Data Principal — Definition & Legal Meaning in India

Also known as: Data Subject · Data Owner · Individual Data Subject

Legal Glossary Cyber Law data principal DPDP Act cyber law
Statute: Digital Personal Data Protection Act, 2023, Section 2(j)
New Law: ,
Landmark Case: Justice K.S. Puttaswamy v. Union of India ((2017) 10 SCC 1)
Veritect
Veritect Legal Intelligence
Legal Intelligence Agent
5 min read

Data Principal is the individual to whom personal data relates, or in the case of a child or a person with a disability, the parent or lawful guardian acting on their behalf. Under Indian law, the term is defined in Section 2(j) of the Digital Personal Data Protection Act, 2023, and carries a set of enforceable rights — including the right to access, correction, erasure, and grievance redressal — along with corresponding duties.

The Digital Personal Data Protection Act, 2023 provides the statutory definition:

Section 2(j): "'Data Principal' means the individual to whom the personal data relates and where such individual is — (i) a child, includes the parents or lawful guardian of such child; (ii) a person with disability, includes her lawful guardian, acting on her behalf."

A "child" is defined under Section 2(f) as an individual who has not completed eighteen years of age. The inclusion of parents and lawful guardians as data principals for children and persons with disabilities is a distinctive feature of the Indian framework, creating a legal fiction where the guardian exercises data rights on behalf of the actual data subject.

The Act confers rights on data principals through Sections 11-14 and imposes duties through Section 15:

Rights of Data Principals:

  • Right to information (Section 11): The right to obtain a summary of personal data being processed, the processing activities undertaken, and the identities of all data fiduciaries and data processors with whom data has been shared
  • Right to correction and erasure (Section 12): The right to demand correction of inaccurate or misleading personal data, completion of incomplete data, updating of outdated data, and erasure of data that is no longer necessary for the stated purpose
  • Right to grievance redressal (Section 13): The right to have access to a readily available means of grievance redressal by the data fiduciary, including the right to approach the Data Protection Board if the fiduciary fails to respond within the prescribed time
  • Right to nominate (Section 14): The right to nominate any other individual to exercise rights on the data principal's behalf in the event of death or incapacity

Duties of Data Principals (Section 15):

  • Not to register a false or frivolous complaint with the data fiduciary or the Data Protection Board
  • Not to furnish any false particulars, suppress material information, or impersonate another person when exercising rights
  • Breach of duties may attract a penalty of up to Rs 10,000

How courts have interpreted this term

Justice K.S. Puttaswamy (Retd.) v. Union of India [(2017) 10 SCC 1]

The Supreme Court's privacy judgment established the constitutional basis for data principal rights. Justice D.Y. Chandrachud articulated that "the right of an individual to exercise control over his personal data and to be able to control his/her own life would also encompass his right to control his existence on the internet." This principle of informational autonomy — that individuals are not mere passive objects of data processing but active agents with control over their personal information — directly informed the DPDP Act's articulation of data principal rights.

Justice K.S. Puttaswamy (Retd.) v. Union of India (Aadhaar) [(2019) 1 SCC 1]

The Constitution Bench recognised that individuals whose biometric data was collected under the Aadhaar scheme retained rights over that data. Justice Sikri observed that the collection of data does not extinguish the individual's interest in it, and that the state must provide mechanisms for individuals to verify what data is held, correct inaccuracies, and seek deletion where appropriate. These observations directly shaped the right to correction and erasure under Section 12 of the DPDP Act.

Google India Pvt. Ltd. v. Visakha Industries [(2020) 8 SCC 531]

While primarily concerning intermediary liability, the Supreme Court recognised the legitimate interest of individuals in controlling information about them available through search engines. The Court observed that the balance between the right to information and the right to privacy must account for the individual's reasonable expectation of control over their personal data, reinforcing the principle that data principals are not powerless subjects but rights-bearing agents in the data ecosystem.

Why this matters

The concept of data principal represents a paradigm shift in Indian law — from a regime where individuals had virtually no enforceable rights over their personal data to one where they are central actors with statutory entitlements. Before the DPDP Act, an individual whose personal data was misused had limited recourse: a civil suit for damages under general tort law, a complaint under the IT Rules of 2011 (which lacked a dedicated enforcement mechanism), or a criminal complaint under the IT Act (limited to specific offences). The DPDP Act creates a direct, accessible grievance mechanism through the data fiduciary's grievance officer and, failing that, the Data Protection Board.

For citizens, the practical exercise of data principal rights requires understanding the process: first, approach the data fiduciary's designated Consent Manager or grievance officer with a request; if the fiduciary fails to respond within the prescribed time, escalate to the Data Protection Board. The Board can direct compliance and impose penalties on non-compliant fiduciaries.

A notable feature of the Indian framework is the imposition of duties on data principals alongside rights. Section 15 prohibits frivolous complaints and false impersonation, reflecting the legislature's intent to balance individual rights with responsible exercise. This is a departure from the EU's GDPR, which does not impose duties on data subjects. Practitioners should note that a penalty of up to Rs 10,000 may be imposed on data principals who breach these duties.

Counterpart:

Parent framework:

Related concepts:

Frequently asked questions

Who is the data principal for a child's data?

Under Section 2(j) of the DPDP Act, when personal data relates to a child (an individual below 18 years of age), the parent or lawful guardian is treated as the data principal. Section 9 further requires that before processing any child's personal data, the data fiduciary must obtain verifiable consent from the child's parent or lawful guardian. Processing that is detrimental to the well-being of a child is prohibited, and the Central Government may notify specific data fiduciaries that are exempt from these requirements where the processing is verifiably safe.

Yes. Section 6(5) of the DPDP Act provides that the data principal has the right to withdraw consent at any time, "with the ease of doing so being comparable to the ease with which such consent was given." Upon withdrawal, the data fiduciary must cease processing the data (unless another lawful ground applies) and, where there is no further purpose for retention, erase the personal data. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal.

What happens if a data fiduciary ignores a data principal's request?

If a data fiduciary fails to respond to a data principal's request for information, correction, or erasure within the prescribed time, the data principal may file a complaint with the Data Protection Board of India under Section 13(2). The Board has the power to inquire into the complaint, direct the data fiduciary to take corrective action, and impose financial penalties as specified in the Schedule to the Act. Appeals from the Board's decisions lie to the Telecom Disputes Settlement and Appellate Tribunal (TDSAT).

Do data principals have duties under the DPDP Act?

Yes, unlike most international data protection frameworks. Section 15 imposes two specific duties on data principals: (a) not to register a false or frivolous complaint with the data fiduciary or the Data Protection Board, and (b) not to furnish false particulars, suppress material information, or impersonate another person in the exercise of rights under the Act. A data principal who breaches these duties may face a penalty of up to Rs 10,000 for each instance.

This entry is part of the Veritect Indian Legal Glossary, a comprehensive reference of Indian legal terminology grounded in statutory text and judicial interpretation.

Last updated: 2026-03-27. Veritect provides this content for informational purposes and does not constitute legal advice.

Related Terms

Data Fiduciary Data Protection (DPDP Act) Personal Data Consent (Data Protection) Article 21 (Right to Life)
Written by
Veritect. AI
Deep Research Agent
Grounded in millions of verified judgments sourced directly from authoritative Indian courts — Supreme Court & all 25 High Courts.