To file a data privacy complaint under the Digital Personal Data Protection Act, 2023, first raise a grievance with the data fiduciary (the company or organisation processing your data) and wait up to 30 days for a response. If the grievance is not resolved satisfactorily, escalate your complaint to the Data Protection Board of India (DPBI), which operates as a digital-first adjudicatory body with powers to impose penalties up to ₹250 crore. The process is expected to be free of charge, and you will need evidence of the data processing violation and proof of your prior grievance to the data fiduciary.
Important caveat: The DPDP Act received Presidential assent on 11 August 2023. The DPDP Rules were notified on 13 November 2025, with provisions taking effect in three phases. As of March 2026, the Data Protection Board is operational (Phase 1), while provisions relating to consent managers take effect from November 2026 (Phase 2) and substantive data processing obligations from May 2027 (Phase 3). This guide reflects the framework as it stands and will be updated as subsequent phases are operationalised.
Who can file a data privacy complaint
- Any Data Principal — that is, any individual whose personal data is being processed or has been processed by a data fiduciary — Section 2(j) of the DPDP Act, 2023
- A parent or lawful guardian acting on behalf of a child (person under 18 years of age) whose personal data is being processed — Section 9
- A lawful guardian acting on behalf of a person with disability whose personal data is being processed — Section 9
- A nominee designated by the Data Principal for the purpose of exercising rights in the event of death or incapacity — Section 14(d)
You cannot file if your grievance relates to personal data that has been anonymised (and is therefore no longer personal data under the Act), or if the processing falls under the exemptions in Section 17 (processing by the State for national security, sovereignty, public order, prevention of offences, or processing necessary for enforcement of legal rights).
Documents you will need
Mandatory documents
- Identity proof — Aadhaar card, PAN card, or passport to establish your identity as the Data Principal whose data is at issue
- Evidence of the data processing violation — Screenshots, emails, app notifications, or other records showing how your personal data was collected, processed, shared, or misused without valid consent or in violation of the Act
- Copy of prior grievance to the data fiduciary — Written proof that you approached the data fiduciary's grievance redressal mechanism first (email, complaint form submission, portal complaint ID, or written letter with acknowledgment)
- Response from the data fiduciary (or proof of non-response) — The data fiduciary's reply to your grievance, or evidence that no response was received within the prescribed timeline (typically 30 days)
- Details of the data fiduciary — Full name, registered address, website, and contact details of the entity that processed your data
Additional documents (if applicable)
- Consent records — Any consent forms, privacy notices, or terms and conditions you were presented with at the time your data was collected, if you are alleging invalid or missing consent
- Evidence of harm suffered — If you suffered financial loss, reputational damage, or other harm due to the data processing violation, include supporting documentation (bank statements, correspondence, medical records as applicable)
Step-by-step process
Step 1: Identify the data fiduciary and the nature of the violation
Determine which organisation (the data fiduciary) collected or processed your personal data, and identify the specific violation. Common violations include: processing personal data without valid consent (Section 6), failure to provide a clear and itemised privacy notice (Section 5), failure to erase data upon withdrawal of consent (Section 12(3)), sharing personal data with third parties beyond the stated purpose, and failure to implement reasonable security safeguards leading to a data breach.
- Where: Review the privacy policy of the app, website, or service that collected your data — this is typically found on their website or in the app settings
- Form: Not applicable
- Fee: Free
Tip: Under Section 11, you have the right to access a summary of your personal data and the processing activities being carried out on it. Under Section 12, you have the right to correction, completion, updating, and erasure of your personal data. Under Section 13, you have the right to nominate another person to exercise your rights in the event of your death or incapacity. Know your rights before filing.
Step 2: Exercise your rights by sending a formal request to the data fiduciary
Before filing a complaint with the Data Protection Board, you must first approach the data fiduciary directly. Send a written request to the data fiduciary's designated grievance officer or consent manager (once operational) exercising your rights under the Act. Clearly state what you are requesting: access to your data, correction, erasure, or an explanation of how your data is being processed.
- Where: Email to the data fiduciary's grievance officer (contact details should be in their privacy policy) or through their designated grievance portal
- Form: No prescribed form — write a clear letter or email
- Fee: Free
Tip: State your full name, the account or service you use, the specific data concerned, and the exact relief you seek. Send via email and retain proof of delivery.
Step 3: Wait for the data fiduciary's response
The data fiduciary is required to respond to your grievance within the time period published in their grievance redressal policy, which cannot exceed 30 days under the DPDP Rules. If the data fiduciary resolves your complaint satisfactorily, no further action is needed. If they fail to respond within 30 days, or if their response is unsatisfactory, you have grounds to approach the Data Protection Board.
