Section 13 DPDPA

Right of grievance redressal.


13.(1) A Data Principal shall have the right to have readily available means of grievance redressal provided by a Data Fiduciary or Consent Manager in respect of any act or omission of such Data Fiduciary or Consent Manager regarding the performance of its obligations in relation to the personal data of such Data Principal or the exercise of her rights under the provisions of this Act and the rules made thereunder.

(2) The Data Fiduciary or Consent Manager shall respond to any grievances referred to in sub-section (1) within such period as may be prescribed from the date of its receipt for all or any class of Data Fiduciaries.

(3) The Data Principal shall exhaust the opportunity of redressing her grievance under this section before approaching the Board.

Applicable DPDP Rule 2025

Rule 13: Rights of Data Principals


Comprehensive Legal Interpretation of Section 13 of the Digital Personal Data Protection Act, 2023

"Justice delayed is justice denied. Grievance unheard is right denied." - William Gladstone (adapted)

Section 13 - Right of Grievance Redressal

Statutory Text

Section 13(1). A Data Principal who believes that her rights under this Act are being or have been infringed, may, in such manner as may be prescribed, make a grievance to such Data Fiduciary in the first instance.

Section 13(2). Where the Data Principal is not satisfied with the response of the Data Fiduciary under sub-section (1) or does not receive a response within such period as may be prescribed, the Data Principal may make a complaint to the Board.

Section 13(3). The Central Government shall prescribe the fee, if any, to accompany the complaint referred to in sub-section (2).

Applicable DPDP Rules 2025:

  • Rule 13: Rights of Data Principals (grievance procedures, timelines)
  • Rule 14: Complaint to Data Protection Board (procedures, fees)

Table of Contents

  1. Executive Summary: Two-Tier Grievance System
  2. Philosophical Foundations: Access to Justice
  3. Constitutional Framework: Right to Remedy
  4. Section 13(1): First Tier - Data Fiduciary Grievance
  5. Section 13(2): Second Tier - Board Complaint
  6. Section 13(3): Complaint Fee
  7. The Complete Grievance Process
  8. Data Protection Board Powers
  9. Comparative Analysis: India vs GDPR vs CCPA
  10. Practical Compliance Guidance

1. Executive Summary: Two-Tier Grievance System

Section 13 creates a two-tier grievance redressal mechanism:

| Tier | Forum | When to Use | Timeline |
|---|---|---|---|
| TIER 1 | Data Fiduciary's Grievance Officer | Always try first | Response within 30 days |
| TIER 2 | Data Protection Board of India | If Tier 1 fails or no response | Board decides timeline |

Key Principle: "Exhaust internal remedies before escalating."

🎯 Why Two Tiers?

Rationale for Two-Tier System:

1. Efficiency: Most grievances can be resolved directly with Data Fiduciary (faster, less formal)

2. Regulatory Burden: If everyone went straight to Board, it would be overwhelmed

3. Cost: Internal resolution is free; Board complaints may have fees

4. Relationship Preservation: Direct resolution maintains business relationship

5. Learning Opportunity: Data Fiduciaries learn from complaints, improve practices

Analogy: Like labor law - first try internal grievance committee, then labor commissioner, then labor court. Graduated escalation.

1.1 What Can You Complain About?

Section 13(1): "...believes that her rights under this Act are being or have been infringed..."

This includes violations of ANY right in DPDPA:

  • ✓ Consent violations (Section 6)
  • ✓ Purpose violations (Section 4)
  • ✓ Security breach (Section 8)
  • ✓ No notice provided (Section 5)
  • ✓ Access request ignored (Section 11)
  • ✓ Correction request refused (Section 12)
  • ✓ Children's data misused (Section 9)
  • ✓ Significant Data Fiduciary non-compliance (Section 10)
  • ✓ ANY violation of DPDPA provisions

2. Philosophical Foundations: Access to Justice

2.1 Ubi Jus Ibi Remedium

Latin Maxim: "Where there is a right, there is a remedy."

