India's data-protection law is now real. The DPDP Act 2023 plus the DPDP Rules 2025 (notified November 2025) give every Indian six rights over their personal data — including the right to have it erased — with companies required to respond in 90 days and penalties up to ₹250 crore. Full compliance is due by 13 May 2027, but you can start exercising your rights today.
For years, Indians had no practical way to control who held their personal data. That has changed. The Digital Personal Data Protection Act, 2023 was passed in August 2023, and the DPDP Rules 2025 that make it operational were notified by the government in November 2025. The Data Protection Board — the body that hears complaints — is being stood up, and enforcement is phased with a full compliance deadline of 13 May 2027.
In plain terms: the companies holding your phone number, address and identity now have legal obligations to you, and you have enforceable rights against them. Here's what that means and how to use it.
The words that matter
- Data Principal — you, the person the data is about.
- Data Fiduciary — the company that decides how your data is processed (the equivalent of a "controller").
- Data Protection Board (DPB) — the fully-digital adjudicating body you complain to. Complaints are filed and tracked online.
Your six rights under the DPDP Act
Right to notice & informed consent
Before taking your consent, a company must give you a clear, itemised, plain-language notice — what data, for what specific purpose, and how to complain. If a notice is vague or bundled, that's leverage when you push back.
Right to withdraw consent
Withdrawing consent must be as easy as giving it. Once you withdraw, the company must stop processing and erase your data unless a law requires it to keep it.
Right to access
You can ask a company what personal data it holds about you and who it has shared it with. This is powerful — it exposes the onward chain of who else has your data.
Right to correction
You can have inaccurate or outdated data fixed — useful for credit bureau, telecom and KYC mismatches that cause real-world problems.
Right to erasure
The headline right: you can demand deletion of your personal data under Section 12. This is exactly what Saaph helps you do across 50+ Indian platforms and data brokers.
Right to grievance redressal & nomination
If a company ignores you, you can escalate to its Grievance Officer and then to the Data Protection Board. You can also nominate someone to exercise your rights on your behalf.
What the DPDP Rules 2025 added
The 2023 Act set the principles; the 2025 Rules made them workable. They spell out consent mechanics, security safeguards, breach-reporting duties, retention and erasure timelines (including automatic-deletion clocks for large platforms after periods of inactivity), children's-data verification, and the registration of "Consent Managers" (a single dashboard to manage consent, opening from late 2026). For a section-by-section walkthrough written for citizens, see our DPDP Act 2023 guide.
The 90-day clock and the penalties
When you send a valid request, the company must act within 90 days. If it doesn't, you escalate. Penalties under the Act run up to ₹250 crore per instance for the most serious failures — but remember those penalties are paid to the government, not to you. So the real prize for an individual is simple: your data erased, plus a clean, timestamped record if you ever need to complain to the Board. If a company has already ignored you, read what to do when a company ignores your deletion request.
How to actually use these rights today
You don't have to wait for 2027. The mechanics already work:
- Find where you're exposed — start with the big ones: TrueCaller, JustDial, Zaubacorp, and the full list of Indian data brokers.
- See what an app actually holds — our plain-English app explorer shows what each service collects and the simple steps to opt out or delete.
- Send the erasure request — cite Section 12, keep yourself in copy, and track the 90-day deadline. Our data-deletion guide has a template you can copy.
On the other side of this law sit the businesses that have to comply. If you run one, our parent company Ronin Works handles DPDP compliance for Indian companies — the mirror image of what Saaph does for individuals.
Exercise your DPDP rights — start with a free scan
Saaph finds where your personal data is exposed across 50+ Indian platforms and data brokers, then helps you send DPDP Act erasure requests and tracks the 90-day window. Built in India, for India.
Run a free scan →FAQ
Is the DPDP Act in force yet?
The Act passed in 2023 and the DPDP Rules 2025 were notified in November 2025. Enforcement is phased, with full compliance due 13 May 2027 — but the Board exists and you can exercise your rights now.
What rights do I have?
Notice/consent, withdraw consent, access, correction, erasure, grievance redressal and nomination — with a 90-day response window.
What's the penalty if a company ignores me?
Up to ₹250 crore per instance for serious failures. Those go to the government; your practical remedy is erasure plus a documented Board complaint.
General information as of July 2026, based on the DPDP Act 2023 and DPDP Rules 2025 as notified. Not legal advice; rules and timelines may be updated by the government.