JSA Prism | Data Privacy (Edition 5) | September 2024

 

Rights and duties of data principals under the Digital Personal Data Protection Act, 2023

The crux of the Digital Personal Data Protection Act, 2023 (“DPDPA”) is empowering individuals to assert control over their personal data. While the DPDPA is crafted to empower data principals, it also recognizes that individuals hold certain duties to ensure the smooth and responsible processing of their personal data.

In the fifth edition of the Prism series, we explore the rights and duties of data principals under DPDPA and how these provisions stand against global data protection laws like the General Data Protection Regulation (“GDPR”) in Europe, California Consumer Privacy Act (“CCPA”) and Singapore’s Personal Data Protection Act (“PDPA”).

 

Rights of data principals

DPDPA establishes several key rights for data principals, giving them greater control over how their personal data is processed.

  1. Right to access information: Data principals have the right to be informed by the data fiduciary about the purposes for which their data is being processed.

  • The right to access information does not extend to the sharing of personal data in response to a request made by a data fiduciary for the purposes of prevention or detection or investigation of offences or cyber incidents, or for prosecution or punishment of offences.
  • The right to access information is available only to those who have given consent for the processing of their personal data or volunteered their data.
  2. Right to correction and erasure: DPDPA gives data principals the right to request corrections of any inaccurate or incomplete personal data. This right ensures that personal data remains accurate, relevant, and up to date. If the data is no longer necessary for the purposes for which it was collected, the data principal can request its erasure. Additionally, it is incumbent upon the data fiduciary to inform any associated data processor of such correction or erasure, thereby ensuring that the necessary changes are implemented across the processing chain.
  • Unlike GDPR, which establishes a ‘right to be forgotten’ that allows individuals to request the deletion of personal data made public, compelling data controllers to ensure its removal from public access as well as from third-party entities, such as search engines, DPDPA does not explicitly provide for this right.
  • The right to correction and erasure of personal data is available only to those who have given consent for the processing of their personal data or volunteered their data.
  • The rules will prescribe the manner in which the data principal will make their request to the data fiduciary for erasure of their personal data.
  • Fulfilling the right to correct or erase personal data requires the data principal to submit verifiable information. This protects against fraudulent changes and ensures the accuracy of the data retained by fiduciaries.
  • While the data principal has several rights under DPDPA, exercising these rights must be done in accordance with existing laws. For instance, the data principal cannot ask for the erasure of data that a company is legally required to retain, such as for compliance with tax regulations or other statutory obligations.
  3. Right to grievance redressal: DPDPA empowers data principals to have recourse to a mechanism to address any grievances related to data processing.

  • The Board, as defined in DPDPA, will be an independent regulatory authority established to oversee the implementation of data protection laws in India. It will be responsible for addressing complaints, adjudicating disputes, and ensuring compliance with the DPDPA’s provisions.
  • The rules will prescribe the time period within which the data fiduciary or consent manager would need to respond to any grievances.
  4. Right to nominate: DPDPA allows a data principal to nominate another person to exercise their rights in case of death or incapacity. This ensures continuity in protecting personal data even when a data principal is no longer able to do so.
  • The expression ‘incapacity’ means inability to exercise the rights of the data principal under the provisions of DPDPA or the rules made thereunder due to unsoundness of mind or infirmity of body.
  • The manner in which the data principal will nominate any other individual will be prescribed by the rules.

 

Duties of data principals: responsibility matters

The DPDPA recognizes the importance of preventing frivolous complaints by data principals. To achieve this, data principals are assigned specific duties that ensure responsible use of their rights within the data processing framework.

In order to secure the right to fair grievance redressal, the duty of the data principal is to submit only legitimate complaints. Misuse of the system by filing false complaints can result in warnings or penalties from the Board.

 

Comparison with Global Data Protection Laws

The rights and duties of data principals under DPDPA align with global data protection standards but feature some differences in scope and application. Here’s a comparative analysis with the GDPR (European Union), CCPA (California), and PDPA (Singapore):

Concept: Right to access information about personal data

  • DPDPA: Data principals have the right to access their personal data, processing purposes, and details of entities with whom data is shared.
  • GDPR: Data subjects have the right to access their personal data, the purposes of processing, and any recipients of the data.
  • CCPA: Consumers can request access to the categories and specific pieces of personal information collected.
  • PDPA: Individuals have the right to request access to their personal data held by organizations, including processing purposes.

Concept: Right to correction and erasure of personal data

  • DPDPA: Individuals have the right to correction, completion, updating and erasure of their personal data for processing, the consent for which is previously given.
  • GDPR: Data subjects have the right to rectify inaccurate data and request erasure under specific conditions for example, where the personal data is no longer necessary, or the data subject withdraws consent or objects to the processing.
  • CCPA: Consumers can request the correction of inaccurate data and the deletion of personal data under certain conditions for example, when the transaction for which data was collected has lapsed, or where there is a legal obligation to delete the data.
  • PDPA: Individuals have the right to request the correction of inaccurate data and the deletion of data when it is no longer necessary.

Concept: Right of grievance redressal

  • DPDPA: Data principals can file complaints with the grievance officer and upon exhaustion, approach the data protection officer in case of violations of their rights.
  • GDPR: Data subjects can lodge complaints with the supervisory authority, specifically the member state of their residence, if their rights have been violated. They may also seek private remedies through the courts.
  • CCPA: Consumers have the right to seek grievance redressal through the California attorney general for violations of their privacy rights, and they can also bring civil actions in case of data security breaches that violate their rights.
  • PDPA: Individuals can file complaints with the personal data protection commission for violations of their rights.

Concept: Right to nominate

  • DPDPA: Data principals can nominate another person to exercise the rights in case of incapacity or death.
  • GDPR: Data subjects can appoint a representative to exercise the rights on their behalf.
  • CCPA: No direct provision for nominating a representative to exercise rights in the event of incapacity or death.
  • PDPA: No specific provision for nomination, though rights can generally be exercised by legal guardians or representatives.

Concept: Other rights

  • DPDPA: No explicit provisions for: data portability; objection to automated processing and profiling; restriction of processing; and right to be forgotten.
  • GDPR: Also includes rights to: data portability; object to automated individual decision making, including profiling and processing for direct marketing; restriction of processing; and be forgotten.
  • CCPA: Consumers can: Opt-out of data sales; and Request data in a portable format.
  • PDPA: Includes rights to: Data portability; Objection to processing; and Restriction of processing when consent is withdrawn.

Concept: Duties of the data principal

  • DPDPA: Refrain from impersonating other individuals. Ensure full disclosure of material information. Avoid filing false or frivolous complaints. Provide accurate and verifiable information. Comply with all applicable laws.
  • GDPR: Provide accurate and up to date data information. Provide necessary verifiable information when making data access or rectification request. Provide information without causing undue delays. Refrain from making unfounded or excessive requests when exercising rights.
  • CCPA: Provide accurate and truthful information. Refrain from making excessive requests for access or deletion. Verify the identity before submitting requests for access or deletion.
  • PDPA: Provide accurate and complete personal data. Avoid making frivolous or vexatious access or correction requests. Comply with legal obligations when exercising right to access or correct personal data.

 

This Prism has been prepared by:

Akshaya Suresh
Partner

Aravindini Magesh
Associate

Drishya Kamath
Junior Associate

 

For more details, please contact [email protected].