Section 11 DPDPA

Right to access information about personal data.


11.(1) The Data Principal shall have the right to obtain from the Data Fiduciary to whom she has previously given consent, including consent as referred to in clause (a) of section 7 (hereinafter referred to as the said Data Fiduciary), for processing of personal data, upon making to it a request in such manner as may be prescribed,—
(a) a summary of personal data which is being processed by such Data Fiduciary and the processing activities undertaken by that Data Fiduciary with respect to such personal data;
(b) the identities of all other Data Fiduciaries and Data Processors with whom the personal data has been shared by such Data Fiduciary, along with a description of the personal data so shared; and
(c) any other information related to the personal data of such Data Principal and its processing, as may be prescribed.

(2) Nothing contained in clause (b) or clause (c) of sub-section (1) shall apply in respect of the sharing of any personal data by the said Data Fiduciary with any other Data Fiduciary authorised by law to obtain such personal data, where such sharing is pursuantto a request made in writing by such other Data Fiduciary for the purpose of prevention or detection or investigation of offences or cyber incidents, or for prosecution or punishment of offences.

Applicable DPDP Rule 2025

Rule 13: Rights of Data Principals

Section 12 DPDPA →
DPDPA
Table of contents


Report error

Legal Interpretation of the

Section 11 of the Digital Personal Data Protection Act, 2023 (DPDPA)

Introduction

Section 11 of the Digital Personal Data Protection Act, 2023 (India) confers upon Data Principals (individuals whose personal data is processed) a legally enforceable right to obtain information about their personal data held by Data Fiduciaries. It is often referred to as the “Right to Access Information” about one’s personal data. This right is pivotal to fostering transparency, accountability, and trust in the digital ecosystem, as it enables individuals to understand how and why their data is being processed.

Key Provisions of Section 11

  1. Confirmation of Processing:
    Under Section 11, the Data Principal has the right to obtain confirmation from a Data Fiduciary as to whether their personal data is being processed. This is a preliminary step that ensures the individual can ascertain if a particular entity holds and uses their personal information.
  2. Summary of Personal Data and Processing Activities:
    Beyond mere confirmation, the Data Principal can also seek a summary of the personal data being processed and the processing activities undertaken by the Data Fiduciary. This summary may include categories of personal data collected, the purposes for which it is being used, and whether it has been shared with third parties.
  3. Mode and Manner of Access:
    The Act generally expects that requests for access be made in a prescribed manner (details of which may be provided by subsequent rules or regulations). Data Fiduciaries are obliged to respond within a reasonable timeframe, and the information must be provided in a clear and intelligible format.
  4. No Excessive Charges and Easy Accessibility:
    To ensure that the right of access remains meaningful, the Act discourages imposing excessive charges or making the process overly cumbersome. Although some reasonable fee might be permissible, the goal is to keep this right accessible to all Data Principals, not just those who can afford high fees or navigate complex procedures.
  5. Relation to Other Rights:
    The right to access is foundational. By knowing what data is held and how it is used, a Data Principal can meaningfully exercise other rights, such as the right to correction (if the data is inaccurate), the right to erasure (if the data is no longer needed), or the right to grievance redressal if they suspect misuse.

Legal Interpretation

Transparency and Accountability:
Section 11 enshrines transparency as a legal obligation. Data Fiduciaries must be prepared to disclose the nature, scope, and rationale behind their data processing activities. Such transparency aligns with global data protection standards (such as the EU’s GDPR) and bolsters the accountability of Data Fiduciaries.

Empowerment of Data Principals:
Giving individuals the right to see “behind the curtain” of data processing empowers them. Once they know what data is collected, how it is categorized, and who might have access to it, Data Principals can make more informed decisions about continuing a service relationship, exercising other statutory rights, or seeking redress if violations occur.

Checks and Balances:
By mandating that Data Fiduciaries furnish this information, Section 11 creates a check on arbitrary or opaque data practices. It discourages unregulated data collection and encourages better data hygiene, as Data Fiduciaries know that any Data Principal can request details about their data processing.

Harmonization with International Norms:
The right to access personal data is a widely recognized principle in international data protection laws. Section 11’s provisions bring the Indian data protection regime in line with well-established global benchmarks, facilitating international trust and cooperation in the digital ecosystem.

Illustrations

1. Social Media Platform

Scenario:
A user of a popular social media platform is concerned about how the platform utilizes their personal data—such as their profile information, uploaded photos, and interaction history.

Application:
The user exercises their right under Section 11 by submitting a request through the platform’s designated data request portal. In response, the platform must provide:

  • Confirmation that it processes the user’s personal data (e.g., profile details, posts, liked content).
  • A summary of the types of personal data it holds (user profile info, behavioral data from browsing and clicking, advertising interactions) and the primary purposes (personalizing the feed, showing targeted advertisements, and recommending new contacts).

2. E-Commerce Website

Scenario:
A customer suspects that the online retailer they frequently shop at might be sharing their purchase history and personal details (like name, address, and phone number) with third-party marketers.

Application:
The customer requests access under Section 11. The retailer must confirm if it processes the customer’s personal data and provide a summary of:

  • The categories of data (contact information, purchase history, device information).
  • The processing activities (order fulfillment, product recommendations, marketing communications) and with whom (if any) the data is shared.

This transparency allows the customer to decide whether to continue shopping from that retailer or to lodge a complaint if unauthorized sharing is discovered.

3. Banking Services

Scenario:
A bank customer wants to know how their personal data (like financial history, demographic details, and credit score) is being used to determine loan eligibility and interest rates.

Application:
By submitting a Section 11 request, the customer obtains confirmation of data processing and a summary stating:

  • The categories of personal data used (credit history, income details, KYC documents).
  • The broad criteria or analytical models used in processing that data for creditworthiness assessment.

Equipped with this information, the customer can better understand the basis of the bank’s decisions and, if needed, challenge any inaccuracies.

Significance and Broader Impact

Building Trust:
Data Principals who know that they can inquire about and understand how their data is used are more likely to trust digital services and share data responsibly. This trust is vital for the growth of the digital economy.

Informed Consent and Control:
Access to information about personal data processing feeds into more informed consent. Individuals can choose whether to continue engaging with a service, withdraw consent, or seek rectification if they find discrepancies or misuses.

Promoting Good Data Governance:
The legal requirement to respond to access requests incentivizes Data Fiduciaries to maintain organized, easily retrievable records of processing activities, leading to better data governance and compliance readiness.

Conclusion

Section 11 of the DPDP Act, 2023, by granting Data Principals the right to access information about their personal data, lays the groundwork for a robust and transparent data protection regime. By empowering individuals with knowledge about what data is processed, why, and by whom, it aligns with international best practices, fosters trust, and ensures that the Indian digital landscape respects individual autonomy and accountability.

© 2024 Advocate (Dr.) Prashant Mali