For Data Principals · Free
Under the Digital Personal Data Protection Act 2023, every Indian whose personal data is collected — called a Data Principal — has five statutory rights. This is the plain-English guide to using them, with copy-paste templates for the four most common requests.
Section 6(4)–(6)
You can withdraw consent for any processing of your personal data at any time — and the law says it must be as easy as giving consent was.
How to withdraw →Section 11
Demand a summary of the personal data a company has about you, what they are doing with it, and the names of every other party they shared it with.
Request access →Section 12
If anything is wrong, out of date or no longer needed, you can ask for it to be corrected, completed, updated or erased — and they must comply.
Get it fixed →Section 14
Designate a person who can exercise these rights on your behalf if you die or become incapacitated. Most companies don’t volunteer this option — you can demand it.
Nominate now →Section 13 + Chapter VI
When a company doesn’t respond, doesn’t cooperate, or rejects a valid request, you can escalate to the Data Protection Board of India — and they can fine the company up to ₹250 crore.
How to escalate →The basics
The DPDP Act uses three job titles. You — the individual whose data is collected — are a Data Principal. The company that decides what to do with your data is a Data Fiduciary(everyone else calls this a “controller”). A company they hire to actually process the data is a Data Processor.
Almost every Indian-facing website, app, hospital, school, bank, insurer, shop, courier and government department is a Data Fiduciary when it comes to your personal data. Each of the five rights below applies to all of them.
The full Act is here: DPDP Act 2023 — plain-English guide.
Quick map
Step 1
Look on the company’s website — usually in the privacy policy or a “Contact us / Grievances” page. Section 8(9) requires every Data Fiduciary to publish one.
Step 2
Email is fine. Use one of our templates so nothing is missing — keep the original and the timestamp.
Step 3
The Rules set a reasonable response window — typically 30 days for access/correction/erasure and acknowledgement within 48 hours for withdrawal.
Step 4
No response, partial response, or refusal? File a complaint with the Data Protection Board →
Worth knowing
The DPDP Act doesn’t allow a fee for a normal access, correction, erasure or withdrawal request. Only “manifestly unfounded or excessive” repeated requests can be refused — and even then they have to explain why.
Section 15 says Data Principals should not impersonate someone else, suppress material information, or file frivolous complaints. Keep requests to your own data, and be specific — that’s all the law asks.
For a Data Principal under 18, parents or legal guardians exercise these rights on their behalf. Targeted advertising and behavioural tracking on children is banned outright by Section 9.
The Data Protection Board can fine a Data Fiduciary up to ₹250 crore per default for failing to handle these requests — making escalation a credible threat, not a paper one.
Take 2 minutes
If you stopped using a service or never agreed to marketing, withdraw consent and force them to stop. Comes with a 6-line template.
The strongest request you can make — combine with withdrawal of consent and they almost always have to erase.
