What is a DSR? Data subject requests under India's DPDP Act explained
Date Published
A data subject request, or DSR, is how an individual asks an organisation to act on their personal data: show it, correct it, or erase it. In India, the label carries a catch. The DPDP Act never uses the term data subject. It uses data principal, so what you actually handle is a data principal request, and the data principal rights behind it are a defined, India-specific set. Privy's data principal rights management is built to run that workflow end-to-end. This guide explains what a DSR, more precisely a data subject access request or DSAR, covers under Indian law, the timelines that apply, and how the rights differ from the GDPR.
DSR, DSAR, Or Data Principal Request?
The terms get used interchangeably, so it helps to line them up against the core principles of the DPDP Act. A DSR is the umbrella: any data subject request to exercise a privacy right. A data subject access request, or DSAR, is the specific request to see your data, the most common DSR. Both data subject requests and DSAR come from the GDPR, which calls the individual a data subject. Indian law reframes the same idea around the data principal and the data fiduciary, the organisation that decides why and how data is processed. So an Indian customer filing a DSAR is, in legal terms, a data principal exercising data principal rights. Same workflow, Indian vocabulary. Read every DSR and DSAR in this guide as a data principal request.
The Rights A DSR Can Exercise Under The DPDP Act
Chapter III gives the data principal four rights, plus the power of consent withdrawal. A single data principal request can invoke any of them.
- Right to access information (Section 11): a summary of the personal data being processed, the processing activities, and the data fiduciaries and processors it has been shared with. This is the DSAR in Indian form.
- Right to correction and erasure (Section 12): correct, complete, or update data, and erase it once the purpose ends. This is India's version of the right to erasure, the one users search for as the right to be forgotten in India.
- Right of grievance redressal (Section 13): raise a complaint about processing, or about how a data subject's request was handled.
- Right to nominate (Section 14): name someone to exercise these data principal rights on death or incapacity.
Separately, Section 6 gives a consent withdrawal right: withdraw consent as easily as it was given, without undoing processing already done lawfully.
What A DPDP DSR Does Not Include
GDPR templates mislead here because Indian data subject rights are narrower than the GDPR's. Under the DPDP Act and Rules, a data principal cannot demand data portability. There is no standalone right to object to or restrict processing, and no specific right against automated decisions. The Indian list stays at access, correction, erasure, grievance, and nomination. For a privacy team, that means two things. You do not need portability export tooling to honour a DSAR. And you should not advertise data subject rights in your notice that the law does not grant, because promising rights you cannot fulfil only generates grievances, and grievance redressal is itself a data principal right.
How A Data Principal Makes A Request
Under the Rules, a data principal exercises these rights by sending a data principal request to a data fiduciary they already deal with, using the channel and identifying details the fiduciary publishes. They can also route a DSAR through a registered consent manager acting as one point of contact. Two consequences follow. First, the privacy team or DPO chooses and publishes the request channel, a portal, an email, or a form, plus the particulars needed to verify the person. Second, your consent notice has to carry that channel. A data subject request nobody can find is a right you have not really granted, and an unfounded DSAR becomes a grievance fast.
Timelines And What You Must Publish
The DPDP regime sets no fixed GDPR style 30 day clock for every data principal request. It works differently, as the DPDP Act FAQs on rights and revocation lay out. The Rules require every data fiduciary and consent manager to publish the period within which it will respond under its grievance redressal system, and that period cannot exceed 90 days. You also have to put the measures in place to meet it. If a grievance goes unresolved, the data principal can escalate to the Data Protection Board of India, so the published timeline is the standard by which a DSAR will be measured.
Frivolous Requests And The Data Principal's Duties
A data subject request does not run only one way. Section 15 places duties on the data principal too: no false or frivolous requests, no impersonation, no suppression of material facts. A data principal who abuses the grievance process can face a penalty. Operationally, you can decline a clearly fraudulent or frivolous DSAR, but you need the audit trail to prove why. Identity verification plus a logged decision are what separate a defensible refusal from a data principal rights violation.
What This Means Before May 2027
Data principal rights take effect with the substantive DPDP obligations on 13 May 2027. The hard part is not the policy; it is fulfilment at volume. To answer an access or right to erasure request, you have to locate every copy of one person's data across systems, act on it, and prove you did. At a consumer bank, a single data subject request can touch dozens of databases and vendor systems, which is why a DPDP readiness checklist for banks treats rights fulfilment as core, and why teams comparing tools study the DPDP platforms and privacy automation tools landscape before committing.
To turn every data principal request into a tracked process rather than a fire drill, see Privy's consent and rights governance solution and the data principal rights management platform, or explore the full stack at Privy by IDfy. When the Board asks whether a data principal can actually exercise their data principal rights with you, the answer should already sit in a system.
FAQ’s
Is a DSR the same as a data principal request?
In India, yes. A DSR, or data subject request, is the global term. The DPDP Act uses the term " data principal, so the legal term here is a data principal request. A DSAR (data subject access request) is a type of access to DSR.
What rights can a DSAR cover under the DPDP Act?
Four data principal rights: access (Section 11), correction and erasure (Section 12), grievance redressal (Section 13), and nomination (Section 14). Where processing is consent-based, the person can also use consent withdrawal under Section 6.
Does the DPDP Act include data portability or a right to be forgotten?
There is no data portability right. The right to erasure, often referred to as the right to be forgotten in India, does exist under Section 12, allowing a data principal to have data deleted once its purpose ends.
How long do you have to respond to a data subject request?
There is no fixed 30-day clock. You publish your own response timeline, which for grievance redressal, cannot exceed 90 days, and unresolved grievances can be escalated to the Data Protection Board.
Can you refuse a DSAR?
You can decline a false, fraudulent, or frivolous data principal request, since Section 15 places duties on data principals. Keep identity verification and a logged reason so the refusal is defensible.
Learn what RBI compliance for banks and RBI compliance for NBFCs requires under the Digital Personal Data Protection Act 2025 and India’s evolving regulatory framework of corporate governance in India.
Planning your FY 2026–27 budget? Here’s a strategic guide to DPDP compliance costs from data discovery and data intelligence to managing sensitive information and consent governance