Section 12 DPDPA

Right to correction and erasure of personal data.


12.(1) A Data Principal shall have the right to correction, completion, updating and erasure of her personal data for the processing of which she has previously given consent, including consent as referred to in clause (a) of section 7, in accordance with any requirement or procedure under any law for the time being in force.

(2) A Data Fiduciary shall, upon receiving a request for correction, completion or updating from a Data Principal,—
(a) correct the inaccurate or misleading personal data;
(b) complete the incomplete personal data; and
(c) update the personal data.

(3) A Data Principal shall make a request in such manner as may be prescribed to the Data Fiduciary for erasure of her personal data, and upon receipt of such a request, the Data Fiduciary shall erase her personal data unless retention of the same is necessary for the specified purpose or for compliance with any law for the time being in force.

Applicable DPDP Rule 2025

Rule 13: Rights of Data Principals

Section 13 DPDPA →
DPDPA
Table of contents


Report error

Legal Interpretation of the

Section 12 of the Digital Personal Data Protection Act, 2023 (DPDPA)

Introduction

Section 12 of the Digital Personal Data Protection Act, 2023 (India) grants Data Principals (individuals to whom the personal data relates) the right to request correction and erasure of their personal data. This provision empowers individuals to maintain the accuracy and relevance of their personal information within the data ecosystem. Such a right ensures that data is not only protected but also kept current and meaningful, preventing outdated or incorrect data from perpetually lingering in digital databases.

Key Provisions of Section 12

1. Right to Correction of Personal Data

Data Principals have the right to request that a Data Fiduciary correct their personal data if it is inaccurate, out-of-date, incomplete, or misleading. Once a legitimate request is made:

  • The Data Fiduciary must take reasonable steps to verify the validity of the request.
  • Upon confirmation, the Data Fiduciary should promptly correct, complete, or update the personal data.

This right ensures that data remains accurate and relevant, enabling the Data Principal to prevent potential harm or misjudgment arising from erroneous information.

2. Right to Erasure of Personal Data

Section 12 also allows Data Principals to request erasure of their personal data under certain conditions—such as when:

  • The data is no longer required for the purpose for which it was collected.
  • The Data Principal withdraws consent and there is no other lawful basis for retention.
  • The retention of the data no longer complies with the requirements of the law.

By facilitating erasure, the provision respects the principle of data minimization and the individual’s autonomy, ensuring that stale, irrelevant, or unlawfully held data can be permanently removed.

3. Obligations of Data Fiduciaries

When a Data Principal invokes the right to correction or erasure:

  • The Data Fiduciary must respond within a reasonable time frame and cannot unduly delay the process.
  • If the Data Fiduciary decides not to act on the request, they must provide justification.
  • The Data Fiduciary must ensure that changes are reflected in all relevant systems and, where appropriate, inform third parties who have previously received the data.

4. Balancing Rights and Obligations

While the right to correction and erasure is strong, it is not absolute. The Data Fiduciary may refuse requests if:

  • The data is required to comply with a legal obligation.
  • The retention is necessary for public interest, archiving, research, or statistical purposes.

In such cases, the Data Fiduciary must communicate the reasons for refusal, ensuring transparency and fairness.

5. Procedural Aspects and Accessibility

The process for requesting corrections or erasures should be simple and easily accessible. The Act’s intent is to make data rights exercisable in practice, not just in theory. Imposing complex procedures or high fees would undermine the purpose of empowering Data Principals.

Legal Interpretation

Ensuring Data Quality and Integrity:
Section 12 underlines the principle that personal data should be accurate, complete, and up-to-date. By legally empowering individuals to request corrections, it ensures data integrity and prevents reliance on flawed or misleading information.

Strengthening Autonomy and Privacy:
The right to erasure, often referred to as the “right to be forgotten,” gives individuals control over data that no longer serves a legitimate purpose. This enhances personal autonomy, prevents unnecessary digital footprints, and aligns with global trends in data protection law.

Accountability of Data Fiduciaries:
Data Fiduciaries must maintain frameworks to accommodate correction and erasure requests, ensuring ongoing data hygiene. The obligation to provide reasons for refusal or delays also promotes accountability and discourages arbitrary data retention.

Harmonization with International Norms:
The concepts of correction and erasure mirror established international data protection standards such as the EU’s GDPR. Incorporating these rights helps position India’s data privacy framework on the global stage, fostering trust and interoperability in the digital economy.

Illustrations

1. Social Media Platform – Incorrect Personal Details

Scenario:
A user notices that their birthdate and hometown are incorrectly displayed on their social media profile.

Application:
The user submits a request to correct this information. The platform verifies the user’s identity and updates the birthdate and hometown. The incorrect data no longer appears, preventing potential confusion or misrepresentation.

2. E-Commerce Website – Old Purchase History and Unneeded Accounts

Scenario:
A customer no longer uses a particular e-commerce platform and wants their account details, including purchase history and saved addresses, erased.

Application:
The customer files an erasure request. If no legal obligation mandates retention (e.g., for tax or dispute resolution purposes), the platform removes all personal data related to the customer. The digital traces of their shopping activity vanish, respecting their choice to retract their presence.

3. Banking Services – Outdated Contact Information

Scenario:
A bank customer changed their phone number months ago. The bank still has the old number on file, causing missed notifications and potential security issues.

Application:
The customer requests a correction. The bank updates its database with the new phone number. This ensures accurate communications and better account security.

4. Healthcare Provider – Sensitive Health Records

Scenario:
A patient’s old medical test results are no longer relevant, and the patient wants them removed from an online patient portal.

Application:
If legal retention periods have passed, the healthcare provider erases these records, reducing privacy risks by ensuring that sensitive health information is no longer unnecessarily stored.

Significance and Broader Impact

Building Trust Through Control:
Knowing that one can correct inaccuracies or remove outdated personal data fosters trust. Individuals feel more confident sharing data when they know they can maintain its accuracy or withdraw it.

Compliance and Good Data Governance:
The necessity to implement robust correction and erasure procedures encourages Data Fiduciaries to maintain disciplined data lifecycle management. This helps avoid data clutter and reduces risks associated with stale or incorrect data.

Supporting a Rights-Based Data Ecosystem:
Correction and erasure rights complement other data rights, such as access or withdrawal of consent. Together, these rights establish a holistic, rights-based regime that ensures individuals are active participants in the data processing environment, not passive subjects.

Conclusion

Section 12 of the DPDP Act, 2023, anchors the principle that personal data should never be set in stone. By granting Data Principals the right to correct inaccurate data and erase data that no longer serves a legitimate purpose, the Act promotes both privacy and data quality. This right ensures that personal data remains accurate, relevant, and respectful of individual autonomy— cornerstones of a modern, people-centric data protection framework.

© 2024 Advocate (Dr.) Prashant Mali