DPDP Rules 2025 Phase 3 (13 May 2027) RIGHTS

Rule 11

Mechanism for Exercise of Rights by Data Principals

Practical Note

Rule 11 requires businesses to build a rights request mechanism: a user-facing system through which Data Principals can exercise access, correction, and erasure rights. This can be integrated into an existing customer portal or app settings, or built as a standalone DSR (Data Subject Request) management system. Response timelines and formats are to be specified by the DPBI. Businesses should begin building DSR infrastructure now.

THE STATUTE

Original Text

(1) A Data Fiduciary shall — (a) provide the Data Principal with a readily accessible means to exercise her rights under the Act, including through the website or application of the Data Fiduciary; (b) respond to a request from the Data Principal to exercise such rights within such period as the Board may specify; (c) provide the information requested in a clear, accessible form in such language that the Data Principal can understand.

Analysis & Details

Rule 11 requires Data Fiduciaries to build and maintain an accessible mechanism through which Data Principals can exercise their rights under the Act: (a) Right to access: to know what personal data is held and how it is being processed (Act Section 11); (b) Right to correction and erasure: to correct inaccurate data and request deletion (Act Section 12); (c) Right to grievance redressal: to file complaints and get responses (Act Section 13); (d) Right to nominate: to designate a representative for post-death data rights (Act Section 14).

The mechanism must be 'readily accessible': it cannot be buried in complex menus or hidden in privacy policies. Integration into a website or application dashboard is the expected approach. Responses must be provided within a DPBI-specified period (timelines are not yet set; GDPR's 30-day standard is likely to be influential), in a language the Data Principal can understand, and in an accessible format. The multi-language requirement, linked to Eighth Schedule languages as specified by the Central Government, is operationally challenging for businesses that currently operate only in English.

GDPR Parallel

Articles 12–22 (Data Subject Rights + Response Requirements)

IT Act Impact

Rule 11's rights mechanism is entirely new: the IT Act SPDI Rules had no individual data rights or request response mechanism. The rights to access and correction are being created for the first time for Indian digital data subjects through DPDP.

Common Queries

Under DPDP Act Sections 11–14 (operationalised by Rule 11), Data Principals have four rights: (1) Right to Access — to know what personal data is held and how it is processed; (2) Right to Correction and Erasure — to correct inaccurate data and request deletion; (3) Right to Grievance Redressal — to file complaints with the Data Fiduciary and escalate to the DPBI; (4) Right to Nominate — to designate a representative to exercise data rights after death or incapacity. Note: DPDP does NOT include a right to data portability or a right to object to processing based on legitimate interests (both exist under GDPR).

The response timeline is not specified in the Rules; the Data Protection Board of India will specify timelines by notification. Based on GDPR's 30-day standard (extendable to 3 months for complex requests), a similar timeline is likely. Businesses should build systems capable of responding within 30 days. The DPBI is expected to issue guidelines on response timelines once operational.

Key Rules & Provisions

Readily accessible rights mechanism required — not buried in privacy policy.

Response timelines to be specified by DPBI (likely 30 days, modelled on GDPR).

Multi-language response requirement — Eighth Schedule languages as specified.

Accessible format for persons with disabilities.

Rights mechanism can be website, app, or dedicated portal.