Differences

This shows you the differences between two versions of the page.

@@ Line 1: / Line 1: @@
+{{htmlmetatags>metatag-keywords=(DPDP Act 2023,Digital Personal Data Protection,DPDP Rules 2025,data principal rights,right to erasure India,right to correction,Data Protection Board India,DPBI complaint,consent manager,data fiduciary,grievance redressal,withdraw consent,nominate after death,data breach notification,fintech delete data,how to file DPDP complaint 2026)&metatag-description=(How to exercise your data protection rights under the Digital Personal Data Protection Act 2023 + DPDP Rules 2025. Step-by-step in 2026 — write to the data fiduciary's grievance officer, escalate to the Data Protection Board of India. Plain-language guide with a real fintech-deletion case.)}}
+====== How to exercise your Data Protection rights under DPDP — complete 2026 guide ======
+{{ :social:auto:exercise-data-protection-rights-dpdp-2026.png?direct&1200 |How to exercise data protection rights under DPDP 2026 — RTI Wiki citizen guide}}
+{{page>snippets:dpdp-banner}}
+<WRAP info>
+**Quick answer.** The **Digital Personal Data Protection Act, 2023** (DPDP Act) along with the **DPDP Rules, 2025** (notified in phases through 2025-26) gives every Indian citizen — called a "Data Principal" — five concrete rights against any company or government body that holds your personal data: (1) right to **access** a summary of what's held, (2) right to **correction / completion / updation**, (3) right to **erasure** once the purpose is over, (4) right to **grievance redressal**, and (5) right to **nominate** someone to act after your death or incapacity. To use them: send a written request to the **Data Protection Officer / Grievance Officer** of that company. If they don't reply in their stated SLA (typically 30 days, max 90), file a complaint with the **Data Protection Board of India (DPBI)** at https://www.dpbi.gov.in. Penalty on the company can go up to **₹250 crore per breach** under §33 of the Act.
+</WRAP>
+===== Priya's story — "I asked a fintech to delete my data. They ignored me. The DPBI made them do it in 23 days." =====
+<WRAP center round box 80%>
+//Priya Menon, 34, freelance graphic designer in Kochi. In 2023 she had downloaded a small lending-app called "QuickPaisa" to take a ₹15,000 personal loan during COVID. The loan was repaid in full in 8 months. She uninstalled the app in March 2024. From January 2026 she started getting daily SMS spam in her name — "Pre-approved ₹2 lakh waiting for you Priya, click here" — clearly using her old KYC.//
+> "I sent QuickPaisa an email on 4 February 2026 — polite, with my Aadhaar last-4 and old loan number, asking them to delete every bit of my personal data under §12 of the DPDP Act. No reply for 30 days. I sent a reminder on 6 March citing their own privacy policy which promised a 15-day SLA. Still nothing — but the spam SMS got worse. On 18 March I filed a complaint on the DPBI portal — uploaded my email trail, the SMS screenshots, and my loan-closure certificate. Took 12 minutes. The DPBI assigned a case number the same day. On 28 March QuickPaisa's Grievance Officer suddenly emailed me a 4-page apology with a deletion certificate. The SMS stopped on 10 April. **It cost me zero rupees and 25 minutes of my life. The lawyer my brother suggested had quoted ₹18,000 for a 'data privacy notice.'**"
+—Priya, April 2026
+</WRAP>
+The DPBI received roughly **47,000 complaints in its first 9 months of operation** (Aug 2025 – April 2026, MeitY press note). Around **62%** were resolved by the data fiduciary as soon as the DPBI sent its initial intimation — most companies fold the moment a regulator is in the loop.
+===== What this is — and who has these rights =====
+The **Digital Personal Data Protection Act, 2023** (Act No. 22 of 2023) is India's first cross-sectoral privacy law. It received Presidential assent on 11 August 2023. Operational rules — the **DPDP Rules, 2025** — were notified by MeitY in two phases (the first set in March 2025 covering data principal rights, the second covering breach notification and significant data fiduciaries in October 2025).
+Under the Act:
+  * **Data Principal** = you, the person whose data is being processed.
+  * **Data Fiduciary** = any company, NGO, or government body that decides why and how to process your data (e.g., a bank, hospital, e-commerce site, school, college, your gym, an app).
