DPDP Act 2023 · Sections 11–15 · Data Principal Rights
Data Principal Rights
The DPDP Act 2023 empowers individuals (Data Principals) with fundamental rights over their personal data. Organizations must implement mechanisms to honor these rights.
Four enforceable rights — access, correction & erasure, grievance redressal, and nomination — with corresponding duties under Section 15.
DPDP Act 2023 · Chapter III, Sections 11–15 · Last reviewed June 2026
Direct Answer
What rights do data principals have?
Under the DPDP Act 2023, a data principal — the individual a piece of personal data is about — has four enforceable rights: the right to access information about their data (Section 11), to correction and erasure (Section 12), to grievance redressal (Section 13), and of nomination (Section 14), with corresponding duties under Section 15. Data fiduciaries must build accessible mechanisms to honour these rights and respond within the period prescribed by the MeitY DPDP Rules 2025.
Chapter III
Fundamental Rights
Right to Access Information
Data Principals have the right to obtain a summary of their personal data being processed and the processing activities.
Right to Correction and Erasure
Data Principals can request correction of inaccurate or misleading data, completion of incomplete data, updating of data, and erasure of data.
Right to Grievance Redressal
Data Principals have the right to readily available means of grievance redressal provided by the Data Fiduciary.
Right of Nomination
Data Principals can nominate another individual to exercise their rights in the event of their death or incapacity.
Section 15
Duties of the Data Principal
While Data Principals have rights, they also have corresponding duties to ensure responsible exercise of these rights.
At a Glance
Data Principal Rights at a Glance
The complete set of rights and duties under Chapter III of the DPDP Act 2023.
| Section | Right / duty | What it covers |
|---|---|---|
| Section 11 | Right to access information | A summary of personal data processed, the processing activities, and the identities of fiduciaries and processors with whom data is shared |
| Section 12 | Right to correction & erasure | Correct inaccurate or misleading data, complete or update data, and erase data no longer needed for its purpose |
| Section 13 | Right to grievance redressal | A readily available grievance mechanism with the data fiduciary before approaching the Board |
| Section 14 | Right of nomination | Nominate another individual to exercise rights in the event of death or incapacity |
| Section 15 | Duties of the data principal | Exercise rights lawfully — no impersonation, no false or frivolous complaints, no suppression of material information |
Frequently Asked Questions
Common questions on data principal rights, response timelines, and duties.
Who is a data principal under the DPDP Act?
A data principal is the individual to whom the personal data relates — the equivalent of a data subject under the GDPR. Where the individual is a child, the data principal includes the parent or lawful guardian; where the individual is a person with a disability, it includes their lawful guardian.
What rights do data principals have under the DPDP Act?
The DPDP Act 2023 gives data principals four rights: the right to access information about their personal data (Section 11), the right to correction and erasure (Section 12), the right to grievance redressal (Section 13), and the right of nomination (Section 14). Section 15 sets out corresponding duties, such as not filing false or frivolous complaints.
How quickly must a data fiduciary respond to a rights request?
A data fiduciary must respond within the time period prescribed by the DPDP Rules 2025 (Rule 14 addresses the timeframe for access, correction, and erasure requests). Organizations should build request-handling workflows with clear internal SLAs so they can meet the prescribed period and evidence compliance.
Does the DPDP Act include a right to data portability or to object?
No. Unlike the GDPR, the DPDP Act does not provide an explicit right to data portability, a right to object to processing, or rights against solely automated decision-making. Its rights set is narrower, centred on access, correction, erasure, grievance redressal, and nomination.
What is the right of nomination?
Section 14 lets a data principal nominate another individual to exercise their rights — for example, accessing, correcting, or erasing data — in the event of their death or incapacity. The nominee then steps into the data principal’s shoes for the nominated rights, following the process set out in the rules.
Written By Expert Auditors