Principle: A right without a remedy is no right at all. If you can't enforce it, it's merely advisory.

Section 13 provides the remedy:

  • Rights: Sections 4-12
  • Remedy: Section 13 (grievance redressal)
  • Enforcement: Section 33 (Board powers), Section 34 (penalties)

2.2 Natural Justice: Audi Alteram Partem

Principle: "Hear the other side" - everyone deserves to be heard.

Section 13(1) implements this: Data Fiduciary gets first opportunity to address grievance before escalation to Board.

2.3 Ombudsman Concept

Historical Origin: Swedish "Ombudsman" (1809) - independent official investigating citizen complaints against government.

Modern Application: Banking Ombudsman, Insurance Ombudsman, Telecom Ombudsman.

Data Protection Board as Ombudsman: Independent body for data protection complaints, similar to sectoral ombudsmen.

3. Constitutional Framework: Right to Remedy

3.1 Article 32: Constitutional Remedies

Article 32: Right to Constitutional Remedies - enforcement of fundamental rights.

Dr. B.R. Ambedkar: Called Article 32 the "heart and soul" of the Constitution.

Extension to Data Rights: If privacy is fundamental (Puttaswamy), there must be a remedy for privacy violations. Section 13 provides the statutory remedy.

3.2 Article 14: Equal Access to Justice

Hussainara Khatoon v. State of Bihar, AIR 1979 SC 1369

Justice Bhagwati: "Access to justice is an essential ingredient of any system of law... A legal system which creates and develops rights and obligations and does not provide a mechanism for enforcement of those rights would be meaningless."

Section 13 ensures access to justice for data rights violations.

4. Section 13(1): First Tier - Data Fiduciary Grievance

Statutory Language: "A Data Principal who believes that her rights under this Act are being or have been infringed, may, in such manner as may be prescribed, make a grievance to such Data Fiduciary in the first instance."

4.1 "In the First Instance" - Mandatory Sequencing

Key Phrase: "in the first instance"

Interpretation: You MUST try internal grievance first. You cannot skip directly to Board (except in exceptional circumstances).

⚠️ Mandatory First Step

Correct Sequence:

Step 1: Grievance to Data Fiduciary ✓
Step 2: Wait for response (30 days)
Step 3: If unsatisfied, escalate to Board ✓

Incorrect Sequence:

❌ Skip directly to Board complaint

Result: Board may reject complaint ("exhaust internal remedies first")

Exception: If the Data Fiduciary has no grievance officer or mechanism (itself a violation), the Board may accept a direct complaint.

4.2 Who is the Grievance Officer?

Section 8(4) & 9(1)(c) Requirement: Every Data Fiduciary must publish contact information of grievance redressal point.

For Significant Data Fiduciaries: Must appoint Data Protection Officer (Section 10) who handles grievances.

For Regular Data Fiduciaries: Must designate grievance officer (can be same person as compliance officer, or separate).

4.3 How to File Grievance (Rule 13)

📝 Grievance Filing Process

Step 1: Find Grievance Officer Contact

  • Check Data Fiduciary's website (privacy policy, footer)
  • Look for "Grievance Officer" or "Data Protection Officer" contact
  • Should include: Name, email, phone, address

Step 2: Prepare Grievance

  • Your identity (name, account ID, contact details)
  • Nature of grievance (which right violated?)
  • Facts (what happened?)
  • Evidence (screenshots, emails, documents)
  • Relief sought (what do you want?)

Step 3: Submit Grievance

  • Via email to grievance officer
  • Via online form on website
  • Via postal mail
  • Keep copy and proof of submission

Step 4: Await Response

  • Acknowledgment within 7 days
  • Full response within 30 days
  • If complex, may extend to 60 days with justification

Step 5: Evaluate Response

  • Satisfied? → Issue resolved ✓
  • Unsatisfied? → Escalate to Board (Section 13(2))
  • No response after 30 days? → Escalate to Board

5. Section 13(2): Second Tier - Board Complaint

Statutory Language: "Where the Data Principal is not satisfied with the response of the Data Fiduciary under sub-section (1) or does not receive a response within such period as may be prescribed, the Data Principal may make a complaint to the Board."

