DPDP Act: Rights and Duties of Data Principals (Employees, Customers and Others)
COURSE

INR 59
📂 Compliance

Description

Covers the rights that individuals have over their personal data under the DPDP Act, such as access, correction, erasure, grievance redressal and nomination, along with the corresponding duties of Data Principals. Focuses on how these rights operate in an employment and customer-facing context.

Learning Objectives

After completing this subject, learners will be able to list and explain the main rights Data Principals enjoy under the DPDP Act and the basic duties they must observe. They will understand how employees can use these rights in relation to their employer and how customers or other stakeholders may exercise the same rights against the organisation. Learners will be able to follow internal procedures for handling rights requests and grievances in a timely, respectful and compliant manner, while recognising when to involve specialised teams.

Topics (5)

1. Right to Access Information about Personal Data

This topic explains that under the DPDP Act, a Data Principal can seek confirmation of whether their personal data is being processed and obtain a summary of the personal data and processing activities, including details of Data Fiduciaries and Data Processors with whom the data has been shared. It uses examples where employees, customers or candidates ask what information the organisation holds about them. The topic clarifies that front-line staff should not improvise detailed responses but should log the request using designated channels so that the appropriate team can gather, verify and respond within set timelines. It highlights the need to verify identity before disclosing data, to avoid social engineering or unauthorised disclosure. The topic also covers common mistakes, such as ignoring informal requests, providing partial information or sharing information through insecure channels. Learners gain confidence in recognising access requests and triggering the correct internal workflow.

2. Nomination Rights and Duties of Data Principals

This topic covers the relatively new concept of nomination in data protection, where a Data Principal can designate another person to exercise rights under the DPDP Act in the event of their death or incapacity. It explains, using simple examples, how this may work for employees or customers and what documentation might be required. The topic also outlines the duties imposed on Data Principals, such as not filing frivolous complaints, providing authentic information and complying with applicable laws while exercising their rights. Learners understand that while individuals have strong rights, these come with responsibilities to act honestly and reasonably. The topic clarifies how front-line staff should handle communications from nominees and what verification steps are typically needed before acting on such requests.

3. Handling Rights Requests from Employees and Customers

This topic brings together the various rights and shows how they appear in real interactions. It covers typical scenarios such as a customer asking to see or delete their account data, an employee requesting a copy of their HR file, or a former employee alleging misuse of their personal information. The topic stresses the importance of verifying identity, not disclosing data to unauthorised persons, and avoiding casual promises or informal responses that may later be seen as admissions. It walks through the internal steps employees should follow: capturing the essence of the request, tagging it correctly (access, correction, erasure, grievance), logging it in the appropriate system and informing the Data Principal of expected timelines and points of contact. Examples of good and poor responses are contrasted to reinforce compliant behaviour and respectful communication.

4. Rights to Correction, Completion, Updating and Erasure

This topic sets out the Data Principal’s rights to have inaccurate, incomplete or outdated personal data corrected, completed or updated, as well as the right to request erasure of data that is no longer necessary for the stated purpose or where consent has been withdrawn. Practical examples include employees asking HR to correct bank details, address or emergency contacts, customers seeking to update contact preferences, or individuals asking for account deletion. The topic clarifies that while certain data must be retained for legal or contractual reasons, other data should be erased or anonymised once it is no longer required. It explains the need to propagate corrections or deletions to relevant systems and contracted processors. Learners are guided to capture such requests in official systems rather than treating them casually, and to avoid promising immediate deletion without verifying legal retention obligations.

5. Right to Grievance Redressal and Escalation

This topic explains that Data Principals have the right to an effective grievance redressal mechanism provided by the Data Fiduciary or, where applicable, a Consent Manager. It describes, in non-technical terms, what constitutes a grievance related to personal data, giving examples such as improper use of data, denial of rights requests, data leaks, or disrespectful handling of privacy concerns. The topic outlines the organisation’s duty to publish contact details and processes for raising grievances and to provide responses within prescribed timelines. It stresses that any employee who receives a complaint, whether formal or informal, should treat it seriously, record it appropriately and route it to the designated team, rather than dismissing or ignoring it. The possibility of escalation to the Data Protection Board of India is mentioned to emphasise the seriousness of non-response. Learners are encouraged to see themselves as part of an early-warning system that can surface privacy issues before they escalate into regulatory action.
