Section 11 - The Foundation of Data Principal Empowerment
Section 11 of the DPDPA establishes one of the most fundamental rights of Data Principals - the right to access information about their personal data. This right is the cornerstone of data subject empowerment because without knowing what data is held about them, how it is being processed, and who it has been shared with, Data Principals cannot effectively exercise any of their other rights. The right to access is the informational foundation upon which the rights to correction, erasure, and grievance redressal are built. If a Data Principal does not know that inaccurate data is being held, they cannot request correction. If they do not know that data is being retained beyond the purpose for which it was collected, they cannot request erasure. If they do not know the identities of the entities processing their data, they cannot direct their complaints effectively. Section 11 addresses this informational asymmetry by requiring Data Fiduciaries to provide Data Principals with a summary of their personal data and processing activities upon request. This transparency obligation is both a compliance requirement and a trust-building mechanism - organisations that respond to access requests promptly and comprehensively demonstrate their commitment to data protection and earn the confidence of their customers and users.
Scope of the Right - What Data Principals Can Request
Section 11(1) provides that a Data Principal shall have the right to obtain from the Data Fiduciary a summary of personal data that is being processed by the Data Fiduciary and the processing activities undertaken by the Data Fiduciary with respect to such personal data. This right encompasses two distinct categories of information. First, a summary of the personal data itself - the categories of data held, the specific data points within those categories, and the current state of the data. Second, a summary of the processing activities - what the Data Fiduciary is doing with the data, including collection, storage, use, sharing, and any automated processing such as profiling or decision-making. Note that the right is to a 'summary' - not necessarily a complete copy of all personal data in its raw form. This is a significant distinction from the GDPR's Article 15, which grants the right to obtain a copy of the personal data undergoing processing. The DPDPA's 'summary' approach may provide Data Fiduciaries with greater flexibility in how they present the information, but it still requires substantive disclosure that enables Data Principals to understand what data is held and how it is being used.
- Right to a summary of personal data being processed
- Right to a summary of processing activities undertaken
- The right covers both the data itself and what is being done with it
- DPDPA provides for a 'summary' rather than a complete copy of raw data
- The summary must be substantive enough to enable meaningful exercise of other rights
Right to Know Identities of Data Fiduciaries and Processors
Section 11(1) also grants Data Principals the right to know the identities of all other Data Fiduciaries and Data Processors with whom their personal data has been shared by the Data Fiduciary. This is a critical transparency requirement that addresses the reality of modern data ecosystems, where personal data flows through complex networks of controllers, processors, sub-processors, and third parties. A consumer's personal data collected by an e-commerce platform may be shared with payment processors, logistics providers, marketing analytics firms, cloud infrastructure providers, customer support outsourcers, and fraud detection services. The Data Principal has the right to know the identities of all these entities. This obligation requires Data Fiduciaries to maintain comprehensive records of data sharing - tracking every entity with which personal data has been shared, the categories of data shared, and the purposes for which it was shared. For organisations with complex data supply chains, this can be a significant operational challenge. Data mapping exercises that identify all data flows, both internal and external, are essential for compliance. The records must be maintained in a form that allows the Data Fiduciary to respond to access requests accurately and completely, without relying on manual research or guesswork.
- Data Principals can request identities of all entities their data has been shared with
- This includes both Data Fiduciaries and Data Processors in the data supply chain
- Comprehensive data sharing records must be maintained for compliance
- Data mapping exercises are essential to identify all internal and external data flows
- Records must enable accurate and complete responses to access requests
Scope and Limitations of the Right to Access
While Section 11 establishes a broad right of access, it is subject to certain practical and legal limitations. The right applies only to personal data that is 'being processed' - meaning data that is actively within the Data Fiduciary's systems and subject to processing activities. Data that has been permanently deleted or anonymised beyond re-identification is outside the scope. The right is also subject to the exceptions provided under Section 17 of the DPDPA, which exempts certain categories of processing from Data Principal rights, including processing necessary for the prevention, detection, investigation, and prosecution of offences, processing by government bodies in the interest of sovereignty and integrity, and processing for research, archiving, or statistical purposes where specific safeguards are in place. Additionally, the right must be exercised through the Data Fiduciary - Data Principals cannot bypass the Data Fiduciary and directly approach Data Processors for access, since the legal relationship and compliance obligation sits with the Fiduciary. The rules under the DPDPA may also prescribe procedural requirements for access requests, including identity verification, response timeframes, and the format in which summaries must be provided.
- The right applies only to personal data actively being processed
- Permanently deleted or anonymised data falls outside the scope
- Section 17 exemptions apply to certain categories of processing
- Access requests must be directed to the Data Fiduciary, not directly to Processors
- Rules may prescribe procedural requirements including identity verification and response timelines
Comparison with GDPR Article 15 - Subject Access Request
Section 11 of the DPDPA shares conceptual foundations with Article 15 of the EU's GDPR, which grants data subjects the right of access to their personal data. However, there are notable differences in scope and implementation. GDPR Article 15 provides the right to obtain a copy of the personal data undergoing processing - not merely a summary. It also requires disclosure of specific information including the purposes of processing, the categories of data concerned, the recipients or categories of recipients, the retention period, the existence of the right to lodge a complaint, information about the source of the data, and the existence of automated decision-making including profiling. The DPDPA's approach is more streamlined - a summary of personal data and processing activities, plus the identities of entities data has been shared with. The GDPR also imposes a strict one-month response timeline (extendable by two months for complex requests), while the DPDPA's response timeframes will be specified in the rules. Another significant difference is the GDPR's requirement to provide the first copy of data free of charge, with a reasonable fee permissible for additional copies - the DPDPA does not currently address fee structures for access requests. Despite these differences, organisations already compliant with GDPR Article 15 will find Section 11 compliance relatively straightforward, as the GDPR's requirements are broader in most respects.
Practical Implementation of Data Subject Access Requests (DSARs)
Implementing a robust DSAR (Data Subject Access Request) process is essential for Section 11 compliance. The process begins with request intake - providing clear, accessible channels through which Data Principals can submit access requests. This could include a dedicated web portal, an email address, a form within the organisation's app, or even physical channels. Upon receiving a request, the first step is identity verification - confirming that the requestor is indeed the Data Principal whose data they are seeking to access. This is critical to prevent unauthorised disclosure. Verification methods may include OTP-based authentication, government ID verification, or account-based authentication for existing users. Once identity is verified, the organisation must locate all personal data relating to the Data Principal across its systems. This is where data mapping becomes critical - organisations without comprehensive data inventories will struggle to identify all relevant data within the prescribed timeframe. The response must be compiled in a clear, intelligible format that provides a meaningful summary of the data and processing activities. The response should be delivered through a secure channel to prevent interception. Finally, the organisation should document the entire process - the request, the verification steps, the data located, the response provided, and the delivery confirmation - for audit trail purposes.
- Provide clear, accessible channels for submitting access requests
- Implement robust identity verification before disclosing any personal data
- Maintain comprehensive data inventories to locate all relevant data efficiently
- Compile responses in clear, intelligible formats that provide meaningful summaries
- Document the entire DSAR process for audit trail and regulatory defence
Response Timeframes and Operational Readiness
While the specific response timeframes for Section 11 access requests will be prescribed by the rules under the DPDPA, organisations should prepare for timelines that are consistent with international norms. The GDPR mandates a response within one month, extendable by two additional months for complex or voluminous requests. Other frameworks such as Brazil's LGPD and South Africa's POPIA specify similar timeframes. Organisations should design their DSAR processes to deliver responses within thirty days as a baseline, with internal escalation mechanisms for requests that require more time due to data complexity, volume, or technical challenges. Operational readiness requires investment in several areas: automated data discovery tools that can locate personal data across multiple systems and databases, standardised response templates that ensure consistency and completeness, workflow management systems that track requests, assign ownership, set deadlines, and escalate overdue requests, staff training so that employees who receive access requests know how to route them appropriately, and executive reporting that provides visibility into DSAR volumes, response times, and compliance rates. Organisations that process large volumes of personal data - particularly consumer-facing businesses - should anticipate high DSAR volumes once awareness of Section 11 rights increases, and build scalable infrastructure accordingly.
- Prepare for response timelines consistent with international norms (approximately thirty days)
- Invest in automated data discovery tools for efficient personal data location
- Implement workflow management for request tracking, ownership, and escalation
- Train staff on DSAR routing and handling procedures
- Build scalable infrastructure anticipating increasing DSAR volumes
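As an added illustration (not code from this page or from Kraver.ai), the Python below models the DSAR steps described in the two sections above: a data-sharing register, an identity-verification gate before any disclosure, compilation of a Section 11 summary (data categories plus the entities the data was shared with, with categories and purpose), an audit trail of each step, and an overdue check against the thirty-day baseline. The register schema, field names, the constructed sample rows and the baseline constant are assumptions for the example, not requirements stated in the Act or rules.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

RESPONSE_BASELINE_DAYS = 30  # the page's working baseline; the statutory period comes from the rules

@dataclass(frozen=True)
class SharingRecord:
    """One row of the data-sharing register (constructed schema, not a standard)."""
    principal_id: str
    recipient: str         # Data Fiduciary or Data Processor the data was shared with
    recipient_role: str    # "fiduciary" or "processor"
    categories: frozenset  # categories of personal data shared
    purpose: str           # purpose of the sharing

@dataclass
class AccessRequest:
    request_id: str
    principal_id: str
    received: str          # ISO date on which the request was received
    verified: bool = False
    audit: list = field(default_factory=list)  # audit trail, one entry per step

def verify_identity(req: AccessRequest, check_passed: bool) -> None:
    """Record the outcome of the identity check (OTP, ID document, or account login)."""
    req.verified = check_passed
    req.audit.append("identity_verified" if check_passed else "identity_check_failed")

def build_summary(req: AccessRequest, register: list) -> Optional[dict]:
    """Compile the Section 11 summary; refuse disclosure until identity is verified.
    Only this principal's rows are read, so other principals' sharing never leaks."""
    if not req.verified:
        req.audit.append("disclosure_refused_unverified")
        return None
    own = [r for r in register if r.principal_id == req.principal_id]
    summary = {
        "data_categories": sorted(set().union(*(r.categories for r in own))),
        "shared_with": [{"recipient": r.recipient, "role": r.recipient_role,
                         "categories": sorted(r.categories), "purpose": r.purpose}
                        for r in own],
    }
    req.audit.append("summary_compiled")
    return summary

def is_overdue(req: AccessRequest, today: str) -> bool:
    """True when no summary has been compiled and the response baseline has passed."""
    deadline = date.fromisoformat(req.received) + timedelta(days=RESPONSE_BASELINE_DAYS)
    return "summary_compiled" not in req.audit and date.fromisoformat(today) > deadline
```

A real deployment would back the register with the organisation's data inventory and treat the audit list as append-only storage; the gate in build_summary is the point that prevents an unverified requestor from receiving someone else's summary.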
How Kraver.ai Helps
Kraver.ai's DSAR management module provides end-to-end support for Section 11 compliance, from request intake to response delivery and audit documentation. Our branded Data Principal portal allows individuals to submit access requests through a secure, user-friendly interface, with built-in identity verification using Aadhaar, PAN, or account-based authentication. Upon receipt, the platform automatically initiates data discovery across your connected systems - databases, CRM platforms, cloud storage, email archives, and third-party services - using our AI-powered data mapping engine to locate all personal data associated with the requestor. The response compilation module aggregates discovered data into a clear, structured summary that meets Section 11's requirements, including processing activities and the identities of all entities the data has been shared with. Workflow automation tracks each request through its lifecycle, assigns ownership, enforces SLA timelines, and escalates overdue requests to management. Every step is documented in an immutable audit trail for regulatory defence. Our analytics dashboard provides real-time visibility into DSAR volumes, response times, completion rates, and trends - enabling you to identify bottlenecks and optimise your processes. Achieve Section 11 compliance and build Data Principal trust with Kraver.ai's DSAR management platform.