Your Rights, Your Superpowers

Authored by: indisec
Date released: September 9, 2025


In today’s hyperconnected world, being digitally active is not optional but inevitable. It exposes our data, and every click and every scroll leaves pieces of our identity in the public domain. Here’s the real twist: being digitally active is not the same as being digitally literate. Being digitally active means merely using digital platforms and services, whereas digital literacy goes beyond usage: it is the ability to critically and safely evaluate and create content in the digital environment. To put it simply, being digitally active is like driving without a map, while being digitally literate is knowing the rules of the road and how to reach the destination safely. This difference matters because the same digital doors that open up numerous opportunities also open paths for attackers to misuse your data.

Recognising the urgent need to protect the personal data and identity of citizens, India enacted the Digital Personal Data Protection Act (the DPDP Act) in 2023, a landmark law that reshaped how personal data is collected, stored, and used. It establishes clear obligations for organisations (Data Fiduciaries) handling personal information and grants users (Data Principals) a concrete set of rights over their own data. But even the strongest privacy law can only be as effective as the people who use it. To truly safeguard your digital footprint, you must know what protections the Act offers and how to invoke them. In other words, the DPDP Act opens the door to stronger digital privacy, but it’s your awareness and action that allow you to walk through it.

 

Guardians of Your Data: Rights You Hold under DPDP & GDPR

While doing a careful analysis of the DPDP Act, I realised that there is a certain level of similarity between this Act and the Indian Constitution. Just as the Constitution grants citizens certain rights while also imposing duties upon them, the DPDP Act similarly confers both rights and responsibilities upon Data Principals. However, to effectively exercise these rights, it is essential first to understand what they are. Let’s take a closer look at the rights available to us under the Act:

 

Right to Access Information (Section 11): Data principals have the right to access information about what categories of personal data are being processed, what processing activities are carried out on it, and all the third parties with whom it is being shared.

 

How to exercise this right: Data Principals will have the ability to request access to their data in order to examine the personal data that companies store and distribute. To help the company find their data, they will need to present proof of identity and other pertinent information. Businesses will give a summary of the request after they get it, enabling the principal to ask for any additional explanations or changes.

 

Right to Correction and Erasure of Personal Data (Section 12): If a data principal’s personal information is incorrect, incomplete, or out of date, they have the right to request that it be corrected. In certain situations, such as when the data is no longer required for the reasons for which it was obtained or when the user withdraws their consent, they may also request that their personal data be erased. This right guarantees the accuracy and timeliness of the data stored by data fiduciaries.

How to exercise this right: Requests for data erasure or rectification can be made by Data Principals via the appropriate channels. In order to assist verification, these requests must explicitly specify the data that needs to be updated or deleted and include identification documentation. Following that, companies will examine these requests, make the required adjustments, and notify the data principal of their progress.

 

Right to Grievance Redressal (Section 13): For any grievances or issues regarding the handling of their personal data, data principals are entitled to grievance redressal channels. This right gives data principals the ability to address concerns about data processing, including possible infringements on their rights under the DPDP Act, and guarantees that data fiduciaries are held accountable.

 

How to exercise this right: Data Principals will be able to file complaints via the channels that companies provide. These complaints should outline the problem in detail and may contain pertinent information and supporting documentation. Businesses will acknowledge receipt of the complaints, investigate, and respond to the data principal with the resolution or available options for further action, including escalation to the Data Protection Board if unresolved.

 

Right to Nominate (Section 14): In the event of death or disability, data principals may designate another person to exercise their data protection rights. Even if the data principal is unable to manage their own personal data, this right guarantees that it is handled in accordance with their desires. It gives them a method to assign a trusted individual to oversee or limit access to their personal information.

 

How to exercise this right: By submitting a request that includes the nominee’s name, contact information, and any special instructions pertaining to their authority, Data Principals will be able to designate a representative. Companies will confirm the nominee’s and data principal’s identity. The company will confirm the nomination and document the information after it has been validated. Notifications on their tasks and responsibilities will be sent to the nominee and the data principal.

The DPDP Act grants these rights for data principals to exercise, but an important question arises: are these rights truly enough? To get a clearer picture, let’s explore exactly what rights users enjoy under the General Data Protection Regulation (GDPR).

When the topic is digital privacy and data protection, the first legislation that comes to mind is the GDPR. The GDPR has set a high bar for all existing data privacy laws. Below are the rights available to the users whose data is being processed.

