Your Rights · Section 11
Find out exactly what a company holds on you
The DPDP Act 2023 gives every Data Principal the right to demand three things from a Data Fiduciary: a summary of the personal data they hold about you, the processing they are doing with it, and the names of every other party they shared it with. Here is the free template, the response window, and what to do if the answer comes back thin.
The law in one paragraph
What Section 11 actually entitles you to
Section 11(1) lets you ask any Data Fiduciary processing your data for three things: (a) a summary of the personal data being processed and the processing activities, (b) the identities of all other Data Fiduciaries and Data Processors with whom your data has been shared, with the categories shared, and (c) any other prescribed information.
“Summary” is the operative word — Section 11 does not, on its own, entitle you to a copy of every file. In practice most companies hand you both. If they don’t and you want the underlying data to verify it, the easiest follow-up is a Section 12 correction request — you cannot correct what you cannot see, so they have to share it.
Copy, paste, send
The Section 11 request email
Subject: Access request under Section 11 of the DPDP Act, 2023

To the Grievance Officer / Data Protection Officer,
[Company name]

I am a Data Principal under the Digital Personal Data Protection Act, 2023.
Please provide, under Section 11, the following in respect of personal data
you hold about me:

1. A summary of the personal data being processed about me, including
   the categories of data and the specific data elements held.
2. A summary of the processing activities undertaken on that data —
   purposes, automated decisions, profiling, model training, advertising.
3. The identities of every other Data Fiduciary or Data Processor with
   whom my personal data has been shared, the categories of data shared
   with each, and the purpose for which it was shared.

Please link this to my account using:
• Registered email: [your email]
• Registered phone: [+91 ...]
• Account / customer ID: [if known]

I expect a substantive response within 30 days, with an acknowledgement
sooner. If verification of identity is required, please use a reply to
this email address or a one-time code to the registered phone — both of
which confirm I control the account.

Sincerely,
[Your full name]
[Date]

Send it from the email address the company has on file. Keep the sent mail and any acknowledgement — they are your timestamp for the 30-day response window.
What a good response looks like
Three things to check when the reply lands
Check 1
Specific data fields
Not just “your contact details” — they should list the actual fields they hold: name, mobile, address, IDs, payment methods, behavioural tags, inferred segments.
Check 2
Real processing purposes
“To improve our services” is not a purpose — it is filler. Watch for: profiling, ad targeting, score modelling, sharing with affiliates, training AI/ML.
Check 3
Named third parties
A list of categories (“analytics providers”) is not enough. They should name each provider, what was shared, and why. This is the most-skipped item.
Common questions
FAQ
How long do they have to send it back?
The Rules expect a substantive response within 30 days, with an acknowledgement of receipt much sooner. A company that needs more time must explain why and give you a date.
Can they charge me?
No. A normal access request is free. Only repeat or “manifestly unfounded” requests can attract a fee, and even then they must justify it in writing.
What if they ask me to prove my identity?
They can — and should — verify it is really you. Reasonable proof: a reply from the registered email on file, or a one-time code to the registered phone. They cannot demand a notarised ID or a video KYC just to release information about you.
What if the response is missing things?
Reply pointing to the specific gap (“you listed processors but not the actual personal data fields”). If still incomplete, that is grounds for a Section 13 grievance and then a DPB complaint.
Will I get the actual files (PDFs, photos, scans)?
Section 11 entitles you to a “summary” — the categories of data and processing. Many companies will also share the underlying files on request. If they refuse, you can add a Section 12 correction/erasure request — they will usually share the data once they realise you intend to verify it.