10 scenario-based questions on rights under India's DPDP Act 2023 — §§11–14. Get your score and see where your gaps are.
India's Digital Personal Data Protection Act 2023 creates a structured set of rights for Data Principals — the individuals whose personal data is processed. Unlike the GDPR, which has nine distinct rights, the DPDP Act 2023 consolidates four core rights under Chapter III, plus a separate right of nomination under §14.
For DPOs and compliance teams in BFSI, these rights create operational obligations. When a data principal exercises a right, your organisation must respond correctly — or face enforcement action from the Data Protection Board. Getting the rights taxonomy wrong is one of the most common failures in DPO readiness assessments.
Section 17 permits the Central Government to exempt certain Data Fiduciaries from obligations — including some rights obligations — in the interests of sovereignty, security, and public order. These exemptions are blanket: no individual right can override a §17 notification. State-controlled entities processing certain categories of data often operate under partial or full exemptions. The quiz includes a question on this to test awareness of where rights stop.
The quiz below uses scenarios drawn from real BFSI contexts — banking KYC, insurance claim data, fintech consent flows, and healthcare records. Each question includes the correct DPDP Act section reference after you answer.
§11 grants the data principal the right to obtain a summary of personal data being processed by the Data Fiduciary, the processing activities, identities of Data Processors, and other Data Fiduciaries to whom the data has been disclosed. This is the access/information right.
Section reference: DPDP Act §11

§8(7) requires Data Fiduciaries to erase personal data once the purpose is fulfilled — unless retention is required by law. RBI Master Directions mandate specific retention periods. The DPDP Act does not override sector-specific legal retention requirements. The erasure right under §12 is subject to this exception.
Section reference: DPDP Act §12, §8(7)

§13 establishes the right to grievance redressal. A data principal must first approach the Data Fiduciary's Grievance Officer. If unsatisfied with the response — or if there is no response — they may file a complaint with the Data Protection Board (DPB). The DPB is the statutory adjudicatory body for DPDP Act complaints.
Section reference: DPDP Act §13, §27

§14 grants every data principal the right to nominate any other individual to exercise their rights under the DPDP Act in the event of death or incapacity. This is a unique provision in the DPDP Act with no direct equivalent in many other privacy laws. Data Fiduciaries must build nomination workflows into their consent and rights management processes.
Section reference: DPDP Act §14

§6(4) allows withdrawal of consent, but §8(3) and §4 permit processing personal data without consent where it is necessary to fulfil a legal obligation or comply with a law or court order. If SEBI regulations mandate email delivery of notices, the fintech has a lawful basis beyond consent. The withdrawal removes the consent-based basis but does not extinguish the legal-obligation basis.
Section reference: DPDP Act §6(4), §4, §8(3)

§17 empowers the Central Government, by notification, to exempt any Data Fiduciary or class of Data Fiduciaries from all or some obligations under the DPDP Act — including Chapter III rights obligations — in the interests of sovereignty, public order, or security. Government entities processing data under specific national schemes may operate under such exemptions. DPOs in private BFSI should verify whether their public-sector clients or data-sharing counterparties operate under §17 exemptions.
Section reference: DPDP Act §17

§6(4) grants the data principal the right to withdraw consent at any time, and critically — withdrawal must be as easy as giving consent. Where consent was collected for multiple distinct purposes (marketing vs. clinical communication), the data principal can withdraw for specific purposes without affecting other lawfully consented processing. This is the consent granularity principle that DPDP-compliant consent management systems must implement.
Section reference: DPDP Act §6(4), §6(1)

§13 establishes a two-step process: first, the data principal must exhaust the Data Fiduciary's internal grievance mechanism. If the Grievance Officer fails to resolve the matter satisfactorily (or at all), the data principal may then file a complaint with the Data Protection Board under §28. The DPB has the power to investigate, summon, and impose penalties.
Section reference: DPDP Act §13, §28

§10 imposes additional obligations on Significant Data Fiduciaries, including mandatorily appointing a Data Protection Officer who must be resident in India and report to the Board of Directors (or equivalent governing body). While all Data Fiduciaries must have a Grievance Officer, the DPO with board-level reporting is exclusively an SDF requirement. This is a key distinction for BFSI compliance teams managing tiered obligations.
Section reference: DPDP Act §10, §11(2)

Under the DPDP Act, the Data Fiduciary is the primary obligated entity: it determines the purpose and means of processing and is accountable for ensuring that data principal rights are fulfilled. Data Processors act only on instructions from the Data Fiduciary under a valid contract (§8(2)). A Processor's breach can also attract liability, but the Data Fiduciary cannot escape responsibility by pointing to the Processor. This is a critical principle for BFSI entities outsourcing technology operations.
Section reference: DPDP Act §8(2), §2(i), §2(j)

The DPDP Assurance Platform automates data principal rights workflows — rights request intake, Grievance Officer routing, response tracking, and DPB escalation readiness. Built for Indian BFSI.