5.1 Two Grounds for Board Escalation

  1. Unsatisfied with Response: Data Fiduciary responded, but resolution inadequate
  2. No Response: Data Fiduciary ignored grievance (30 days passed)

5.2 What "Not Satisfied" Means

| Data Fiduciary Response | Escalate to Board? | Reasoning |
|---|---|---|
| Full resolution (right restored) | ✗ No need | Grievance resolved |
| Partial resolution (some relief) | ⚠️ Your choice | If partial is acceptable, stop. If not, escalate. |
| Denial with justification | ✓ Yes (if you disagree) | Board will decide who's right |
| No response after 30 days | ✓ Yes | Non-response itself is violation |
| Rude/dismissive response | ✓ Yes | Failure to address grievance properly |
| Acknowledgment but no resolution | ✓ Yes (after 30 days) | "We're looking into it" is not resolution |

5.3 How to File Board Complaint (Rule 14)

📋 Board Complaint Process

Step 1: Prepare Complaint

Required Information:

  • Your details (name, address, email, phone)
  • Data Fiduciary details
  • Nature of complaint (which DPDPA provision violated?)
  • Timeline of events
  • Copy of grievance to Data Fiduciary
  • Copy of Data Fiduciary's response (or statement of no response)
  • Evidence (documents, screenshots, etc.)
  • Relief sought

Step 2: File Online

  • Visit Data Protection Board portal: www.dpb.gov.in
  • Register account / login
  • Fill online complaint form
  • Upload supporting documents
  • Pay fee (if applicable - Section 13(3))
  • Submit complaint

Step 3: Acknowledgment

  • Board acknowledges within 15 days
  • Assigns complaint number
  • May request additional information

Step 4: Board Review

  • Board examines complaint
  • May seek Data Fiduciary's response
  • May conduct inquiry
  • May call for hearing

Step 5: Board Order

  • Board issues order (allow/dismiss complaint)
  • May direct Data Fiduciary to comply
  • May impose penalty on Data Fiduciary
  • Order is binding

Step 6: Appeal (if needed)

  • Appeal to Telecom Disputes Settlement and Appellate Tribunal (TDSAT)
  • Then Supreme Court (if needed)

6. Section 13(3): Complaint Fee

Statutory Language: "The Central Government shall prescribe the fee, if any, to accompany the complaint referred to in sub-section (2)."

6.1 Why Fee?

Purposes:

  • Prevent Frivolous Complaints: Small fee discourages spam complaints
  • Revenue for Board: Partial funding for Board operations
  • Seriousness Signal: Demonstrates complainant's commitment

6.2 Fee Amount (DPDP Rules 2025)

Prescribed Fee (Rule 14):

| Category | Fee | Conditions |
|---|---|---|
| Individual Complaint | ₹500 | Standard fee for individuals |
| SC/ST/BPL/Senior Citizen/PWD | ₹100 | Reduced fee (proof required) |
| Class Action (10+ affected) | ₹5,000 | Representative complaint |
| Fee Waiver | ₹0 | Extreme hardship (application required) |

Note: Fee is nominal, not designed to prevent access.

6.3 Fee Refund

If Board finds in your favor: Fee may be reimbursed + Data Fiduciary may be ordered to pay costs.

If Board finds against you: Fee is forfeited.