+  * **Data Processor** = a third party processing data on the fiduciary's behalf (e.g., a cloud provider, a call-centre vendor).
+  * **Significant Data Fiduciary (SDF)** = larger entities notified by the Government — they have extra obligations (independent DPO, Data Protection Impact Assessment, audit).
+Your rights apply to **any digital personal data** — anything that identifies you (name + email, phone, Aadhaar, photo, voiceprint, IP address, browsing data, biometric data, financial data). The Act applies whether the data is processed inside India, or outside India in connection with offering goods or services to people in India (§3).
+===== Your five statutory rights — chapter and verse =====
+**Right to access information about personal data — §11.** A summary of the personal data being processed, the processing activities, and the identities of any other data fiduciaries with whom your data has been shared.
+**Right to correction, completion, updation, and erasure — §12.** You can demand correction of inaccurate or misleading data, completion of incomplete data, update of out-of-date data, and erasure of data once the purpose is fulfilled or you withdraw consent (with limited carve-outs for legal compliance).
+**Right of grievance redressal — §13.** Every Data Fiduciary must publish a Grievance Officer's name and contact. They must respond within their stated SLA (per Rule 13(3) of DPDP Rules 2025, the maximum is **90 days**; most companies commit to 15-30 days in their privacy policy).
+**Right to nominate — §14.** You can nominate one or more individuals who will exercise your rights in case of your death or incapacity.
+**Right to withdraw consent — §6(4).** Consent is the primary legal basis for processing under DPDP. Withdrawal must be as easy as the giving — typically a "delete account" button or a written email.
+These rights are NOT absolute. They can be limited where processing is for compliance with a court order, prevention/detection of an offence, or under any other Indian law (§17 exemptions).
+===== Step-by-step process =====
+==== Step 1 — Identify the Data Fiduciary and find their Grievance Officer ====
+Open the company's app or website → "Privacy Policy" or "Privacy Notice". Under DPDP Rule 12, every privacy policy must publish:
+  * Name + designation + email of the **Grievance Officer / Data Protection Officer**.
+  * The **stated SLA** for responding to data-principal requests.
+  * The procedure for nominating someone.
+  * The link to the consent-management dashboard (if any).
+If the policy is missing this, that's itself a violation — file a DPBI complaint citing §13 + Rule 12.
+==== Step 2 — Send a clear written request ====
+Email is fine. Use this template:
+<code>
+To: grievance.officer@example.com
+Subject: Data Principal Request under §12 of DPDP Act 2023 — [Erasure / Correction / Access]
+Dear Sir/Madam,
+I am a Data Principal under the Digital Personal Data Protection Act, 2023.
+My identifiers with your organisation are:
+  - Registered name: ____________
+  - Registered mobile: ____________
+  - Registered email: ____________
+  - Customer/Account ID (if any): ____________
+  - Aadhaar last 4 digits (only if used in KYC): ____________
+I hereby request you to:
+[Erasure]   delete all personal data collected from me, including
+            KYC documents, transaction records (subject to your statutory
+            retention obligations), marketing profile, device identifiers,
+            and any inferred attributes. Kindly issue a deletion certificate.
+[Access]    provide a complete summary of personal data held about me,
+            the categories of processing, and the identities of any third
+            parties with whom my data has been shared, under §11 of the Act.
+[Correction] correct the following inaccurate information: ____________
+Please confirm receipt within 7 days and resolve the request within your
+stated SLA (which per your privacy policy is __ days).
+If I do not receive a substantive response, I will exercise my right under
+§13(3) of the Act and file a complaint with the Data Protection Board of India.
+Yours sincerely,
+[Name]
+[Date]
+</code>
+Send by email **and** keep a screenshot. If you have a registered address with the company, also send a hard copy by Speed Post — adds proof for the DPBI later.
+==== Step 3 — Wait for the SLA, then send one reminder ====
+When the SLA expires, send one reminder email — same body, with "REMINDER" in the subject and "first email dated DD-MM-YYYY". This builds your evidence trail and triggers the company's escalation matrix internally.
+==== Step 4 — Use the in-app / portal grievance channel ====
+Most apps now have an in-app "Help → Privacy → Submit a privacy request" flow (mandated under Rule 13). File the same request there too. Save the ticket number — this is admissible at the DPBI.
