DPDP Rule 12 (2025)

Exercise of Principal Rights

Paraphrased legal text

A Data Fiduciary shall provide a means for the Data Principal to exercise their rights, respond within a reasonable period, and where a request is refused, communicate the refusal with the reasons therefor.

What this means in plain English

  • You must publish how a principal can exercise rights.
  • Acknowledge within a reasonable period.
  • If you refuse a request, you must state the legal reasons in writing.
  • The Rights Manager module enforces this end-to-end.

Penalty if you get this wrong

Up to ₹50 crore — grouped under principal-rights obligations.

How ProtectComply solves it

Rights Manager (DSR)

  • Refusal blocked at the API layer unless the reason field is populated
  • AI response drafter pre-fills lawful refusal language
  • SLA timers per request type with escalation

Related

  • DPDP §11 — Right to Access, Correction, Erasure
  • DPDP Rule 13 (2025) — Grievance Resolution Timeline