Rule 13 OF DPDP RULES 2025
Rights of Data Principals.

(1) For enabling Data Principals to exercise their rights under the Act, the Data Fiduciary and, where applicable, the Consent Manager, shall publish on its website or app, or both, as the case may be, —
(a) the details of the means using which a Data Principal may make a request for the exercise of such rights; and
(b) the particulars, if any, such as the username or other identifier of such a Data Principal, which may be required to identify her under its terms of service.
(2) To exercise the rights of the Data Principal under the Act to access information about personal data and its erasure, she may make a request to the Data Fiduciary to whom she has previously given consent for processing of her personal data, using the means and furnishing the particulars published by such Data Fiduciary for the exercise of such rights.
(3) Every Data Fiduciary and Consent Manager shall publish on its website or app, or both, as the case may be, the period under its grievance redressal system for responding to the grievances of Data Principals and shall, for ensuring the effectiveness of the system in responding within such period, implement appropriate technical and organisational measures.
(4) To exercise the rights of the Data Principal under the Act to nominate, she may, in accordance with the terms of service of the Data Fiduciary and such law as may be applicable, nominate one or more individuals, using the means and furnishing the particulars published by such Data Fiduciary for the exercise of such right.
(5) In this rule, the expression “identifier” shall mean any sequence of characters issued by the Data Fiduciary to identify the Data Principal and includes a customer identification file number, customer acquisition form number, application reference number, enrolment ID or licence number that enables such identification.

Legal Interpretation of Rule 13 of DPDP Rules 2025: Rights of Data Principals

Putting Data Principals in Control

At its core, Rule 13 is all about empowerment. It ensures that individuals—referred to as Data Principals—retain control over their personal data. Think of it as giving the steering wheel of data privacy back to the user. This rule sets clear guidelines for Data Fiduciaries and Consent Managers, ensuring transparency, accessibility, and responsiveness.

1. Transparency Through Published Means

Under Rule 13(1), every Data Fiduciary and Consent Manager must publish on their website or app the specific means by which a Data Principal can make a request to exercise their rights. This ensures that users aren’t left guessing about how to reclaim control over their data.

For instance:

  • If you’re using a streaming service, the platform should provide a clear link or section where you can request data access or erasure.
  • Details such as your username or unique identifier—like an account number—may be required to verify your identity. This protects both you and the platform from unauthorized requests.

2. Exercising the Right to Access and Erasure

Under Rule 13(2), Data Principals have the right to access information about their personal data or request its erasure. This can be done by making a request to the Data Fiduciary to whom they previously gave consent for processing, using the means and furnishing the particulars that the Data Fiduciary has published. The rule also ensures that the means to make these requests are straightforward and clearly communicated.

Example:

Imagine you’ve previously consented to a food delivery app collecting your order history. Later, you decide you no longer want them to store this data. Rule 13 ensures that you can request its erasure easily, with the app providing a clear pathway to make this request.

3. Grievance Redressal Timelines

The rule doesn’t stop at transparency—it also mandates accountability. Rule 13(3) requires Data Fiduciaries and Consent Managers to:

  • Publish the timeline within which they will address grievances.
  • Implement technical and organizational measures to ensure these timelines are met.

Why does this matter? Because an effective grievance redressal system builds trust. If a Data Principal faces delays or roadblocks in exercising their rights, it could undermine the entire framework of the DPDP Act.

4. The Right to Nominate

Rule 13 also touches upon a unique right—the right to nominate. Under Rule 13(4), a Data Principal can nominate individuals to exercise their rights on their behalf. This provision is particularly helpful for scenarios involving incapacitated individuals or minors.

Example:

Let’s say an elderly individual wants their next of kin to handle their data-related requests. The nominee, in accordance with the terms of service and applicable laws, can act on behalf of the Data Principal.

5. Defining Identifiers

The rule defines “identifier” broadly, covering any unique sequence of characters issued by the Data Fiduciary. This could range from:

  • Customer identification numbers.
  • Enrollment IDs.
  • Reference numbers.

Such identifiers are crucial for verifying requests and ensuring they’re processed for the correct individual.

Why Rule 13 is a Game-Changer

Rule 13 marks a significant step toward making data rights tangible for everyday users. It does so by ensuring:

  1. Clarity through published means.
  2. Accessibility for exercising rights like access and erasure.
  3. Accountability through grievance redressal timelines.
  4. Inclusivity with the right to nominate.

The rule sets a new standard for user empowerment.

Challenges and Considerations

While the framework is robust, challenges remain:

  • Awareness: Many users may still be unaware of their rights.
  • Complexity: Not all platforms will have seamless processes in place.
  • Timeliness: Ensuring prompt grievance redressal will require significant effort, particularly for platforms with a high volume of users.

Final Thoughts

Rule 13 of the DPDP Rules, 2025, champions user rights in a meaningful way. By making the process transparent, accessible, and user-friendly, it ensures that Data Principals aren’t just passive participants but active stakeholders in their digital privacy. Whether you’re interacting with social media giants, e-commerce platforms, or fintech apps, Rule 13 ensures your rights are respected, your data is protected, and your voice is heard.

This rule serves as a beacon of accountability in the evolving landscape of digital data privacy, ensuring that the balance of power tilts back in favor of individuals.

© 2024 Advocate (Dr.) Prashant Mali


Site maintained by Advocate (Dr.) Prashant Mali for Public in General interest