Putting Control Back Where It Belongs
India’s Digital Personal Data Protection Act, 2023 marks a decisive shift in how personal data is governed, placing individual rights at the centre of the compliance framework.
However, it raises a question: who really controls personal data in India today, the individual or the organisation processing it?
A Data Principal is the individual to whom the personal data relates.
The DPDP Act, 2023 formally recognises the rights of Data Principals.
However, rights written into a statute do not automatically translate into real-world control. Without clear procedures, individuals are often left navigating unclear portals, unresponsive support systems, or opaque processes.
This is exactly where Rule 14 of the DPDP Rules, 2025 steps in.
It does not create new rights – instead, it defines how existing rights must be exercised, how organisations must respond, and how accountability is enforced.
Rule 14 turns legal entitlement into practical control.
Rule 14 in Context: What It Actually Does
The DPDP Act establishes the rights available to Data Principals.
Rule 14 ensures those rights can actually be exercised without confusion, delay, or discretion.
Rule 14 operationalises statutory rights by mandating:
- Published mechanisms to exercise rights
Data Fiduciaries must clearly explain how a Data Principal can submit a rights request. This removes guesswork and ensures individuals are not dependent on informal or undocumented processes.
- Clear identity verification requirements
Rule 14 allows Data Fiduciaries to verify the identity of the requester before acting on a request. This protects individuals from unauthorised access and ensures requests are processed securely.
- Time-bound grievance redressal
Organisations can no longer delay grievance handling indefinitely. Rule 14 introduces a clear outer limit, making grievance handling a compliance obligation rather than a courtesy.
- A legally valid right to nominate
Data Principals can authorise another individual to act on their behalf. This ensures rights do not disappear due to incapacity, absence, or death.
How Rule 14 Assigns Roles & Responsibilities
Rule 14 assigns clear roles within the rights-exercise framework. Each term determines who can act, who must respond, and who remains accountable when a Data Principal invokes their rights.
Understanding these roles is essential, because Rule 14 compliance fails not due to lack of intent, but due to misaligned responsibility.
- Data Principal
A Data Principal is the individual to whom the personal data relates. This is the person who owns the rights under the DPDP Act and who can initiate requests under Rule 14.
In cases involving minors or persons with disabilities, the Act recognises lawful guardians, but the rights still flow from the Data Principal.
- Data Fiduciary
A Data Fiduciary is the entity that decides why and how personal data is processed. Under Rule 14, this entity carries the primary responsibility for enabling, responding to, and documenting rights requests.
Compliance cannot be delegated away. Even where vendors or platforms are involved, accountability remains with the Data Fiduciary.
- Consent Manager
A Consent Manager is a registered intermediary that helps Data Principals manage consent and exercise rights. When a Consent Manager is used, Rule 14 obligations apply equally to them.
This ensures that outsourcing consent management does not dilute Data Principal rights.

- Identifier
Rule 14 defines an “identifier” broadly as any unique sequence used by the Data Fiduciary to identify a Data Principal.
In practice, the identifier is the reference that lets a Data Fiduciary confirm who is making the request before acting on any data rights.
Examples include:
- Customer ID or Account ID
- Registered email address
- Mobile number
- Enrolment or reference number
Identifiers allow organisations to confirm that a request is legitimate. They balance security with accessibility, ensuring rights are exercised safely.
Think of an identifier as your “this is actually me” badge — without it, no data doors open.
With the groundwork laid, let's unpack Rule 14 in detail.
Mandatory Publication of Rights-Exercise Mechanisms (Rule 14(1))
Rule 14 makes transparency a binding requirement by mandating that Data Fiduciaries clearly publish how Data Principals can exercise their rights.
Every Data Fiduciary and Consent Manager must publish clear details on how Data Principals can exercise their rights, the channels they can use, the identifiers required, and how requests will be handled, in a manner that is prominently displayed, easy to find, and simple to understand.
1. The Means to Exercise Rights
- Clear instructions on how a Data Principal can submit a request
The organisation must explain the exact steps involved, such as where to click, what form to fill, or which email to use.
- Accepted channels (portal, form, email, dashboard, etc.)
Multiple channels may be offered, but each must be officially recognised and functional. Informal or undocumented channels are not sufficient.
- Step-by-step guidance that is easy to locate and understand
Instructions must not be hidden in legal notices or dense policies. They must be prominently displayed and written in simple language.
Hidden or confusing processes undermine the very purpose of Rule 14 and expose organisations to compliance risk.
If users need a treasure map, three clicks, and a support ticket to find the rights request page — Rule 14 is already being violated.

2. Identification Requirements
- Explicit disclosure of what identifiers must be provided
Data Principals must know in advance what information they will need to submit a request.
- Clear explanation of why identification is required
Organisations should explain that identifiers are used to prevent fraud and protect personal data from unauthorised access.
- Proportionate data collection strictly for verification
Only the minimum necessary information should be collected. Excessive data collection defeats the purpose of data protection.
Exercising Statutory Rights Under Rule 14(2)
Rule 14 confirms that a Data Principal may submit a request directly to the Data Fiduciary to whom consent was given.
This request, often referred to as a Data Subject Access Request (DSAR), is the formal way through which a Data Principal asks to access, correct, erase, or raise concerns about the processing of their personal data.

