Part III: Rights and Duties of Data Principal

Rights of the Data Principal

The Digital Personal Data Protection Act, 2023, transforms the role of the individual – the Data Principal – from a passive subject into an empowered rights-holder. These rights are legally enforceable and must be honoured by Data Fiduciaries within statutory timelines, generally ranging between 15–30 days. Together, they ensure transparency, accountability, and meaningful control over personal data.

1. Right to Access Information (Section 11)

A Data Principal may seek confirmation of whether their personal data is being processed, obtain a concise summary of the data held, and learn the identities (or categories) of third parties with whom the data has been shared. Refusal is permitted only where specific exemptions apply, such as during law enforcement investigations.
The Right to Access, while globally recognized, is actually quite contentious in that there is some confusion about what exactly constitutes "access." The CJEU in Case C-487/21 Österreichische Datenschutzbehörde and CRIF interprets Article 15(3) of the GDPR, which obligates the controller to provide a copy of the data undergoing processing upon the subject's request. The question was what would constitute a "copy" such that the data subject's right to access is fulfilled. Would a summary of the data being processed be adequate? The CJEU held that the data subject must be given a faithful and intelligible reproduction of all their personal data. This may include, to the extent that it is necessary to protect their rights and interests, copies of extracts from documents, entire documents or extracts from databases – making a summary inadequate under the GDPR. The usage of the word "summary" in the DPDPA could lead to a different implementation of the Right to Access in India.

2. Right to Correction and Erasure (Section 12)

Correction: Data Principals may require rectification of inaccurate, incomplete, outdated, or misleading personal data. Fiduciaries must ensure updates across all active systems. Supporting documents may be requested.
Erasure: Where the purpose of processing has been fulfilled or consent is withdrawn, Data Principals may demand erasure of personal data. Fiduciaries must delete or robustly anonymize such data, certifying completion to the Data Principal. Partial refusal is permissible only if retention is required under another law. Enforcement would have to be read with the Right to be Forgotten – introduced initially by the CJEU in the seminal Case C-131/12 Mario Costeja Gonzalez (known as the Google Spain case), which held that a search engine may be ordered to remove the links from search results upon request of a data subject with respect to publicly available data. In fact, while the GDPR was supposed to include a right to be forgotten, this was changed to a right to request erasure for a set of specific reasons.
In India, in cases such as SK v Union of India (2023) and Jorawar Singh Mundy v Union of India (2021), the Delhi High Court permitted the removal of search engine results and the redaction of accused persons' names from legal databases, reasoning that continuing to associate individuals with criminal accusations (despite acquittal) unfairly harmed their reputation and privacy. Yet, courts have been cautious not to extend this principle too far. For instance, in Vysakh K.G. v Union of India (2022), the Kerala High Court held that the right to be forgotten cannot override the principle of open justice or legislative prerogatives. Similarly, the Gujarat High Court in Dharamraj Bhanushankar Dave v State of Gujarat (2015) refused to interfere with the online publication of judgments, emphasizing that judicial records cannot be erased merely because they are unfavourable to a petitioner. This position has been reiterated in Karthick Theodre v Registrar General, Madras High Court (2021), where the court held that the sanctity of original judicial records cannot be altered except as prescribed by law. Although the Supreme Court stayed this order in July 2024, it limited judicial recognition of the right to be forgotten to requests involving the redaction of specific information, particularly in protecting victims and witnesses, and declined to allow sweeping erasures of criminal records.

3. Right to Grievance Redressal (Section 13)

Every Data Fiduciary must establish an accessible grievance redressal mechanism. Complaints must be acknowledged and resolved within prescribed timelines. If unresolved, the Data Principal may escalate the matter to the Data Protection Board of India (DPBI), creating a tiered system of accountability.

4. Right to Nominate (Section 14)

Uniquely, the Act allows a Data Principal to nominate another individual to exercise their rights in the event of death, unsoundness of mind, or physical infirmity. The nominee assumes the rights of the Data Principal upon producing proof of entitlement, and fiduciaries are required to record such nominations securely – the exact manner in which nominations are to happen will be notified by the Government.

5. Right to Revoke Consent

Consent, once given, may be withdrawn at any time. Upon revocation, the Fiduciary and any associated processors must immediately cease processing the data, subject to the Data Principal bearing the consequences of such withdrawal. We have discussed this in detail under the section "consent."

6. Right to be Informed

Implicit in the consent framework is the right to be informed. Data Fiduciaries must provide Data Principals with clear notice at or before data collection, setting out the purpose, nature, and duration of processing.

7. Safeguards for Children and Persons with Disabilities

For children (under 18), parents or guardians act as Data Principals. Their verifiable consent is required, and fiduciaries are prohibited from processing children's data in a manner detrimental to their well-being, including behavioural tracking and targeted advertising. Similar protections extend to persons with disabilities, whose guardians provide valid consent.

Duties of the Data Principal

Unlike many data privacy laws, the DPDP Act expressly codifies duties for Data Principals under Section 15, ensuring that rights are exercised responsibly. These duties prevent abuse of the system and encourage balance in the data protection framework.
  1. No False or Frivolous Complaints – Complaints filed with Fiduciaries or the DPBI must be genuine and not intended to harass.
  2. No Impersonation – A Data Principal must not misrepresent their identity when exercising rights.
  3. No Suppression of Material Information – All relevant information must be truthfully disclosed in official dealings.
  4. Authenticity of Data for Correction/Erasure – Requests for correction or erasure must be supported by genuine and verifiable information.
Failure to comply with these duties attracts a civil penalty of up to INR 10,000. While modest compared to the fines imposed on Fiduciaries (up to INR 250 crore) for dereliction of duty.