  • Right to be Informed (Articles 13, 14): The data subject has the right to be given information when his or her personal data is processed. Information about the personal data processing is to be given by the controller both when the data is collected and when the data subject otherwise so requests. The information shall be provided to the data subject free of charge in easily accessible, written form (which may be in electronic form) and be worded in clear, simple language.
  • Right to Access (Article 15): Data subjects have the right to access, i.e., to get confirmation from the controller as to whether or not their personal data is being processed and, if it is, to find out for what purpose it is processed, what categories of data are involved, and with whom the data is being shared.
  • Right to Rectification (Article 16): Any person has the right to contact a company or authority that processes personal data and request that inaccurate information be rectified. This also means that the individual has the right to add such personal data that is missing and that is relevant considering the purpose of the personal data processing. The entity processing the personal data must itself also ensure that the data is accurate and up to date.
  • Right to Restrict Processing (Article 18): Instead of requesting full deletion, individuals can place a “restriction” on how their data is processed. This right applies when the accuracy of the data is disputed, the processing is unlawful but the data subject opts for restriction over erasure, or the data is no longer needed except for legal claims. During this restriction period, organizations may store the data but cannot process it.
  • Right to Erasure (Right to be forgotten) (Article 17): Individuals can request deletion of their personal sensitive information under necessary circumstances.
  • Right to Object (Article 21): Individuals may object at any time to the processing of their personal data based on legitimate interests or public interest, as well as to processing for direct marketing (including profiling). Once an objection is raised, the organization must halt processing unless it can demonstrate compelling legitimate grounds to continue.
  • Right to Data Portability (Article 20): Individuals are entitled to receive their personal data in a structured, commonly used, and machine-readable format. They can also ask for the direct transmission of their data to another controller, if technically feasible. This right mainly covers data processed by automated means on the basis of consent.
  • Rights Related to Automated Decision-Making and Profiling (Article 22): Individuals have the right not to be subjected to decisions based solely on automated processing (including profiling) that produce legal or similarly significant effects. Although exceptions exist, such as explicit consent, contractual necessity, or legal authorization, safeguards must still be in place, including the right to human intervention.

The above-mentioned rights under the DPDP Act and the GDPR clearly show that the number of rights available under the GDPR is almost double that under the DPDP Act. For instance, the Right to be Informed is not explicitly offered as a right to data principals under the DPDP Act; rather, it is imposed as an obligation on fiduciaries. In other words, the GDPR can be seen as more “for the people,” whereas the DPDP Act appears more “for the country.” This explains why the DPDP Act carves out an exception which denies the Right to Erasure to Data Principals for the purposes mentioned under Section 17(2) read with Section 17(4) of the DPDP Act, which states that:

“(2) The provisions of this Act shall not apply in respect of the processing of personal data

(a) by such instrumentality of the State as the Central Government may notify, in the interests of sovereignty and integrity of India, security of the State, friendly relations with foreign States, maintenance of public order or preventing incitement to any cognizable offence relating to any of these, and the processing by the Central Government of any personal data that such instrumentality may furnish to it; and

(b) necessary for research, archiving or statistical purposes if the personal data is not to be used to take any decision specific to a Data Principal and such processing is carried on in accordance with such standards as may be prescribed.

(4) In respect of processing by the State or any instrumentality of the State, the provisions of sub-section (7) of section 8 and sub-section (3) of section 12 and, where such processing is for a purpose that does not include making of a decision that affects the Data Principal, sub-section (2) of section 12 shall not apply.”

Hence, the GDPR emerges as a more comprehensive and “rights-heavy” framework, covering almost every aspect of data control. In contrast, the DPDP Act is a lighter, more consent-centric regime that leaves several areas addressed by the GDPR untouched.

With Great Power Comes Great Responsibility

 

Imagine the internet as a giant library, with every service being a counter providing information, services, or goods. The DPDP Act, 2023 stands as the librarian’s rulebook: you are free to read, borrow, and even ask questions about your own records, yet you are required to behave responsibly. Just as a member of the library cannot falsify information on their membership form, pretend to be someone else, or lodge false complaints about missing books, a data principal in the digital sphere must provide accurate information, be truthful about their identity, and put forward only genuine grievances.

 

 

This two-way arrangement keeps the sprawling digital “library” orderly, safe, and just. The duties are provided under Section 15 of the Act and are discussed below:

  • Compliance with laws: Adhere to all applicable laws while exercising the rights provided under the Act.
  • No impersonation: Do not impersonate any other person while providing personal data.
  • No suppression of information: Information required for purposes such as unique identifiers must be complete and accurate.
  • No false complaints: File only genuine complaints, not false or frivolous ones.
  • Provide authentic information: Ensure that the personal data provided to the data fiduciary is authentic, particularly when seeking erasure or correction.

The Final Word: Turning Rights into Real Strength

By and large, both the DPDP Act and the GDPR uphold one cardinal truth: data protection is no longer a privilege but a necessity in this digital age. Laws construct frameworks, set boundaries, and provide remedies; however, their real strength comes from the manner in which people exercise the rights and uphold the duties they confer. When you know your digital rights, act on them, and insist on accountability, you switch from being a passive data subject to someone actively protecting their privacy. Hence, “your rights” become “your superpowers,” with which you can safely and confidently shape your own destiny through your personal data.

 
