Your Rights and Duties as a Data Principal
- Shreya Gupta
- 23 hours ago

The DPDP Rules are no longer on the horizon - they’re about to land.
In our recent emailers in the Inbox Series, we explored the obligations of Data Fiduciaries (“DF”) and the role of Data Processors under the Digital Personal Data Protection Act, 2023 (the “Act”). Together, they form the backbone of how organizations are expected to manage personal data responsibly.
Unlike many global privacy laws that use the term “Data Subject,” the DPDP Act uses the term “Data Principal.” This choice of wording is meant to highlight the leading role of individuals in the Indian framework. Rather than being seen as passive “subjects” whose data is merely collected, individuals are recognised as principals, the ones who hold the primary rights over their personal data and whose consent and choices guide its use.
Now it’s time to turn the lens on you as an individual, i.e., the Data Principal (“DP”). Whether you are a customer, employee, student, or citizen, the Act gives you clear rights to control how your personal data is used, while also expecting you to exercise certain duties responsibly.
In this explainer series, we continue answering foundational questions under the Act, to help you understand the law and navigate it with clarity and confidence.
Today’s Focus: Your Rights and Duties as a DP
The Act grants individuals a clear set of rights over their digital personal data while also placing certain duties to ensure responsible personal data sharing and use.
Below, we have put together a simplified FAQ that answers some key questions you may have as a DP, to help you understand how to take charge of your personal data in a digital-first world.
Who is a DP under the Act?
A DP is any individual whose digital personal data is collected or processed by a DF or a Data Processor on a DF’s behalf. This includes anyone using mobile applications, websites, digital services, or other online interfaces or submitting their personal data such as names, contact details, financial information, or other identification details for the purpose of accessing, registering, or availing such services.
Note: Digital personal data also includes any personal data that is collected manually and digitised at a later stage. It further includes any other information that, on its own or in combination with other data, can be used to identify an individual.
What data is protected under the Act?
The Act applies to “digital personal data”, i.e., any personal data collected or stored electronically, and includes any personal data digitised from physical forms. Personal data means any information that can identify a DP, directly or indirectly. Examples include direct and indirect identifiers, like your name, phone number, Aadhaar number, location data, IP address, or device ID.
Even data that cannot identify a Data Principal on its own but becomes identifiable when combined with other information is treated as personal data. For example, an IP address by itself may not reveal an individual’s identity, but when linked with login details or browsing history, it can uniquely identify the person.
Does the Act protect DPs if an offshore DF is processing their data?
Yes. The Act has extraterritorial application, meaning it applies to offshore DFs, such as foreign companies, online platforms, etc., offering goods or services to DPs within India. A DP’s rights under the Act remain enforceable against a DF, regardless of the DF’s location.
When can someone collect and use a DP’s personal data?
Personal data can be collected or processed only for a lawful purpose, either with a DP’s explicit and informed consent or for certain legitimate uses, i.e., specific grounds listed in the Act and further detailed in our response to question No. 8 below.
What is considered a valid “consent” of DP under the Act?
For consent to be valid under the Act, it must be free, specific, informed, unambiguous, and unconditional. The DP must give a clear, explicit, and affirmative indication of consent, agreeing to the processing of their personal data for a defined purpose, and only to the extent of personal data necessary for fulfilling that purpose.
Note: DPs also have the option to access such a consent request in English or any of the 22 (twenty-two) languages specified in the Eighth Schedule to the Constitution of India.
Can a DP refuse to share her data?
Yes. A DP may refuse to provide any personal data to a DF. However, a DF may not be able to provide its goods and services without the necessary personal data from a DP. For example, without a postal address, a DF might not be able to deliver goods, and without a name and phone number, a DF might not be able to authenticate your registered account with them. Therefore, even though a DP can refuse to share their personal data, it is recommended to refuse only the collection and processing of non-essential personal data which does not form part of the core function of the goods and services being availed. For example, a DP may refuse to share their Aadhaar number when signing up for a food delivery app, where only the name, phone number, and delivery address are necessary.
What information must a DF provide to a DP before collecting their personal data?
Before requesting a DP’s consent to process their personal data, a DF must provide the DP with a clear and easy-to-understand notice. This notice must be in plain language and accessible in English or any of the 22 (twenty-two) languages listed in the Constitution of India.
The notice must include:
- An itemised description of the personal data being collected and the purpose for which it will be processed;
- Instructions on how the DP can exercise her rights, including withdrawing consent and accessing grievance redressal mechanisms; and
- Guidance on how to file a complaint with the Data Protection Board (“DPB”), if needed.
