Understanding Your Rights Under the 2023 Digital Personal Data Protection Act
- Divi Anand
- Jun 5
- 2 min read
The DPDP Act isn't just a compliance checklist for companies. It quietly handed you something most people haven't opened yet.
When India passed the Digital Personal Data Protection Act in 2023, most of the coverage zeroed in on what businesses need to do. Consent frameworks. Data audits. Penalty clauses. All of that is real and important. But buried in that same law is a set of rights that belong to you, me, and every person whose data gets collected by anyone in this country.
These rights don't activate automatically. You have to know they exist and ask for them. That's the part nobody is talking about loudly enough.
Under the DPDP Act, you are referred to as a "Data Principal." Sounds technical, but it simply means: the person the data is about. You. And here is what you are legally entitled to.
Your eight rights:
01 Right to access
You can ask any company, app, or platform what personal data they hold on you, why they are using it, and who they have shared it with. That bank, that food delivery app, that hospital portal. You can simply ask and they are required to tell you.
02 Right to correction
If any data they have about you is wrong or outdated, you can ask them to fix it. Wrong address on record, an old employer's details, a misspelled name, you don't have to live with their errors.
03 Right to erasure
Once a company no longer needs your data for the purpose they collected it, you can ask them to delete it. Closed an account three years ago? That data should not still be sitting on their servers.
04 Right to restriction
You can limit how your data gets used. Not comfortable with your email being used for marketing campaigns even though you shared it for order updates? You can restrict that specific use.
05 Right to withdraw consent
Consent is not a one-time thing. You gave permission once, but you can take it back at any time. The process to withdraw should be as easy as the process to give it in the first place.
06 Right to object
If a company is using your data for profiling or automated decisions, say, an algorithm rejecting your loan application without any human review, you can object and request human intervention.
07 Right to grievance redressal
If you suspect something is wrong, your data was leaked, sold, or misused, you can file a formal complaint with the company's designated Data Protection Officer. They are obligated to respond.
This one surprises most people. You can appoint someone, a family member, a trusted person, to exercise all of these rights on your behalf if you are unable to do so yourself. Travelling, ill, or simply unavailable. Your nominee steps in.
The law exists. The rights are real. The question is whether enough people will actually use them to make companies take notice. Start small. Next time you get a promotional email from a brand you never signed up with, don't just hit unsubscribe. Ask them what data they hold on you and where they got it from. That is your right now.
