Section 15: Duties of Data Principal

Chapter: Rights and Duties of Data Principal

Maximum Penalty: Up to ₹10,000

Direct Answer

Section 15 of India's DPDP Act 2023 (Duties of Data Principal) data Principals must not suppress material information or file false or frivolous complaints. It applies to data principals exercising rights; fiduciaries documenting misuse. Non-compliance can attract penalties up to ₹10,000. Organisations should document controls, maintain audit evidence, and review this obligation before full enforcement expected from May 2027.

Overview

Data Principals must not suppress material information or file false or frivolous complaints.

Key Points of Section 15

• Data Principals must provide accurate information
• Must not file false or frivolous complaints
• Penalty up to ₹10,000 for duty breaches

Who This Applies To

Data Principals exercising rights; fiduciaries documenting misuse

Compliance Action Steps

1. Include duty awareness in notices
2. Flag frivolous complaints
3. Maintain evidence of false submissions

Practical Examples

1. A telecom customer requests a summary of profiling data held by the operator — Section 11 requires a readable response within your internal SLA.
2. A marketplace buyer asks to erase an old delivery address — Section 12 triggers cascading deletion across CRM, logistics, and analytics copies.
3. An unresolved support ticket escalates to the Data Protection Board — Section 13 grievance workflow must show acknowledgment and resolution timestamps.

Statutory Text

Duties of Data Principal. 15(a)-(c): Comply with law; no impersonation; no suppressing material facts for government documents. 15(d)-(e): No false/frivolous complaints; furnish verifiably authentic correction/erasure information.

Source: Digital Personal Data Protection Act, 2023 (No. 22 of 2023), Gazette of India, Extraordinary, Part II—Sec. 1, 11 Aug 2023. Operative excerpts for reference; official Gazette text prevails.

Legal Provisions and Compliance Guidance

Section 15 — Duties of Data Principal (Chapter: Rights and Duties of Data Principal)

Statutory overview

Data Principals must not suppress material information or file false or frivolous complaints.

Plain-English requirements

1. Data Principals must provide accurate information

2. Must not file false or frivolous complaints

3. Penalty up to ₹10,000 for duty breaches

Operational implications for Indian organisations

Data fiduciaries and processors should translate Section 15 into concrete controls: update privacy notices, train staff, adjust product flows, and maintain evidence that demonstrates compliance during audits or Board inquiries. Map this section to your Record of Processing Activities (RoPA) and link each control to an owner, review date, and evidence repository. Product managers should embed privacy-by-design checkpoints in sprint reviews; security teams should align SOC monitoring with obligations that carry penalty exposure; and legal teams should track DPBI guidance that interprets ambiguous phrases in the statute.

Relationship to DPDP Rules 2025

The DPDP Rules 2025 notified in January 2025 provide operational detail for many Chapter obligations — including timelines, formats, and registration requirements. Monitor Central Government notifications and DPBI guidance for sector-specific interpretations that refine how Section 15 is enforced. Rule updates may introduce new forms, registration portals, or technical standards that supersede informal industry practice — subscribe to official Gazette notifications rather than relying solely on vendor marketing materials.

Sector-specific considerations

Rights-management workflows affect every consumer-facing brand. Telecom operators, super-apps, and loyalty programmes receive high volumes of access and erasure requests under Sections 11–15.

Implementation playbook

1. Launch a Data Principal rights portal.
2. Map data locations for access and erasure.
3. Define grievance SLAs.
4. Support nomination registration.
5. Log every rights request with timestamps.

Related provisions

Section 15 should be read alongside Section 13, Section 14, Section 16. Indian compliance programmes typically map these sections together in privacy impact assessments, vendor due diligence questionnaires, and board reporting packs. Cross-referencing prevents siloed fixes — for example, improving consent under Section 6 without updating notice under Section 5 leaves residual regulatory risk.

Documentation and evidence

Maintain version-controlled policies, system logs, consent records, training attendance, and DPIA outputs that reference Section 15. During a Data Protection Board inquiry, documented good-faith compliance efforts can influence remedial directions and penalty outcomes. Evidence should be tamper-evident where possible — immutable consent logs, WORM storage for audit trails, and timestamped policy approvals strengthen your position.

Financial exposure: The Act's penalty schedule links violations of this section to fines Up to ₹10,000. The Data Protection Board of India (DPBI) will consider severity, duration, intent, and remediation when determining penalties. Proportionate penalties mean startups and MSMEs are not automatically capped at the statutory maximum, but repeated or negligent breaches increase exposure significantly.

Audit and Board inquiry preparedness for Section 15

When the Data Protection Board opens an inquiry, investigators typically request: (a) your privacy notice and consent records tied to duties of data principal; (b) RoPA entries referencing Section 15; (c) training records for staff handling relevant workflows; (d) technical evidence such as access logs, encryption configurations, or deletion confirmations; and (e) correspondence with Data Principals on related rights requests. Proactively assemble a section-specific evidence bundle quarterly. Data Principals must provide accurate information; Must not file false or frivolous complaints. Platforms like Complynz automate control mapping and evidence collection so legal teams can respond to DPBI requests within days rather than weeks.

Enforcement timeline

The Act passed in August 2023. DPDP Rules were notified in November 2025. Consent Manager registration opens November 2026. Full operational enforcement is expected from May 2027 — organisations should complete gap remediation before that date. Early movers gain competitive advantage with enterprise buyers and government tenders that increasingly require demonstrable DPDP readiness.

Frequently Asked Questions

What does DPDP Act Section 15 require?

Section 15 (Duties of Data Principal) requires that data Principals must not suppress material information or file false or frivolous complaints. It applies to data principals exercising rights; fiduciaries documenting misuse.

Who must comply with Section 15 of the DPDP Act?

Data Principals exercising rights; fiduciaries documenting misuse

What is the compliance deadline for DPDP Section 15?

DPDP Rules 2025 introduced a phased 18-month implementation window. While some provisions are being rolled out from 2025–2026, full enforcement with DPBI penalty powers is expected from May 2027. Organisations should implement Section 15 controls before that date.

What penalty applies for violating DPDP Section 15?

Violations related to Section 15 can attract financial penalties Up to ₹10,000 under the DPDP Act penalty schedule, depending on breach severity and Board assessment. The DPBI considers factors including duration of non-compliance, number of Data Principals affected, whether the breach was intentional, and remedial steps taken before or after discovery.

How do I implement DPDP Section 15 in my organisation?

Start with a gap assessment mapping Section 15 requirements to your current privacy programme, product flows, and vendor contracts. Assign an internal owner, implement missing controls, document evidence in a central repository, and schedule quarterly reviews. Automated GRC platforms reduce manual effort and help maintain continuous compliance as rules evolve.

Does Section 15 apply to startups and small businesses in India?

Yes, unless a specific exemption notification applies to your organisation class. Section 15 (Duties of Data Principal) applies to data principals exercising rights; fiduciaries documenting misuse. Startups may receive targeted exemptions under Section 17, but core obligations around consent, security, and rights typically remain. Budget-constrained teams should prioritise high-penalty sections first.

How does Section 15 relate to GDPR or other global privacy laws?

Section 15 is India's standalone requirement under the DPDP Act 2023. Organisations already GDPR-compliant must still map DPDP-specific obligations — consent standards, DPBI enforcement, penalty caps, and Rules 2025 timelines differ from EU law. Apply the higher protection standard where laws overlap and maintain separate India-specific documentation.

Suggested Next Step

DPDP Guide — Share plain-language duty summaries in your privacy communications.

Back to Complete DPDP Guide