Confidential Dispatch

Data Principal rights request template (access / correction / nomination)

5 min readUpdated 2026-07-18
On this page
  1. 01What this template is (and when to use it)
  2. 02The template — copy and fill in
  3. 03How to fill it in
  4. 04What this template doesn’t cover
  5. 05FAQ
At a glance

This is a free, ready-to-fill request for exercising your data rights with any company under India’s DPDP Act — to see what personal data it holds about you and what it’s done with it, to correct what’s wrong or incomplete, or to nominate someone to act for you. Keep the parts that match your request, delete the rest, and send it to the company’s grievance or privacy contact with the identifier it knows you by. For deletion specifically, use the dedicated erasure template instead.

Educational resource only. This provides a template for exercising Data Principal rights under India’s Digital Personal Data Protection Act, 2023 (DPDP Act) and its Rules; it is not formal legal advice.

The situation

The DPDP Act gives you rights most people never use — not because companies refuse, but because nobody knows what to write. “What do you have on me?” sent to a support inbox goes nowhere. A precise request — the right recipient, the right identifier, the specific right being exercised — is hard to misfile and easy to act on. This template is that request, in three optional parts.

What this template is (and when to use it)

One letter, three rights — use whichever parts your situation needs. The DPDP Act lets you ask any Data Fiduciary for a summary of your personal data and what’s been done with it (Section 11), have inaccurate or incomplete data corrected, completed or updated (Section 12), and nominate a person to exercise your rights if you can’t (Section 14). These rights attach to data processed on the basis of your consent, including data you provided voluntarily for a purpose — which covers most of what apps and businesses hold about you. Companies must publish how to reach them for such requests and which identifiers they need; find that contact in the app, site or privacy policy, and send this there.

The template — copy and fill in

Copy everything below, keep the numbered parts that apply, replace the bracketed fields, and delete what doesn’t.

Subject: Data Principal rights request — [Your full name]

To: The Grievance Officer, [Company / service name]

I am a user of [service], identifiable in your records by [identifier]. I am exercising my rights under the Digital Personal Data Protection Act, 2023.

1. Access (Section 11). Please provide: (a) a summary of the personal data you hold about me; (b) a summary of the processing activities you have carried out on it; and © the identities of all Data Fiduciaries and Data Processors with whom it has been shared, with a description of what was shared.

2. Correction (Section 12). The following personal data in your records is inaccurate or incomplete: [what is wrong]. Please correct/complete/update it to: [what it should be]. Please also ensure the correction reaches any processors or third parties holding this data on your behalf.

3. Nomination (Section 14). I nominate [nominee’s full name], reachable at [nominee contact], to exercise my rights under the Act on my behalf in the event of my death or incapacity.

Please respond within your published response time. I understand the DPDP Rules require a response within 90 days at most. If this request is not resolved, I will escalate it as a grievance and, if necessary, complain to the Data Protection Board of India.

[Your full name] [Date] [Contact email / phone]

How to fill it in

Keep only the numbered parts you’re using — a request for everything at once is slower than a request for the thing you need. Send it from the email or number the company has on record; that answers most identity-verification questions on its own.

  • [Company / service name] — and its Grievance Officer
    • What it means: Companies must name a grievance contact; the request goes there, not to general support.
    • Examples: The “Grievance Officer” or privacy contact named in the app’s help section or privacy policy.
  • [identifier]
    • What it means: Whatever the company knows you by — companies must state which identifiers they need to locate your record.
    • Examples: Registered mobile number, account email, customer ID.
  • [what is wrong] / [what it should be]
    • What it means: The specific inaccurate field and its correct value — precision here is what makes correction fast.
    • Examples: “My address is outdated — the current one is…”; “My name is misspelled as X — it is Y.”
  • [nominee’s full name], [nominee contact]
    • What it means: The person you’re authorising to act for you under the Act, and how the company can verify and reach them.
    • Examples: A spouse, adult child or sibling, with their email or phone.

What this template doesn’t cover

Erasure has its own template, and some data sits outside these rights. For deleting your data, use the dedicated data-deletion request template — erasure has its own mechanics (consent withdrawal, retention exceptions) worth handling precisely. These rights also attach to consent-based processing: data a company processes under a legal obligation or another defined ground may fall outside an access or correction request’s strict scope, though the company’s grievance channel remains open for everything. And a nomination made by letter is only as good as the company’s records — for critical accounts, also use any in-app nomination feature the service offers.

FAQ

What exactly can I ask a company to show me?

A summary of the personal data it holds about you, a summary of what processing it has done, and who your data has been shared with — that’s the access right (Section 11). It’s a summary you’re owed, not a forensic export of every log.

How long does the company have to respond?

The DPDP Rules cap responses at 90 days; many companies publish shorter timeframes, which then bind them. A dated, written request starts the clock cleanly.

Can I use this if the company runs on “legitimate use” rather than my consent?

The access and correction rights formally attach to consent-based processing (including data you volunteered). For other data, the company’s grievance route is still open — and most consumer relationships run on consent anyway.

What if the company just ignores it?

Escalate through its own grievance process — the Act expects that first step — and then complain to the Data Protection Board of India, taking your dated request and the silence with you.

Reviewed by Confidential Dispatch Editorial Team
Last updated 18 July 2026
Not legal advice.

Collecting personal data from your own customers?

These are the rights your business has to honour. See where you stand with a two-minute self-check — no sign-up, no data stored.

Run the compliance self-check →