Your Data, Your Rights: Understanding the DPDP Act, 2023
Empowering Individuals and Protecting Privacy in the Digital Age
What are Data Principal Rights?
Data Principal Rights are the rights granted to individuals (referred to as “Data Principals”) to ensure they have control over the processing of their personal data. These rights are enshrined in laws such as the Digital Personal Data Protection Act (DPDPA) in India, Data Subject rights under GDPR in the EU, and similar data protection laws worldwide. They empower individuals to safeguard their privacy, maintain transparency, and hold organizations accountable for data processing activities.
What is the DPDP Act, 2023?
The DPDP Act is India’s first comprehensive data protection law designed to safeguard personal data and ensure transparency in how it’s processed. It gives individuals (referred to as Data Principals) a set of rights to protect their privacy, while also outlining responsibilities for organizations (referred to as Data Fiduciaries) that handle personal data.

Here’s a closer look at the rights you have as a Data Principal under the DPDP Act:

Right to Access
- Scenario 1: You signed up for an online shopping platform and want to know what personal data they’ve collected about you.
  Action: You submit a request to the platform asking for a summary of your personal data, including your name, address, purchase history, and who has access to it.
  Outcome: The platform provides you with a detailed report of your data and explains how it’s being used.
- Scenario 2: Your bank collects your financial data, and you want to know how it’s being processed.
  Action: You request access to your financial data, including transaction history and credit score.
  Outcome: The bank shares a summary of your data and explains its purpose (e.g., for loan approvals or fraud detection).

Right to Correction
- Scenario 1: You notice that your address on an e-commerce platform is outdated.
  Action: You request the platform to update your address to the correct one.
  Outcome: The platform updates your address in their database.
- Scenario 2: Your credit report contains an error in your employment history.
  Action: You contact the credit bureau to correct the inaccurate information.
  Outcome: The bureau updates your credit report with the correct details.

Right to Erasure
- Scenario 1: You closed your account on a social media platform and want your data deleted.
  Action: You request the platform to erase your personal data, including posts, messages, and profile information.
  Outcome: The platform deletes your data, except for what’s required for legal compliance.
- Scenario 2: A job portal still has your resume and personal details even though you’re no longer job hunting.
  Action: You request the portal to delete your resume and account information.
  Outcome: The portal removes your data from their system.

Right to Restriction
- Scenario 1: You no longer want to receive marketing emails from an online store.
  Action: You request the store to restrict the use of your data for marketing purposes.
  Outcome: The store stops sending you promotional emails but retains your data for order processing.
- Scenario 2: A fitness app is using your health data for research purposes without your consent.
  Action: You request the app to restrict the use of your health data for research.
  Outcome: The app stops using your data for research but continues to use it for providing fitness services.

Right to Object
- Scenario 1: A bank uses an algorithm to reject your loan application without human review.
  Action: You object to the automated decision-making and request a human review.
  Outcome: The bank reviews your application manually and approves your loan.
- Scenario 2: A social media platform uses your data to create a profile for targeted advertising.
  Action: You object to the profiling and request the platform to stop using your data for ads.
  Outcome: The platform stops using your data for targeted ads.

Right to Withdraw Consent
- Scenario: You previously consented to a newsletter from a travel website but no longer want to receive it.
  Action: You withdraw your consent for the newsletter.
  Outcome: The website stops sending you newsletters.
- Scenario: A mobile app collects your location data for personalized services, but you no longer want to share it.
  Action: You withdraw your consent for location tracking.
  Outcome: The app stops collecting your location data.

Right to Grievance Redressal
- Scenario: You suspect that a company is selling your personal data to third parties without your consent.
  Action: You file a grievance with the company’s data protection officer.
  Outcome: The company investigates your complaint and takes corrective action.
- Scenario: A healthcare provider accidentally shares your medical records with an unauthorized party.
  Action: You raise a grievance with the provider and request an explanation.
  Outcome: The provider apologizes, rectifies the breach, and ensures better data security.

Right to Nominate
- Scenario: You’re traveling abroad and want someone to manage your data rights in your absence.
  Action: You nominate a family member to exercise your data rights on your behalf.
  Outcome: Your nominee can now request access, correction, or erasure of your data.
- Scenario: You’re incapacitated due to illness and cannot manage your data rights.
  Action: You nominate a trusted friend to act on your behalf.
  Outcome: Your friend can raise grievances or withdraw consent on your behalf.

Your Rights Under the DPDP Act
Here’s a detailed breakdown of your rights as a Data Principal under the DPDP Act:
Right | Description |
---|---|
Right to Access | You can request a summary of your personal data, the purpose of processing, and who has access to it. |
Right to Correction | You can request corrections if your data is inaccurate or incomplete. |
Right to Erasure | You can request the deletion of your personal data when it’s no longer necessary. |
Right to Restriction | You can limit how your data is used, such as opting out of marketing communications. |
Right to Object | You can object to how your data is used, especially for automated decision-making or profiling. |
Right to Withdraw Consent | You can withdraw your consent for data processing at any time. |
Right to Grievance Redressal | You can raise concerns about how your data is being handled. |
Right to Nominate | You can nominate someone to exercise your rights if you’re unable to do so yourself. |
Why These Rights Matter
The DPDP Act isn’t just about protecting your data—it’s about giving you control and transparency. Here’s why these rights are a game-changer:
- Empowerment: You’re no longer in the dark about how your data is used.
- Trust: Businesses that comply with the DPDP Act build trust with their customers by being transparent and accountable.
- Privacy: Your personal information is safeguarded against misuse, ensuring your privacy is respected.
What This Means for Businesses
For businesses, the DPDP Act is a call to action to prioritize data protection. By complying with the law, organizations can:
- Build stronger customer relationships based on trust.
- Avoid hefty penalties for non-compliance.
- Streamline data processing practices to align with global standards.
Final Thoughts
The DPDP Act, 2023, is a significant step forward in protecting personal data in India. By understanding your rights as a Data Principal, you can take control of your digital footprint and ensure your privacy is respected.
For businesses, this is an opportunity to demonstrate accountability and build trust with customers. After all, in a world driven by data, transparency is the key to success.
References
- Draft DPDP Rules: https://egazette.gov.in/(S(rszckzjqxkns41cjzagebonx))/ViewPDF.aspx
- DPDP Act 2023: https://www.meity.gov.in/writereaddata/files/Digital%20Personal%20Data%20Protection%20Act%202023.pdf
Reaching the Author: Email - info@cyberlawconsulting.com | Know more about the author at www.prashantmali.com