
DPDPA Section 12: Correction & Erasure

Abhi Anand
16 January 2026

Section 12 - Giving Data Principals Control Over Their Data

Section 12 of the DPDPA empowers Data Principals with actionable rights over the accuracy, completeness, and continued existence of their personal data held by Data Fiduciaries. While Section 11 provides the right to know what data is held and how it is processed, Section 12 provides the right to act on that knowledge - to correct errors, fill gaps, update outdated information, and request deletion of data that is no longer needed. These rights are fundamental to the principle of data quality and the broader objective of giving individuals meaningful control over their personal information. In practical terms, Section 12 addresses everyday scenarios that affect millions of people: a bank holding an outdated address that causes important correspondence to go to the wrong location, an insurance company using inaccurate health data that leads to wrongful premium calculation, an employer maintaining incorrect employment history that affects career progression, or a social media platform retaining personal data long after a user has stopped using the service. Section 12 provides the legal mechanism for individuals to remedy these situations, transforming data protection from an abstract right into a practical tool for safeguarding personal interests.

Right to Correction of Inaccurate or Misleading Data

Section 12(1)(a) grants every Data Principal the right to correction of inaccurate or misleading personal data. This right addresses one of the most common data quality problems - personal data that is factually wrong or that creates a false impression. Inaccurate data includes straightforward errors such as a misspelled name, an incorrect date of birth, a wrong contact number, or an outdated address. Misleading data is a broader concept - data that may be technically accurate but is presented or contextualised in a way that creates a false impression. For example, recording that a customer 'defaulted' on a loan payment without noting that the default was caused by a bank processing error, or recording that an employee was 'terminated' without noting that the termination was part of a mass layoff rather than an individual performance issue. The right to correction places an obligation on the Data Fiduciary to correct the data upon receiving a valid request from the Data Principal. The Data Fiduciary should not impose unreasonable barriers or delays - such as requiring excessive documentation or routing the request through multiple departments. A streamlined correction process with clear ownership, defined timelines, and confirmation mechanisms is essential for compliance.

  • Covers both factually incorrect data and data that creates a misleading impression
  • Applies to all categories of personal data held by the Data Fiduciary
  • Data Fiduciaries must correct data promptly upon receiving a valid request
  • Unreasonable barriers or delays in processing correction requests may constitute non-compliance
  • Corrections must be propagated to any entities the data was shared with

Right to Completion of Incomplete Data

Section 12(1)(b) provides the right to completion of incomplete personal data. Incomplete data refers to personal data that is partially missing, lacks relevant context, or does not present a full picture of the Data Principal's circumstances. This right is particularly important in contexts where incomplete data can lead to unfair outcomes - for instance, a credit bureau holding partial payment history that understates a borrower's creditworthiness, a healthcare provider maintaining an incomplete medical history that could lead to inappropriate treatment decisions, or a government agency holding incomplete identity documentation that delays service delivery. The right to completion allows Data Principals to supplement their data with additional information that provides a more complete and accurate picture. The Data Fiduciary must assess the request and, where the additional information is relevant and verifiable, update its records accordingly. This right intersects with the Data Fiduciary's own obligation under Section 8(1) to maintain accurate and complete data - by exercising their completion right, Data Principals are effectively assisting the Data Fiduciary in meeting its own compliance obligations. Data Fiduciaries should view completion requests not as a burden but as an opportunity to improve data quality and decision-making accuracy.

  • Covers personal data that is partially missing or lacks relevant context
  • Particularly important where incomplete data affects decision-making outcomes
  • Data Principals can supplement records with additional relevant information
  • Data Fiduciaries should verify and incorporate additions where they are relevant and accurate
  • Completion requests help Data Fiduciaries meet their own Section 8(1) data accuracy obligations

Right to Update Outdated Data

Section 12(1)(c) grants the right to update personal data that is no longer current. Personal data is inherently dynamic - people change addresses, phone numbers, email addresses, employment, marital status, and many other attributes over time. Data that was accurate at the time of collection may become outdated, and outdated data can cause the same types of harm as inaccurate data. A delivery company using an old address will fail to deliver packages. A hospital contacting an old emergency number will fail to reach the patient's family. An employer using outdated banking details will fail to deposit salary correctly. The right to update allows Data Principals to keep their personal data current across the organisations that hold it. This is both a compliance requirement for Data Fiduciaries and a practical convenience for Data Principals. Organisations should implement proactive mechanisms to encourage updates - periodic prompts to verify contact information, easy-to-use self-service portals for updating personal details, and automated alerts when data appears to be outdated based on usage patterns or bounce-backs. When a Data Principal submits an update request, the Data Fiduciary should process it promptly, confirm the update to the Data Principal, and ensure that the updated information is propagated to all systems and any entities with which the data has been shared.

