If a business in India collects your personal data — your name, phone, address, payments — India's Digital Personal Data Protection Act 2023 gives you real, enforceable rights over that data: the right to see it, correct it, delete it, and complain when it's mishandled. This guide explains those rights in plain language, how to actually use them, and the few responsibilities the law asks of you in return. (In the law's own terms, you are the "Data Principal" — see the plain-English box below.)
In plain English
- You (the user / customer) = a "Data Principal"
- The business holding your data = a "Data Fiduciary"
- Your rights over your data = Sections 11–14 of the DPDP Act
- Your duties as a user = Section 15 of the DPDP Act
- The complaints regulator = the Data Protection Board (DPB)
Quick Answer: What Rights Do You Have as a User?
As a user, you have four rights under the DPDP Act 2023: the right to access information about your personal data (Section 11), the right to correction and erasure (Section 12), the right to grievance redressal (Section 13), and the right to nominate someone to exercise these rights on your behalf (Section 14). Separately, you can withdraw consent at any time under Section 6(4). In return, Section 15 places five duties on you — including not impersonating others and giving authentic information.
Your Four Rights as a User (Sections 11–14)
| Right | Section | What it lets you do |
|---|---|---|
| Access information | Section 11 | Ask a business for a summary of the personal data it holds about you and how it's being processed, plus the identities of every other Data Fiduciary and Data Processor it has shared your data with |
| Correction & erasure | Section 12 | Have your data corrected, completed, updated, or erased |
| Grievance redressal | Section 13 | Use the business's or Consent Manager's complaint mechanism — which must respond within a published period — before escalating to the Data Protection Board |
| Nominate | Section 14 | Name one or more people to exercise your rights if you die or become incapacitated |
Right 1 — Right to Access Information (Section 11)
On request, a Data Fiduciary must give you: a summary of the personal data it is processing and the processing activities it has undertaken; and the identities of all other Data Fiduciaries and Data Processors with whom your data has been shared, along with a description of what was shared. This right applies to data processed on the basis of your consent (and certain legitimate uses). It's the foundation of transparency — you can't correct or delete what you don't know a business holds.
Right 2 — Right to Correction and Erasure (Section 12)
Section 12 gives you the right to correction, completion, updating and erasure of the personal data you previously consented to a business processing. If a business is holding an old address, a misspelt name, or data it no longer needs, you can require it to fix or delete that data — subject to any legal obligation the business has to retain certain records (for example, tax records).
Right 3 — Right of Grievance Redressal (Section 13)
You have the right to a readily available means of grievance redressal provided by the Data Fiduciary or its Consent Manager. The Act states they "shall respond to any grievances… within such period as may be prescribed." Importantly, Section 13(3) requires you to exhaust this grievance mechanism before approaching the Data Protection Board — so always raise it with the business first and keep a record.
Right 4 — Right to Nominate (Section 14)
Section 14 lets you nominate one or more individuals to exercise your rights under the Act in the event of your death or incapacity. This is especially relevant for accounts holding sensitive financial or health data — it ensures someone you trust can access, correct, or close them.
What About Withdrawing Consent?
Withdrawing consent is often mistaken for a "fifth right," but it actually sits in the consent provisions, not Chapter III. Under Section 6(4), you may withdraw your consent at any time, and the Act requires that the ease of doing so be "comparable to the ease with which such consent was given." So if you opted in with one tap, the business must let you opt out just as easily. Section 6(5) makes clear that withdrawal doesn't undo processing already carried out lawfully.
How to Exercise Your Rights (The Practical Steps)
The DPDP Rules 2025 (Rule 14, "Rights of Data Principals") set out how this works in practice. A business must prominently publish on its website or app the means for you to make a request, and the identifier it needs to recognise you (for example, your registered email, mobile number, or a customer/enrolment number). It must also publish, and stick to, the period within which it will respond.
- Find the request channel. Look for a "Privacy", "Your Data", or "Data Request" link on the website, app, or privacy notice.
- Identify yourself. Provide the identifier the business specifies so it can locate your records.
- State the right you're exercising. Access, correction, erasure, or a grievance — be specific.
- Keep a record. Note the date you submitted the request; the business must respond within its published timeline.
- Escalate only after exhausting the grievance route. If unresolved, you can then approach the Data Protection Board (Section 13(3)).
Run a business and need to handle these requests from the other side? See our guide for businesses on customer rights and building a DSR process.
Your Duties as a Data Principal (Section 15)
Rights come with responsibilities. Section 15 lists five duties every Data Principal must perform:
| # | Duty (Section 15) |
|---|---|
| 15(a) | Comply with all applicable laws while exercising your rights under the Act |
| 15(b) | Do not impersonate another person while providing your personal data for a specified purpose |
| 15(c) | Do not suppress any material information while providing personal data for any document, unique identifier, proof of identity, or proof of address issued by the State |
| 15(d) | Do not register a false or frivolous grievance or complaint with a Data Fiduciary or the Board |
| 15(e) | Furnish only information that is verifiably authentic when exercising the right to correction or erasure |
In short: give correct, genuine information, don't pretend to be someone else, and don't abuse the complaint system.
Is There a Penalty If a Data Principal Breaks These Duties?
Yes — but it's modest. The Schedule to the Act (referenced in Section 33) sets a penalty of up to ₹10,000 for a Data Principal who breaches the duties in Section 15. This is the lowest tier in the entire penalty schedule (business-side penalties run from ₹50 Crore to ₹250 Crore), reflecting that the Act's weight falls overwhelmingly on businesses, not individuals.
Why These Rights Matter
The DPDP Act reframes your personal data as something that belongs to you and is merely entrusted to a business — which is exactly why the word "fiduciary" is used for the business that holds it. Knowing your four rights (and how to exercise them) turns the Act from an abstract law into a practical tool you can use whenever a company mishandles your data.
If you run a business rather than just use one, the mirror image of this guide is our explainer on your responsibilities as a business — what the law requires of the organisations (the "Data Fiduciaries") holding all this data.
References & Sources
- Ministry of Electronics & IT, Government of India — The Digital Personal Data Protection Act, 2023 (Chapter III, Sections 11–15; Section 6; the Schedule).
- The Digital Personal Data Protection Rules, 2025 (G.S.R. 846(E)) — Rule 14, "Rights of Data Principals."
- India Code — Digital Personal Data Protection Act, 2023 (Act No. 22 of 2023), official consolidated text.
This article is general information about the DPDP Act 2023 and DPDP Rules 2025, not legal advice. Section and rule references are cited from the official text; always confirm against the current notified version for your specific situation.