BACK TO DPDP ACT
DPDP Act 2023

Section 12

Right to Correction, Completion, Updating and Erasure of Personal Data

THE STATUTE

Original Text

(1) A Data Principal shall have the right to — (a) correction of inaccurate or misleading personal data; (b) completion of incomplete personal data; (c) updating of personal data; and (d) erasure of personal data, the retention of which is no longer necessary for the purpose for which the personal data was processed or where consent for such processing has been withdrawn. (2) Upon receiving a request under sub-section (1), the Data Fiduciary shall, as may be prescribed, correct or complete or update or erase the personal data of such Data Principal and, where the personal data has been shared with another Data Fiduciary, intimate such other Data Fiduciary of the correction or completion or updating or erasure, as the case may be.

Simplified

Section 12 is the right to rectification and erasure — two of the most practically exercised data subject rights globally. It has two distinct but related components. The right to correction and updating covers four actions: correction of personal data that is inaccurate or misleading (wrong phone number, incorrect address, misspelled name); completion of personal data that is incomplete (a partial medical record, an incomplete KYC profile); updating of personal data that has become outdated (an old employer in a financial profile, an expired ID); and erasure of personal data where retention is no longer necessary for the original purpose or where the Data Principal has withdrawn consent. The erasure right under Section 12(1)(d) is the DPDP Act's 'right to be forgotten' — though it is not described as such in the Act. It is more limited than the GDPR's right to erasure (Article 17), which includes additional grounds such as unlawful processing and objection to processing. The DPDP Act's erasure right is triggered specifically when: (a) the data is no longer necessary for the purpose for which it was collected (purpose limitation), or (b) the Data Principal withdraws consent. Critically, Section 12 has a downstream obligation (Section 12(2)): when a Data Fiduciary corrects, updates, or erases data, it must also inform every other Data Fiduciary with whom it has shared that data. This cascade notification obligation prevents corrections from being siloed — if an address is corrected with the primary Fiduciary, affiliated Fiduciaries who were given the old address must also be updated. This is a significant operational requirement: Data Fiduciaries must maintain records of who they have shared data with (connected to the Section 11(1)(b) disclosure obligation) to fulfil the cascade notification. The balance between erasure rights and legitimate retention: Section 12 does not override lawful retention obligations. A Data Fiduciary required by law to retain certain records (bank KYC under RBI regulations, tax records under Income Tax Act, litigation holds) can invoke those legal obligations against an erasure request for data within the retention-mandated period.

Common Queries

Yes, if the data is no longer necessary for the purpose it was collected, or if you withdraw consent. However, if a law requires the company to retain your data (e.g., bank KYC records, tax documents), the company can lawfully refuse erasure for data within that retention period.
Under Section 12(2), yes — the Data Fiduciary that receives your correction request must inform every other Data Fiduciary with whom it shared your personal data. In practice, this cascade obligation requires companies to maintain detailed data-sharing registers.
Section 12(1)(d) is essentially the right to be forgotten codified in statute — but with specific triggers (no longer necessary or consent withdrawn). GDPR's right to erasure has additional grounds (unlawful processing, public interest objection). The DPDP Act's right is more narrowly scoped but covers the most commonly invoked use cases.
You can first use the Data Fiduciary's internal grievance mechanism under Section 13. If unsatisfied, you can escalate to the Data Protection Board. The Board can investigate and impose penalties up to ₹150 crore for unjustified refusals to honour correction or erasure requests.

Legal Context

The right to be forgotten had significant judicial history in India before the DPDP Act. The Supreme Court in Puttaswamy (2017) recognised informational self-determination as part of the right to privacy. Several High Courts had addressed the right to be forgotten in the context of court judgments being publicly accessible on databases like IndianKanoon. Section 12 codifies the erasure right for the first time in statute, replacing ad hoc judicial orders with a structured regulatory mechanism.

Key Rules & Provisions

First statutory erasure right in India — previously only judicial relief was available.

Cascade notification obligation — correction/erasure must be communicated to all downstream Data Fiduciaries.

Erasure triggered by end of purpose or consent withdrawal — more specific than GDPR's Article 17 grounds.

Completion and updating rights — not just correction of errors but also filling gaps and refreshing stale data.

Related Case Laws

Jorawer Singh Mundy v. Union of India (2021)

W.P.(C) 3918/2021 (Delhi HC)
RELEVANCE

Delhi High Court granted the 'right to be forgotten' directing removal of a court judgment from IndianKanoon — an early application of erasure-type relief that Section 12 now provides a statutory framework for.