  • Personal data that was accurate at collection may become outdated over time
  • The right to update ensures Data Principals can keep their data current
  • Proactive mechanisms such as periodic verification prompts improve data currency
  • Updates must be propagated across all systems and to entities data was shared with
  • Self-service portals for data updates reduce compliance burden and improve user experience

Right to Erasure of Data No Longer Necessary

Section 12(1)(d) provides the right to erasure of personal data that is no longer necessary for the purpose for which it was processed. This right is closely connected to Section 8(7), which requires Data Fiduciaries to erase personal data when the purpose for processing has been fulfilled and retention is no longer necessary. The Data Principal's erasure right under Section 12 complements this obligation by giving individuals the ability to initiate erasure when they believe the purpose has been fulfilled or their data is being retained without justification. The trigger for erasure is 'no longer necessary for the purpose' - this means that if the original purpose for which data was collected has been achieved, and there is no other legitimate basis for continued retention, the Data Principal can request deletion. For example, a customer who has returned a product and received a full refund can request erasure of their purchase and payment data (subject to legal retention requirements). A job applicant who was not selected can request erasure of their application data after the recruitment process is complete. A user who has cancelled their subscription can request erasure of their account data. The right to erasure must be balanced against the Data Fiduciary's legitimate need to retain data for specific purposes - including compliance with other laws, defence of legal claims, and archival in the public interest.

  • Data Principals can request erasure when data is no longer needed for its original purpose
  • Complements the Data Fiduciary's own erasure obligation under Section 8(7)
  • The trigger is purpose fulfilment - not simply the Data Principal's preference
  • Erasure must be balanced against legitimate retention needs including legal obligations
  • Data Fiduciaries must document their basis for retaining data when erasure is requested and declined

Exceptions to Correction and Erasure Rights

The rights under Section 12 are not absolute - they are subject to important exceptions that balance individual data protection rights against other legitimate interests. The primary exceptions are derived from Section 17 of the DPDPA, which exempts certain categories of processing from Data Principal rights. These include processing necessary for the prevention, detection, investigation, and prosecution of offences, where allowing correction or erasure could compromise law enforcement objectives; processing necessary for the enforcement of any legal right or claim, where the data is required as evidence or for ongoing legal proceedings; processing by government bodies in the interest of sovereignty, integrity, and security of India; and processing for research, archival, or statistical purposes where appropriate safeguards are in place. Additionally, Data Fiduciaries may decline erasure requests where retention is mandated by another applicable law - for example, tax records must be retained for the period specified under the Income Tax Act, financial transaction records must be retained as per RBI regulations, and employment records must be maintained as required under labour laws. When a Data Fiduciary declines a correction or erasure request based on an exception, it must inform the Data Principal of the reason for the refusal and the basis on which the exception applies, enabling the Data Principal to challenge the decision if they disagree.

  • Section 17 exemptions apply to correction and erasure rights
  • Law enforcement, legal claims, and national security processing may be exempt
  • Retention mandated by other laws (tax, financial, employment) overrides erasure requests
  • Data Fiduciaries must inform Data Principals of the reason for any refusal
  • Data Principals retain the right to challenge refusals through grievance mechanisms

Comparison with GDPR Article 17 - Right to Erasure (Right to Be Forgotten)

Section 12 of the DPDPA bears significant resemblance to Article 17 of the EU's GDPR, commonly known as the 'right to be forgotten', while also incorporating distinct Indian law characteristics. GDPR Article 17 provides six specific grounds for erasure: the data is no longer necessary, consent is withdrawn, the data subject objects to processing, the data was unlawfully processed, erasure is required by EU or member state law, and the data was collected in relation to information society services offered to a child. The DPDPA's erasure right is narrower in its stated triggers - focused on purpose fulfilment - but is supplemented by the consent withdrawal provisions under Section 6 and the Data Fiduciary's own obligations under Section 8(7). A notable feature of the GDPR that is not explicitly replicated in the DPDPA is the obligation under Article 17(2) for a controller that has made personal data public to take reasonable steps to inform other controllers processing the data about the erasure request. The DPDPA's equivalent is likely to emerge through the rules, which may impose notification obligations when data that has been shared with third parties is subject to an erasure request. Organisations operating across both jurisdictions should design their erasure processes to meet the broader GDPR standard, as this will naturally ensure compliance with the DPDPA's requirements as well.