- Where: Not applicable — waiting period
- Form: Not applicable
- Fee: Free
Tip: Mark your calendar for the 30-day deadline. If you receive a response that partially addresses your grievance but does not fully resolve it, respond in writing explaining what remains unresolved. This written trail strengthens your complaint to the Board.
Step 4: Prepare your complaint for the Data Protection Board
Compile all documentation chronologically: your initial request, the data fiduciary's response (or evidence of non-response), evidence of the violation, and a clear statement of the relief sought.
- Where: Your own preparation
- Form: The Board prescribes the complaint format (digital submission)
- Fee: Free
Tip: Ensure all documents are in digital format (PDF, JPEG). Prepare a concise summary (one to two pages) laying out the facts, the violation, and the relief sought.
Step 5: File the complaint with the Data Protection Board of India
Submit your complaint to the DPBI through their digital submission mechanism. The Board functions as a fully digital adjudicatory body — complaints are filed electronically, hearings are conducted via video conference, and orders are issued digitally.
- Where: Data Protection Board of India digital portal (accessible via meity.gov.in)
- Form: Prescribed complaint form (digital submission)
- Fee: Free (expected)
Tip: Check the Board's latest notifications on meity.gov.in for the most current filing procedures, as the portal interface may be updated as additional phases are operationalised.
Step 6: Board examines the complaint and conducts inquiry
The Board examines whether a prima facie case exists. If satisfied, it issues a notice to the data fiduciary. Both parties submit written responses and evidence electronically. The Board may conduct hearings via video conference.
- Where: Data Protection Board of India — proceedings are entirely digital
- Form: Response to Board notices (prescribed format)
- Fee: Free
Tip: Respond promptly to Board communications. Ensure your contact email and mobile number are current. If you have a legal representative, provide their details at the time of filing.
Step 7: Board issues order — including potential penalties
After completing the inquiry, the Board issues an order. The Board may direct the data fiduciary to take corrective measures, cease the violating processing activity, or pay monetary penalties. The penalty amounts under Section 33 and the Schedule to the Act are:
- Failure to take reasonable security safeguards resulting in a data breach: up to ₹250 crore
- Failure to notify the Board and affected Data Principals of a data breach: up to ₹200 crore
- Non-fulfilment of obligations in relation to children's data: up to ₹200 crore
- Non-fulfilment of additional obligations by Significant Data Fiduciary: up to ₹150 crore
- Breach of any other provision: up to ₹50 crore
- Where: Board's digital platform — order issued electronically
- Form: Order of the Data Protection Board
- Fee: Not applicable
Tip: Board orders are enforceable. If dissatisfied, appeal to the Telecom Disputes Settlement and Appellate Tribunal (TDSAT) under Section 29 within the prescribed limitation period.
Fees and costs
| Item | Amount | Payment Method |
|---|---|---|
| Grievance to data fiduciary | Free | Not applicable |
| Filing complaint with DPBI | Free (expected) | Digital portal |
| Legal representation (optional) | ₹5,000-50,000 | Direct to advocate |
| Appeal to TDSAT (if needed) | As prescribed by TDSAT rules | TDSAT portal |
| Total estimated cost (self-filing) | ₹0 | |
How long does it take
| Stage | Statutory Timeline | Realistic Timeline |
|---|---|---|
| Grievance to data fiduciary | Response within 30 days (maximum) | 7-30 days |
| Preparing complaint for Board | Not applicable | 3-7 days |
| Filing complaint with Board | Immediate (digital) | Immediate |
| Board's preliminary examination | No fixed statutory timeline | 15-30 days (estimated) |
| Notice to data fiduciary and response | As directed by Board | 30-60 days (estimated) |
| Inquiry and hearing | As scheduled by Board | 30-90 days (estimated) |
| Board's final order | No fixed statutory timeline | 60-180 days from filing (estimated) |
| Total end-to-end | No composite statutory deadline | 3-9 months (estimated) |
Note: Real-world timelines are still emerging as the Board became operational in November 2025. Estimates may evolve as case volume increases.
Can you do this online?
Yes — the entire complaint process is designed to be digital-first. The DPDP Act and Rules explicitly establish the Data Protection Board as a "digital office" where all proceedings are conducted electronically.
- Send your initial grievance to the data fiduciary via email or their online grievance portal
- Wait for response (up to 30 days)
- If unresolved, access the DPBI digital filing portal
- Submit your complaint electronically with all supporting documents in digital format
- Receive acknowledgment digitally
- Participate in hearings via video conference if required
- Receive the Board's order electronically
No physical appearance at any office is required at any stage. The Board's proceedings, including hearings, evidence submission, and order issuance, are all conducted through digital means.
