Rights of a Data Principal Under the DPDP Act

Published on : 28 Sep 2023


With the advent of the Digital Personal Data Protection Act (DPDP Act) in 2023, India has taken a significant step towards safeguarding the rights of individuals, termed as ‘Data Principals’, over their personal data. 

This blog post aims to shed light on the rights and protections offered to Data Principals under the DPDP Act, a landmark legislation that is reshaping the landscape of data privacy in India. So, let’s embark on this journey to understand your rights as a Data Principal under the DPDP Act. 

Who is a Data Principal in the DPDP Act?

The term ‘Data Principal’ refers to the individual to whom the personal data relates. This individual could be anyone, but there are a couple of special cases to consider:

  • If the individual is a child, then the ‘Data Principal’ also includes the child’s parents or their lawful guardian.
  • If the individual has a disability, then the ‘Data Principal’ includes their lawful guardian who is acting on their behalf.

Moving forward, we are now prepared to explore the rights and duties of data principals, and how these can enhance your online privacy.

Rights and Duties of a Data Principal in DPDP Act

  • Right to Access Information: (Section 11, DPDP Act)

Imagine you’ve shared your personal data with an organization (let’s call them the Data Fiduciary). Now, you’re curious about what they’re doing with your data. 

Under Section 11(1)(a) of the DPDP Act, you have the right to request a summary of your personal data that the Data Fiduciary is processing and the manner in which they are doing it. To exercise this right, you can submit a written request to the Data Fiduciary, who is then obligated to provide you with the requested information in a timely manner.

But the Act doesn’t stop there. As per Section 11(1)(b), you also have the right to know who else your data has been shared with. This could include other Data Fiduciaries or Data Processors. Upon request, the Data Fiduciary should provide you with a list of these entities and a description of the data they’ve shared.

Under Section 11(1)(c), you can request any other information related to your personal data and its processing. This ensures that you have a comprehensive understanding of how your personal data is being used.

However, there is an exception. 

As per Section 11(2), if your data was shared with another Data Fiduciary who is legally authorized to obtain such data for the purpose of preventing, detecting, or investigating offenses or cyber incidents, or for the prosecution or punishment of offenses, then some of these rights might not apply. 

This exception is applicable only in very specific circumstances.

  • Right to Correction and Erasure of Personal Data: (Section 12, DPDP Act)

As a Data Principal, the DPDP Act grants you the right to request the Data Fiduciary to correct any data that’s inaccurate or misleading, complete any data that’s incomplete, and update any data that’s outdated (Section 12(1), DPDP Act).

To exercise these rights, you can submit a written request to the Data Fiduciary, specifying the changes you want to make. The Data Fiduciary is then obligated to review your request and make the necessary changes in a timely manner.

Furthermore, if you want your data erased, you can make a similar request to the Data Fiduciary. They are obliged to erase your data unless they need to keep it for a specific purpose or to comply with the law (Section 12(2), DPDP Act). 

It’s important to note that the erasure of data is subject to certain conditions and exceptions, which will be outlined in the rules of the Act.

However, before you can approach the Data Protection Board with your grievance, you need to exhaust these redressal opportunities first. This provision is designed to ensure that minor issues can be resolved effectively at the initial level without having to involve higher authorities (Section 12(3), DPDP Act).

  • Right to Grievance Redressal: (Section 13, DPDP Act)

As a Data Principal, the DPDP Act grants you the right to a readily accessible means of grievance redressal provided by the Data Fiduciary or Consent Manager. 

This implies that if you have any issues or concerns about how your personal data is being processed, you have the right to raise a grievance (Section 13(1), DPDP Act).

What’s more, the Data Fiduciary or Consent Manager is obligated to respond to your grievances within a prescribed timeframe (Section 13(2), DPDP Act). This ensures that your concerns are addressed promptly and effectively.

It’s important to note that before you approach the Data Protection Board with your grievance, you need to exhaust this redressal opportunity first. 

This provision is designed to ensure that minor issues can be resolved effectively at the initial level without having to involve higher authorities (Section 13(3), DPDP Act).

