained because another law requires it. This is not the company being difficult. It is the express exception written into the DPDP Act 2023. Expect it, and ask the company to delete everything that does not fall under a genuine legal-retention duty.
 +
 +==== How to send a deletion request TODAY ====
 +
 +You do not have to wait for 2027 to act. Most large platforms already have a grievance officer and an in-app delete option. Here is a clean, polite request you can adapt and send by email to the company's grievance officer.
 +
 +> Subject: Request to delete and correct my personal data
 +>
 +> To the Grievance Officer,
 +>
 +> My name is Dr. Shrawan Kumar Pathak. I am a user of your service, registered with the email and mobile number on file.
 +>
 +> I withdraw my consent to the further processing of my personal data and request that you erase the personal data you hold about me, except any data you are legally required to retain.
 +>
 +> Please also correct the following inaccurate detail in my account: [state the wrong field and the correct value].
 +>
 +> Kindly confirm in writing within a reasonable time what has been deleted, what has been corrected, and what you are retaining and under which law.
 +>
 +> Yours faithfully,
 +> Dr. Shrawan Kumar Pathak
 +
 +Keep a copy of the email. If the company ignores you, escalate inside the company first, and remember that for sensitive personal data the IT Act 2000 and the SPDI Rules 2011 still apply today. If you are unsure which authority oversees a particular sector, see [[https://righttoinformation.wiki/which-regulator-to-complain-to-india-sebi-rbi-irdai-trai-dgca-hub|which regulator to complain to]].
 +
 +==== What changes on 13 May 2027 ====
 +
 +The DPDP Rules 2025 were notified on 13 November 2025 through Gazette G.S.R. 846(E) by the Ministry of Electronics and Information Technology, known as MeitY. But the rules do not all start on the same day. They are phased.
 +
 +  * Some governance rules, namely Rules 1, 2 and 17 to 21, and the Data Protection Board provisions, started on 13 November 2025.
 +  * Consent-manager registration, which is Rule 4, starts on 13 November 2026.
 +  * The citizen-facing machinery for exercising your correction and erasure rights, namely Rules 3, 5 to 16, 22 and 23, becomes operative on 13 May 2027, eighteen months after notification.
 +
 +So from 13 May 2027 you should be able to use a published, statute-backed process to make a request, and to escalate to the Data Protection Board if a company does not act. Until that date, the right is on the books, but the enforcement route through the Board is not yet live for these provisions. Treat 13 May 2027 as the day the teeth arrive.
 +
 +This is a genuine new citizen power, in the same family of accountability rights as the [[https://righttoinformation.wiki/act|RTI Act 2005]] that lets you demand information from the government. For a wider view of how to assert your rights against institutions, see [[https://righttoinformation.wiki/book|The RTI Playbook]]. If you also need to file an RTI to a public authority on a related issue, the [[https://righttoinformation.wiki/tools/ai-rti-draft-app.html|AI RTI Drafter]] can help you write it.
 +
 +==== FAQ ====
 +
 +==== Can I force a company to delete my data right now in 2026? ====
 +
 +Not through the DPDP enforcement system, because that machinery starts on 13 May 2027. Today you can ask the company through its grievance officer and in-app tools, and rely on the IT Act 2000 and the SPDI Rules 2011 for sensitive personal data. The statutory right under Section 12 exists, but its enforcement route is not yet switched on.
 +
 +==== What is the difference between the right existing and it being enforceable? ====
 +
 +The right to correction and erasure is written into the DPDP Act 2023 Section 12, so it exists in law. Enforceable means there is a working process and a body to escalate to. For these rights, that process, set by Rules 3, 5 to 16, 22 and 23 of the DPDP Rules 2025, becomes operative only on 13 May 2027.
 +
 +==== When exactly do my data deletion rights become operative? ====
 +
 +13 May 2027. The DPDP Rules 2025 were notified on 13 November 2025 by MeitY through Gazette G.S.R. 846(E), and the citizen-rights rules start eighteen months later, on 13 May 2027.
 +
 +==== Can a company refuse to delete my data? ====
 +
 +Yes, in two cases. If retention is still necessary for the specified purpose for which the data was collected, or if another law in force requires the data to be kept. This is an express exception in the DPDP Act 2023. Records like tax and financial data are commonly retained for this reason.
