Right to Correction and Erasure
Plain English Translation
Under Section 12 of the Act, you must provide users with the ability to fix mistakes in their data and the power to delete it entirely when it is no longer needed. This right to correction and erasure means if a user updates their address or withdraws consent, you must update your records and permanently remove their information from your systems. This obligation extends beyond your own databases; you are required to trigger the erasure of third-party shared data by instructing your vendors to delete their copies as well. Think of it as a digital shredder that you must operate whenever a user asks to be forgotten or when the business purpose for holding their data expires.
Technical Implementation
Required Actions (startup)
- Process correction and deletion requests manually via support tickets.
- Directly update SQL records to fix inaccuracies.
- Manually log deletions in a spreadsheet.
Required Actions (scaleup)
- Build a user-facing 'Edit Profile' and 'Delete Account' feature.
- Automate validation of updated personal data inputs.
- Implement soft-delete with a scheduled hard-delete job.
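One way to implement the soft-delete and scheduled hard-delete item above, added here as an example and not taken from the Act or the workbook. The 30-day grace window, the table layout and the `legal_hold` column are assumptions; the hold models the Section 12(3) exception for retention required by law, and the sample rows are constructed.

```python
import sqlite3
from datetime import timedelta

GRACE = timedelta(days=30)  # assumed grace window; the page prescribes none

SCHEMA = """
CREATE TABLE users (
    id INTEGER PRIMARY KEY, email TEXT, address TEXT,
    deleted_at INTEGER,                    -- epoch seconds; NULL while active
    legal_hold INTEGER NOT NULL DEFAULT 0  -- assumed flag: 1 = retention required by law
);
CREATE TABLE erasure_log (user_id INTEGER, action TEXT, at INTEGER);
"""

def open_db():
    """In-memory database seeded with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany(
        "INSERT INTO users (id, email, address, legal_hold) VALUES (?, ?, ?, ?)",
        [(1, "a@example.com", "1 Test Rd", 0),
         (2, "b@example.com", "2 Test Rd", 1),   # row under legal retention
         (3, "c@example.com", "3 Test Rd", 0)])
    db.commit()
    return db

def soft_delete(db, user_id, now):
    """Mark the account deleted and log it; returns False if nothing changed."""
    ts = int(now.timestamp())
    cur = db.execute(
        "UPDATE users SET deleted_at = ? WHERE id = ? AND deleted_at IS NULL",
        (ts, user_id))
    if cur.rowcount:
        db.execute("INSERT INTO erasure_log VALUES (?, 'soft_delete', ?)", (user_id, ts))
    db.commit()
    return cur.rowcount == 1

def hard_delete_due(db, now):
    """Scheduled job: purge rows past the grace window, skipping legal holds."""
    ts, cutoff = int(now.timestamp()), int((now - GRACE).timestamp())
    due = [row[0] for row in db.execute(
        "SELECT id FROM users WHERE deleted_at IS NOT NULL"
        " AND deleted_at <= ? AND legal_hold = 0 ORDER BY id", (cutoff,))]
    for uid in due:
        db.execute("DELETE FROM users WHERE id = ?", (uid,))
        db.execute("INSERT INTO erasure_log VALUES (?, 'hard_delete', ?)", (uid, ts))
    db.commit()
    return due  # ids the caller must also have erased by its processors
```

The returned ids are the ones to forward to Data Processors under Section 8(7)(b); copies in backups are outside this job's reach.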
Required Actions (enterprise)
- Deploy a centralized Data Subject Rights (DSR) automation platform.
- Synchronize data updates in real time across distributed systems.
- Cryptographic erasure (crypto-shredding) for backups and archived data.
Under Section 12(2), a Data Principal can request the Data Fiduciary to correct inaccurate or misleading data, complete incomplete data, and update their personal data.
Section 12(3) grants the Data Principal the right to request the erasure of their personal data, which the Data Fiduciary must fulfill unless retention is necessary for the purpose or law.
A user can request erasure at any time. The Fiduciary must comply unless the data is still needed for the specified purpose (Section 8(7)) or required by law.
Yes, Section 8(7)(b) mandates the Data Fiduciary to cause its Data Processors to erase any personal data made available to them for processing.
While Section 12(3) does not specify a timeline, Section 13(2) regarding grievance redressal implies a response within a prescribed period, likely not exceeding 90 days.
Yes, but only if retention is necessary for the specified purpose or for compliance with any law for the time being in force (Section 12(3)).
DPDP's right to erasure is broader as it is an absolute right subject only to purpose fulfillment and legal compliance, whereas GDPR lists specific grounds (like unlawful processing) for erasure.
Failure to erase data as required by Section 8(7) or honor rights under Section 12 can attract penalties up to INR 500 million (50 crore) for breach of provisions.
"A Data Principal shall have the right to correction, completion, updating and erasure of her personal data for the processing of which she has previously given consent, including consent as referred to in clause (a) of section 7, in accordance with any requirement or procedure under any law for the time being in force."
"A Data Fiduciary shall, upon receiving a request for correction, completion or updating from a Data Principal,— (a) correct the inaccurate or misleading personal data; (b) complete the incomplete personal data; and (c) update the personal data."
"A Data Principal shall make a request in such manner as may be prescribed to the Data Fiduciary for erasure of her personal data, and upon receipt of such a request, the Data Fiduciary shall erase her personal data unless retention of the same is necessary for the specified purpose or for compliance with any law for the time being in force."
| Version | Date | Author | Description |
|---|---|---|---|
| 1.0.0 | 2026-02-08 | WatchDog Security GRC Wiki Team | Initial publication from DPDP Workbook |