The DPDP Act 2023 gives every Indian individual whose data you collect — your customers — a set of legal rights over that data. These are called Data Principal Rights. Understanding them is essential because failing to honour them carries penalties up to ₹50 Crore per violation.
Right 1: Right to Access Information (Section 11)
Any customer can ask you: "What personal data do you have about me?" You must respond with a summary of the personal data you hold and the processing activities you've undertaken with it.
What this means practically: You need to be able to search across all your systems (Shopify, CRM, email tool, spreadsheets) and produce a record of what data you hold for a specific customer. This is why data mapping — knowing where all your customer data lives — is a prerequisite for DPDP compliance.
Right 2: Right to Correction and Erasure (Section 12)
If a customer believes data you hold about them is inaccurate, they can ask you to correct it. If they want their data deleted — either because they're withdrawing consent or because the purpose of collection is fulfilled — they can demand erasure.
You must complete corrections and erasures within a reasonable time (the Rules will specify timelines). Crucially, you must also inform any Data Processors you've shared their data with — Razorpay, your shipping partner — to delete their records too.
Exceptions: You don't have to delete data you're legally required to keep — tax records under GST law, transaction records under banking regulations, etc. But you must be able to explain why you're retaining data despite an erasure request.
Right 3: Right to Grievance Redressal (Section 13)
Customers have the right to have grievances addressed by you before escalating to the Data Protection Board. You must provide a clear, accessible means for customers to raise data-related complaints — a dedicated email address, a form, or a portal.
If you fail to respond to a grievance satisfactorily, the customer can approach the Data Protection Board, which has powers to investigate and impose penalties.
Right 4: Right to Nominate (Section 14)
A Data Principal can nominate another person to exercise their data rights on their behalf in the event of death or incapacity. This is relevant for healthcare providers and financial institutions where individuals may become incapacitated.
What Is a Data Subject Request (DSR)?
A DSR (Data Subject Request) — sometimes called a DSAR — is any formal request from a customer to exercise one of the above rights. Your business must have a defined process for handling DSRs. The key elements:
- Intake: A clear way for customers to submit requests (email, form, portal)
- Verification: A process to verify the requester is who they say they are (you can't delete data based on an anonymous request)
- Fulfillment: A process to retrieve, correct, or delete data across all systems
- Timeline: A target response time (EasyDP defaults to 30 days)
- Logging: A record that the request was received, processed, and completed
Building a Simple DSR Process
For small businesses, a minimal compliant DSR process looks like this:
- Add a dedicated email address (privacy@yourbusiness.in) or a form on your website
- When a request arrives, verify identity (ask them to confirm their registered phone or email)
- Check all your systems: Shopify/website, CRM, email lists, WhatsApp contacts, spreadsheets
- For access requests: compile and send the data summary within 30 days
- For erasure requests: delete from all systems and notify your processors within 30 days
- Log each request: date received, type, identity verified, action taken, date completed
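The six steps above can be wired into a small workflow so that no data is released or deleted before identity is verified, legally retained records are kept with the reason recorded, processors are notified, and every request carries a deadline and an audit trail. The following is an added example written for this article, not EasyDP's code or any real integration: the system names, the customer records, the processor names, the GST legal hold and the 30-day deadline are all constructed or assumed.

```python
"""DSR workflow: intake -> identity verification -> fulfilment across systems
-> processor notification -> logging, with legal-retention exceptions.
Illustrative example; every store, record and name below is constructed."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

RESPONSE_DAYS = 30  # assumed target timeline (the article's default)


def sample_systems() -> Dict[str, Dict[str, dict]]:
    """Fresh copy of constructed records for one customer across four stores,
    standing in for Shopify, the CRM, the email tool and invoice records."""
    return {
        "shopify": {"cust-1": {"email": "asha@example.in", "orders": 3}},
        "crm": {"cust-1": {"email": "asha@example.in", "segment": "repeat-buyer"}},
        "email_list": {"cust-1": {"email": "asha@example.in", "subscribed": True}},
        "gst_invoices": {"cust-1": {"invoice_no": "INV-0001", "amount": 1200}},
    }


# Stores whose records must survive an erasure request, with the reason to cite.
LEGAL_HOLDS = {"gst_invoices": "retained under GST record-keeping rules (assumed)"}
PROCESSORS = ["payment-gateway", "shipping-partner"]  # constructed processor names


@dataclass
class DSR:
    request_id: str
    customer_id: str
    kind: str                      # "access", "correction" or "erasure"
    received: date
    verified: bool = False
    status: str = "received"
    completed: Optional[date] = None
    log: List[Tuple[date, str]] = field(default_factory=list)

    def note(self, day: date, event: str) -> None:
        self.log.append((day, event))   # the audit record the article asks for

    def deadline(self) -> date:
        return self.received + timedelta(days=RESPONSE_DAYS)

    def is_overdue(self, today: date) -> bool:
        return self.completed is None and today > self.deadline()


def verify_identity(dsr: DSR, systems, claimed_email: str, today: date) -> bool:
    """Gate: the requester must confirm the contact already on file."""
    stored = systems["crm"].get(dsr.customer_id, {}).get("email")
    dsr.verified = stored is not None and stored.lower() == claimed_email.lower()
    dsr.note(today, "identity verified" if dsr.verified else "identity check failed")
    return dsr.verified


def fulfil_access(dsr: DSR, systems, today: date) -> Dict[str, dict]:
    """Right to Access: summary of what each system holds, only once verified."""
    if not dsr.verified:
        raise PermissionError("access request must be verified before data is released")
    summary = {name: dict(store[dsr.customer_id])
               for name, store in systems.items() if dsr.customer_id in store}
    dsr.status, dsr.completed = "completed", today
    dsr.note(today, f"access summary sent covering {sorted(summary)}")
    return summary


def notify_processor(processor: str, customer_id: str, today: date) -> dict:
    """Record of the deletion notice sent to one Data Processor (hypothetical)."""
    return {"processor": processor, "customer_id": customer_id, "sent": today}


def fulfil_erasure(dsr: DSR, systems, today: date) -> dict:
    """Right to Erasure: delete everywhere except legal holds, notify processors."""
    if not dsr.verified:
        raise PermissionError("erasure request must be verified before any deletion")
    deleted, retained = [], {}
    for name, store in systems.items():
        if dsr.customer_id not in store:
            continue
        if name in LEGAL_HOLDS:
            retained[name] = LEGAL_HOLDS[name]   # keep it, and record why
        else:
            del store[dsr.customer_id]
            deleted.append(name)
    notified = [notify_processor(p, dsr.customer_id, today) for p in PROCESSORS]
    dsr.status, dsr.completed = "completed", today
    dsr.note(today, f"erased from {deleted}; retained {sorted(retained)}; "
                    f"notified {[n['processor'] for n in notified]}")
    return {"deleted": deleted, "retained": retained, "notified": notified}


if __name__ == "__main__":
    systems = sample_systems()
    req = DSR("dsr-1", "cust-1", "erasure", date(2025, 1, 1))
    verify_identity(req, systems, "asha@example.in", date(2025, 1, 2))
    print(fulfil_erasure(req, systems, date(2025, 1, 10)))
    print(req.log)
```

The two points worth copying into a real implementation are the verification gate (both fulfilment functions refuse unverified requests, which is what stops anonymous deletion requests) and the explicit legal-hold table, which turns "we kept your invoice" into a logged, citable reason rather than an unexplained gap in the erasure.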
Obligations vs. Rights: The Balance
The DPDP Act also lists obligations for Data Principals — customers cannot provide false information, and they cannot use their data rights to obstruct lawful processing (e.g., demanding deletion of records the business is legally required to keep). But in practice, the burden is overwhelmingly on the Data Fiduciary to build compliant processes.
How EasyDP Handles DSRs
EasyDP provides every business with a branded customer-facing portal where customers can view their data, request corrections, and submit erasure requests — in any Indian language. Every request is logged with a timestamp and escalation timer. If a request isn't responded to within your set timeline, EasyDP sends you an alert.