Section 13 - The Right That Closes the Accountability Loop
Section 13 of the Digital Personal Data Protection Act, 2023, establishes the right of every Data Principal to have readily available means of grievance redressal with the Data Fiduciary or Consent Manager processing their personal data. This right is the critical accountability mechanism that connects Data Principal rights (Sections 11-12) with enforcement (Sections 18-26). Without an effective grievance redressal mechanism, the rights to access, correction, and erasure remain theoretical. Section 13 ensures that when a Data Principal believes their data is being mishandled, they have a clear, accessible, and responsive channel to raise their concerns. The section works in conjunction with Section 8(10), which requires Data Fiduciaries to publish the contact information of a Data Protection Officer or designated person. However, Section 13 goes further - it is not merely about publishing contact details but about ensuring the mechanism actually works, responds within prescribed timelines, and provides meaningful resolution. If the Data Fiduciary fails to respond or the Data Principal is unsatisfied with the response, Section 13 opens the pathway to escalation to the Data Protection Board of India.
The Statutory Text and Its Requirements
Section 13(1) provides that a Data Principal shall have the right to readily available means of grievance redressal provided by the Data Fiduciary or the Consent Manager in respect of any act or omission of such Data Fiduciary or Consent Manager regarding the performance of obligations or exercise of rights under the Act. Section 13(2) states that the Data Fiduciary or Consent Manager shall respond to the grievance within such time and in such manner as may be prescribed. This two-part structure creates both a substantive right and a procedural obligation. The substantive right is broad - it covers any act or omission regarding the performance of obligations under the Act or the exercise of Data Principal rights. This means a Data Principal can file a grievance about consent practices, notice deficiencies, security concerns, breach notification failures, data accuracy issues, erasure delays, or any other obligation the Act imposes. The procedural obligation - responding within prescribed time - awaits the Central Government's rules for specific timelines. However, the obligation to have the mechanism in place and functioning is immediate once the Act's provisions come into force.
Scope of Grievances That Section 13 Covers
The phrase 'any act or omission' regarding obligations or rights under the Act gives Section 13 an expansive scope. Data Principals can raise grievances about virtually any aspect of data processing. This includes complaints about inadequate or misleading consent notices under Section 5, issues with the consent mechanism or difficulties withdrawing consent under Section 6, concerns about data being processed beyond the stated purpose, dissatisfaction with responses to access requests under Section 11, delays or refusals in correcting or erasing data under Section 12, suspected security vulnerabilities or inadequate safeguards under Section 8(2), failure to notify about a data breach under Section 8(6), unauthorised sharing of data with third parties or Data Processors, concerns about children's data processing under Section 9, and any other perceived violation of the Act's provisions. This breadth means that organisations must prepare for a wide variety of grievances, each potentially requiring different internal routing, expertise, and resolution workflows. A grievance about data accuracy may require input from the data management team, while a security concern needs the information security team, and a consent issue may require legal review.
- Consent and notice-related complaints under Sections 5 and 6
- Data accuracy, correction, and erasure issues under Sections 11 and 12
- Security safeguard concerns under Section 8(2)
- Breach notification failures under Section 8(6)
- Purpose limitation violations and unauthorised data sharing
- Children's data processing concerns under Section 9
Prescribed Response Timelines and Manner
Section 13(2) delegates the specific response timelines and manner to rules that the Central Government will prescribe. While these rules are awaited, organisations should prepare for timelines aligned with international best practices and India's existing consumer protection frameworks. Under the GDPR, data controllers must respond to data subject requests within one month, extendable by two additional months for complex requests. India's Consumer Protection Act requires businesses to acknowledge complaints within a specified period. The DPDPA rules are likely to prescribe a response timeline in the range of fifteen to thirty days, with provisions for extension in complex cases. The 'manner' of response will likely require written communication in a clear, accessible format, using the same channel through which the grievance was received or a channel specified by the Data Principal. Organisations should not wait for the rules to be published before building their grievance infrastructure. The statutory obligation to have 'readily available means' exists independently of the procedural rules. Building the mechanism now and calibrating timelines when rules are published is the prudent approach.