  • Right to Nominate: (Section 14, DPDP Act)

As a Data Principal, the DPDP Act empowers you with the right to nominate another individual who can exercise your rights on your behalf in the event of your death or incapacity. 

This ensures that your rights related to your personal data remain protected, even if you’re not able to exercise them yourself (Section 14(2), DPDP Act).

The term ‘incapacity’ in this context refers to an inability to exercise your rights due to conditions such as unsoundness of mind or physical infirmity (Section 14(2), DPDP Act).

These legal terms broadly encompass situations where an individual might be unable to make informed decisions or take actions due to mental health conditions or physical disabilities.

The specific process for nomination will be outlined in the rules of the Act. While the details of this process are beyond the scope of this discussion, it is designed to ensure that your personal data rights are upheld under all circumstances. Rest assured, the DPDP Act provides robust safeguards for your personal data rights.

  • Duties of a Data Principal: (Section 15, DPDP Act)

While the DPDP Act empowers you with numerous rights concerning your personal data, it also expects you to exercise certain responsibilities. Here are the five key duties you need to keep in mind:

  1. Comply with Laws: As you exercise your rights under the DPDP Act, it’s crucial that you also comply with all other applicable laws (Section 15(1)(a), DPDP Act).
  2. No Impersonation: Impersonating someone else when providing your personal data is strictly prohibited. Always ensure that the personal data you provide is genuinely yours (Section 15(1)(b), DPDP Act).
  3. No Suppression of Information: When providing your personal data for purposes such as unique identifiers, documents, or proof of identity or address, it’s important to provide complete and accurate information. Any omission of crucial details could be considered as suppression of information (Section 15(1)(c), DPDP Act).
  4. No False Complaints: Any grievances or complaints you register should be genuine. Filing false or frivolous complaints is not only unproductive but also against the provisions of the DPDP Act (Section 15(1)(d), DPDP Act).
  5. Provide Authentic Information: When exercising your right to correction or erasure, ensure that the information you provide is authentic and verifiable. Providing false information is not only unethical but also against the law (Section 15(1)(e), DPDP Act).


Conclusion:

To summarize, the Digital Personal Data Protection Act, 2023, provides Data Principals with significant rights such as access to information, correction, erasure, and grievance redressal. It also allows them to nominate representatives in the event of incapacity or death. Furthermore, the Act imposes duties on Data Principals to ensure transparency and authenticity in their interactions with Data Fiduciaries. This legislation is a crucial step in India’s evolving data privacy landscape, underlining the rights of Data Principals in Sections 11-14 and promoting transparency and accountability. The rights guaranteed to Data Principals under this Act are pivotal in maintaining online privacy and data protection.


Disclaimer: The DPDP Act is a new piece of legislation that is set to be implemented in the upcoming year. As such, there are ongoing debates and potential shortcomings associated with this Act. The advice provided in this blog post is based on the current provisions of the DPDP Act. Therefore, we strongly recommend visiting the official Ministry of Electronics and Information Technology (MeitY) website to read the full document of the DPDP Act 2023 for the most accurate and up-to-date information.

Narendra Sahoo

Narendra Sahoo (PCI QPA, PCI QSA, PCI SSF ASSESSOR, CISSP, CISA, CRISC, 27001 LA) is the Founder and Director of VISTA InfoSec, a global Information Security Consulting firm, based in the US, Singapore & India. Mr. Sahoo holds more than 25 years of experience in the IT Industry, with expertise in Information Risk Consulting, Assessment, & Compliance services. VISTA InfoSec specializes in Information Security audit, consulting and certification services which include GDPR, HIPAA, CCPA, NESA, MAS-TRM, PCI DSS Compliance & Audit, PCI PIN, SOC2 Compliance & Audit, PDPA, PDPB to name a few. The company has for years (since 2004) worked with organizations across the globe to address the Regulatory and Information Security challenges in their industry. VISTA InfoSec has been instrumental in helping top multinational companies achieve compliance and secure their IT infrastructure.