👤 Duties of Data Principals (Unique to DPDP)
Unlike GDPR, the DPDP Act places specific duties on Data Principals — the individuals whose data is being processed. This is one of the most novel and discussed aspects of the law. While penalties for breach of these duties are relatively low (Rs 10,000), the concept itself signals that data protection is a two-way responsibility. As a consultant, you should be aware of these duties to advise your clients properly and to include them in privacy notices.
Comply with applicable laws when exercising rights
Section 15(a)Data Principals must follow all applicable laws when exercising their rights under the DPDP Act. They cannot misuse their data protection rights for illegal purposes.
Penalty: Up to Rs 10,000 (approx. USD 120)
Do not file false or frivolous complaints
Section 15(b)Data Principals must not file complaints with the Data Protection Board that are false, frivolous, or vexatious. This protects organisations from being harassed with meritless complaints.
Penalty: Up to Rs 10,000 (approx. USD 120)
Do not furnish false information or suppress material information
Section 15(c)When providing personal data to a Data Fiduciary or when communicating with the Data Protection Board, the Data Principal must not provide false or misleading particulars or suppress material information.
Penalty: Up to Rs 10,000 (approx. USD 120)
Do not impersonate another person when providing data
Section 15(d)A Data Principal must not impersonate another person while providing their personal data for a specified purpose. This addresses identity fraud at the point of data collection.
Penalty: Up to Rs 10,000 (approx. USD 120)