28 Jul 2025

Right-to-Information-Through-Data-Subject-Access-Requests

Empowering Individuals: The Right to Information Through Data Subject Access Requests

~Sura Anjana Srimayi


Introduction

In today’s digital landscape, personal data is a powerful asset—driving business models, shaping consumer behavior, and influencing policy decisions. However, the large-scale collection and processing of such data also raise critical concerns around privacy, transparency, and individual autonomy.

This is where the concept of the Data Subject Access Request (DSAR) becomes vital. A DSAR empowers individuals to request and obtain details about the personal data organizations hold about them. It is a mechanism to audit data usage, detect misuse, and ensure responsible data handling. Around the world, DSARs are a cornerstone of modern data protection laws, encouraging transparency, compliance, and user control in an increasingly data-driven world.


I. Understanding Data Subject Access Requests (DSARs)

At its core, a DSAR is a formal request made by an individual to a data controller (usually an organization), seeking access to their personal data and information about how it is being used. It is a key instrument for enforcing the right to privacy.

A. What Can Be Requested in a DSAR?

When an individual files a DSAR, the organization must provide clear, comprehensive responses covering:

  1. Confirmation of Processing – Whether the organization is processing the person’s data at all.

  2. Purpose of Processing – Why the data is being collected and used.

  3. Categories of Personal Data – What types of data are stored (e.g., name, contact info, browsing history, financial data).

  4. Data Recipients – With whom the data has been shared (e.g., vendors, affiliates).

  5. Retention Period – How long the data will be stored.

  6. Source of Data – Where the organization obtained the data.

  7. Automated Decision-Making – If decisions (such as profiling or loan approval) are made through algorithms, individuals can seek explanations.

B. Why DSARs Matter

  1. Enhances Transparency – Individuals understand how their data is being handled.

  2. Promotes Accountability – Organizations are compelled to maintain robust, ethical data practices.

  3. Improves Data Accuracy – Users can correct, update, or delete inaccurate data.

  4. Detects Misuse – Individuals can spot unauthorized or unexpected uses of their data.

  5. Enables Further Rights – DSARs often precede other rights like data rectification, erasure, or portability.


II. India’s Data Rights Revolution: The DPDP Act, 2023

Historically, India lacked a comprehensive data protection framework, relying on outdated provisions in the Information Technology Act, 2000. That changed with the enactment of the Digital Personal Data Protection Act, 2023 (DPDP Act)—India’s first full-fledged data protection legislation.

Although the DPDP Act doesn’t explicitly use the term “DSAR,” it introduces the “Right to Access Information” under Section 11, which effectively mirrors DSAR rights under global laws like the GDPR.

A. Key Provisions Under the DPDP Act, 2023

  1. Right to Access Information (Section 11)
    A Data Principal (the individual) can demand from the Data Fiduciary (the organization):

    • A summary of processed personal data and its purposes.

    • Details of third parties with whom the data was shared.

    • Any additional information as may be prescribed by future regulations.

  2. Right to Correction and Erasure (Section 12)
    Data Principals can request correction or deletion of incorrect, outdated, or unnecessary data.

  3. Right to Grievance Redressal (Section 13)
    Organizations must provide accessible grievance redress mechanisms. If unsatisfied, individuals can approach the Data Protection Board of India (DPBI) for formal resolution.

  4. Right to Nominate
    Individuals can appoint someone to exercise their data rights on their behalf in case of death or incapacity.


B. Implications of the DPDP Act in India

1. For Organizations (Data Fiduciaries)

  • Mandatory DSAR Handling Mechanisms
    Organizations must set up processes—both manual and automated—for receiving, validating, and fulfilling DSARs within a reasonable time frame.

  • Detailed Recordkeeping
    To comply with access requests, companies need proper data mapping, storage tracking, and disclosure logs.

  • Transparent Privacy Notices
    Prior to collecting data, entities must inform users in simple language about data types collected, purposes, and user rights.

  • Security Obligations
    Entities must implement reasonable safeguards to prevent breaches and ensure the integrity of user data.

2. For Individuals (Data Principals)

  • Active Participation in Data Governance
    For the first time, Indian users can demand full clarity about their digital data footprints.

  • Control and Empowerment
    Individuals can now actively track, correct, or delete their data, shifting the power dynamic from data holders to data subjects.

  • Awareness of Data Sharing Networks
    DSARs shed light on the often-hidden data ecosystems by revealing data sharing with third parties.

  • Accessible Legal Remedies
    The DPBI provides a direct legal forum to address violations and enforce user rights without cumbersome court proceedings.


III. Sector-Specific Impact of DSAR Implementation

  1. Banking & FinTech
    Must balance consent, security, and customer access. Data accuracy is essential for services like credit scoring or KYC.

  2. E-Commerce & Social Media
    Platforms collecting behavioral data for ads and profiling face increased responsibility, especially regarding children’s data.

  3. Healthcare Sector
    Entities managing medical records and diagnostics need strong privacy protocols, clear consents, and DSAR readiness.

  4. IT & Cloud Services
    Companies must audit systems, contracts, and infrastructure to align with the DPDP compliance mandates.

  5. Non-Compliance Risks
    Penalties can be severe—up to ₹250 crore—for failing to comply with DSAR or related obligations. Organizations must invest in compliance to avoid reputational and financial damage.


Conclusion

The Data Subject Access Request, enshrined in India’s DPDP Act, 2023 as the "Right to Access Information," symbolizes a seismic shift in digital governance. It is not merely a statutory right but a powerful enabler of digital citizenship, placing real control in the hands of individuals.

For organizations, the era of unchecked data hoarding is over. Compliance is now not just a legal duty but also a strategic opportunity—to build trust, ensure ethical data practices, and foster long-term brand credibility.

While challenges in execution are inevitable, the benefits of an empowered, privacy-conscious society far outweigh the costs. In a world where data is currency, transparency is the new trust—and DSARs are the tools that mint it.