What if things go wrong
Problem: The data fiduciary does not have a grievance redressal mechanism or does not respond
Solution: If the data fiduciary has no published grievance mechanism, or if they fail to respond within 30 days, this itself constitutes a violation. Document the absence of a grievance mechanism (screenshot their website, privacy policy, and contact pages) and proceed directly to the Data Protection Board. The failure to establish a grievance mechanism is a non-compliance matter that the Board can address.
Problem: The data fiduciary claims your request falls under an exemption
Solution: Certain processing activities are exempt under Section 17 — processing by the State for national security, sovereignty, public order, or crime prevention, and processing for research or statistical purposes. Request the data fiduciary to specify the exact exemption and how it applies. If you disagree, escalate to the Board, which has authority to determine whether an exemption validly applies.
Problem: You are unsure which entity is the data fiduciary
Solution: The data fiduciary is the entity that determines the purpose and means of processing your personal data — Section 2(i). If you used a mobile app, the company that published the app is typically the data fiduciary. If your data was shared with third parties, the original collector and each subsequent processor may be separately responsible. Check the privacy policy of each service you interacted with. If multiple entities are involved, you may file separate grievances with each.
Problem: The Board's order does not provide you adequate relief
Solution: Under Section 29, any person aggrieved by an order of the Data Protection Board may appeal to the Telecom Disputes Settlement and Appellate Tribunal (TDSAT). The appeal must be filed within the prescribed limitation period. TDSAT has the power to confirm, modify, or set aside the Board's order. Beyond TDSAT, you may challenge TDSAT's order before the Supreme Court of India on a question of law.
Problem: The DPBI digital filing portal is not yet fully operational for your specific complaint type
Solution: If the Board's portal does not yet support your specific complaint type, send a written complaint to the Board's official email address (as published on meity.gov.in notifications). As additional phases are operationalised through 2026 and 2027, the portal functionality is expected to expand.
State-specific differences
This is a central government process — the Digital Personal Data Protection Act, 2023 is a parliamentary law that applies uniformly across all states and Union Territories. The Data Protection Board of India is a central body headquartered in the National Capital Region with jurisdiction over the entire country.
There are no state-specific variations in the complaint process, filing mechanism, or applicable penalties. The Board's digital-first approach means that geographic location is irrelevant — a Data Principal in any state can file a complaint and participate in proceedings from anywhere in India.
Some states have their own IT policies and data governance frameworks, but these do not override the DPDP Act. Where state law and the DPDP Act overlap, the central Act prevails.
Frequently asked questions
What is the difference between a Data Principal and a Data Fiduciary?
A Data Principal is the individual whose personal data is being processed — you. A Data Fiduciary is the entity that determines the purpose and means of processing your data — Section 2(i). You own the data; the fiduciary is responsible for handling it lawfully.
What rights do I have as a Data Principal under the DPDP Act?
You have the right to: (a) access a summary of your data and processing activities (Section 11); (b) correction and updating of inaccurate data (Section 12); (c) erasure upon withdrawal of consent (Section 12(3)); (d) grievance redressal (Section 13); and (e) nominate someone to exercise your rights upon death or incapacity (Section 14).
Can I withdraw consent that I previously gave?
Yes. Under Section 6(6), you have the right to withdraw consent at any time with the same ease with which consent was given. Withdrawal of consent does not affect the legality of processing done prior to withdrawal. Upon withdrawal, the data fiduciary must cease processing your data and erase it within a reasonable period, unless retention is required by law.
Does the DPDP Act apply to foreign companies processing Indian data?
Yes. Under Section 3(b), the Act applies to processing outside India if connected with offering goods or services to Data Principals in India, or profiling Data Principals in India. Global technology companies and platforms serving Indian users are covered.
What is a Significant Data Fiduciary and why does it matter?
A Significant Data Fiduciary (SDF) is designated by the Central Government under Section 10 based on data volume, sensitivity, and risk factors. SDFs have additional obligations: appointing a Data Protection Officer in India, conducting Data Protection Impact Assessments, and undergoing independent audits. Complaints against SDFs may receive heightened scrutiny from the Board.
Are there duties on Data Principals too?
Yes. Section 15 requires Data Principals not to file false or frivolous complaints, not to furnish misleading information, and not to impersonate others while providing personal data. Breach attracts a penalty of up to ₹10,000.
This guide is part of Veritect's Legal Procedure Guides, a step-by-step reference for common Indian legal processes. Last updated: 2026-03-27. This content is for informational purposes and does not constitute legal advice.