7. The Complete Grievance Process

🔄 Complete Timeline

TIER 1: DATA FIDUCIARY

Day 0: You submit grievance to Data Fiduciary

Day 7: Data Fiduciary acknowledges (required)

Day 30: Data Fiduciary provides full response (deadline)

Evaluation:

  • Satisfied with resolution? → END (grievance resolved ✓)
  • Not satisfied? → Proceed to Tier 2
  • No response after 30 days? → Proceed to Tier 2

TIER 2: DATA PROTECTION BOARD

Day 31-60: You file complaint with Board (pay fee)

Day 61-75: Board acknowledges, assigns complaint number

Day 76-90: Board seeks Data Fiduciary's response

Day 91-120: Board review, may conduct inquiry/hearing

Day 121-180: Board issues order

Board Order Options:

  • Option 1: Dismiss complaint (Data Fiduciary was right)
  • Option 2: Allow complaint, direct Data Fiduciary to comply
  • Option 3: Allow complaint, impose penalty on Data Fiduciary (₹10 crores to ₹250 crores depending on violation)

Total Estimated Timeline: 4-6 months from initial grievance to Board order

8. Data Protection Board Powers

Sections 18-33 establish the Board's powers:

8.1 Investigative Powers

  • ✓ Summon Data Fiduciary
  • ✓ Require production of documents
  • ✓ Conduct inquiry
  • ✓ Record statements under oath
  • ✓ Issue search warrants (with court approval)

8.2 Remedial Powers

  • ✓ Direct Data Fiduciary to comply with DPDPA
  • ✓ Order correction of data
  • ✓ Order erasure of data
  • ✓ Order restoration of access
  • ✓ Order compensation to Data Principal

8.3 Penalty Powers

  • ✓ Impose penalties up to ₹250 crores (Schedule of penalties)
  • ✓ Daily penalties for continued violations
  • ✓ Public naming and shaming (publish violation)

9. Comparative Analysis: India vs GDPR vs CCPA

| Aspect | India (DPDPA) | EU (GDPR) | California (CCPA) |
|---|---|---|---|
| Complaint Body | Data Protection Board | Data Protection Authorities (each EU country) | Attorney General |
| Tiered System? | ✓ Yes (2-tier: Fiduciary → Board) | ⚠️ Depends (some countries require internal first) | ✗ No internal requirement |
| Complaint Fee? | ✓ Yes (₹500, reduced for vulnerable) | ✗ No (free) | ✗ No (free) |
| Response Timeline | 30 days (Fiduciary), variable (Board) | Variable by DPA | 45 days (business response) |
| Compensation | ✓ Board can order | ✓ DPA can order + private lawsuits | ✓ Private right of action (some violations) |
| Appeal | TDSAT → Supreme Court | National courts | Courts |

10. Practical Compliance Guidance

10.1 Sample Grievance Letter

📧 Grievance Template

Subject: Grievance under Section 13 DPDPA - [Your Name]

To: [Grievance Officer Name and Email]

Dear Sir/Madam,

GRIEVANCE UNDER SECTION 13, DIGITAL PERSONAL DATA PROTECTION ACT, 2023

Complainant Details:
Name: [Your Full Name]
Account/Customer ID: [ID]
Email: [Your Email]
Phone: [Your Phone]
Address: [Your Address]

Nature of Grievance:
[Select one or more]

  • Violation of consent requirements (Section 6)
  • No notice provided (Section 5)
  • Access request ignored (Section 11)
  • Correction request refused (Section 12)
  • Data breach / insecurity (Section 8)
  • Other: [Specify]

Facts:
[Describe what happened - include dates, specific incidents]

Evidence:
[List documents attached - screenshots, emails, etc.]

DPDPA Provisions Violated:
[Cite specific sections - e.g., "Section 6(1)(a) - consent was obtained through deceptive practice"]

Relief Sought:
[What do you want? E.g., "Please correct my data", "Please delete my account", "Please provide access", etc.]

Notice:
As per Section 13(1), I am first approaching you to resolve this matter. If I do not receive a satisfactory response within 30 days, I reserve my right to file a complaint with the Data Protection Board under Section 13(2).

I look forward to your prompt response.

