What Rights Do Data Principals Have Under DPDP? All 5 Explained 2026

Every individual whose personal data is processed by a Data Fiduciary in India holds 5 legally enforceable rights under the DPDP Act, 2023. These are not aspirational privacy principles. They are obligations backed by ₹50 crore per violation in penalties, enforceable by the Data Protection Board of India today.

Meesho manages personal data for over 120 million users across its e-commerce platform. Each of those users holds all 5 rights simultaneously. A single unresolved rights request is a ₹50 crore exposure. A systematic failure to build the fulfillment infrastructure is a compounding liability at scale.

What you will master in this guide:

  • All 5 DPDP data principal rights and what each one requires from a Data Fiduciary
  • The specific Databricks pipeline each right demands
  • The 30-day fulfillment timeline and what happens when it is missed
  • The common implementation gaps that create rights fulfillment exposure

For the workflow architecture to fulfill these rights, read how do you fulfill data principal requests on Databricks: the workflow architecture 2026.

What Is a Data Principal Under DPDP and Who Holds These Rights?

A data principal is any individual whose personal data is being processed by a Data Fiduciary. Under DPDP, this means every Indian resident whose name, contact details, financial data, health data, behavioral data, or any other personal information is collected, stored, or used by your organization.

The rights apply to all data principals. There is no minimum data volume, no registration requirement, and no opt-in for rights eligibility. If your platform collects personal data from an Indian resident, that resident holds all 5 rights against your organization automatically.

This is “The Rights Gap”: the distance between the rights that DPDP grants every data principal and the operational infrastructure most organizations have built to fulfill them. Most organizations have a grievance email address. DPDP requires a rights fulfillment architecture.

Every Indian resident whose personal data you process holds 5 legally enforceable rights against your organization. The infrastructure to fulfill them is your obligation, not theirs to pursue.

Right 1: What Is the Right to Access Information Under DPDP?

Section 11(a) of the DPDP Act grants data principals the right to obtain from the Data Fiduciary:

  • A summary of the personal data being processed → The data principal is entitled to know what data you hold, not just that you hold it
  • The processing activities being undertaken → Each purpose must be stated separately, which is why purpose-specific consent records are required in the first place
  • The identities of any Data Processors and other Data Fiduciaries to whom the data has been shared → This means your data sharing register must be queryable at the individual principal level

What this requires from your Databricks estate: Your access fulfillment pipeline must query all PII-tagged tables in Unity Catalog, aggregate every record linked to the requesting principal’s ID, and return a structured summary covering data categories, processing purposes, and sharing relationships. The query must reach across bronze, silver, and gold layers.

The fiduciary obligation: Provide the requested summary within 30 days of receiving the validated request. Each failure to fulfill is a separate violation.

The gap most organizations have: Aggregating a single data principal’s records across a multi-table, multi-layer Databricks estate requires a principal ID join that spans every PII-tagged table. Without a complete PII inventory and a principal ID indexing layer, manual fulfillment takes days per request.

Right 2: What Is the Right to Correction and Completion Under DPDP?

Section 11(b) grants data principals the right to correction of inaccurate personal data and completion of incomplete personal data held by the Data Fiduciary.

What this requires from your Databricks estate: Your correction pipeline must locate the specific data fields containing the inaccurate or incomplete data, apply the correction or completion, and propagate the update across all tables and layers where the data appears. A correction applied at the silver layer that does not update the bronze-layer source or the gold-layer aggregate is a partial fulfillment.

The fiduciary obligation: Apply the requested correction within 30 days. Corrections must be accurate: applying a data principal’s requested correction without validating it introduces its own data quality risk.

The gap most organizations have: Update propagation across layers. Most Databricks pipelines process bronze to silver to gold in one direction. Reverse propagation of a correction requires a specifically designed correction workflow that most standard pipelines do not include.

Right 3: What Is the Right to Erasure Under DPDP?

Section 11(c) grants data principals the right to erasure of personal data in 2 circumstances:

  • Where the data principal withdraws consent for processing → This is event-driven: withdrawal triggers the erasure obligation immediately, not at the next scheduled batch
  • Where the personal data is no longer necessary for the purpose for which it was collected → This is a continuous obligation: personal data that has served its purpose must be erased proactively, not retained indefinitely

What this requires from your Databricks estate: Cascade deletion across all layers. The erasure pipeline must identify every table containing the principal’s records using the PII inventory, execute DELETE or anonymization operations across bronze, silver, and gold layers, purge Delta table history using VACUUM, and generate a cryptographic erasure certificate as audit evidence.

The fiduciary obligation: Erasure must be complete. Partial erasure is non-compliance. A pipeline that deletes from the current silver table but retains the records in Delta history or gold-layer aggregates has not fulfilled the right.

The gap most organizations have: Delta table history retention. Standard Databricks configurations retain historical data versions for 7 to 30 days. An erasure that does not call VACUUM on the affected tables leaves the principal’s data in table history, creating a DPDP violation even after the “erasure” job completes.
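The cascade erasure described above, sketched as an added example (not code from the original article or from any vendor): it builds the DELETE and VACUUM statements from a PII inventory and refuses to issue an erasure certificate while any inventoried table still has unpurged history. The table names, the shape of the job results, and the certificate format (an HMAC-SHA256 over a canonical manifest, standing in for whatever signing scheme you adopt) are assumptions, since the page does not define them.

```python
import hashlib, hmac, json, re

# Constructed PII inventory (assumption): table -> column holding the principal ID.
PII_INVENTORY = {
    "main.bronze.orders_raw": "customer_id",
    "main.silver.customers": "customer_id",
    "main.gold.customer_ltv": "customer_id",
}
IDENT = re.compile(r"^[A-Za-z_]\w*(\.[A-Za-z_]\w*){0,2}$", re.ASCII)

def build_erasure_plan(inventory, retain_hours=168):
    """DELETE from every inventoried table, then VACUUM each one.
    The principal ID is a named parameter marker bound at execution time,
    e.g. spark.sql(stmt, args={"principal_id": ...}); it is never interpolated."""
    for name in [*inventory, *inventory.values()]:
        if not IDENT.match(name):
            raise ValueError(f"unsafe identifier in inventory: {name!r}")
    deletes = [f"DELETE FROM {t} WHERE {c} = :principal_id" for t, c in inventory.items()]
    # 168 hours is Delta's default retention; files holding the deleted rows
    # are only removed once they are older than this threshold.
    vacuums = [f"VACUUM {t} RETAIN {int(retain_hours)} HOURS" for t in inventory]
    return deletes + vacuums

def _mac(key, label, data):
    return hmac.new(key, label + data.encode(), hashlib.sha256).hexdigest()

def _canonical(manifest):
    return json.dumps(manifest, sort_keys=True, separators=(",", ":"))

def issue_certificate(principal_id, inventory, results, key, completed_at):
    """results: {table: {"deleted": int, "vacuumed": bool}} reported by the job.
    Refuses to certify unless every inventoried table was deleted from AND vacuumed."""
    pending = sorted(t for t in inventory if not results.get(t, {}).get("vacuumed"))
    if pending:
        raise RuntimeError(f"erasure incomplete, history not purged: {pending}")
    manifest = {
        # Keyed hash, so the certificate itself does not retain the raw identifier.
        "principal_ref": _mac(key, b"principal:", principal_id),
        "completed_at": completed_at,
        "rows_deleted": {t: results[t]["deleted"] for t in sorted(inventory)},
    }
    return {"manifest": manifest, "mac": _mac(key, b"manifest:", _canonical(manifest))}

def verify_certificate(cert, key):
    expected = _mac(key, b"manifest:", _canonical(cert["manifest"]))
    return hmac.compare_digest(expected, cert["mac"])
```

Keep the HMAC key in a secrets store separate from the data estate, so that a certificate cannot be forged by anyone with write access to the audit table.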

Right 4: What Is the Right to Grievance Redressal Under DPDP?

Section 13 grants data principals the right to submit a grievance to the Data Fiduciary’s designated grievance officer and receive a response within 30 days.

What this requires from your operations: A named grievance officer who is accessible to data principals through your application and website. A grievance intake system that accepts complaints, creates a logged record, routes to the grievance officer, and tracks resolution. A process for responding to the data principal within 30 days with the outcome of the grievance.

The fiduciary obligation: Appoint a grievance officer. Make contact information available on your platform. Respond to every grievance within 30 days. If the grievance is unresolved by the Data Fiduciary, the data principal may escalate to the Data Protection Board of India (DPBI).

The gap most organizations have: Grievance logging and SLA tracking. Many organizations have a grievance email address but no system that tracks whether the 30-day response window is being met across all incoming grievances. An email inbox is not a grievance management system.

Right 5: What Is the Right to Nomination Under DPDP?

Section 14 grants data principals the right to nominate another individual to exercise their rights in the event of death or incapacity.

What this requires from your operations: A nomination intake process within your application that accepts a nominee’s identity details and the conditions of nomination. The nomination record must be linked to the data principal’s account and be accessible to your rights fulfillment team for validation when a nominee submits a request.

The fiduciary obligation: Accept and store valid nominations. When a nominee submits a rights request on behalf of a deceased or incapacitated principal, validate the nomination and fulfill the request as if submitted by the principal.

The gap most organizations have: Nomination is the right that most data platforms have not built for. It requires a specific intake form, document validation capability, and a modified rights fulfillment flow that accepts requests from a validated nominee rather than from the registered principal. Most platforms simply do not have this workflow.

What Is the Complete DPDP Rights Fulfillment Summary?

| Right | Governing Section | What the Principal Can Request | Fulfillment Timeline | Penalty for Non-Fulfillment |
| --- | --- | --- | --- | --- |
| Access | Section 11(a) | Summary of data held and processing activities | 30 days | Up to ₹50 crore per violation |
| Correction | Section 11(b) | Correction or completion of inaccurate or incomplete data | 30 days | Up to ₹50 crore per violation |
| Erasure | Section 11(c) | Deletion of data upon consent withdrawal or purpose completion | 30 days | Up to ₹50 crore per violation |
| Grievance | Section 13 | Resolution of any grievance against the Data Fiduciary | 30 days | Up to ₹50 crore per violation |
| Nomination | Section 14 | Registration of a nominee to exercise rights posthumously | Immediate | Up to ₹50 crore per violation |

Final Verdict

The 5 DPDP data principal rights are not aspirational. They are operational infrastructure requirements. Each right requires a distinct pipeline on Databricks: PII aggregation for access, cross-layer propagation for correction, cascade deletion for erasure, grievance routing for redressal, and nomination validation for the fifth right. The ₹50 crore per violation penalty means that a systematic gap in any one of these pipelines compounds with every unfulfilled request.

The organizations that build all 5 rights fulfillment pipelines before the May 2027 enforcement deadline are the ones that absorb data principal requests as routine operational events. The organizations that do not are the ones that treat each request as a manual crisis.

For the complete workflow architecture, read how do you fulfill data principal requests on Databricks: the workflow architecture 2026.

FAQ: DPDP Data Principal Rights

What are the 5 rights under the DPDP Act?

The 5 data principal rights under DPDP are: (1) right to access a summary of personal data held and processing activities, (2) right to correction and completion of inaccurate or incomplete data, (3) right to erasure of personal data upon consent withdrawal or purpose completion, (4) right to grievance redressal within 30 days, and (5) right to nominate another individual to exercise rights posthumously.

What is the timeline for fulfilling DPDP rights requests?

The DPDP Act and Rules require rights requests to be fulfilled within 30 days of receiving a validated request. The 30-day clock starts at intake validation. The grievance redressal right also carries a 30-day response requirement under Section 13.

What is the penalty for not fulfilling a DPDP rights request? 

Up to ₹50 crore per violation under Section 11 and Rule 14. Since each unfulfilled rights request is a separate violation, the penalty compounds with every missed request at enterprise scale.

What is the right to nomination under DPDP?

Section 14 grants data principals the right to nominate another individual to exercise their DPDP rights in the event of death or incapacity. Data Fiduciaries must accept nominations, store them linked to the principal’s account, and honor nominated rights requests upon validation.

Does DPDP right to erasure apply to all copies of personal data?

Erasure applies to all copies of personal data held by the Data Fiduciary, including Delta table history versions. A pipeline that deletes current records but retains Delta history is non-compliant. The VACUUM operation on affected tables is a required component of a complete erasure.

What is the difference between DPDP right to erasure and GDPR right to be forgotten?

Both rights allow data principals to request deletion of their personal data. The key difference is the legal basis: under GDPR, erasure applies when legitimate interest is outweighed or data is no longer necessary. Under DPDP, erasure applies specifically upon consent withdrawal or purpose completion. DPDP also applies this right uniformly across all personal data without a special category distinction.

What does DPDP require for a grievance officer?

Section 13 requires every Data Fiduciary to appoint a grievance officer who is accessible to data principals through the organization’s application or website. The officer must respond to grievances within 30 days. If the grievance is not resolved, the data principal may escalate directly to the Data Protection Board of India.

Automate DPDP Rights Fulfillment with Sinki.ai

Sinki.ai’s Data Erasure platform automates 3 of the 5 DPDP rights fulfillment workflows directly inside your Databricks workspace, including access aggregation, cascade erasure with certificate generation, and correction propagation.

Written by Paras Dhyani

Paras Dhyani is a Databricks Certified Data Engineer Professional specializing in scalable data architecture and analytics. He focuses on transforming complex data challenges into streamlined, production-ready engineering solutions. Through his writing, Paras provides practical insights into building and optimizing high-performance systems on the Databricks platform.
