DPDP Act: Analysing the Rights and Duties of Data Principals

The Digital Personal Data Protection (DPDP) Act was enacted in August 2023. This is India’s privacy law that aims to safeguard personal data and protect individuals’ rights, while also enabling lawful processing of data. The term “Data Principal” is used in the DPDP Act to refer to the individual to whom the personal data relates. The Act grants several rights to the data principal and defines some specific duties that need to be performed for maintaining privacy and accuracy of data.

In this article, we analyse some of the important aspects of the rights and duties of a data principal under the DPDP Act.

Rights of Data Principal

The DPDP Act confers certain rights on the Data Principal that pertain to the privacy of her personal data. They are as follows:

• Right to Access Information – A Data Principal can request information about her personal data being processed, including the data’s source, purpose and how it is being shared. She can also request details of the processing activities and the identity of data processors and fiduciaries involved.

• Right to Data Correction – A Data Principal can request the correction of inaccurate personal data, the completion of incomplete data and the updating of outdated data.                                                                                                           

• Right to Data Erasure – A Data Principal can request the erasure of her personal data, unless retention is necessary for legal reasons.

• Right to Data Portability – A Data Principal can request a copy of her data in a structured, commonly used, and machine-readable format and transfer it to another data fiduciary.

• Right to Restrict Processing – A Data Principal can restrict the processing of her data in certain instances, such as unsubscribing from a mailing list.

• Right to Object to Processing – A Data Principal can object to the processing of her personal data for certain purposes, such as direct marketing.

• Right to Withdraw Consent – A Data Principal can withdraw her consent to the processing of her personal data at any time through the consent manager.

• Right to Nominate – A Data Principal can nominate another individual to act on her behalf in exercising the rights in the event of her death or incapacity.

• Right to Grievance Redressal – A Data Principal can lodge a complaint with the data fiduciary or a consent manager regarding the non-fulfilment of data fiduciary’s obligations or the breach of data principal’s rights under the DPDP Act.

  
  

Duties of Data Principal

The DPDP Act specifies some duties for the Data Principal which are as follows:

• Compliance with Laws – A Data Principal needs to exercise her rights in accordance with all applicable laws and regulations. The exercise of rights should not violate other laws or other rights of individuals.

• Avoidance of Impersonation and Fraud – A Data Principal must not impersonate others or provide false information when interacting with data fiduciaries.

• Authenticity of Information – A Data Principal needs to provide accurate, complete and up-to-date information to data fiduciaries. This includes the avoidance of suppression of material information while furnishing personal data.

• Refraining from Frivolous Complaints – A Data Principal should avoid filing false or frivolous complaints regarding data processing activities. This would help data fiduciaries to focus on genuine concerns and resolve complaints efficiently.

• Verification of Information - When exercising rights such as data correction or erasure, a Data Principal needs to provide verifiable and authentic information. This would help ensure that the data being corrected or erased is genuinely related to the Data Principal and that no unauthorized changes are made.

How Sujosu Technology Can Help

Sujosu Technology helps organizations design and implement systems that prioritize cyber security, data privacy and compliance. Our services include:

• Risk Assessments: Identifying cyber security and privacy requirements and vulnerabilities in applications and infrastructure.

• Countermeasures and Solutions: Providing tailored strategies to prevent, detect, and recover from potential attacks.

• Compliance Documentation: Helping you comply with the requirements of specific standards and regulations by compiling policies, procedures and other relevant manuals.

• Training and Awareness: Equipping your team with the knowledge to address cyber security and privacy challenges effectively.

  
  

With Sujosu Technology’s expertise, your organization can build systems that are secure and resilient against security and privacy breaches. We can also help you achieve compliance with relevant standards and legislations. Besides, we organize webinars and publish insightful articles to create awareness on various aspects of cyber security and data privacy.

Partner with Sujosu Technology

Protect your data and ensure compliance with Sujosu Technology’s state-of-the-art cyber security and privacy services. Stay ahead of challenges and foster trust with your stakeholders.