DPDP Act 2023

Section 11

Right to Access Information About Personal Data

THE STATUTE

Original Text

(1) A Data Principal shall have the right to obtain from the Data Fiduciary — (a) a summary of personal data being processed by the Data Fiduciary and the processing activities undertaken by that Data Fiduciary with respect to such personal data; (b) the identities of all other Data Fiduciaries and Data Processors with whom the personal data has been shared by the Data Fiduciary, along with a description of the personal data so shared; and (c) any other information related to the personal data of such Data Principal and its processing, as may be prescribed. (2) A Data Principal may request, in such manner as may be prescribed, the information referred to in sub-section (1) and every Data Fiduciary shall provide such information to the Data Principal.

Simplified

Section 11 establishes the right to access — the fundamental data subject right that underlies all other rights. Without knowing what data a Data Fiduciary holds and how it is being used, a Data Principal cannot meaningfully exercise their rights to correction, erasure, or withdrawal of consent. Section 11 has three components. First, a summary of data and processing activities: the Data Fiduciary must provide a clear account of what personal data it holds about the Data Principal and what it does with that data — the categories of processing, the purposes, and the legal basis. This is not a requirement to produce every record in its raw form; a 'summary' is specifically what is required, which allows the Data Fiduciary to present the information in a structured, comprehensible way rather than a data dump. Second, identities of third-party Data Fiduciaries and Data Processors: if the Data Fiduciary has shared the Data Principal's personal data with other entities — advertising partners, analytics providers, affiliates, government authorities — it must disclose the identity of those entities and describe what data was shared. This is the supply-chain transparency obligation: it prevents data sharing from being a black box. Third, any other information as may be prescribed: the DPDP Rules may add further disclosure requirements as implementation experience reveals gaps. Comparison with GDPR: GDPR's right of access (Article 15) goes further — it requires providing a copy of the actual personal data, not just a summary. The DPDP Act's 'summary' approach is less burdensome for Data Fiduciaries but gives Data Principals less granular visibility. The timeline for responding to access requests will be specified in the DPDP Rules — expected to align with international standards of 30 days with a possible extension.

Common Queries

Section 11 provides for a 'summary' of personal data and processing activities — not a copy of all raw data. This is less comprehensive than GDPR's right of access (Article 15), which requires an actual copy. What the summary must include in practice will be specified by DPDP Rules.

The Act does not expressly permit fees for access requests. The DPDP Rules may address this. Under GDPR as a comparator, the first copy of information must be provided free of charge. Data Fiduciaries should assume access requests must be answered without charge until Rules specify otherwise.

Section 11(1)(b) requires disclosure of identities of all Data Fiduciaries and Processors with whom personal data has been shared, along with a description of the data. This does include advertising partners and analytics providers — companies with long chains of data sharing will need detailed disclosure registers to fulfil this obligation.

The DPDP Rules will specify the response timeline. Until notified, Data Fiduciaries should use a reasonable standard — 30 days is a common international benchmark. The request must be made in the prescribed manner, which will also be set out in the Rules.

Legal Context

The right to access was absent from the IT Act's SPDI Rules 2011. The Srikrishna Committee's 2018 report and the 2019 Personal Data Protection Bill both included access rights. The DPDP Act's 'summary' formulation is less comprehensive than GDPR's right to receive a copy of data, reflecting a deliberate policy choice to balance transparency against operational burden on Data Fiduciaries.

Key Rules & Provisions

First statutory right to access personal data in India — no equivalent under IT Act SPDI Rules.

'Summary' of data and processing — not a copy of raw data (less comprehensive than GDPR).

Third-party sharing disclosure — Data Principals can learn who else has their data.

DPDP Rules to specify additional information and request procedures.

Related Case Laws

Rajagopal v. State of Tamil Nadu (1994)

(1994) 6 SCC 632

RELEVANCE

The Supreme Court held that an individual has the right to know and control their own personal information — a pre-Puttaswamy articulation of the right of access. Section 11's right to obtain a summary of one's personal data is the statutory operationalisation of this recognised right of informational access.

Privacy Protocol Info

OffenceFailure to provide requested personal data information to a Data Principal

PunishmentPenalty up to ₹150 crore (Data Protection Board)

Triable ByData Protection Board of India

Cross-References

12 : Right to Correction and Erasure 13 : Right to Grievance Redressal 6 : Consent 8 : General Obligations of Data Fiduciary