The Digital Personal Data Protection Act 2023 is India's most powerful privacy law. It gives every Indian citizen the legal right to know what data companies hold about them — and demand its deletion.
📅 Act passed: August 2023⏱ Company response time: 90 days💸 Max fine for non-compliance: ₹250 Crore
The Digital Personal Data Protection Act 2023 (DPDP Act) is India's first comprehensive data protection law. Passed by Parliament on August 11, 2023, it gives Indian citizens meaningful control over their personal data held by companies — whether Indian or foreign.
Before this law, Indian users had no formal legal mechanism to demand that companies delete their data. Data brokers, telemarketing firms, and people-search platforms could hold and sell your phone number, address, and identity information indefinitely with no accountability.
The DPDP Act changes this. It requires any company that collects or processes personal data of Indian residents (called a Data Fiduciary) to follow strict rules around consent, use, and deletion.
🇮🇳
Why this matters for you
Your phone number is listed on TrueCaller, JustDial, Acxiom, and dozens of other platforms — many without your knowledge or consent. The DPDP Act gives you the legal right to demand its removal. Saaph.in acts as your authorised representative to file these requests on your behalf under Section 12.
02 — YOUR RIGHTS
Your 5 Rights Under the DPDP Act
The Act grants Indian citizens five core rights over their personal data held by any Data Fiduciary:
📋
Right to Information
You can ask any company to tell you exactly what personal data they hold about you and why they're processing it. They must respond.
✏️
Right to Correction
You can request that a company correct inaccurate or incomplete personal data they hold about you.
🗑️
Right to Erasure
This is the most powerful right. You can demand permanent deletion of your personal data. Companies have 90 days to comply.
🚫
Right to Withdraw Consent
If a company collected your data with your consent, you can withdraw that consent at any time. Processing must stop after withdrawal.
⚖️
Right to Grievance Redressal
If a company ignores your request or violates your rights, you can file a complaint with India's Data Protection Board.
👤
Right to Nominate
You can authorise another person or service (like Saaph.in) to exercise these rights on your behalf — this is how we act for you.
03 — SCOPE
Who Must Comply?
The DPDP Act applies to any entity that processes the personal data of Indian residents — regardless of where the company is headquartered. This includes:
Indian telecom & caller ID platforms — TrueCaller, Hiya, Bharat Caller
Business directories — JustDial, IndiaMART, Sulekha, Quikr
Real estate portals — MagicBricks, 99acres, Housing.com
Job portals — Naukri, Shine, Monster India
Global data brokers operating in India — Acxiom, ZoomInfo, Experian India
Company records sites — Zaubacorp, Zauba Corp, Tofler
Social & professional networks — LinkedIn India, Facebook
Search engines — Google Search results containing Indian personal data
⚠️
Important limitation
The DPDP Act does not apply to personal data processed for national security, law enforcement, or journalistic purposes. Government bodies and certain research organisations may also be exempt under rules notified by the Central Government.
04 — HOW TO FILE
How to File a Data Erasure Request
You can file a data erasure request yourself, or authorise Saaph.in to do it on your behalf. Here's the step-by-step process:
Identify where your data is listed. Run a free scan at saaph.in to discover which platforms hold your information.
Find the platform's Data Protection Officer (DPO). The DPDP Act requires every significant Data Fiduciary to appoint a DPO and publish their contact information.
Send a written erasure request to the DPO email citing Section 12 of the DPDP Act 2023. Include your full name, phone, and email. Use our template below.
Wait up to 90 days. The company must acknowledge receipt and process the deletion within 90 days. Many process requests within 2–4 weeks.
Escalate if ignored. If the company does not respond within 90 days, you can file a complaint with the Data Protection Board of India (once operational).
🤖
Saaph.in does this for you automatically
Our Pro plan sends DPDP-compliant erasure emails to all platform DPOs on your behalf, tracks responses, and re-sends if there's no reply. You never have to write a single email.