If the DP had given her consent prior to the commencement of the Act, the DF must still provide the DP with this notice as soon as reasonably practicable.
When can a DF process a DP’s personal data without their consent?
Under the Act, a DF may process a DP’s personal data without obtaining their explicit and informed consent on certain grounds, such as:
- The specific purpose for which the DP has voluntarily provided her personal data to the DF, and in respect of which she has not indicated any objection to the use of her personal data.
- To fulfil any legal obligation under applicable laws in India, including disclosure of information to the Government or any of its authorities.
- To comply with any judgment, order, or legal requirement issued under Indian law, or for claims of a contractual or civil nature under applicable laws outside India.
- To respond to a medical emergency involving a threat to the life or immediate health of the DP or any other individual.
- To provide medical treatment or health services to any individual during an epidemic, outbreak of disease, or other public health threats.
- To ensure safety or provide assistance and services to individuals during a disaster or any breakdown of public order.
- For employment purposes, or to protect the employer from loss or liability, or provision of any service or benefit requested by a DP who is an employee.
What are the key rights available to a DP under the Act?
The Act confers certain rights to the DP. These rights are available to the DP in respect of any processing of their personal data. These rights are mentioned below –
- Right to access a summary of personal data which is being processed, the processing activities undertaken by that DF, identities of all other DFs and Data Processors with whom the personal data has been shared, and right to access any other information as may be prescribed by the Central Government.
- Right to correction, completion, updation and erasure of personal data.
- Right of grievance redressal with DF.
- Right to nominate any other individual who shall exercise the rights of a DP in the event of death/incapacity of such a DP.
- Right to withdraw consent at any point with the ease of doing so being comparable to the ease with which such consent was given.
- Right to make a complaint to the DPB.
How does the Act protect children’s personal data?
If a DP is a child, i.e., under 18 (eighteen) years of age, the Act requires that their personal data only be processed after obtaining verifiable consent from the parents or lawful guardian. Further, as per the Act, the DF must ensure that the personal data of children is not processed in any way that could be detrimental to their well-being, that children’s behaviour is not monitored, and that targeted advertising directed at children is not undertaken.
How does the Act protect personal data of persons with disabilities?
If a DP is a person with disability, the Act requires that their personal data only be processed after obtaining verifiable consent from their lawful guardian.
What can a DP do if they have a grievance about how their personal data is being processed?
If a DP has a grievance regarding the processing of their personal data or wishes to exercise their rights under the Act, they must first file the grievance with the concerned DF. To enable this, DFs are required to have a grievance redressal mechanism in place and may designate an authorized person/grievance officer/Data Protection Officer (as applicable) to handle such complaints. If the DP is not satisfied with the response, or if the grievance is not resolved within the prescribed time, they may then escalate the matter to the DPB.
What are the duties of a DP under the Act?
Along with rights, the Act also places certain duties on DPs to ensure responsible use of personal data rights. A DP is required to:
- Comply with all applicable laws while exercising rights under the Act.
- Not impersonate another person when sharing their personal data.
- Not hide or suppress important information when providing personal data for official documents such as ID proofs, address proofs, or government-issued identifiers.
- Avoid filing false or frivolous complaints or grievances with a DF or the DPB.
- Provide only authentic and verifiable information when asking for correction or erasure of their personal data.
These duties ensure that DPs exercise their rights fairly, responsibly, and without causing harm or misuse.
What happens if a DP does not follow their duties under the Act?
If a DP fails to observe their duties under the Act, such as impersonating another person, providing false information, or filing frivolous complaints, they may face a financial penalty. The Act allows for a fine of up to ₹10,000 for such breaches.
How should a DP prepare for the Act as an individual?
As a DP, it is important to recognise the value of personal data in today’s digital age and to take proactive steps to safeguard it. Preparing for the Act begins with understanding the rights available under it and knowing how to exercise them effectively. Equally important is being aware of the duties placed on DPs and ensuring strict compliance with them. It is also recommended that DPs carefully review the privacy notices provided by Data Fiduciaries before sharing their personal data, so that they can make informed choices and disclose only the information that is strictly necessary for the intended purpose. Individuals should remain mindful of the kind of personal data they share online or offline, ensuring that it is accurate, authentic, and updated as needed. Further, DPs must familiarise themselves with the grievance redressal mechanisms available to them in case their rights under the Act are violated.
For any queries regarding implementation of the Act, any further question, feedback or to set up a call, please write to us at shreya.gupta@chandhiok.com and tmt@chandhiok.com.