Skip to Content
CKonnect
  • Home
  • CourseKonnect
    • e-learning
    • Udemy
    • learning (Old LMS)
  • Career
    • Life @CKonnect
    • All Jobs
  • Knowledge Base
    • PrivacyReads
    • Community
    • Newsletters
    • Priv ToolKit
  • Stay Tuned
    • ComplyKonnect
    • E-PrivJournals
    • Priv-Books
  • Connects
    • 1:1
  • Contact Us
CKonnect
    • Home
    • CourseKonnect
      • e-learning
      • Udemy
      • learning (Old LMS)
    • Career
      • Life @CKonnect
      • All Jobs
    • Knowledge Base
      • PrivacyReads
      • Community
      • Newsletters
      • Priv ToolKit
    • Stay Tuned
      • ComplyKonnect
      • E-PrivJournals
      • Priv-Books
    • Connects
      • 1:1
  • Contact Us

Data Principal Rights Requirements

  • All Blogs
  • Digital Personal Data Act, 2023
  • Data Principal Rights Requirements
  • 17 July 2026 by
    Data Principal Rights Requirements
    CKonnect

    The following is the complete analysis of DPDP Final Rules, 2025, notify by Ministry of Electronics and Information Technology, here is the complete documentation of Data Principal Rights requirements.

    (A). Rights request submission channels

    Excreted from rule 3 (c)-(ii-iii) and rule 14 (5)

    Channels For Submitting Rights Requests

     Website request portal

    Mobile app request flow

    Consent Manager platform (if using one)

    Other communication means, if specified (e.g., email, helpdesk form)

    Channel disclosure must include: Exact link or navigation path.

    Acceptable Identifiers (Rule 14.5):

    • Customer identification file number
    • Customer acquisition form number
    • Application reference number
    • Enrolment ID
    • Email address
    • Mobile number
    • Licence number

    (B). Identity/authentication requirements

    Extracted from Rule 14(1)(b) and general authentication

    Data Fiduciary may require: Username, account ID, customer ID, mobile number, email etc. (defined as “identifier”)

    DPDP Rules 2025 Final

    • Login through existing user account
    • OTP verification to registered email/mobile
    • Additional particulars as per terms of service

    Core principle: Authentication requirements must be published upfront and proportionate only sufficient to verify identity.

    (C). Verification process

    Data Fiduciaries must verify Data Principal identity using:​

    • Registered identifiers (email, mobile, customer ID)
    • User account credentials
    • Particulars specified in terms of service
    • Cross-referencing against registered Data Principal information

    Verification for Nominated Representatives (Rule 14.4):

    Data Principals may nominate one or more individuals to exercise rights on their behalf. This requires:​

    • Compliance with Data Fiduciary's terms of service
    • Adherence to applicable law requirements
    • Provision of means and particulars specified by the Data Fiduciary

    (D). Timelines for responding

    Activity

    Timeline

    Rule Reference

    Response to DSR

    Maximum 90 days

    Rule 14.3

    Personal data retention

    Minimum 1 year from processing

    Rule 8.3

    Erasure notice

    Minimum 48 hours before erasure

    Rule 8.2

    Board inquiry

    6 months (extendable by 3 months)

    Rule 19.9

    Consent Manager records

    Minimum 7 years

    First Schedule, Part B

    Class-specific retention

    3 years from last interaction

    Third Schedule

    Breach notification to Board

    Within 72 hours of awareness

    Rule 7.2

     

    (E). When a request may be rejected

    DF may reject if:

    1. Identity cannot be verified (Rule 14(1)(b) basis).
    2. Request is manifestly unfounded or excessive (Act principle).
    3. Retention is legally required:

      • Under Rule 8(3) logs must be retained for one year.
      • Any other legal requirement supersedes erasure.
    4. Processing is under exemption (State functions, research, children-related exemptions).
    5. Data not reasonably retrievable or no longer in possession.

     DF must still:

    • Provide reasons in plain language.
    • Guide the Data Principal on grievance escalation.

    (F). Obligatory record-keeping requirements

    aken from Rules 6, 7, 8, 14, First Schedule (Consent Manager).

    ✔ Data Fiduciary must maintain:

    1. Logs & traffic data for minimum 1 year → Rule 6(1)(e), Rule 8(3)

    DPDP Rules 2025 Final

    1. Records of all personal data processing events (minimum 1 year).
    2. Records of breach notifications issued to Data Principals & Board → Rule 7(2)(vi).

    DPDP Rules 2025 Final

    1. Record of grievances handled, response times, and actions taken (Rule 14(3) requires a functioning grievance system).
    2. DSR records – although not explicitly called “DSR log”, it is implied under accountability + reasonable security safeguards.

    Consent Manager (if used) must retain records for 7 years: Rule First Schedule Part B(4)(c)

     

    (G). Escalation process to Data Protection Board

    Excreted from Rule 14(3), Rule 3(c)(iii), Rule 19(9), Rule 22(1), Rule 22(3)

    If a Data Principal is not satisfied, there is a multi-step escalation path.

