
Data Principal Rights Under DPDP: The Complete Guide to All 5 Rights and How to Handle Them

All 5 data principal rights under India's DPDP Act — access, correction, erasure, grievance, nomination — with 7-day SLA workflows and response templates.

ZenoComply Team ·

Under the DPDP Act, 2023, every individual whose personal data is processed — called a “Data Principal” — has five specific rights. And unlike GDPR’s 30-day response window, Indian businesses must respond within 7 days.

That is not a typo. Seven calendar days. One of the tightest SLAs in global privacy law.

This guide covers all five rights in detail, explains how to build a DSR (Data Subject Request) handling workflow that meets the 7-day SLA, and includes ready-to-use templates for acknowledgement and response.

The 5 Data Principal Rights Under DPDP

The DPDP Act grants Data Principals the following rights against Data Fiduciaries (the businesses processing their data):

| # | Right | DPDP Section | Summary |
|---|---|---|---|
| 1 | Right to Access | Section 11 | Know what data is held and who it has been shared with |
| 2 | Right to Correction | Section 12 | Get inaccurate or misleading data corrected |
| 3 | Right to Erasure | Section 13 | Request deletion of personal data |
| 4 | Right to Grievance Redressal | Section 14 | File complaints about how data is handled |
| 5 | Right to Nominate | Section 15 | Appoint someone to exercise rights on their behalf |

Let us examine each right, what it requires from your business, and where the common pitfalls lie.

Right 1: Right to Access (Section 11)

What the Data Principal Can Request

A Data Principal can request:

  • A summary of their personal data being processed
  • The processing activities performed on their data
  • The identities of all Data Processors and third parties their data has been shared with
  • Any other information as may be prescribed by rules

What You Must Provide

Your response must include:

  1. Categories of personal data held: Names, email addresses, payment information, behavioral data, etc.
  2. Processing purposes: Why you are processing each category
  3. Data sharing details: Which third parties or processors have received the data
  4. Retention information: How long you plan to retain each data category

What You Do NOT Need to Provide

The right to access under DPDP is narrower than GDPR’s. You provide a summary, not a full data export. There is no explicit requirement for data portability (the right to receive data in a machine-readable format for transfer to another service).

Common Pitfall

Many businesses have data scattered across multiple systems — CRM, analytics tools, email marketing platforms, payment processors. Without a centralized data map, responding to access requests within 7 days is nearly impossible. Build your data inventory before the first request arrives.

Right 2: Right to Correction (Section 12)

What the Data Principal Can Request

A Data Principal can ask you to:

  • Correct personal data that is inaccurate
  • Complete personal data that is incomplete
  • Update personal data that is out of date
  • Delete personal data that is misleading

What You Must Do

  1. Verify the identity of the requester
  2. Locate the data across all systems where it is stored
  3. Make the correction in all instances — not just the primary database
  4. Confirm the correction to the Data Principal within 7 days
  5. If data was shared with third parties, notify them of the correction

Common Pitfall

Correcting data in your primary database but forgetting about copies in backups, analytics tools, exported CSVs, or third-party systems. Your correction process must cover all data replicas.

Right 3: Right to Erasure (Section 13)

What the Data Principal Can Request

A Data Principal can request that you erase all personal data that you are processing. Upon receiving an erasure request:

  • You must delete the data from active systems
  • You must ensure Data Processors you work with also delete the data
  • You must delete the data even if the Data Principal originally consented to processing

When You Can Refuse Erasure

You can retain data if:

  • Legal obligation: A law requires you to retain the data (e.g., tax records under the Income Tax Act, transaction records under the Companies Act)
  • Court order: A court or tribunal has ordered data retention
  • Contractual necessity: The data is needed to fulfill a contract that is still active

If you refuse, you must explain the reason to the Data Principal within the 7-day window.

Erasure under DPDP is closely tied to consent withdrawal. When a Data Principal withdraws consent (Section 6(4)), the Data Fiduciary must erase the data unless one of the exceptions above applies. This makes consent withdrawal effectively an erasure trigger.

Common Pitfall

The biggest challenge is technical: actually deleting data from all systems. Soft deletes (marking records as inactive) may not satisfy the requirement. You need a process that covers:

  • Primary databases
  • Backup systems (with a defined timeline for backup purges)
  • Analytics platforms
  • Third-party processors
  • Exported files and reports
  • Email archives containing personal data

Right 4: Right to Grievance Redressal (Section 14)

What the Data Principal Can Do

If a Data Principal is unhappy with how you handle their data or respond to their rights requests, they can:

  1. File a grievance with you (the Data Fiduciary) first
  2. If unresolved, escalate to the Data Protection Board of India

What You Must Provide

  • A clearly identified grievance mechanism (form, email, portal)
  • A designated person to handle grievances (typically your Data Protection Officer or Grievance Officer)
  • Response within 7 days of receiving the grievance
  • Details of how to escalate to the Data Protection Board if unsatisfied

The Two-Tier System

DPDP creates a two-tier grievance system:

Tier 1: Internal Resolution

The Data Principal files a complaint with your business. You must acknowledge receipt and provide a resolution within the prescribed timeline.

Tier 2: Data Protection Board

If the Data Principal is not satisfied with your response (or receives no response), they can file a complaint with the DPB. The Board can then investigate, hold hearings, and impose penalties up to Rs 250 Crore.

Common Pitfall

Not having a visible, accessible grievance mechanism. If a Data Principal cannot find how to file a complaint, your first interaction with them may be a DPB notice. Your privacy policy, website footer, and app settings should all clearly link to your grievance process.

Right 5: Right to Nominate (Section 15)

What the Data Principal Can Do

A Data Principal can nominate another individual to exercise their rights in case of:

  • Death of the Data Principal
  • Incapacity (mental or physical inability to exercise rights)

What You Must Support

  • Accept and record nomination requests from Data Principals
  • Verify the identity of the nominated person when they exercise rights
  • Allow the nominee to exercise all five rights on behalf of the Data Principal
  • Maintain nomination records alongside consent records

How This Differs from GDPR

GDPR does not have an explicit nomination right. The closest equivalent is appointing a representative, which is handled differently across EU member states. DPDP’s nomination right is more structured and specific.

Common Pitfall

Ignoring this right entirely. Most businesses have not built nomination workflows because the concept feels edge-case. But the DPB can audit your systems, and “we did not build that feature” is not a valid excuse.

The 7-Day SLA: Why It Changes Everything

DPDP vs GDPR Response Timelines

| Aspect | DPDP (India) | GDPR (EU) |
|---|---|---|
| Standard response time | 7 days | 30 days |
| Extension possible | Not explicitly provided | Up to 60 additional days for complex requests |
| Clock starts | Upon receipt of request | Upon receipt of request |
| Weekend/holidays | Calendar days | Calendar days |
| Penalty for late response | Up to Rs 50 Crore | Up to 4% of global annual turnover or EUR 20 million |

Seven calendar days with no extension provision means:

  • A request received on Monday must be resolved by the following Monday
  • A request received on Friday before a long weekend must still be resolved within 7 days
  • Complex requests (data spread across 20 systems) get the same timeline as simple ones

This SLA makes automation essential. Manual processes will fail at any meaningful request volume.

How to Set Up a DSR Handling Workflow

Step 1: Establish Intake Channels

Create clear, accessible channels for Data Principals to submit requests:

  • Web form on your privacy page (recommended as primary channel)
  • Dedicated email address (e.g., [email protected])
  • In-app request option in user account settings
  • Physical address for written requests (still required)

Every channel must capture:

  • Requester name and contact information
  • Type of right being exercised
  • Specific details of the request
  • Preferred response method

Step 2: Identity Verification

Before processing any request, verify the identity of the Data Principal. Methods include:

  • OTP verification to registered mobile/email (fastest)
  • Account login confirmation (for existing users)
  • Government ID verification (for high-risk requests like erasure)

Keep verification proportionate. Do not demand a passport scan for a simple access request.

Step 3: Automated Triage and Assignment

Classify the request type and route it to the right handler:

| Request Type | Complexity | Typical Handler |
|---|---|---|
| Access (summary) | Low-Medium | Automated system + review |
| Correction | Low | Data team + validation |
| Erasure | High | Data team + legal review |
| Grievance | Variable | Grievance officer |
| Nomination | Low | Data team + verification |

Step 4: SLA Timer and Escalation

Start a 7-day countdown timer the moment a request is received (not when it is acknowledged or verified). Set up automated escalations:

| Day | Action |
|---|---|
| Day 0 | Request received, auto-acknowledgement sent, SLA timer starts |
| Day 1 | Identity verification completed |
| Day 2 | Request assigned to handler, data collection begins |
| Day 4 | Internal review of response draft |
| Day 5 | Alert: 2 days remaining, escalate if unresolved |
| Day 6 | Warning: 1 day remaining, escalate to DPO |
| Day 7 | Response sent to Data Principal, request closed |

Step 5: Response and Record-Keeping

Send the response through the Data Principal’s preferred channel. Maintain records of:

  • Original request (verbatim)
  • Verification steps taken
  • Actions performed
  • Response sent
  • Timestamp of closure
  • Any exceptions or refusals (with reasons)

Retain these records for at least 7 years — they are your evidence during DPB audits.
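As an added illustration of Steps 1 to 5 (this is not code from the original post or from ZenoComply), a minimal Python tracker that starts the SLA clock at receipt, routes each request by right type, reports the escalation stage for any given day, and keeps a timestamped audit trail; the request IDs and dates used are constructed.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional, Tuple

SLA_DAYS = 7  # DPDP window: calendar days from receipt, no extension provision

# Triage routing (Step 3) and escalation schedule (Step 4), keyed by days since receipt
HANDLERS = {"access": "automated system + review", "correction": "data team + validation",
            "erasure": "data team + legal review", "grievance": "grievance officer",
            "nomination": "data team + verification"}
ESCALATIONS = {5: "alert: 2 days remaining, escalate if unresolved",
               6: "warning: 1 day remaining, escalate to DPO",
               7: "due today: response must be sent and request closed"}


@dataclass
class DSRequest:
    request_id: str
    right: str
    received: date  # the clock starts here, not at acknowledgement or verification
    audit: List[Tuple[str, str]] = field(default_factory=list)  # timestamped trail for DPB audits
    closed: Optional[date] = None

    def __post_init__(self) -> None:
        if self.right not in HANDLERS:
            raise ValueError(f"unknown right type: {self.right}")
        self.log(f"received; routed to {HANDLERS[self.right]}; SLA timer started", self.received)

    @property
    def due(self) -> date:
        # Weekends and holidays count: a request received on a Monday is due the next Monday
        return self.received + timedelta(days=SLA_DAYS)

    def log(self, action: str, on: date) -> None:
        self.audit.append((on.isoformat(), action))

    def status(self, today: date) -> str:
        if self.closed:
            return "closed"
        elapsed = (today - self.received).days
        if elapsed > SLA_DAYS:
            return "overdue"
        return ESCALATIONS.get(elapsed, f"in progress: {SLA_DAYS - elapsed} days remaining")

    def close(self, on: date, outcome: str) -> bool:
        # Records closure; True when the response went out inside the 7-day window
        self.closed = on
        self.log(f"closed: {outcome}", on)
        return on <= self.due
```

Feeding `status()` the current date from a daily job gives the Day 5, Day 6 and Day 7 escalation messages from the table above; anything later reports as overdue.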

Templates for Acknowledgement and Response

Acknowledgement Template (Send within 24 hours)

Subject: Acknowledgement of Your Data Request — [Request ID]

Dear [Name],

We have received your request to exercise your right to [access/correction/erasure/grievance/nomination] under the Digital Personal Data Protection Act, 2023.

Request details:
- Request ID: [auto-generated ID]
- Request type: [Right type]
- Date received: [Date]
- Expected response by: [Date + 7 days]

We are currently verifying your identity and processing your request. You will receive a detailed response within 7 days of receipt.

If you have questions about this request, contact our Data Protection Officer at [DPO email].

Regards,
[Company Name]
Data Protection Office

Access Request Response Template

Subject: Response to Your Data Access Request — [Request ID]

Dear [Name],

In response to your data access request (ID: [Request ID]), dated [Date], here is a summary of the personal data we process about you:

DATA CATEGORIES:
- Identity data: [Name, email, phone number]
- Transaction data: [Order history, payment records]
- Usage data: [Login activity, feature usage]
- Marketing data: [Consent preferences, communication history]

PROCESSING PURPOSES:
- Service delivery and account management
- Order fulfillment and customer support
- Marketing communications (with your consent)
- Legal and regulatory compliance

DATA SHARED WITH:
- [Payment Processor Name] — for payment processing
- [Cloud Provider Name] — for data hosting
- [Analytics Tool Name] — for service improvement

RETENTION PERIOD:
- Active data: Retained while your account is active
- Transaction records: 7 years (legal requirement)
- Marketing data: Until consent withdrawal

If any of this information is inaccurate or if you wish to exercise additional rights, please contact us at [privacy email].

Regards,
[Company Name]
Data Protection Office

Erasure Request Response Template

Subject: Confirmation of Data Erasure — [Request ID]

Dear [Name],

In response to your data erasure request (ID: [Request ID]), dated [Date], we confirm the following actions have been taken:

DATA DELETED:
- Account profile and identity data
- Marketing preferences and consent records
- Usage and behavioral data
- Communication history

DATA RETAINED (with legal basis):
- Transaction records: Retained for 7 years under [applicable law]
- Tax-related records: Retained as required by the Income Tax Act

THIRD-PARTY NOTIFICATION:
We have notified the following processors to delete your data:
- [Processor 1] — deletion confirmed on [date]
- [Processor 2] — deletion confirmed on [date]

Backup systems will be purged within [X] days as part of our standard backup rotation cycle.

If you have questions, contact our Data Protection Officer at [DPO email].

Regards,
[Company Name]
Data Protection Office

Grievance Response Template

Subject: Response to Your Grievance — [Grievance ID]

Dear [Name],

We have reviewed your grievance (ID: [Grievance ID]) regarding [summary of complaint], filed on [Date].

INVESTIGATION FINDINGS:
[Description of what was investigated and findings]

RESOLUTION:
[Description of actions taken to resolve the grievance]

If you are not satisfied with this resolution, you have the right to file a complaint with the Data Protection Board of India at [DPB contact details/website].

Regards,
[Company Name]
[Grievance Officer Name]
Data Protection Office

Duties of Data Principals

DPDP is not one-sided. Section 16 also imposes duties on Data Principals:

| Duty | Description |
|---|---|
| Accurate information | Must not provide false or misleading personal data |
| No frivolous complaints | Must not file false or frivolous grievances with the DPB |
| No impersonation | Must not impersonate another person when providing data |
| Authentic documents | Must not suppress material information when exercising rights |

If a Data Principal files a false or frivolous complaint, the DPB can impose a penalty of up to Rs 10,000 on the Data Principal.

This is worth noting in your grievance responses — but use it carefully. Citing Data Principal duties in a way that discourages legitimate complaints is a bad look and could attract DPB scrutiny.

Building Your DSR System: Build vs Buy

Build In-House

Pros:

  • Full control over workflow and data flow
  • Custom integration with your existing systems
  • No recurring vendor fees

Cons:

  • Significant development time (3-6 months minimum)
  • Ongoing maintenance burden
  • Must keep up with regulatory changes
  • SLA tracking, escalation, and audit trails require careful engineering

Use a DSR Management Tool

Pros:

  • Faster deployment (days, not months)
  • Pre-built SLA tracking and escalation
  • Audit-ready reporting out of the box
  • Vendor handles regulatory updates

Cons:

  • Recurring subscription cost
  • Data flows through a third-party system
  • Customization may be limited

For most businesses, a purpose-built tool pays for itself in avoided penalties and operational efficiency. The 7-day SLA alone makes manual spreadsheet-based tracking unviable.

How ZenoComply Handles Data Principal Rights

ZenoComply provides a complete DSR management module designed for DPDP’s 7-day SLA:

  • Multi-channel intake: Web form, email, and API for receiving requests
  • Automated identity verification: OTP and account-based verification
  • SLA countdown timers: Automatic tracking from receipt to resolution
  • Escalation alerts: Notifications at Day 5, Day 6, and Day 7
  • Response templates: Pre-built templates for all five right types
  • Audit trail: Every action logged with timestamps for DPB audits
  • Third-party notification: Track processor deletion confirmations
  • Analytics dashboard: Request volumes, response times, and compliance metrics

The system is designed to make the 7-day SLA manageable, even at scale.


Need to handle data principal rights requests within 7 days? ZenoComply provides automated DSR workflows with SLA tracking, escalation alerts, and audit-ready records — built specifically for DPDP compliance. Start your free trial today and be ready before the first request arrives.
