15.A Data Principal shall perform the following duties, namely:—

(a) comply with the provisions of all applicable laws for the time being in force while exercising rights under the provisions of this Act;
(b) to ensure not to impersonate another person while providing her personal data for a specified purpose;
(c) to ensure not to suppress any material information while providing her personal data for any document, unique identifier, proof of identity or proof of address issued by the State or any of its instrumentalities;
(d) to ensure not to register a false or frivolous grievance or complaint with a Data Fiduciary or the Board; and
(e) to furnish only such information as is verifiably authentic, while exercising the right to correction or erasure under the provisions of this Act or the rules made thereunder.

Applicable DPDP Rule 2025

Rule 13: Rights of Data Principals

Legal Interpretation of the

Section 15 of the Digital Personal Data Protection Act, 2023 (DPDPA)

Introduction

While the Digital Personal Data Protection Act, 2023 (India) primarily focuses on the responsibilities of Data Fiduciaries and the rights of Data Principals, it also imposes certain duties on Data Principals themselves under Section 15. This approach acknowledges that a well-functioning data protection ecosystem requires accountability not only from organizations handling personal data but also from the individuals who provide it. By setting out these duties, Section 15 encourages responsible participation, honesty, and respect for the legal framework governing personal data.

Key Duties of the Data Principal under Section 15

1. Providing Accurate and True Information

Data Principals are expected to furnish personal data that is accurate, true, and not misleading. Providing false or incomplete information can lead to improper processing, fraudulent activities, or wrongful decisions by Data Fiduciaries.

2. Refraining from Misrepresentation or Impersonation

The Data Principal must not impersonate another person or misrepresent their own identity. Such actions undermine trust in the data ecosystem and can lead to harm or rights violations.

3. Avoiding Frivolous or Malicious Grievances

While Data Principals have the right to file grievances, they must not misuse this mechanism by lodging false, frivolous, or malicious complaints. Such misuse burdens the system and harms the credibility of genuine grievances.

4. Respecting the Rights and Freedoms of Others

Data Principals should not abuse their data rights to harass, intimidate, or infringe upon the privacy and freedoms of others. They must exercise their rights responsibly and refrain from using them in a manner that violates others’ dignity.

Legal Interpretation

Mutual Accountability in the Data Ecosystem:
The inclusion of Data Principal duties highlights that data protection is a shared responsibility. While Data Fiduciaries must handle data lawfully, Data Principals must also act in good faith to maintain integrity in the system.

Balance of Rights and Duties:
The DPDP Act grants extensive rights to Data Principals but also sets duties to prevent irresponsible use of these rights. This ensures that the data protection framework remains balanced and fair.

Consequences of Breach of Duties:
Though the Act mainly focuses on Data Fiduciary obligations, a Data Principal who abuses their duties—such as by filing false complaints—may face dismissal of such complaints or other repercussions as defined in subsequent rules or regulations.

Illustrations

1. Submitting Accurate Data for an Online Loan Application

Scenario:
A Data Principal applies for a personal loan online and must provide correct income and identity details.

Duty in Action:
By giving accurate information, the individual ensures fair assessment of their loan application. Providing false data could lead to financial misjudgments and undermine trust in the data regime.

2. Refraining from Impersonation on Social Media

Scenario:
A user creates a social media account using someone else’s name and photo.

Duty in Action:
Impersonating another person violates the Data Principal’s duty not to misrepresent. This could harm the actual owner of the identity and erode platform integrity.

3. Respecting the Grievance Redressal Process

Scenario:
A Data Principal files multiple unfounded complaints against a Data Fiduciary.

Duty in Action:
Such behavior clogs the complaint system, making it harder for genuine cases to be resolved. The Data Principal must ensure grievances are filed in good faith.

4. Not Using Rights to Harass Others

Scenario:
A Data Principal threatens to repeatedly request erasure of another person’s data solely to harass them.

Duty in Action:
This misuse of data rights violates the duties outlined in Section 15. Rights must not be exploited to harm others.

Significance and Broader Impact

Fostering a Cooperative Digital Environment:
By placing duties on Data Principals, the Act promotes a collaborative environment where both individuals and organizations uphold integrity, strengthening the data protection ecosystem.

Mitigating Frivolous Litigation and Complaints:
Ensuring Data Principals act responsibly prevents the grievance mechanism from becoming a tool for harassment or extortion, thus improving the effectiveness of redressal mechanisms.

Cultural Shift Towards Responsible Data Use:
Encouraging individuals to respect their data-related duties helps foster a culture where data protection is a collective ethic, reducing fraud, identity theft, and baseless claims.

Conclusion

Section 15 of the DPDP Act, 2023, affirms that data protection is a two-way street. By setting out duties for Data Principals, the Act ensures that individuals also contribute to the stability and fairness of the digital data environment. This balanced approach cultivates trust, accountability, and a more responsible data protection culture for all stakeholders.

Section 15 DPDPA

Duties of Data Principal.