    1. Grievance with Fiduciary: The Data Principal should first use the grievance redressal system published by the Data Fiduciary or Consent Manager.
    2. Complaint to the Board: The initial notice from the Data Fiduciary must include information on how a Data Principal can "make a complaint to the Board".
    3. Board Inquiry: The Board conducts an inquiry into the complaint, which must be completed within six months (with a possible three-month extension).
    4. Appeal to Tribunal: If any person is "aggrieved by an order or direction of the Board," they have the right to file an appeal before the Appellate Tribunal

     

     

     

    Step-by-Step DSR Workflow

    Phase 1: Pre-Request Preparation

    Step 1: Data Fiduciary Setup

    • Prominently publish on website/app:

      • Means for submitting rights requests
      • Required identifiers/particulars for authentication
      • Business contact information (DPO or designated person)
      • Grievance redressal system details
      • Link/means to make complaint to the Board

    Step 2: Data Principal Preparation

    • Identify the Data Fiduciary to whom consent was given
    • Gather required identifiers (email, mobile, customer ID, etc.)
    • Access user account or registered communication mode

    Phase 2: Request Submission

    Step 3: Data Principal Submits Request

    • Choose submission channel (user account, registered email/mobile, other published means)
    • Provide required identifiers/particulars
    • Specify the right being exercised (access, correction, erasure, grievance redressal, nomination, withdrawal of consent)

    Step 4: Request Receipt

    • Data Fiduciary receives the request
    • System logs the request with timestamp
    • Acknowledgment sent to Data Principal (best practice)

    Phase 3: Verification & Authentication

    Step 5: Identity Verification

    • Data Fiduciary verifies identity using registered identifiers
    • Cross-checks against registered Data Principal information

    Step 6: Authentication Decision

    • If verified → Proceed to processing
    • If not verified → Follow rejection process

    Phase 4: Request Processing

    Step 7: Request Analysis

    • Determine nature of request
    • Check for legal obligations preventing compliance
    • Verify if minimum retention period applies
    • Assess conflicts with other legal requirements

    Step 8: Data Retrieval/Action

    Based on request type:

    • Access Request: Retrieve all personal data, compile processing information
    • Correction Request: Identify inaccurate data, implement corrections, update systems
    • Erasure Request: Verify eligibility, execute erasure if compliant
    • Grievance: Route to grievance redressal system, investigate
    • Nomination: Verify nominated individual, update records

    Phase 5: Response Preparation

    Step 9: Compile Response

    • Prepare response in clear, concise manner
    • Include business contact information, actions taken, explanations, escalation options

    Step 10: Quality Check

    • Ensure completeness and accuracy
    • Confirm compliance with 90-day timeline

    Phase 6: Response Delivery

    Step 11: Send Response

    • Deliver through user account or registered communication mode
    • Include follow-up contact information
    • Log response with timestamp

    Step 12: Record Response

    • Update internal logs
    • Document actions taken
    • Maintain records per retention requirements (minimum 1 year)

    Timeline Checkpoint: Within 90 days from request receipt​

    Phase 7: Rejection Process (if applicable)

    Step 13: Grounds Assessment

    • Identity/authentication failure
    • Legal obligation requires data retention
    • Minimum 1-year retention period not elapsed
    • Retention required for Seventh Schedule purposes

    Step 14: Rejection Notice

    • Provide clear explanation with legal basis
    • Inform about escalation options
    • Include DPO/designated person contact information

    Phase 8: Escalation (if Data Principal not satisfied)

    Step 15: Complaint to Data Protection Board

    • File complaint using Board-specified means
    • Provide details of Data Fiduciary, request nature, response, dissatisfaction reason

    Step 16: Board Inquiry Process

    • Timeline: 6 months (extendable by 3-month periods)​
    • Board investigates, summons persons, calls for information
    • Uses techno-legal measures (digital proceedings)

    Step 17: Board Decision

    • Board issues order/direction
    • Communicated to both parties
    • Data Fiduciary must comply

    Step 18: Appeal to Appellate Tribunal

    • Either party may appeal Board decision
    • File in digital form with applicable fee
    • Tribunal conducts proceedings and issues final decision

    Phase 9: Continuous Monitoring

    Step 19: Ongoing Compliance

    • Monitor grievance redressal effectiveness
    • Implement technical and organisational measures
    • Maintain records per retention requirements

    Step 20: Periodic Review

    • Review DSR processes regularly
    • Update submission channels as needed
    • Train staff on DSR handling
    • Audit compliance with 90-day timeline

    By Naukhaiz Aftab

    in Digital Personal Data Act, 2023
    Share this post
    Our blogs
    • Where Privacy Meets Tech
    • Templates That Work: Built for Real Privacy Teams
    • The Privacy Perspective: Insights from the Real World
    • CKonnect Stories
    • e-learning from CourseKonnect
    • Privacy Team Pulse
    • Our blog
    • Digital Personal Data Act, 2023
    Cross-Border Transfers
    Follow us

    Privacy Notice ​​Refund Policy

     Terms & Conditions

        ​    connect@ckonnect.co.in

    How can we help?

    konnect with us

    Website Logo

    Respecting your privacy is our priority.

    Allow the use of cookies from this website on this browser?

    We use cookies to provide improved experience on this website. You can learn more about our cookies and how we use them in our Cookie Policy.

    Allow all cookiesOnly allow essential cookies