What Are The Data Principal Rights Under The DPDP Act?

Discover the rights granted to Data Principals under the DPDP Act 2023 to help you navigate through a secure and transparent digital landscape.

One of the significant milestones we witnessed in 2023 was the enactment of the DPDP Act, crafted to give individuals or Data Principals more control over their shared, used, and stored personal data.

Under the legal framework, organizations are mandated to maintain transparency, provide access, and ensure robust security measures in handling personal data. Failure to comply with these responsibilities may result in hefty penalties.

In this blog, we delve into the rights granted to Data Principals by the DPDP Act, as highlighted in Sections 11-14 of the DPDP Act.

Rights Of Data Principals Under The DPDP Act

Take a look at all your rights that fall under the DPDP Act. These rights let you take control of your personal information and protect it.

1. Right To Access Information About Personal Data

Let’s say you want to understand what an organization is doing with the data you have shared with them. You now have the Right to Access Information as outlined in the Digital Personal Data Protection Act 2023. This provision grants Data Principals (people whose data is processed by companies) the ability to request specific details about the processing of their personal data.

Under Section 11(1)(c), you can even gain a comprehensive understanding of how your data is being used and processed. This allows you to request any other information related to your personal data.

But there is an exception as stated in Section 11(2). This is when the data has been shared with another Data Fiduciary who is legally authorized to acquire such data for specific purposes like preventing, detecting, or investigating cybercrime, or for the prosecution or punishment of offences. In these specific circumstances, some of the rights mentioned in Sections 11(1)(a), 11(1)(b), and 11(1)(c) may not be fully enforceable.

It’s important to note that the exception is applicable only under specific circumstances, primarily related to cybersecurity and legal investigations.

This exception ensures a balance between individual data rights and the broader objectives of preventing and prosecuting cyber incidents or offences.

2. Right To Correction And Erasure of Personal Data

Under Section 12 (1) of the DPDP Act, you have the right to make any corrections to the data if it is false, inaccurate, incomplete, misleading, or needs an update. To do this, you will have to submit a written request to the Data Fiduciary, specifying the necessary changes. The Data Fiduciary is required to promptly evaluate your correction request and implement the required changes.

Section 12(2) also offers you the right to erase data. You, as a Data Principal, have the right to request the erasure of your personal data. The Data Fiduciary is obliged to fulfil this request unless there are specific reasons to retain the data, such as for a particular purpose or to comply with legal requirements.

While the Act provides the right to erasure, it acknowledges that certain conditions and exceptions may apply. These conditions and exceptions will be specified in the rules associated with the Act, providing a structure for when erasure may not be feasible or permissible.