What duties do I have as a data principal?

What the Law Says

The Digital Personal Data Protection Act, 2023 (DPDP Act) defines your role and responsibilities as a 'data principal' — the person to whom personal data relates. While the law primarily grants rights, it also imposes limited but important duties on you when interacting with data fiduciaries.

You must provide accurate and complete personal data when requested by a data fiduciary — especially where such data is necessary for legal compliance, service delivery, or verification.

You are expected to cooperate in identity verification processes (e.g., OTP, document upload) and promptly notify the data fiduciary of any inaccuracies or changes affecting your data.

If you exercise rights like correction or erasure, you must do so in good faith — false or frivolous requests may be declined or subject to reasonable verification.

You must not impersonate others or submit fraudulent data — doing so may attract penalties under other laws (e.g., IPC or IT Act), though the DPDP Act itself does not prescribe penalties for data principals’ misconduct.

Statutory Text

A data principal shall, while providing personal data to a data fiduciary, ensure that such data is accurate and complete in relation to the purpose for which it is being provided.

— Digital Personal Data Protection Act, 2023, s. 9(1) — Duties of data principal

Statutory Text

Where a data principal makes a request to a data fiduciary for correction or erasure of personal data, the data fiduciary may require the data principal to verify their identity.

— Digital Personal Data Protection Act, 2023, s. 10(3) — Right to correction and erasure

Statutory Text

Every data fiduciary shall appoint a grievance officer… who shall redress grievances within a period of seven days, or within such extended period not exceeding three days…

— Digital Personal Data Protection Act, 2023, s. 8 — Obligations of data fiduciaries

Sources