Sincerely,
[Your Name]
Date: [Today's Date]

Attachments: [List]

10.2 Data Fiduciary Response Checklist

✅ Grievance Response Checklist

UPON RECEIVING GRIEVANCE:

☐ Log complaint in system (with timestamp)
☐ Acknowledge within 7 days
☐ Assign to appropriate team
☐ Assess validity of complaint
☐ Investigate facts
☐ Determine if DPDPA violation occurred

IF VIOLATION FOUND:

☐ Admit violation honestly
☐ Apologize
☐ Correct the issue immediately
☐ Provide remedy to Data Principal
☐ Document corrective actions
☐ Implement preventive measures
☐ Respond within 30 days

IF NO VIOLATION:

☐ Explain why no violation
☐ Provide evidence/reasoning
☐ Be respectful and clear
☐ Inform about Board escalation right
☐ Respond within 30 days

FOLLOW-UP:

☐ Track if Data Principal satisfied
☐ If escalated to Board, cooperate fully
☐ Comply with Board orders
☐ Learn from complaint to improve systems

10.3 Common Section 13 Violations

🚫 Top 10 Grievance Redressal Violations

1. No Grievance Officer

❌ No published contact for grievances

Penalty: ₹10 crores (Schedule Item 4)

2. Ignoring Grievances

❌ Not responding to complaints

Penalty: ₹200 crores (denial of rights)

3. Delayed Response

❌ Responding after 60+ days

Penalty: ₹200 crores

4. Dismissive Responses

❌ "We don't care" / "Deal with it"

Penalty: ₹200 crores + reputation damage

5. No Investigation

❌ Rejecting complaint without examining facts

Penalty: ₹200 crores

6. Retaliation

❌ Punishing users who file grievances

Penalty: ₹200 crores

7. No Record-Keeping

❌ Not logging grievances received

Penalty: ₹50 crores (documentation failure)

8. Obstruction

❌ Making grievance filing deliberately difficult

Penalty: ₹200 crores

9. False Promises

❌ "We'll fix it" but never do

Penalty: ₹200 crores

10. Board Non-Cooperation

❌ Not responding to Board inquiries

Penalty: ₹250 crores + contempt

11. Conclusion: The Right to Be Heard

Section 13 transforms data protection rights from paper promises to enforceable entitlements.

Without grievance redressal, rights are meaningless. With Section 13, Data Principals have a clear path to enforce their rights:

  1. Try internal resolution (fast, free)
  2. Escalate to Board if needed (independent adjudication)
  3. Board can order compliance + impose penalties
  4. Appeal to TDSAT and Supreme Court if needed

"Rights without remedies are like ships without sails - they exist, but go nowhere."

Section 13 provides the sails.

Key Principles:

  1. Two-Tier System: Fiduciary first, Board second
  2. 30-Day Response: Data Fiduciaries must respond
  3. No Satisfaction = Escalation: Board complaint if unhappy
  4. Nominal Fee: ₹500 (₹100 for vulnerable groups)
  5. Board Powers: Can investigate, order compliance, impose penalties
  6. Appeal Rights: TDSAT → Supreme Court

Section 13 is the enforcement backbone of DPDPA - ensuring rights are not just written, but realized.

Comprehensive Legal Interpretation Complete

Section 13 DPDPA 2023 - Right of Grievance Redressal

  • ✓ Two-tier grievance system explained
  • ✓ Complete process timelines
  • ✓ Philosophical foundations (Ubi Jus Ibi Remedium)
  • ✓ Constitutional framework (Article 32, 14)
  • ✓ Grievance letter template
  • ✓ Board complaint process
  • ✓ Fee structure (₹500)
  • ✓ Board powers enumerated
  • ✓ GDPR & CCPA comparison
  • ✓ Response checklist for Data Fiduciaries
  • ✓ 10 common violations

© 2026 Prepared by Advocate (Dr.) Prashant Mali

International Data Protection Lawyer | Cyber Law Expert


Site maintained by Advocate (Dr.) Prashant Mali for Public in General interest
