Data Principal
The individual to whom personal data relates — equivalent to a 'Data Subject' under the GDPR, but with the term 'Principal' reflecting agency and ownership over one's data.
Full Definition
Section 2(l) of the DPDP Act 2023 defines 'Data Principal' as the individual to whom the personal data relates. The term 'Principal' is purposeful — the Puttaswamy (2017) judgment framed privacy as a fundamental right, and the 'Principal' designation connotes the individual's primary ownership of and authority over their personal data. Core rights of a Data Principal include: right to access information about processing (Section 11), right to correction and erasure (Section 12), right to grievance redressal (Section 13), and the unique right to nominate a person to exercise rights in the event of death or incapacity (Section 14). In case of minors (under 18), rights are exercised by their parent or legal guardian.
In Indian Law
DPDP Act 2023, Section 2(l). Rights are in Sections 11–14. The DPDP Act sets the age of consent at 18 (higher than GDPR's default of 16) — children's data requires verifiable parental consent. Data Fiduciaries are prohibited from processing children's data for behavioural tracking or targeted advertising, and may not provide services that are likely to cause detrimental effects on the child's wellbeing.
Related Legal Sections
Frequently Asked Questions
What rights does a Data Principal have under the DPDP Act?
A Data Principal has four core rights: (1) right to access information about how their data is being processed; (2) right to correction, completion, updating, or erasure of personal data; (3) right to grievance redressal via the Data Fiduciary's grievance mechanism and escalation to the Data Protection Board; and (4) right to nominate another person to exercise these rights in case of death or incapacity.
Does the DPDP Act give Data Principals a right to data portability?
No. Unlike the GDPR (Article 20), the DPDP Act 2023 does not include a right to data portability. This is one of the notable gaps compared to GDPR.