comprehensive framework for safeguarding personal data in India. Among
the rights granted to individuals, the Right to Access Personal Data under
Section 11 is pivotal. It empowers individuals, referred to as data
principals, to demand transparency regarding their personal data from
organizations (data fiduciaries). Here’s a detailed overview of this crucial
right and its implications.
Scope of the Right to Access
Under Section 11 of the DPDPA, the data principal has the authority to
request the following from an organization:
1. Summary of Personal Data and Processing Activities:
A detailed summary of the personal data processed by the
organization and the specific activities undertaken.
2. Information About Third Parties:
The identities of all third parties (including data processors and
data fiduciaries) with whom the personal data has been shared,
along with a description of the shared data.
3. Additional Information:
Any further details as prescribed by the Central Government
through subsequent rules and regulations.
Responding to Access Requests
Organizations must establish robust mechanisms to handle access
requests effectively. Key considerations include:
1. Data Discovery:
Conduct manual or automated audits to locate personal data
across applications and databases.
2. Data Protection Impact Assessments (DPIA):
Perform DPIAs to understand the purpose and methods of personal
data processing, including its internal and cross-border flow.
3. Records of Processing Activities (RoPA):
Maintain department-wise documentation to specify processing
purposes and legal grounds for handling personal data.
4. Identity Verification:
Prior to sharing data, organizations must verify the data principal’s
identity using unique identifiers (e.g., email ID, Aadhaar, PAN, or
phone number). Requests can be denied if the identity is
unverified. For minors or individuals with disabilities, identity
verification of parents, guardians, or nominees is required.
Conditions for Exercising the Right
The right to access can only be exercised when:
• Personal data has been processed based on consent obtained
from the data principal.
• The data principal voluntarily provided their data for a specific
purpose.
Outside these scenarios, organizations are not obligated to fulfill
access requests.
Linking the Right to Other Rights
The Right to Access serves as a gateway for exercising other rights
provided under the DPDPA. For example:
• After accessing their data, the data principal may request
corrections, updates, or deletion.
• The data principal may withdraw consent for further processing
upon understanding the purpose of data usage.
Conclusion
As the DPDPA aims to strengthen individual rights, organizations must
proactively design mechanisms to manage these rights effectively.
Facilitating the Right to Access Personal Data not only ensures compliance
with the law but also builds trust among stakeholders. Businesses that
prioritize transparency and accountability will gain a competitive edge in
today’s data-driven environment.
In summary, the Right to Access is more than a legal obligation—it’s a step
toward fostering a robust culture of data protection and trust in India.
Organizations should act now to adapt their systems to uphold this right
seamlessly, avoiding penalties and enhancing their reputation.