 +
 +==== Does withdrawing consent automatically erase my data? ====
 +
 +Withdrawal of consent is one of the two triggers for erasure under the DPDP Act 2023, the other being that the purpose has ended. Even then, the company may keep data it is legally required to retain. So withdrawal starts the process but does not always wipe everything.
 +
 +==== Who do I complain to if a company ignores my request? ====
 +
 +From 13 May 2027 you will be able to escalate to the Data Protection Board once the relevant rules are operative. Today, escalate within the company first, keep written records, and use the IT Act 2000 and SPDI Rules 2011 framework for sensitive personal data.
 +
 +==== Sources ====
 +
 +  * The Digital Personal Data Protection Act, 2023, Section 12, Ministry of Electronics and Information Technology (MeitY)
 +  * The Digital Personal Data Protection Rules, 2025, notified 13 November 2025 via Gazette G.S.R. 846(E), MeitY
 +  * Information Technology Act, 2000 and the IT (Reasonable Security Practices) SPDI Rules, 2011, MeitY
 +
 +==== Related on RTI Wiki ====
 +
 +  * [[https://righttoinformation.wiki/which-regulator-to-complain-to-india-sebi-rbi-irdai-trai-dgca-hub|Which regulator to complain to]]
 +  * [[https://righttoinformation.wiki/act|RTI Act 2005]]
 +  * [[https://righttoinformation.wiki/tools/ai-rti-draft-app.html|AI RTI Drafter]]
 +
 +===== Related reading =====
 +  * [[https://righttoinformation.wiki/dpdp-data-breach-72-hours-notification-rule-7|DPDP data breach 72-hour reporting rule]]
 +
 +
 +  * [[https://righttoinformation.wiki/right-to-be-forgotten-de-index-court-records-india|Right to be forgotten: remove old court records from Google]]
 +===== DPDP Act: Right to erasure and correction of personal data — how to exercise it? =====
 +
 +The Digital Personal Data Protection Act 2023 (DPDP Act) gives individuals rights over their personal data. Here is how to exercise the right to erasure and correction:
 +
 +  - **Step 1: What is the DPDP Act?** The DPDP Act 2023 is India's data protection law. It governs the processing of digital personal data and gives "Data Principals" (individuals) rights over their data. It applies to all processing of personal data within India, and to processing outside India that targets individuals in India.
 +  - **Step 2: Right to access information.** Under Section 11, a Data Principal can: (a) ask the Data Fiduciary (the entity processing data) for a summary of their personal data, (b) ask for the identities of other Data Fiduciaries with whom the data has been shared, (c) ask for the purpose of processing.
 +  - **Step 3: Right to correction and erasure.** Under Section 12, a Data Principal can: (a) ask for correction of inaccurate/misleading personal data, (b) ask for completion of incomplete personal data, (c) ask for updating of outdated personal data, (d) ask for erasure of personal data — BUT the Data Fiduciary can refuse if retention is required by law.
 +  - **Step 4: How to make a request.** (a) Submit a written request to the Data Fiduciary (the company/entity holding your data), (b) specify the data to be corrected/erased, (c) the Data Fiduciary must respond within a "reasonable time" (the rules may specify timelines).
 +  - **Step 5: Right to grievance redressal.** Under Section 13: (a) if the Data Fiduciary does not respond or refuses, the Data Principal can file a grievance with the Data Fiduciary's Grievance Officer, (b) the Grievance Officer must respond within 14 days.
 +  - **Step 6: Complaint to Data Protection Board.** Under Section 38: (a) if the grievance is not resolved, file a complaint with the Data Protection Board of India, (b) the Board can impose penalties up to Rs 250 crore per violation, (c) the Board can order the Data Fiduciary to comply with the Data Principal's request.
 +  - **Step 7: File RTI.** File RTI with the Ministry of Electronics and IT (MeitY) asking for: (a) the DPDP Rules notification status, (b) the Data Protection Board constitution, (c) the number of complaints filed, (d) the penalties imposed.
 +
 +See [[https://righttoinformation.wiki/used-phone-imei-check|IMEI Check Guide]] and [[https://righttoinformation.wiki/otp-bank-scam-how-to-report-cyber-fraud-1930|Cyber Fraud Guide]].
 +
 +{{tag>dpdp act 2023 right to erasure correction personal data data fiduciary data protection board grievance 2026}}