Right to Access Information
Plain English Translation
Under Section 11(1) of the Act, individuals have the legal right to access their personal data. This means a Data Principal can ask you for a summary of the personal data you hold about them, the processing activities you have undertaken, and the identities of any other Data Fiduciaries or Data Processors with whom you have shared their information. To comply, you must establish a clear DPDP access request process that lets users exercise these Data Principal rights easily, without jumping through hoops. This transparency is key to providing access to personal data under the DPDP Act and to maintaining user trust.
Technical Implementation
Required Actions (startup)
- Create a simple email channel (privacy@) for receiving access requests.
- Manually query the database to compile a summary of user data.
- Maintain a static list of vendors to share upon request.
Required Actions (scaleup)
- Implement a web form for submitting access requests.
- Automate the retrieval of basic profile data and processing summaries.
- Track request status in a ticketing system (Jira/Zendesk).
Required Actions (enterprise)
- Deploy a fully automated self-service Privacy Center.
- Integrate in real time with vendor management systems to populate data sharing details.
- Automate identity verification before releasing sensitive data summaries.
Under Section 11(1), Data Principals can access a summary of personal data being processed, a summary of processing activities, the identities of all other Data Fiduciaries and Processors with whom data has been shared, and a description of that shared data.
You must establish a mechanism for Data Principals to make a request in the manner prescribed. Once a request is received, verify the identity of the user and provide the requested summaries and sharing details.
The Act states requests are made in a manner 'as may be prescribed'. While specific access timelines await rules, grievance redressal timelines are expected to be a maximum of 90 days.
The Act is currently silent on fees. Unlike GDPR, which explicitly mandates that requests be free (mostly), the DPDP Act does not explicitly authorize or prohibit charging a fee, but rules may clarify this.
The Act requires providing a 'summary' of data and activities. The specific format (e.g., machine-readable) is not mandated in the Act text but may be defined in future rules.
The Act grants the right to access where consent was previously given. It does not explicitly list refusal grounds like the 'manifestly unfounded' ground found in GDPR, but Section 15 prohibits Data Principals from registering false or frivolous grievances.
Yes, Section 11(1) applies to Data Fiduciaries to whom the Data Principal has 'previously given consent', implying it covers data collected prior to the Act's commencement.
Breach in observance of obligations in relation to Data Principal rights under the Act can attract penalties up to INR 50 crore under the Schedule for breach of any other provision.
"The Data Principal shall have the right to obtain from the Data Fiduciary to whom she has previously given consent, including consent as referred to in clause (a) of section 7 (hereinafter referred to as the said Data Fiduciary), for processing of personal data, upon making to it a request in such manner as may be prescribed,— (a) a summary of personal data which is being processed by such Data Fiduciary and the processing activities undertaken by that Data Fiduciary with respect to such personal data; (b) the identities of all other Data Fiduciaries and Data Processors with whom the personal data has been shared by such Data Fiduciary, along with a description of the personal data so shared; and (c) any other information related to the personal data of such Data Principal and its processing, as may be prescribed."
| Version | Date | Author | Description |
|---|---|---|---|
| 1.0.0 | 2026-02-08 | WatchDog Security GRC Wiki Team | Initial publication from DPDP Workbook |