DPDP enforcement deadline: May 2027 · Rules notified Nov 2025 · Penalty exposure up to ₹250 Cr

Quick Answer

How must organisations respond to data subject access requests under DPDP?

Under the DPDP Act 2023, a data principal has the right to obtain information about the personal data a Data Fiduciary holds about them and can request correction or erasure of inaccurate or outdated data. Organisations must acknowledge and respond to Data Subject Access Requests (DSARs) within the timeframe prescribed in the rules — anticipated to be 30 days for standard requests. If the Grievance Officer fails to resolve the complaint, the data principal may escalate to the Data Protection Board within 30 days of receiving the Grievance Officer's response.

DPDP DSAR Tracker — Manage Data Subject Access Requests Efficiently

Chapter III of the DPDP Act gives Data Principals the right to access, correct, and erase their data. Are you ready to respond within 30 days?

Step 1: Organisation Profile
Tell us about your organisation so we can calibrate your readiness assessment.
Step 2: Rate Your Current DSAR Process
Answer honestly — this assessment is for your internal use only. Your answers determine your DSAR Readiness Score.
  1. Do you have a dedicated channel (inbox/form) for data rights requests?
  2. Do you have a template response ready to send within 30 days?
  3. Do you log each request with date received and target response date?
  4. Can you verify the identity of requestors before processing their request?
  5. Do you have an escalation path for complex or disputed requests?
  6. Do you track requests that were denied, with documented reasons?
Free DSAR Tracker Template
Copy or download this template to start logging your Data Principal requests today.
| Request ID | Requestor Name | Date Received | Request Type | Due Date (30 days) | Status | Notes |
|---|---|---|---|---|---|---|
| DSAR-2026-001 | Rajesh Kumar | 15 Jun 2026 | Access Request | 15 Jul 2026 | In Progress | Identity verified via Aadhaar OTP |
| DSAR-2026-002 | Priya Sharma | 18 Jun 2026 | Erasure Request | 18 Jul 2026 | Completed | Data erased from all systems on 20 Jun |
| DSAR-2026-003 | Amit Patel | 20 Jun 2026 | Correction Request | 20 Jul 2026 | Pending | Awaiting identity verification documents |

Full DSAR Response Kit — ₹799

₹799 one-time
Everything you need to handle Data Principal requests professionally and within DPDP Act timelines.
  • Complete DSAR SOP (10-page Standard Operating Procedure)
  • 5 response email templates (acknowledgement, access fulfillment, correction confirmation, erasure confirmation, denial with reason)
  • Identity verification checklist (step-by-step guide)
  • Escalation flowchart (PDF — who decides what and when)
  • 12-month tracker spreadsheet (Excel format, auto-calculates due dates)
Secure payment via Razorpay · Kit delivered in 15 min · Not legal advice

Data Principal Rights under the DPDP Act

Chapter III of the Digital Personal Data Protection Act, 2023 establishes a comprehensive set of rights for Data Principals — any natural person whose digital personal data is processed. These rights represent a significant shift in how Indian organisations must approach data governance, moving from a consent-and-collect model to one where individuals retain ongoing control over their information.

The Act recognises four core rights:

  1. Right to Access Information (Section 11): Data Principals may request a summary of the personal data the Fiduciary holds about them, the purposes for which it is being processed, and the identities of any Data Processors or other Fiduciaries with whom the data has been shared. Organisations must maintain data inventories granular enough to respond accurately and within the mandated timeline.
  2. Right to Correction and Erasure (Section 12): Data Principals can demand that inaccurate or misleading personal data be corrected, that incomplete data be completed, and that data no longer necessary for the original purpose be erased. The Fiduciary must comply unless a lawful ground for retention exists — such as a legal obligation or ongoing proceedings.
  3. Right to Grievance Redressal (Section 13): Every Fiduciary must establish a readily accessible grievance redressal mechanism. Data Principals who are unsatisfied with the organisation's response can escalate to the Data Protection Board of India, which has investigative and adjudicatory powers.
  4. Right to Nominate (Section 14): A Data Principal may nominate another individual to exercise their rights in the event of their death or incapacity — a provision unique to Indian data protection law, reflecting family-centric social norms.

These rights currently apply only to digital personal data. Physical records, legacy paper files, and non-automated processing are outside the Act's scope for now, though organisations should expect future expansion.

The 30-Day DSAR Response Timeline

The DPDP Act and the draft Digital Personal Data Protection Rules, 2025 require Data Fiduciaries to respond to a Data Principal's rights request within a specified period — currently 30 days under the draft Rules. This is not simply an acknowledgement deadline: the Fiduciary must provide a substantive response within 30 days, either fulfilling the request or communicating a documented reason for denial.

What the 30-day clock covers:

Failure to respond within 30 days — or providing a materially incomplete response — constitutes non-compliance. Data Principals may file a complaint directly with the Data Protection Board of India, which can impose financial penalties of up to ₹250 crore per instance under Section 33. Partial responses, delayed responses, and responses that ignore part of the request are all treated as violations. Organisations that process high volumes of personal data — particularly IT, HRMS, healthcare, and e-commerce players — must build automated DSAR workflows to reliably meet this deadline at scale.