05 — EMAIL TEMPLATE
DPDP Erasure Email Template
Copy and send this email to the Data Protection Officer of any platform. Replace the highlighted fields with your information.
Data Erasure Request — DPDP Act 2023
Subject: Data Erasure Request — DPDP Act 2023, Section 12To: dpo@[platform].com
Dear Data Protection Officer,
I, [Your Full Name], hereby exercise my right to erasure of personal
data under the Digital Personal Data Protection Act 2023 (DPDP Act),
Section 12.
I request the immediate and permanent deletion of all personal data
you hold pertaining to:
• Name: [Your Full Name]
• Phone: [Your Mobile Number with +91]
• Email: [Your Email Address]
• City: [Your City]
This includes but is not limited to: contact details, location data,
profile information, marketing lists, and any derived or inferred data.
You are required to process this request within 90 days as mandated
under Section 12 of the DPDP Act 2023. Failure to comply may result
in penalties of up to ₹250 Crore under Schedule I of the Act.
Please confirm deletion at this email address within 7 business days
of receiving this request.
Regards,
[Your Full Name]
Sent via Saaph.in — saaph.in
Authorised Representative under Section 12, DPDP Act 2023
Saaph.in Pro subscribers: we send this automatically to all relevant platform DPOs. No copy-pasting needed.
06 — PENALTIES
Penalties for Non-Compliance
The DPDP Act 2023 gives real teeth to your data rights. Companies that fail to comply face significant financial penalties:
₹250 Cr
Failure to implement adequate security safeguards — highest penalty tier for data breaches due to negligence.
₹200 Cr
Failure to notify Data Protection Board of a data breach — companies must report breaches promptly.
₹150 Cr
Non-compliance with obligations towards children's data — stricter rules apply to data of minors under 18.
₹50 Cr
Failure to honour data principal rights — including ignoring erasure requests, right to information, or correction requests.
₹10,000
Failure by data principal to comply — penalties also apply to individuals who provide false information when exercising rights.
💡
What this means in practice
The ₹50 Crore penalty for ignoring data rights is the most relevant for everyday users. When a platform receives a properly formatted DPDP Act erasure request, they have strong financial incentive to comply — the risk of non-compliance far exceeds the cost of simply deleting your data.
07 — FAQ
Frequently Asked Questions
The Act was passed in August 2023. As of 2025, the Government of India has not yet notified all provisions — specific rules and the Data Protection Board are being constituted. However, the core rights and obligations under the Act apply, and companies are preparing for full enforcement. Many platforms are already honouring erasure requests to stay ahead of compliance requirements.
Yes. Many platforms obtain your data from third parties — data brokers, public records, or other apps you used. You don't need to have directly registered with a platform to exercise your right to erasure. If they hold your data, you can request its deletion.
Companies can legitimately refuse if the data is required for legal compliance, active service delivery, or national security. However, they must tell you why they're refusing. If they simply ignore your request, you can file a complaint with the Data Protection Board of India once it is operational. Saaph.in will flag such platforms in your dashboard and advise on next steps.
Yes. The DPDP Act applies to any entity processing personal data of Indian residents, regardless of where the company is based. WhatsApp, Facebook, Google, LinkedIn, and international data brokers like Acxiom are all covered if they process data of Indian users.
The Act mandates 90 days, but many platforms process requests in 2–4 weeks. TrueCaller, for example, has a self-service unlisting process that takes effect immediately. Google results may take 1–3 weeks to de-index. Some data broker databases can take the full 90 days. Saaph.in monitors each request and alerts you when removal is confirmed.
Not necessarily. Data can reappear — especially if you use services that re-share your information, or if a platform refreshes its database from public records. This is why Saaph.in re-scans every 90 days and automatically re-sends removal requests when data reappears. Privacy is an ongoing process, not a one-time fix.
Ready to exercise your DPDP rights? Let Saaph.in scan for and remove your data from 50+ platforms.