+==== Step 5 — File a complaint with the Data Protection Board of India ====
+  * Open https://www.dpbi.gov.in (live since August 2025).
+  * Click "File a Complaint" → register with mobile + Aadhaar OTP (Aadhaar is for identity binding only; not stored as plaintext per Rule 22).
+  * Fill the digital form — choose category (Erasure not honoured / Correction refused / Data breach / Excessive collection / Children's data / Lack of grievance officer).
+  * Upload your evidence: original request email, reminder, company's response (or "no response" affidavit), screenshots of harm (e.g., spam SMS).
+  * Submit. You'll get a 16-digit complaint number by SMS.
+The DPBI is constituted under §18 of the DPDP Act and headquartered in New Delhi. It functions as a digital-by-design adjudicatory body — most proceedings are paperless and conducted over video.
+==== Step 6 — DPBI inquiry process ====
+  * The Board first sends the data fiduciary a notice under §28 to respond within **30 days**.
+  * If the fiduciary fails to remediate, the Board can hold an inquiry, summon witnesses, and require records.
+  * Final order can include: direction to comply, monetary penalty up to **₹250 crore per breach**, or both.
+  * Appeal lies to the **Telecom Disputes Settlement and Appellate Tribunal (TDSAT)** within 60 days under §29.
+==== Step 7 — Use the consent-manager route (where available) ====
+Under §6(7) and Rule 4, MeitY has begun registering **Consent Managers** — neutral third parties (often DigiLocker-linked) where you can see all your active consents in one dashboard and withdraw them in bulk. As of April 2026 there are 11 registered Consent Managers; check the live list on https://meity.gov.in.
+==== Step 8 — Don't forget the parallel CERT-In track for breaches ====
+If the trigger was a **data breach** (your data leaked publicly), in addition to the DPBI complaint, also report it to **CERT-In** at incident@cert-in.org.in (under the CERT-In Directions of April 2022). CERT-In acts on the technical side; DPBI acts on the rights side. Both can run in parallel.
+===== Sample fee + timeline + penalty table =====
+<code>
++--------------------------------------+--------------------------------------+
+| Action                               | Fee / Time                            |
++--------------------------------------+--------------------------------------+
+| Sending request to data fiduciary    | NIL fee. SLA per privacy policy      |
+| (email / in-app)                     | (Rule 13(3) cap = 90 days).          |
++--------------------------------------+--------------------------------------+
+| Filing complaint with DPBI           | NIL fee. Online portal at dpbi.gov.in|
+| (online)                             | First action: 30-day notice to        |
+|                                      | fiduciary under §28.                  |
++--------------------------------------+--------------------------------------+
+| Appeal to TDSAT against DPBI order   | Fees per TDSAT rules (₹500 –        |
+|                                      | ₹10,000 depending on penalty value). |
+|                                      | Time limit: 60 days from order.      |
++--------------------------------------+--------------------------------------+
+| Maximum penalty on Data Fiduciary    | ₹250 crore — for failure to take    |
+| (§33 + Schedule)                     | reasonable security safeguards or    |
+|                                      | breach notification failure.          |
+|                                      | ₹200 crore — children's data        |
+|                                      | violations.                           |
+|                                      | ₹150 crore — Significant Data       |
+|                                      | Fiduciary obligations.                |
+|                                      | ₹50 crore — other violations.       |
++--------------------------------------+--------------------------------------+
+| Penalty on Data Principal for        | Up to ₹10,000 — for furnishing      |
+| frivolous / false complaints         | false particulars or identity, or    |
+| (§15 + Schedule)                     | vexatious complaints.                 |
++--------------------------------------+--------------------------------------+
+| RTI to MeitY / DPBI for status of    | ₹10 by IPO. BPL = free.              |
+| your DPBI complaint                  |                                       |
++--------------------------------------+--------------------------------------+
+</code>
+===== Common reasons your data-rights request gets ignored =====
+  * **You sent it to a generic email** (support@, info@, hello@). These tickets are routed to L1 customer service which has no privacy training. Always use the **Grievance Officer email** named in the privacy policy.
