Code: Section 12 DPDP
(1) A Data Principal shall have the right to correction, completion, updating and
erasure of her personal data for the processing of which she has previously given consent,
including consent as referred to in clause (a) of section 7, in accordance with any requirement
or procedure under any law for the time being in force.
(2) A Data Fiduciary shall, upon receiving a request for correction, completion or
updating from a Data Principal,—
(a) correct the inaccurate or misleading personal data;
(b) complete the incomplete personal data; and
(c) update the personal data.
(3) A Data Principal shall make a request in such manner as may be prescribed to the
Data Fiduciary for erasure of her personal data, and upon receipt of such a request, the Data
Fiduciary shall erase her personal data unless retention of the same is necessary for the
specified purpose or for compliance with any law for the time being in force.
Explanation of Section 12 DPDP
Section 12 of the Digital Personal Data Protection Act (DPDP) outlines the Data Principal’s rights to correct, update, or delete their personal data, ensuring individuals can control the accuracy and completeness of their data.
Key Provisions:
- Right to Correction, Completion, and Updating (Sub-section 1 & 2):
Data Principals have the right to ensure that their personal data is accurate, complete, and up-to-date. Upon request, the Data Fiduciary must take appropriate steps to correct, complete, or update the personal data. - Right to Erasure (Sub-section 3):
If a Data Principal requests the erasure of their personal data, the Data Fiduciary must comply unless the data is required for legal reasons or for specified purposes. This provision ensures individuals can request that their data be deleted, subject to certain exceptions.
Illustration
Example 1: Correcting Inaccurate Data
Alice, a customer of an online store, notices that her phone number is listed incorrectly in her profile. She requests the store to update the number. The store corrects the error promptly, as per her request.
Example 2: Erasure of Data for Legal Purposes
John requests the erasure of his personal data from a healthcare provider. However, since the provider needs his data for medical records and legal compliance, they may refuse the request based on retention requirements.
Common Questions and Answers on Section 12 DPDP
1. What does a Data Principal need to do to request correction of their personal data?
- Answer: A Data Principal must submit a request in the prescribed manner to the Data Fiduciary, asking for correction, completion, or updating of their personal data.
2. What is the timeframe for a Data Fiduciary to correct or update personal data?
- Answer: The Data Fiduciary must promptly correct, complete, or update any inaccurate, incomplete, or outdated personal data once the request is made.
3. Can a Data Principal request the erasure of their personal data at any time?
- Answer: Yes, a Data Principal can request erasure. However, the Data Fiduciary can refuse the request if retention is necessary for legal compliance or a specified purpose.
4. Under what circumstances can a Data Fiduciary refuse to erase personal data?
- Answer: The Data Fiduciary can refuse to erase personal data if retention is necessary for compliance with the law or if the data is required for specific purposes, such as legal obligations.
5. Is there a prescribed process for making a correction, update, or erasure request?
- Answer: Yes, the request must be made in the prescribed manner, as specified by the regulations under the DPDP Act.
Conclusion
Section 12 of the Digital Personal Data Protection Act (DPDP) ensures that Data Principals have control over the accuracy, completeness, and retention of their personal data. By offering the right to correct, update, or erase personal data, this section empowers individuals to maintain their data privacy and security. However, data retention is still allowed under certain legal conditions, balancing privacy with regulatory compliance.
