DSAR Requirements Under the DPDP Act 2023 (India)
India DPDP Act 2023 access request requirements: Data Principal rights, consent framework, Data Protection Board enforcement, and penalties.
Last updated: 2026-05-10
Data Principal Rights
Under the DPDP Act 2023, individuals (called Data Principals) can exercise the following rights against any entity processing their digital personal data (called a Data Fiduciary):
- Right to access information (Section 11): Data Principals can request a summary of the personal data being processed about them, the processing activities being carried out, the identities of all Data Fiduciaries and Data Processors with whom their data has been shared, and any other information prescribed in the rules
- Right to correction and erasure (Section 12): Data Principals can request correction of inaccurate or misleading personal data, completion of incomplete data, updating of outdated data, and erasure of personal data that is no longer necessary for the purpose for which it was collected
- Right to grievance redressal (Section 13): Data Principals have the right to raise grievances with the Data Fiduciary. If the Data Fiduciary fails to respond or the response is unsatisfactory, the Data Principal may file a complaint with the Data Protection Board of India
- Right to nominate (Section 14): Data Principals can nominate another individual to exercise their rights in the event of their death or incapacity — a provision unique to Indian data protection law
Unlike the GDPR, the DPDP Act does not include a standalone right to data portability or a right to object to processing. The right to erasure is also framed more narrowly — it applies when the data is no longer necessary for the stated purpose, rather than as a broad "right to be forgotten."
Disclaimer: This content is for informational purposes only and does not constitute legal advice. Consult a qualified attorney or data protection professional for guidance specific to your organization.
Phased enforcement is underway. The DPDP Rules 2025 were notified by MeitY on November 14, 2025, operationalizing the DPDP Act. The Data Protection Board of India (DPB) became operational in November 2025. Implementation is phased: the DPB and penalty framework activated immediately (November 2025), Consent Manager registration opens in November 2026, and full substantive compliance — including notice requirements, consent systems, security safeguards, breach protocols, and Data Principal rights infrastructure — is mandatory by May 2027. Organizations should be actively building compliance infrastructure now. The information on this page reflects the Act as enacted and the Rules as notified. Monitor MeitY and the DPB for updated guidance as additional provisions come into force.
Consent Framework
The DPDP Act uses notice and consent as the primary lawful basis for processing digital personal data:
- Before collecting personal data, a Data Fiduciary must provide a clear notice in plain language describing what data is being collected and the specific purpose of processing
- Consent must be free, specific, informed, unconditional, and unambiguous, given by a clear affirmative action
- Consent must be limited to the data necessary for the stated purpose — blanket or bundled consent is not valid
- Data Principals have the right to withdraw consent at any time, and the process for withdrawal must be as easy as the process for giving consent
- Upon withdrawal, the Data Fiduciary must cease processing and erase the data (unless retention is required by law)
The Act also recognizes certain legitimate uses that do not require explicit consent (Section 7), including:
- Compliance with any law, court order, or government directive
- Medical emergencies or threats to public health
- Employment-related processing (reasonable purposes related to recruitment, termination, attendance, etc.)
- Processing in the public interest (such as merging or splitting of companies, or insolvency proceedings)
- Processing for purposes related to the security and integrity of the state
These legitimate uses are narrower than the "legitimate interest" basis under the GDPR and are specifically enumerated in the Act rather than left to a balancing test.
Response Deadline
The DPDP Rules 2025 establish a grievance resolution framework under which Data Fiduciaries must respond to Data Principal requests. The Rules require Data Fiduciaries to provide simple, digital-first channels (portals, apps, or email) to receive requests, verify the requester's identity, and respond — including reasons if a request is rejected.
The timeline for resolving Data Principal grievances under the Rules is up to 90 days. This is significantly longer than the 30-day standard under GDPR, PIPEDA, and most other international privacy frameworks. Organizations handling requests from Data Principals in India alongside requests under other jurisdictions should build internal processes that can accommodate both timelines.
Note that the substantive compliance obligations related to Data Principal rights (including the infrastructure for receiving and responding to access, correction, and erasure requests) become mandatory on May 13, 2027 under the phased implementation schedule.
Identity Verification
The DPDP Act requires that Data Fiduciaries verify the identity of the Data Principal before acting on an access, correction, or erasure request. The Act does not prescribe a specific verification method, and the DPDP Rules 2025 leave the approach largely to the Data Fiduciary's discretion.
In practice, Data Fiduciaries should adopt verification measures that are:
- Proportionate to the sensitivity of the data involved
- Consistent with the manner in which the Data Principal's identity was originally established (for example, if the relationship was established through Aadhaar-based verification, a similar standard may be appropriate)
- Not so burdensome as to effectively discourage Data Principals from exercising their rights
India's digital identity infrastructure — including Aadhaar and DigiLocker — may play a significant role in how identity verification is standardized under the rules.