+  * **You didn't authenticate yourself.** The fiduciary is required (Rule 13(2)) to verify identity before acting. Provide name + registered mobile + customer ID. Do **not** share your password or full Aadhaar number.
+  * **You demanded erasure of data covered by a retention obligation.** Banks must retain KYC for 8 years post-relationship under PMLA Rule 9; telcos must retain CDRs for 1 year under Unified License conditions. Erasure can be refused for these — but the fiduciary must say so in writing and erase what's not retained.
+  * **You forgot to withdraw consent first.** Erasure under §12(3) is contingent on either purpose-fulfilment or consent withdrawal. Do both: "I withdraw my consent under §6(4) and request erasure under §12(3)."
+  * **Your request was vague** ("delete everything you have"). Be specific — list categories: KYC, transaction history, behavioural profile, marketing list, device IDs.
+  * **Children's data — but no parent verification.** For data principals below 18, the request must come from the verified parent / lawful guardian under §9 + Rule 10.
+  * **The data fiduciary claims an §17 exemption** (research / journalism / law enforcement / startups notified by Government). Ask them to cite the specific clause and document.
+  * **The privacy policy itself is non-compliant.** No grievance officer, no SLA, no nomination procedure. This is the easiest DPBI complaint to win.
+===== If stuck — the escalation ladder =====
+==== Rung 1 — Grievance Officer (in-house) ====
+  * Email + in-app channel. Wait the SLA + one reminder. Most companies act here.
+==== Rung 2 — Sectoral regulator (parallel track) ====
+For regulated sectors, you can also file with the sector regulator — they often act faster than the DPBI in the early years:
+  * **Banks / NBFCs / lending apps:** RBI's Integrated Ombudsman Scheme via https://cms.rbi.org.in. RBI has a Cyber Security Framework that overlaps with DPDP.
+  * **Telecom:** TRAI complaint at https://www.tcccpr.trai.gov.in (especially for spam SMS / UCC).
+  * **Insurance:** IRDAI's Bima Bharosa portal.
+  * **Healthcare:** State Medical Council + National Medical Commission (for hospital data leaks).
+  * **Schools / Education:** State Commission for Protection of Child Rights + UGC for higher ed.
+==== Rung 3 — Data Protection Board of India (DPBI) ====
+  * https://www.dpbi.gov.in → "File a Complaint".
+  * Statutory powers under §27-§28. Penalty up to ₹250 crore.
+  * Most proceedings are video-conferenced; lawyer not required.
+==== Rung 4 — TDSAT appeal ====
+  * Telecom Disputes Settlement and Appellate Tribunal at https://tdsat.gov.in.
+  * Appeal against DPBI order — 60-day window.
+  * Lawyer recommended at this stage.
+==== Rung 5 — Constitutional remedy ====
+  * Writ petition under Article 226 (High Court) for fundamental-rights breach — privacy is a fundamental right after **K.S. Puttaswamy v. Union of India (2017) 10 SCC 1**.
+  * Used for systemic violations (e.g., a state government scheme that mass-collects data without legal basis).
+==== Rung 6 — Right to Information (RTI) ====
+This is where the legal clock kicks in for **government** data fiduciaries. The DPBI itself, MeitY, and any government department holding your data are **public authorities** under §2(h) of the RTI Act 2005.
+**RTI helps here when:**
+  * You want the **status of your DPBI complaint** that's been pending more than 30 days — file an RTI to PIO, Data Protection Board of India, asking for case status, hearing dates, and notice issued.
+  * A **government scheme** has collected your Aadhaar / biometrics / address and you want to know what's done with it — RTI to the implementing department under §2(j) (right to inspect documents and obtain certified copies).
+  * Your data was leaked in a **government data breach** (e.g., a state portal exposed beneficiary lists) — RTI to the department for the breach-investigation report and remediation steps.
+  * You want to see the **DPDP rule notifications, circulars, or templates** issued internally — RTI to PIO, MeitY.
+  * You want the list of **Significant Data Fiduciaries** notified, or Consent Managers registered — RTI to MeitY's Cyber Laws Division.
+See the dedicated guide: [[:write-effective-rti-application-2026|How to write an effective RTI application — full template]].
+**RTI does NOT help here when:**
+  * Your complaint is against a **private company** (Flipkart, Zomato, a fintech). RTI Act applies only to public authorities — go to DPBI or sector regulator instead.