Rule 14 enables the practical exercise of:
- Right to access personal data
Data Principals can ask what personal data is held about them and how it is being used.
- Right to correction, completion, or updating
Inaccurate or outdated personal data can be corrected to prevent harm or misuse.
- Right to erasure
Where lawful, Data Principals can request deletion of personal data once the purpose is fulfilled.
- Right to grievance redressal
If rights are denied or mishandled, Data Principals can formally raise a grievance.
Requests must follow the published process and include required identifiers. This creates a clear, traceable, and auditable rights workflow.
A DSAR turns “Can you look into this?” into “You are legally required to respond.”
Grievance Redressal Obligations and Timelines
Grievance redressal refers to the formal process through which a Data Principal can raise concerns about how their personal data is being processed, including delays, denial of rights, incorrect handling, or non-response by the Data Fiduciary.
Grievance redressal is a core compliance obligation, not customer support.
Mandatory Requirements
- Published grievance process
Data Fiduciaries must clearly explain how grievances can be submitted, such as through a dedicated portal, email address, or in-app mechanism, and identify the specific team, function, or officer responsible for receiving, reviewing, and resolving those grievances.
- Clearly defined resolution timeline
Data Principals must be informed of a clearly defined resolution timeline, with Rule 14 requiring that grievances be resolved within a maximum period of 90 days from the date they are received.
- Contact points and escalation paths
Data Fiduciaries must clearly state who a Data Principal can contact at each stage of the grievance process and how the issue can be escalated if it is not resolved on time, as the lack of a clear escalation path amounts to a compliance failure.

Resolution Timeline
Rule 14 sets a strict outer limit of 90 days for resolving grievances. Any delay beyond this period increases enforcement risk, as unresolved grievances may be escalated to the Data Protection Board for further action.
Operational Expectation
- Technical measures for tracking and logging grievances
Organisations must implement technical systems that record when a grievance is received, track its status throughout the resolution process, log actions taken, and document the date of closure, ensuring a complete audit trail is available for review.
- Organisational controls to ensure accountability
Organisations must assign clear internal ownership for grievance handling, with defined roles and responsibilities, so that every grievance is actively tracked, addressed on time, and not ignored, delayed, or lost within the organisation.
- Evidence of timely resolution
Organisations must maintain documentation such as grievance records, timestamps, actions taken, responses provided to the Data Principal, and final resolution details, as this evidence is essential to demonstrate timely compliance during audits or investigations.
Right to Nominate (Rule 14(4))
Rule 14 ensures continuity of Data Principal rights through the right to nominate.
The right to nominate allows a Data Principal to formally appoint another person to exercise data protection rights on their behalf if they are unable to do so themselves.
A Data Principal may nominate one or more individuals to exercise rights on their behalf, subject to law and published procedures.
This is particularly relevant in cases involving:
- Death
- Incapacity
- Legal disability
Nomination mechanisms must be:
- Clearly published so individuals know how to nominate
- Identity-verified to prevent misuse
- Securely recorded to ensure legal validity
Technical and Organisational Measures
Rule 14 has real operational impact, and without supporting technical and organisational measures, its requirements cannot be implemented or demonstrated in practice.
1. Technical Measures
- Secure rights-management portals
Requests should be submitted through dedicated portals or systems that allow Data Principals to raise, track, and monitor their requests securely, rather than through informal or ad hoc channels.
- Identity verification controls
Appropriate verification measures must be in place to confirm that the person making the request is the actual Data Principal, helping prevent impersonation, unauthorised access, or misuse of personal data.
- Logging and audit trails for every request
Systems must automatically record what request was made, when it was received, what actions were taken, and when it was completed, creating a clear audit trail that can be reviewed for compliance.
2. Organisational Measures
- Defined internal ownership
Organisations must clearly assign responsibility for handling Data Principal rights requests to specific teams or individuals, so there is no confusion about who is accountable for responding to and closing each request.
- SLA-based workflows
Internal processes should be designed with fixed timelines that match DPDP requirements, ensuring requests are handled within defined periods rather than being delayed or treated as low priority.
- Escalation to senior compliance roles
Requests that are complex, delayed, or disputed must be escalated to senior compliance or legal leadership to ensure timely resolution and avoid regulatory risk.
Why Rule 14 is a Structural Shift
Rule 14 changes how personal data rights work in practice by moving them from abstract legal entitlements to clear, enforceable processes that Data Principals can actually use.
It introduces:
- Transparency – individuals know exactly how to act
Rule 14 requires organisations to clearly explain how Data Principals can exercise their rights, so individuals are not left guessing where to go or what steps to follow.
- Accessibility – processes are simple and discoverable
Rights-exercise mechanisms must be easy to find and use, ensuring that Data Principals do not need legal or technical expertise to submit a request.
- Accountability – timelines and ownership are defined
By setting clear timelines and assigning responsibility, Rule 14 ensures that rights requests are acted upon promptly and cannot be ignored or delayed without consequence.
- Empowerment – rights continue through nomination
Even when a Data Principal is unable to act personally, Rule 14 allows a nominated individual to step in and exercise those rights on their behalf.
This marks a shift from symbolic rights to enforceable control.
Conclusion
Rule 14 ensures that Data Principal rights under the DPDP Act can actually be used, not just written about.
By requiring clear processes, defined timelines, and accountability, it moves control of personal data back to individuals.
And yes — this is where “we respect your privacy” finally has to mean something.
Key Takeaways
- The purpose of Rule 14 is to turn legal rights into usable and enforceable processes.
- It requires organisations to clearly explain how Data Principals can exercise their rights and to verify identity in a way that protects both individuals and organisations.
- Rule 14 ensures that rights such as access, correction, erasure, and grievance redressal follow defined workflows, with every grievance required to be resolved within 90 days.
- It also allows rights to continue through nomination in exceptional situations.
- To meet these requirements, organisations must have the right systems and teams in place, ultimately strengthening trust, legitimacy, and regulatory confidence.