Significant Data Fiduciary
The DPDP Act introduces the concept of a Significant Data Fiduciary (SDF) — a category of Data Fiduciary subject to enhanced obligations. The Central Government will designate SDFs based on factors including:
- The volume and sensitivity of personal data processed
- Risk to the rights of Data Principals
- Potential impact on the sovereignty and integrity of India
- Risk to electoral democracy
- Security of the state
- Public order
Once designated, a Significant Data Fiduciary must:
- Appoint a Data Protection Officer (DPO) who is based in India and serves as the point of contact for the Data Protection Board and for Data Principals
- Appoint an independent data auditor to evaluate compliance with the Act
- Conduct periodic Data Protection Impact Assessments (DPIAs)
- Comply with any additional obligations prescribed in the rules
The specific designation criteria and thresholds are expected to be clarified as the phased implementation progresses. Organizations that process large volumes of personal data in India should anticipate potential designation and begin building compliance infrastructure accordingly.
Consent Manager
The DPDP Act introduces the concept of a Consent Manager — a registered intermediary that enables Data Principals to give, manage, review, and withdraw consent through a single accessible platform. Key features:
- Consent Managers must be registered with the Data Protection Board and meet prescribed technical, financial, and operational standards
- They act as a single point of contact for Data Principals to manage their consent preferences across multiple Data Fiduciaries
- Consent Managers are accountable to the Data Principal and must act in their interest
- They are treated as Data Fiduciaries in their own right for the purposes of the Act, meaning they are subject to the same obligations regarding data protection
The registration process for Consent Managers opens in November 2026 under the phased implementation schedule. Technical standards and operational requirements are set out in the DPDP Rules 2025. This concept is novel in global data protection law and is intended to address the practical difficulty individuals face in tracking and managing consent across dozens of services.
Penalties
The DPDP Act establishes significant financial penalties for non-compliance. The Schedule to the Act prescribes maximum penalties for specific categories of violation:
| Violation | Maximum Penalty |
|-----------|-----------------|
| Failure to implement reasonable security safeguards to prevent a personal data breach | INR 250 crore (approx. USD 30 million) |
| Failure to notify the DPB and affected Data Principals of a personal data breach | INR 200 crore (approx. USD 24 million) |
| Non-fulfillment of obligations related to children's data | INR 200 crore (approx. USD 24 million) |
| Non-fulfillment of additional obligations by Significant Data Fiduciaries | INR 150 crore (approx. USD 18 million) |
| Non-compliance with other provisions of the Act | INR 50 crore (approx. USD 6 million) |
Key enforcement details:
- No cure period — the Act does not provide a grace period to remedy violations before penalties are imposed
- No private right of action — Data Principals cannot sue Data Fiduciaries directly for damages. Enforcement is exclusively through the Data Protection Board of India
- No revenue-based threshold — penalties are fixed amounts, not tied to the organization's annual revenue (unlike GDPR)
- The DPB may impose penalties after conducting an inquiry, considering the nature, gravity, and duration of the breach, and whether the Data Fiduciary took steps to mitigate the impact
- Penalties can be imposed for each instance of non-compliance
The Data Protection Board of India (DPB) is the sole enforcement body. It will adjudicate complaints filed by Data Principals, conduct inquiries, and impose penalties. Appeals from DPB decisions will be heard by the Telecom Disputes Settlement and Appellate Tribunal (TDSAT).
Duties of Data Principals
Unusually among global privacy laws, the DPDP Act also imposes duties on Data Principals (Section 15):
- Data Principals must not file false or frivolous complaints or grievances with a Data Fiduciary or the DPB
- Data Principals must not furnish false or misleading information when exercising their rights
- Data Principals must not impersonate another person when providing personal data
- Data Principals must comply with applicable laws when exercising their rights
Violation of these duties can result in a penalty of up to INR 10,000 against the Data Principal. This is a notable departure from other privacy frameworks and introduces a degree of reciprocal obligation.
Exemptions
The DPDP Act provides broad exemptions from its provisions in certain circumstances:
- State security: The Central Government can exempt any government agency from the Act's provisions in the interest of national security, sovereignty, public order, or friendly relations with foreign states
- Research and statistics: Processing for research, archiving, or statistical purposes may be exempted
- Startups: The government may notify exemptions for certain categories of startups (criteria not yet defined)
- Publicly available data: Personal data that has been made publicly available by the Data Principal themselves, or by any person under a legal obligation, is exempt
- Legal proceedings: Personal data processed in connection with legal claims or enforcement is exempt
These exemptions — particularly the broad national security exemption — have been the subject of significant public debate.
Who This Applies To
The DPDP Act applies to the processing of digital personal data within India, regardless of whether the Data Fiduciary is based in India. It also applies to processing outside India if it relates to offering goods or services to individuals in India.
- There is no revenue threshold — unlike the CCPA, applicability is not tied to the size of the organization
- There is no employee count minimum — any organization processing digital personal data is subject to the Act
- The Act applies to both automated and non-automated processing of digital personal data (data that is digital in origin or has been digitized)
- Government entities are subject to the Act, though they may be granted broad exemptions by the Central Government
For the full India data protection overview, see the India jurisdiction guide.
Related Guides
- India Privacy Laws Overview — overview of India's data protection framework
- How to Respond to a DSAR — step-by-step response process
- DSAR Response Deadlines — deadline comparison across jurisdictions
- DSAR Identity Verification — verification methods
- DSAR Exemptions — when you can refuse a request
- What Is a DSAR? — fundamentals of data subject access requests
- Employee DSARs — handling access requests from employees