Complaint Mechanism Notice
Plain English Translation
Under Section 5(1)(iii) of the Act, transparency goes beyond listing what data you collect; you must also clearly explain the complaint mechanism the DPDP Act mandates. Your privacy notice must explicitly inform the Data Principal of the grievance process, specifically how they can escalate issues to the Data Protection Board of India if their concerns aren't resolved internally. This ensures users are not only aware of their rights but also know the exact procedure for complaining to the Board to seek a remedy.
Technical Implementation
Required Actions (startup)
- Manually add a section to the Privacy Policy text stating users can complain to the Data Protection Board of India.
- Link to the Data Protection Board of India's official website (once available).
Required Actions (scaleup)
- Integrate DPDP Act grievance redressal information into the consent management platform (CMP) templates.
- Use dynamic variables for Board contact details to allow easy updates across all notices.
Required Actions (enterprise)
- Automate the retrieval of the Data Principal complaint rights text based on the user's region and language preferences.
- Implement real-time monitoring of regulatory updates to ensure the Board's contact mechanism is always current.
Section 5(1)(iii) mandates that the notice must inform the Data Principal of the manner in which they may make a complaint to the Data Protection Board of India, in such manner as may be prescribed.
The Data Protection Board of India operates as a digital office. Complaints regarding personal data breaches or breach of obligations can be made to the Data Protection Board of India in the form and manner prescribed, typically via an online mechanism.
The notice must specifically include the manner in which the Data Principal may exercise their rights and the manner in which they may make a complaint to the Data Protection Board of India.
A Data Principal can file a complaint with the Data Protection Board of India in respect of a personal data breach or a breach in observance of obligations by a Data Fiduciary or Consent Manager.
The Data Principal must first exhaust the opportunity of redressing their grievance with the Data Fiduciary (Section 13(3)). If unresolved, they may then approach the Data Protection Board of India.
The Act does not specify a fixed timeline for the Data Protection Board of India's resolution, but it requires the Data Fiduciary to respond to grievances within a prescribed period (typically 90 days) before the Data Protection Board of India is approached.
No, Section 13(3) explicitly states that a Data Principal shall exhaust the opportunity of redressing her grievance with the Data Fiduciary before approaching the Data Protection Board of India.
Complaints can be filed for a personal data breach or a breach in observance of obligations by a Data Fiduciary in relation to personal data or the exercise of Data Principal rights.
"Every request made to a Data Principal under section 6 for consent shall be accompanied or preceded by a notice given by the Data Fiduciary to the Data Principal, informing her,— ... (iii) the manner in which the Data Principal may make a complaint to the Board, in such manner and as may be prescribed."
| Version | Date | Author | Description |
|---|---|---|---|
| 1.0.0 | 2026-02-08 | WatchDog Security GRC Wiki Team | Initial publication from DPDP Workbook |