Glossary · Data Principal

What Is a Data Principal Under DPDPA?

Under DPDPA, every customer, employee, patient, or student whose personal data you hold is a Data Principal with enforceable rights you must be ready to honour.

Last reviewed: 17 July 2026

Definition

A Data Principal is the individual whose personal data is being collected or processed — defined under Section 2(j) of the DPDPA, 2023. In plain terms: your customers, employees, patients, students, or app users. For children under 18, the term includes their parents or lawful guardians; for persons with disabilities, it includes their lawful guardians. The DPDPA grants Data Principals specific rights (Sections 11–14): the right to access information about their data, correct and erase it, nominate someone to exercise rights on their behalf, and raise grievances. Every business holding personal data must be ready to honour these requests.

How this matters in practice

Every customer, employee, or patient in your database is a Data Principal with enforceable rights — and the DPDP Rules, 2025 set timelines for responding to their requests. Privigo builds your rights-request workflow, grievance redressal mechanism, and consent records so requests don't catch you unprepared. Start with our free gap analysis — delivered fully remotely, anywhere in India.

Frequently asked questions

What rights does a Data Principal have under DPDPA?

Four core rights under Sections 11–14: access to a summary of their personal data and processing activities, correction and erasure of their data, grievance redressal from the business, and nomination of another person to exercise these rights in case of death or incapacity. Rights apply where processing is based on consent.

Do Data Principals have obligations too?

Yes — Section 15 requires Data Principals not to impersonate others, not to suppress material information, not to file false or frivolous complaints, and to furnish only verifiably authentic information. Filing a false grievance can attract a penalty of up to ₹10,000 on the individual.

Who is the Data Principal when I collect a child's data?

The child is the Data Principal, but the definition extends to include their parent or lawful guardian — meaning your business must obtain verifiable parental consent before processing a child's data (Section 9). This matters especially for schools, ed-tech platforms, and hospitals treating minors.

Official sources

Build a rights-request workflow that holds up

Book a 30-minute call to map how you will respond to Data Principal access, correction, and erasure requests before enforcement tightens.

Book a demo Free Gap Analysis

Disclaimer: Privigo is not a law firm. This page provides operational compliance guidance only. For institution-specific obligations, work with qualified Indian legal counsel.