Section 13 DPDPA

Right of grievance redressal.


13.(1) A Data Principal shall have the right to have readily available means of grievance redressal provided by a Data Fiduciary or Consent Manager in respect of any act or omission of such Data Fiduciary or Consent Manager regarding the performance of its obligations in relation to the personal data of such Data Principal or the exercise of her rights under the provisions of this Act and the rules made thereunder.

(2) The Data Fiduciary or Consent Manager shall respond to any grievances referred to in sub-section (1) within such period as may be prescribed from the date of its receipt for all or any class of Data Fiduciaries.

(3) The Data Principal shall exhaust the opportunity of redressing her grievance under this section before approaching the Board.

Applicable DPDP Rule 2025

Rule 13: Rights of Data Principals

Section 14 DPDPA →
DPDPA
Table of contents


Report error

Legal Interpretation of the

Section 13 of the Digital Personal Data Protection Act, 2023 (DPDPA)

Introduction

Section 13 of the Digital Personal Data Protection Act (DPDPA), 2023 (India) establishes a framework for Data Principals to seek timely and effective resolution of grievances arising from the processing of their personal data. This right to grievance redressal is fundamental to ensuring that Data Principals are not left powerless in the face of data misuse, non-compliance, or infringements of their data protection rights. By providing a legal avenue to raise complaints and secure remedies, Section 13 strengthens trust and accountability in the digital ecosystem.

Key Provisions of Section 13

1. Right to Lodge a Complaint with the Data Fiduciary

Under Section 13, if a Data Principal believes that a Data Fiduciary or a Data Processor has violated their rights under the Act—such as failing to protect their data, not honoring a request for correction or erasure, or misusing their personal information—they can initially approach the Data Fiduciary’s designated grievance redressal mechanism.

2. Internal Grievance Redressal Mechanism

The Act requires Data Fiduciaries to establish and maintain an efficient, fair, and prompt internal grievance handling mechanism. This ensures that complaints are addressed at the source before escalating to external authorities. The process should be:

  • Accessible: The complaint submission process should be user-friendly and clear.
  • Timely: The Data Fiduciary should resolve the grievance within a reasonable period prescribed by rules.
  • Transparent: Data Principals should be informed about the status and outcome of their complaints.

3. Escalation to the Data Protection Board

If a Data Principal is dissatisfied with the resolution provided by the Data Fiduciary—or if the grievance remains unaddressed within the stipulated time—they can escalate their complaint to the Data Protection Board of India. The Board acts as an independent adjudicatory body with the authority to investigate complaints, issue orders, and impose penalties where warranted.

4. Remedies and Enforcement

The Data Protection Board’s decisions can include:

  • Directives to Comply: Ordering the Data Fiduciary to correct processing activities, update or delete personal data, or improve security measures.
  • Monetary Penalties: In cases of serious non-compliance, the Board can impose significant fines, deterring lax data governance.

These remedies ensure that the right to grievance redressal is not merely symbolic but backed by enforceable consequences.

5. No Retaliation Against Complainants

Although not explicitly stated in Section 13, the spirit of the law suggests that Data Principals who seek redressal should not face retaliation for raising grievances. Protecting complainants encourages individuals to exercise their rights without fear.

Legal Interpretation

Empowerment of Data Principals:
Section 13 ensures that Data Principals are not left helpless if their privacy rights are violated. By mandating a grievance redressal mechanism, it empowers individuals to hold Data Fiduciaries accountable.

Enhancing Accountability and Compliance:
Knowing that their actions are subject to complaint and review, Data Fiduciaries are more likely to invest in proactive compliance. The possibility of formal grievances and potential penalties encourages adherence to data protection obligations.

Alignment with International Standards:
Many international data protection frameworks (e.g., GDPR) require effective redress mechanisms. Section 13’s provisions align India’s law with these global norms, fostering trust in transnational data flows.

Fostering a Culture of Transparency:
The obligation to provide timely and transparent resolutions fosters a culture of openness. As Data Principals gain confidence in these remedies, trust in digital services grows, strengthening the data protection ecosystem.

Illustrations

1. Social Media Platform – Unresolved Data Request

Scenario:
A user requested correction of their personal details on a social media platform but received no response for weeks.

Application:
The user files a grievance through the platform’s complaint portal. The grievance officer reviews the complaint and ensures the correction request is processed promptly. If the platform fails to act, the user can escalate the matter to the Data Protection Board, potentially resulting in penalties or orders for compliance.

2. E-Commerce Service – Unauthorized Data Sharing

Scenario:
A customer learns that an online retailer shared their purchase history with a third-party marketer without proper consent.

Application:
The customer lodges a complaint with the retailer’s grievance mechanism. The retailer investigates and confirms the violation, ceases the unauthorized sharing, and puts stricter controls in place. If the customer remains dissatisfied, they can approach the Data Protection Board for further enforcement.

3. Banking Services – Data Breach Notification

Scenario:
A bank customer feels the bank’s notification about a data breach affecting their account details was unclear and delayed.

Application:
The customer files a grievance with the bank’s officer. The bank provides a clearer explanation, mitigation steps, and preventive measures. If the response still falls short of the DPDPA standards, the customer can escalate to the Data Protection Board, which could impose corrective measures or fines.

Significance and Broader Impact

Strengthening the Data Protection Regime:
The right to grievance redressal makes data protection a lived reality rather than a mere concept. It ensures that statutory rights are backed by enforcement and remedies.

Deterrence Against Non-Compliance:
The possibility of formal complaints and penalties deters Data Fiduciaries from negligent data handling. Over time, this raises data protection standards industry-wide.

Building Public Confidence:
Reliable channels to address grievances increase public trust in digital services. This trust encourages innovation, growth, and more robust participation in the digital economy, benefiting both consumers and businesses.

Conclusion

Section 13 of the DPDPA, 2023, ensures that Data Principals have a clear pathway to seek redressal when their data rights are violated. By establishing internal grievance mechanisms and an avenue to escalate disputes to the Data Protection Board, the Act bolsters accountability and fairness. Ultimately, the right to grievance redressal nurtures a balanced digital environment where individuals can safeguard their privacy, enforce their rights, and trust the integrity of data handling practices.

© 2024 Advocate (Dr.) Prashant Mali