Procedures for Exercising Correction and Erasure Rights

Data Fiduciaries must establish clear, accessible, and efficient procedures for Data Principals to exercise their correction and erasure rights under Section 12. The procedure should include the following elements: request channels that are easy to find and use, including web forms, email, in-app options, and potentially physical channels for individuals who may not be digitally literate; identity verification mechanisms to confirm that the requestor is the Data Principal or their authorised representative; acknowledgement of receipt within a defined timeframe, providing the Data Principal with a reference number and expected resolution timeline; assessment of the request by a qualified person who evaluates whether the correction, completion, update, or erasure is appropriate, considering any applicable exceptions; execution of the request if approved, with the changes applied across all relevant systems and databases - not just the primary system; notification to third parties with whom the data was shared, informing them of the correction, update, or erasure so they can update their records accordingly; confirmation to the Data Principal that the request has been fulfilled, specifying what actions were taken; if the request is declined, a clear explanation of the reasons and the basis for the refusal, along with information about the grievance redressal mechanism; and documentation of the entire process for audit trail and regulatory defence purposes.

  • Provide multiple accessible request channels including web, email, app, and physical options
  • Implement identity verification to prevent unauthorised modifications
  • Acknowledge receipt with reference numbers and expected timelines
  • Apply changes across all relevant systems and notify third parties
  • Document the entire process for audit trail and regulatory compliance

Practical Implementation Challenges

Implementing Section 12's correction and erasure rights presents several practical challenges that organisations must address. Data fragmentation is a primary concern - personal data is often distributed across multiple systems, databases, applications, backups, logs, and archives. Correcting or erasing data in one system while it persists in others creates inconsistency and potential non-compliance. Organisations need comprehensive data inventories and automated propagation mechanisms to ensure changes are applied consistently. Technical limitations in legacy systems may prevent easy modification or deletion of records - some older databases and applications were not designed with data modification or deletion capabilities in mind. Organisations may need to invest in system upgrades or develop workarounds to enable compliance. Backup and archive management is another challenge - data that has been erased from production systems may still exist in backups. Organisations must develop retention policies for backups that align with their erasure obligations, and consider whether 'erasure' requires deletion from backups or whether it is sufficient to ensure that backed-up data is not restored without applying the erasure. Data shared with third parties presents a cascade challenge - when data is corrected or erased, all downstream recipients must be notified and must implement corresponding changes. Contractual provisions and automated notification mechanisms are essential to managing this cascade effectively.

  • Data fragmentation across systems requires comprehensive inventories and automated propagation
  • Legacy system limitations may require investment in upgrades or workarounds
  • Backup and archive management must align with erasure obligations
  • Third-party data sharing creates cascade correction and erasure obligations
  • Contractual provisions with data recipients must address correction and erasure notifications

How Kraver.ai Helps

Kraver.ai's data rights management platform provides comprehensive support for Section 12 compliance, enabling organisations to handle correction and erasure requests efficiently, consistently, and with full audit documentation. Our Data Principal rights portal allows individuals to submit correction, completion, update, and erasure requests through a secure, user-friendly interface with built-in identity verification. Upon receipt, the platform's AI-powered data discovery engine locates all instances of the Data Principal's data across your connected systems - production databases, CRM platforms, analytics systems, cloud storage, email archives, and third-party integrations - ensuring that no data is missed. For correction and update requests, Kraver.ai applies changes across all identified systems simultaneously, maintaining consistency and eliminating the risk of partial updates. For erasure requests, the platform evaluates the request against applicable exceptions and retention obligations, flagging data that must be retained and clearly documenting the basis for any partial refusal. Automated third-party notifications inform downstream data recipients of corrections, updates, and erasures, with tracking to confirm that recipients have actioned the notifications. Every step is recorded in an immutable audit trail, from request receipt through verification, assessment, execution, and confirmation. Our analytics dashboard provides visibility into request volumes, response times, and compliance rates, enabling continuous process improvement. Simplify Section 12 compliance and demonstrate your commitment to Data Principal rights with Kraver.ai.
