BACK TO DPDP ACT
DPDP Act 2023

Section 27

Complaint before the Board

THE STATUTE

Original Text

(1) A Data Principal who is aggrieved by any act or omission of a Data Fiduciary or Consent Manager, contrary to the provisions of this Act, shall, before making a complaint to the Board, first refer the matter to the Data Fiduciary or Consent Manager concerned. (2) Where the matter referred to under sub-section (1) is not resolved to the satisfaction of the Data Principal within such period as may be prescribed, the Data Principal may make a complaint to the Board in the prescribed manner. (3) On receipt of a complaint under sub-section (2), the Board may, after such preliminary examination as it deems necessary, proceed to conduct an inquiry.

Simplified

Section 27 is the gateway provision for Data Principal access to the Data Protection Board — it establishes the complaint procedure and the mandatory pre-condition of first using the Data Fiduciary's internal grievance mechanism. The two-tier escalation is explicit: Step 1 — refer the matter to the Data Fiduciary or Consent Manager. This is the Section 13 grievance mechanism. The DPDP Rules will specify a waiting period after which, if not resolved satisfactorily, the Data Principal can escalate. Step 2 — if unresolved within the prescribed period, file a complaint with the Board in the prescribed manner. The Board then conducts a preliminary examination before deciding whether to launch a full inquiry under Section 28. The preliminary examination is an important filter: it allows the Board to weed out clearly frivolous or vexatious complaints (against which Section 15's duty not to file frivolous complaints provides a penalty backstop), and to assess whether the complaint discloses a prima facie contravention worth investigating. This prevents the Board from being overwhelmed by every minor grievance. The complaint procedure will be conducted through the Board's digital office (Section 18(5)) — online filing, electronic acknowledgment, and digital proceedings. The DPDP Rules will specify the form and contents of a complaint, the evidence to be provided, and the timeline for the Board's preliminary examination. Importantly, the complaint must be by the aggrieved Data Principal themselves — third-party complaints (NGOs filing on behalf of affected individuals, representative complaints) are not provided for in the Act, though the Rules may address this.

Common Queries

No. Section 27(1) requires you to first refer the matter to the Data Fiduciary or Consent Manager. Only if it is unresolved within the prescribed period can you file a complaint with the Board.
The DPDP Rules will specify the waiting period. It is expected to be a matter of days or weeks — consistent with the Act's goal of timely resolution.
The Act as drafted provides for complaints by the aggrieved Data Principal. Representative or class complaints are not expressly provided for in Section 27, but the DPDP Rules may address this gap.
Before launching a full formal inquiry, the Board may assess whether the complaint is admissible, non-frivolous, and discloses a prima facie contravention. The Board can reject clearly untenable complaints at this stage.

Legal Context

The two-tier complaint model mirrors the consumer protection framework under the Consumer Protection Act 2019 and the banking ombudsman scheme — exhaust internal mechanisms first, then escalate to the regulator. This is designed to reduce the regulatory burden while ensuring Data Principals have a meaningful escalation option when internal mechanisms fail.

Key Rules & Provisions

Mandatory internal grievance mechanism first — Board is second tier only.

Preliminary examination by Board before full inquiry — filters frivolous complaints.

Digital filing through Board's online office — accessible without physical visit.

No representative complaint provision — each aggrieved Data Principal must file individually.

Related Case Laws

National Insurance Co. Ltd. v. Hindustan Safety Glassworks Ltd. (2017)

(2017) 13 SCC 775
RELEVANCE

The Supreme Court's emphasis that mandatory pre-litigation grievance exhaustion requirements must be clearly prescribed and not used as a barrier to justice informs the Section 27 framework — the internal grievance mechanism requirement is a structured filter, not a mechanism to deny Data Principals access to the Board.