What are the rights of a Data Principal under DPDPA?

As a user, what are some of the rights which I could learn or remember under DPDPA?

1 Answer

The Digital Personal Data Protection Act (DPDPA), 2023 in India grants several rights to Data Principals (individuals whose data is processed). Below is a detailed explanation of these rights, structured for clarity:


1. Right to Access Information (Section 11)

  • What it entails:
    • Data Principals can request confirmation from Data Fiduciaries (entities processing data) about whether their personal data is being processed.
    • They are entitled to a summary of the processed data, including:
      • Categories of data collected.
      • Purpose of processing.
      • Recipients or third parties with whom data is shared.
  • How to exercise: Submit a written request to the Data Fiduciary.
  • Limitations: May be restricted for legal or security reasons (e.g., national security, public order).

2. Right to Correction and Erasure (Section 12)

  • Correction:
    • Data Principals can request correction of inaccurate or incomplete data.
    • Data Fiduciaries must update the data and notify third parties if necessary.
  • Erasure:
    • Data can be deleted when:
      • The purpose of processing is fulfilled.
      • Consent is withdrawn (unless retention is required by law).
  • How to exercise: Submit a request to the Data Fiduciary, which must act within a specified timeframe (e.g., 30 days).

3. Right to Grievance Redressal (Section 13)

  • Mechanism:
    • Data Fiduciaries must appoint a grievance officer to address complaints.
    • Data Principals can escalate unresolved issues to the Data Protection Board of India (DPBI).
  • Timeline: Data Fiduciaries must acknowledge complaints within 7 days and resolve them within 30 days.

4. Right to Nominate (Section 15)

  • Nomination:
    • Data Principals can appoint a legal representative to exercise their data rights in case of death or incapacity.
  • Process: Submit nomination details to the Data Fiduciary, which must honor the request after verification.

5. Right to Withdraw Consent

  • Withdrawal Process:
    • Consent can be withdrawn as easily as it was given.
    • Data Fiduciaries must cease processing and delete data unless required by law (e.g., tax records).
  • Implications: Withdrawal does not affect processing done prior to consent withdrawal.

6. Right to Information (via Notice, Section 5)

  • Obligation on Data Fiduciary:
    • Data Principals must be informed in clear language about:
      • Purpose of data collection.
      • Categories of personal data processed.
      • How to exercise rights (e.g., contact details of grievance officer).
    • This information is typically provided through a privacy notice.

Key Limitations on Rights

  • Rights may be restricted for:
    • National security, public order, or legal proceedings.
    • Compliance with court orders or legal obligations.
    • Situations where requests are frivolous or impossible to fulfill.

Responsibilities of Data Principals

  • Provide accurate data and avoid frivolous complaints.
  • Notify the Data Fiduciary of corrections if they shared data with other entities.

Conclusion

The DPDPA 2023 empowers Data Principals with control over their personal data while balancing practical and legal constraints. While it omits certain GDPR rights (e.g., data portability), it introduces unique provisions like the right to nominate. Compliance obligations on Data Fiduciaries ensure these rights are actionable within defined timelines and processes. For specific cases, consulting the DPDPA text or legal experts is advisable.