BACK TO DPDP ACT
DPDP Act 2023

Section 13

Right to Grievance Redressal

THE STATUTE

Original Text

(1) A Data Principal shall have the right to have readily available means of grievance redressal provided by the Data Fiduciary or Consent Manager in relation to any act or omission of a Data Fiduciary or Consent Manager regarding the performance of its obligations in relation to the personal data of such Data Principal or the exercise of her rights under the provisions of this Act. (2) Any Data Fiduciary or Consent Manager shall, as may be prescribed, provide an effective mechanism for redressal of grievances of Data Principals. (3) A Data Principal may make a complaint to the Board in the manner as may be prescribed, if she is not satisfied with the redressal provided under sub-section (2).

Simplified

Section 13 establishes the grievance redressal architecture for Data Principal complaints — the escalation ladder from Data Fiduciary to Board. The first tier is the Data Fiduciary's own internal mechanism: every Data Fiduciary and Consent Manager must provide a readily available, effective grievance mechanism for Data Principals to raise concerns about any violation of the Act or their rights. The DPDP Rules will specify what makes a mechanism adequate — expected to include: a designated contact point, prescribed response timelines (likely aligned with consumer protection standards), and records of grievances and resolutions. This internal mechanism must be 'readily available' — not buried in fine print, not requiring elaborate procedures to access, and genuinely effective at resolving complaints rather than being a formal compliance box-tick. The second tier is the Data Protection Board: if the Data Principal is dissatisfied with the Data Fiduciary's response, they can escalate to the Board under Section 13(3). The Board then has jurisdiction to investigate and impose penalties under Sections 27–33. The escalation model — internal → Board → High Court — mirrors the tiered dispute resolution used in consumer protection (internal complaint → Consumer Forum → NCDRC) and financial services (internal redressal → Ombudsman → Tribunal). For Consent Managers, the grievance mechanism is particularly important because they are the interface between Data Principals and multiple Data Fiduciaries — a complaint about consent withdrawal or management will often first hit the Consent Manager rather than the underlying Data Fiduciary.

Common Queries

Not directly. Section 13(3) requires the Data Principal to first use the Data Fiduciary's grievance mechanism and be dissatisfied with the outcome before approaching the Board. The Board is the second tier of the escalation process.
The DPDP Rules will specify details, but at minimum: a designated contact point (email, portal, or phone), a reasonable response timeline, acknowledgment of complaints, and a meaningful resolution process. The mechanism must be 'readily available' — easy to find and use.
The Board can conduct an inquiry under Section 28, call for information, impose financial penalties under Section 33 (up to ₹150 crore for general obligation failures), and direct remediation.
Yes. Section 13(1) explicitly applies to both Data Fiduciaries and Consent Managers. A Consent Manager must have its own grievance mechanism for complaints about how it handles consent on behalf of Data Principals.

Legal Context

Under the SPDI Rules 2011, there was a grievance officer requirement for companies collecting sensitive personal data, but it was widely unenforced and the contact information was rarely accessible. Section 13 strengthens this by making the mechanism a Data Principal right (not just a compliance obligation), by linking it to the Board's complaint jurisdiction, and by providing penalties for inadequate mechanisms.

Key Rules & Provisions

Grievance redressal is a Data Principal right — not just a Data Fiduciary obligation.

Consent Managers are also subject to the grievance mechanism requirement.

Two-tier escalation: Data Fiduciary → Board — with Board jurisdiction contingent on internal mechanism first.

DPDP Rules to specify what constitutes an 'effective' mechanism.

Related Case Laws

Lucknow Development Authority v. M.K. Gupta (1994)

(1994) 1 SCC 243
RELEVANCE

The Supreme Court's landmark consumer law ruling that grievance redressal mechanisms must be effective and accessible — not merely nominal — informs the interpretation of Section 13's grievance mechanism obligation. A Data Fiduciary's grievance mechanism must provide genuine, timely redress, not a procedural barrier to escalation.