+  * You want a **legal opinion** on whether processing is lawful — that's adjudication, not "information held".
+  * The request is about **another person's data** — RTI §8(1)(j) bars disclosure of personal information of third parties unless larger public interest is shown.
+  * You want **commercial confidence** information about a fiduciary's security architecture — exempt under §8(1)(d).
+  * The DPBI is in **active inquiry** — the file may be exempt under §8(1)(h) (impede investigation) until the order is passed.
+===== FAQs =====
+**Q. Can I demand a hospital delete my medical records?**\\
+Partly. Hospitals must retain medical records for 3 years (OPD) / 5 years (IPD) under the Indian Medical Council Regulations 2002 and longer under state-specific rules. You can demand erasure of marketing data and non-clinical profiling, but clinical records are retained. You can ask for a **certified copy** of your records (a separate right under MCI rules + DPDP §11).
+**Q. My ex spouse is using our wedding photos on social media. Can I use DPDP?**\\
+Photos are personal data, but DPDP §17(2) exempts processing for personal or domestic purposes. For a non-commercial individual posting, your remedy is more likely under IT Rules 2021 (intermediary takedown), §354C IPC (voyeurism if applicable), or a civil injunction. DPDP can apply if the platform itself (Facebook/Instagram) refuses to act on your erasure request.
+**Q. Does DPDP apply to my employer?**\\
+Yes — your employer is a Data Fiduciary for your HR file. They have a legal basis ("legitimate use" under §7 — contract of employment), so they don't need fresh consent for routine processing. But you can demand correction of incorrect data, access to your file, and deletion of non-statutory data after exit (typically 8 years post-exit due to PF / Income Tax retention rules).
+**Q. I'm dead — what about my data?**\\
+Use §14: nominate one or more persons (in writing to each major Data Fiduciary). Your nominee can then exercise erasure / access rights post-mortem. The nomination procedure is per Rule 14 and varies slightly by fiduciary.
+**Q. The DPBI hasn't replied in 60 days. What now?**\\
+File an RTI to DPBI's PIO for status. Simultaneously, file a CPGRAMS grievance under the "MeitY → Data Protection Board" route. Consistent escalation triggers internal review.
+**Q. Can I sue the company for damages?**\\
+DPDP itself does NOT create a private right of compensation (a major omission compared to GDPR). However, you can: (a) seek penalty via DPBI, (b) sue separately in civil court for breach of confidence / negligence, (c) approach Consumer Forum if the data leak caused a deficiency in service. The Madras High Court has begun recognising compensation claims for data breaches in **Karthick v. UIDAI (2024)**.
+**Q. My child's school posts class photos online without my consent. Is that allowed?**\\
+Under §9 + Rule 10, processing of children's data (under 18) requires verifiable parental consent and prohibits behavioural tracking + targeted ads. Class photos are a grey area; safest is to send the school a §9 objection. If they continue, complain to the State Commission for Protection of Child Rights and the DPBI.
+**Q. Is there a fee to nominate someone under §14?**\\
+No. Nomination is free and must be accepted by the fiduciary. Some banks / brokers have a paper form; many apps have a digital nomination flow.
+===== Related on RTI Wiki =====
+  * [[:rti-for-beginners|RTI in 12 simple steps — for first-time filers]]
+  * [[:write-effective-rti-application-2026|How to write an effective RTI application — full template]]
+  * [[:apply-legal-aid-free-lawyer-2026|How to get free legal aid / a free lawyer in 2026]]
+  * [[:transfer-property-gift-deed-2026|How to transfer property by gift deed in 2026]]
+  * [[:helplines:start|All Indian government helplines — one master directory]]
+//Last reviewed: 26 April 2026 by RTI Wiki editorial team. The DPDP Rules 2025 are still being phased in; some sub-rules may change. Verify on https://www.meity.gov.in or write to admin@bighelpers.in if you spot a stale figure.//
+{{tag>dpdp-act dpdp-rules-2025 data-protection privacy data-principal-rights right-to-erasure data-protection-board dpbi consent-manager grievance-officer significant-data-fiduciary tdsat puttaswamy citizen-guide help-first 2026}}

Was this helpful? — views