Right to Access Information
Introduction: The Foundation of Data Rights
The right to access personal data is the cornerstone of all data protection frameworks globally. Without knowing what data an organization holds about you, how can you exercise any other right? It's akin to asking someone to fix a problem when you don't know what the problem is.
In the philosophical tradition of John Locke, who argued that property rights begin with knowledge of what one owns, the right to access information about one's personal data is the prerequisite for all other data rights. DPDPA 2023 recognizes this fundamental truth in Section 11.
As a data protection lawyer, you will frequently encounter situations where clients don't know what data organizations hold about them. Section 11 is your first tool – it empowers your client to demand transparency before taking any further action. Master this, and you've unlocked the gateway to all other remedies.
The Statutory Framework: Section 11 DPDPA
"The Data Principal shall have the right to obtain from the Data Fiduciary to whom she has previously given consent... upon making to it a request in such manner as may be prescribed –
(a) a summary of personal data which is being processed by such Data Fiduciary and the processing activities undertaken by that Data Fiduciary with respect to such personal data;
(b) the identities of all other Data Fiduciaries and Data Processors with whom the personal data has been shared by such Data Fiduciary, along with a description of the personal data so shared; and
(c) any other information related to the personal data of such Data Principal and its processing, as may be prescribed."
§11(1)(a): Data Summary
A comprehensive summary of all personal data being processed and the specific processing activities undertaken
§11(1)(b): Third-Party Sharing
Complete disclosure of all Data Fiduciaries and Data Processors with whom data has been shared
§11(1)(c): Additional Information
Any other prescribed information related to personal data and its processing
The Consent Prerequisite
Note the critical phrase: "to whom she has previously given consent". This is not a universal right against all data holders – it specifically applies to Data Fiduciaries with whom a consent relationship exists.
Express Consent
Where the Data Principal has actively consented to processing under Section 6
Deemed Consent
Processing covered under Section 7(a) – legitimate uses without explicit consent
Section 11(2) carves out an important exception: The right to know about third-party sharing under §11(1)(b) and additional information under §11(1)(c) does NOT apply when data has been shared with another Data Fiduciary authorised by law to obtain such data for prevention/detection/investigation of offences or cyber incidents.
DPDP Rules 2025: Implementation Framework
"For enabling Data Principals to exercise their rights under the Act, the Data Fiduciary and, where applicable, the Consent Manager, shall publish on its website or app –
(a) the details of the means using which a Data Principal may make a request for the exercise of such rights; and
(b) the particulars, if any, such as the username or other identifier, which may be required to identify her under its terms of service."
Publish Request Mechanisms
Make available on website/app the specific means by which Data Principals can submit access requests – web form, email address, dedicated portal, or other mechanism.
Specify Identification Requirements
Clearly state what information (username, account ID, mobile number) the Data Principal must provide to verify their identity.
Process Requests
Upon receiving a valid request with proper identification, process and respond within the prescribed timeframe.
Provide Comprehensive Response
Deliver all information required under §11(1)(a), (b), and (c) in an understandable format.
Practical Application Example
Situation: Priya, a customer of "ShopIndia" e-commerce platform, wants to know what personal data they hold about her after using their services for 3 years.
Action: Priya visits ShopIndia's privacy settings page and submits an access request using her registered email ID.
ShopIndia's Compliant Response Must Include:
Under §11(1)(a) - Data Summary: Personal identifiers (name, email, phone, address), transaction history (156 orders), payment information (saved card last 4 digits), browsing behavior, communication records.
Under §11(1)(b) - Third-Party Sharing: BlueDart Logistics (Processor): address, phone for delivery; PaySecure Gateway (Processor): transaction details for payment; AdTech Analytics (Fiduciary): browsing patterns for advertising.
DPDPA vs. GDPR Comparison
GDPR grants a right to obtain a "copy" of personal data, while DPDPA provides for a "summary." A summary is an overview, while a copy is the actual data. Indian law thus provides somewhat less comprehensive access than the European standard.
Relevant Case Law
(2017) 10 SCC 1 – The Privacy Judgment
Justice Chandrachud observed that the right to control one's personal data flows from informational privacy under Article 21. The judgment established that individuals must have meaningful access to understand how their data is used – a principle now codified in Section 11.
Court of Justice of the European Union, 2014
The landmark "Right to be Forgotten" case established that access rights are foundational. Without first accessing what data is held, individuals cannot meaningfully exercise their erasure rights. This principle informs DPDPA's structure where access (§11) precedes erasure (§12).
Penalty for Non-Compliance
Non-observance of obligations relating to Data Principal rights (Sections 11-14) attracts a penalty of up to ₹200 Crore under the DPDPA Schedule. The Board considers factors including nature and gravity of breach, type of data affected, repetitive nature, and mitigation efforts.