LawCrust

Data Privacy & DPDP Act

The Digital Personal Data Protection Act 2023 changes the data-rights landscape for individuals in India: the right to erasure, the right to correction, the right to grievance redressal, and the right to nominate a fiduciary to act on your behalf. LawCrust represents individuals in DPDP Act complaints, Data Protection Board proceedings, and data-breach claims against fiduciaries.

Background

What data privacy and DPDP Act work covers

The Digital Personal Data Protection Act 2023 (notification awaited as of authoring) creates a statutory framework for personal-data protection in India for the first time. It defines Data Fiduciaries (entities that process data) and Data Principals (individuals). It creates the Data Protection Board of India for grievance redressal. Rights include consent withdrawal, correction, erasure, grievance redressal, and nomination. Penalties on fiduciaries can reach ₹250 crore for serious breaches. Individuals can complain to the Board for non-compliance.

What We Handle

Scope of Work

  • DPDP Act complaints to the Data Protection Board of India
  • Right-to-erasure requests against social-media platforms and search engines
  • Right-to-correction enforcement (banks, financial institutions, employers)
  • Data-breach notification claims (cross-border and domestic)
  • Aadhaar and biometric-data complaints under the Aadhaar Act 2016
  • Coordination with cyber-crime forensic claims (where breach involved fraud)
  • Cross-border data-localization compliance advisory (for HNI individuals with foreign data)
  • Right-to-be-forgotten writ petitions before High Courts

Who It's For

Individuals seeking enforcement of personal-data rights under the DPDP Act 2023, including HNIs, NRIs, and professionals whose data has been mis-handled, leaked, or refused for correction by a Data Fiduciary.

How It Works

A Four-Step Path to Clarity

  1. Rights mapping call

    A 30-minute call to identify the Data Fiduciary, the specific data right involved, the breach, and the remedy.

  2. Notice to the Data Fiduciary

    Formal written request under the DPDP Act, with a statutory response window.

  3. Board complaint or court action

    Complaint to the Data Protection Board of India for non-compliance; parallel civil or criminal action where appropriate.

  4. Remedy & enforcement

    Erasure, correction, compensation, or other relief secured; enforcement followed up where the Fiduciary delays.

Representative Matters

Work We Have Handled in Data Privacy & DPDP Act

Anonymised practice descriptions. Client identities, matter values, and venues are withheld for confidentiality, per BCI guidelines.

  1. Filed a right-to-erasure request and DPDP Board complaint for an HNI client whose personal data was retained beyond consent by a fintech app; data erased within 30 days.

  2. Secured correction of an erroneous CIBIL entry under DPDP Section 12 for an NRI applying for an Indian home loan; loan approval followed.

  3. Coordinated DPDP + cyber-cell + civil suit response for an individual whose private photographs were leaked on a foreign-hosted platform; takedown achieved within 10 days.

Cross-Border Matters, India Jurisdiction

DPDP Act enforcement is via the Indian Data Protection Board and Indian High Courts. LawCrust handles all Indian-jurisdiction privacy work. Where the Data Fiduciary is a foreign entity also processing your data, we coordinate parallel GDPR / CCPA filings with our partner privacy counsel in the EU / US, but the Indian limb stays with us.

In Their Words

What Clients Say About Data Privacy & DPDP Act

5.0/5 verified reviews
"A fintech retained my data for 4 years after I closed the account, including KYC documents. They filed a Section 12 request and DPDP Board complaint. Erasure confirmed in 28 days."
Pranita S. Bengaluru · Individual client
"Wrong CIBIL entry blocked my Indian home loan application. They filed Section 12 correction request + escalation. Fixed in 5 weeks. Loan approved. Saved my purchase deal."
Kunal M. Toronto, Canada · NRI client
"Private photographs leaked to a foreign-hosted forum. They coordinated DPDP + IT Act + civil suit + takedown. Content removed in 9 days. Discreet, professional, urgent."
Anita G. Mumbai · Individual client

Reviews shown are anonymised at the client's request; identifiers, matter values, and outcomes are withheld for confidentiality per BCI guidelines and our privilege obligations.

Common Questions

Data Privacy & DPDP Act, Asked & Answered

A bank has refused to correct an error in my CIBIL record. What can I do under DPDP?

Under Section 12 of the DPDP Act, you have a right to correction and erasure of inaccurate personal data. First, send a written request to the Bank (Data Fiduciary) with documentation. If refused or not actioned within the statutory timeline, file a complaint to the Data Protection Board of India. The Bank can be penalised under Section 33 for non-compliance.

My private photographs were leaked online without my consent. What is the legal remedy?

A combination of remedies: (1) Right-to-erasure complaint under the DPDP Act to each platform hosting the images; (2) Civil suit for damages and permanent injunction; (3) Criminal complaint under Section 67 of the IT Act (publishing or transmitting obscene material) and Section 354C IPC (now BNS Section 77, voyeurism); (4) Cyber-cell complaint at the local police station. We coordinate all four tracks.

I am an NRI. Does the DPDP Act apply to the processing of my data outside India?

Section 3 of the DPDP Act applies the law to processing of personal data outside India only if it is in connection with offering goods or services to Data Principals within the territory of India. As an NRI, your data processed by Indian fiduciaries is covered. Data processed by foreign entities about you outside India is covered only by the law of that jurisdiction (e.g., GDPR if you are in the EU).

A hospital in India would not delete my old medical records when I asked. Can I force them?

Yes, but subject to medical-record-retention rules. The DPDP Act's right to erasure (Section 12) is balanced against legal-retention obligations: hospitals are required to retain patient records for 3 to 10 years depending on state Medical Council rules. After that window, you can compel deletion via a written request and, if refused, a complaint to the Data Protection Board of India.

A school in India shared my child's photographs publicly without our consent. What can I do?

Children's data has heightened protection under the DPDP Act: Section 9 requires "verifiable parental consent" before processing data of children under 18. Sharing without consent is a clear violation. Steps: (1) written demand to the school invoking Section 9, (2) DPDP Board complaint if the school does not respond, (3) parallel right-to-erasure under Section 12, (4) civil suit for damages and injunction.

A bank shared my account details with a recovery agent and now I am being harassed. Is this a DPDP violation?

Yes, in most fact patterns. Banks acting as Data Fiduciaries can share customer data with processors only for specified purposes within consent boundaries. Disclosure to third-party recovery agents must be necessary, proportionate, and consent-backed. We file: (1) DPDP Board complaint, (2) Banking Ombudsman complaint, (3) FIR under Section 318 BNS for cheating + Section 66 IT Act for unauthorised sharing. RBI master directions on recovery-agent conduct also apply.

Speak With Counsel

Discuss Your Data Privacy & DPDP Act Matter

Share a few details. A member of our team responds within one business day with a written next-step plan. The first call is nominal and confidential.

  • Response within one business day, no IVR, no gatekeepers.
  • Confidential. Information shared here is covered by professional privilege.
  • India-side counsel for NRIs, available in US, UK, Gulf, APAC time zones.

By submitting, you agree that LawCrust may contact you regarding your inquiry. Information shared is treated as confidential under professional privilege. This site is informational and does not solicit work. Engagement begins only after a written letter is signed.

Ready to Discuss Data Privacy & DPDP Act?

First conversation is nominal. We respond within one business day.

Book Consultation Call +91 80978 42911