Publication of Business Contact Info
Plain English Translation
Under Section 8(9) of the Act, you cannot hide behind a faceless corporate entity. You are legally required to publish the business contact information that the DPDP Act mandates and to make it easily accessible to any user. This contact must belong to a Data Protection Officer (if applicable) or a specific person authorized to answer questions about data processing. This requirement establishes a direct grievance channel for Data Principals, ensuring transparency in data processing and allowing users to easily exercise their rights or raise concerns without navigating a maze of automated support bots.
Technical Implementation
Required Actions (startup)
- Create a generic alias (privacy@) and forward it to the CEO or Legal.
- Add the email address to the website footer.
- Manually reply to inquiries.
Required Actions (scaleup)
- Appoint a specific individual as the authorized contact.
- Publish their business contact details on a dedicated 'Contact Us' page.
- Track incoming requests in a spreadsheet.
Required Actions (enterprise)
- Deploy a dedicated Privacy Portal with dynamic FAQs and direct messaging to the DPO.
- Automate SLA tracking to ensure responses are sent within the prescribed period.
- Multi-language support for the contact page.
Section 8(9) requires publishing the business contact information. This typically includes an email address, phone number, or physical address where the officer can be reached.
It can be a Data Protection Officer (mandatory for Significant Data Fiduciaries) or any person able to answer questions raised by the Data Principal about the processing of their personal data.
The contact information must be published in the manner prescribed, which typically means prominently on the website, mobile application, and in the privacy notice itself.
While the Act says 'business contact information', using a generic alias like 'privacy@' is common practice, provided it is monitored by a person able to answer the questions.
The officer serves as the point of contact for the grievance redressal mechanism (Section 8(10)) and answers questions from Data Principals regarding their data processing (Section 8(9)).
You can use a Data Processor to assist, but Section 8(1) holds the Data Fiduciary responsible for compliance. The contact published must effectively represent the Fiduciary.
The Data Fiduciary must respond to grievances within the prescribed period. Analysis suggests a maximum timeline of 90 days from the date of receipt.
Failure to observe the provisions of the Act, such as Section 8(9), can attract penalties of up to INR 50 crore under the general penalty clause for 'Breach of any other provision'.
"A Data Fiduciary shall publish, in such manner as may be prescribed, the business contact information of a Data Protection Officer, if applicable, or a person who is able to answer on behalf of the Data Fiduciary, the questions, if any, raised by the Data Principal about the processing of her personal data."
| Version | Date | Author | Description |
|---|---|---|---|
| 1.0.0 | 2026-02-08 | WatchDog Security GRC Wiki Team | Initial publication from DPDP Workbook |