Escalation to the Data Protection Board
The most significant consequence of Section 13 is its connection to the Data Protection Board of India. If a Data Principal is not satisfied with the response of the Data Fiduciary or Consent Manager, or if the Data Fiduciary fails to respond within the prescribed time, the Data Principal can file a complaint with the Board under Section 24. This escalation pathway transforms the grievance mechanism from a voluntary customer service function into a compliance-critical process. Every unresolved grievance is a potential Board complaint. Every delayed response is a potential regulatory inquiry. The Board has the power to conduct inquiries, impose penalties, and issue directions. When adjudicating a complaint, the Board will examine whether the Data Fiduciary had a readily available grievance mechanism, whether it responded within the prescribed time, whether the response adequately addressed the grievance, and whether the underlying act or omission constitutes a violation of the Act. Organisations that demonstrate good-faith efforts to resolve grievances - even if the Data Principal remains unsatisfied - will be in a stronger position than those that ignored or delayed addressing the complaint. The Board is expected to consider the effectiveness of the grievance mechanism as a factor in determining penalties.
The Role of the Data Protection Officer in Grievance Handling
For Significant Data Fiduciaries designated under Section 10, the Data Protection Officer (DPO) plays a central role in grievance redressal. The DPO serves as the primary point of contact for Data Principals, the Board, and internal stakeholders. Under Section 10(2)(a), the DPO must be based in India and must represent the Significant Data Fiduciary as the point of contact for the grievance redressal mechanism. For non-significant Data Fiduciaries, Section 8(10) requires publishing the contact information of a designated person who will answer questions and address grievances. Whether this person is called a DPO, a grievance officer, or a privacy contact, they must have the authority, knowledge, and resources to handle grievances effectively. Best practice suggests that the designated person should have direct access to senior management, authority to direct internal teams to take corrective action, knowledge of data processing activities across the organisation, understanding of the Act's requirements and the organisation's compliance posture, and access to systems and records needed to investigate and resolve grievances. A figurehead DPO who merely receives complaints and forwards them without authority to act will not satisfy the spirit of Section 13.
- DPO must be based in India for Significant Data Fiduciaries
- Must serve as the primary point of contact for Data Principals and the Board
- Needs authority to direct corrective actions across the organisation
- Requires access to data systems and processing records
- Should report directly to senior management on grievance trends and systemic issues
Building an Effective Grievance Redressal Mechanism
An effective grievance mechanism under Section 13 requires more than publishing an email address. It requires a structured, documented, and consistently executed process. The mechanism should include multiple intake channels - online forms, email, in-app features, phone, and physical correspondence - to ensure accessibility for all Data Principals regardless of their technological sophistication. Upon receiving a grievance, the system should generate an acknowledgment with a unique reference number, classify the grievance by type and urgency, route it to the appropriate internal team, set internal SLA timelines that are shorter than the prescribed response period, track progress through defined stages (received, acknowledged, under investigation, resolved, closed), and maintain a complete audit trail. The response to the Data Principal should be substantive, not formulaic. It should address the specific concern raised, explain the investigation conducted, describe the action taken or the reason no action is warranted, and inform the Data Principal of their right to escalate to the Board if unsatisfied. Organisations handling large volumes of data should invest in grievance management software that automates intake, routing, tracking, and reporting.
- Provide multiple accessible intake channels: web form, email, in-app, phone
- Acknowledge receipt with a unique reference number and expected timeline
- Classify, prioritise, and route grievances to the appropriate internal teams
- Track resolution through defined workflow stages with internal SLAs
- Provide substantive responses addressing the specific concern raised
- Inform Data Principals of escalation rights to the Data Protection Board
Response SLAs and Internal Workflow Design
While the statutory response timeline awaits prescription, organisations should design internal SLAs that provide a buffer between internal deadlines and the external prescribed period. If the rules prescribe a thirty-day response period, internal SLAs should target resolution within twenty days, allowing ten days for quality review, escalation of complex cases, and final communication drafting. Internal SLA tiers should reflect the nature and urgency of the grievance. High-priority grievances - such as ongoing security breaches, unauthorised data sharing, or processing affecting vulnerable individuals - should have a resolution target of five to seven business days. Medium-priority grievances - such as access requests, correction requests, or consent withdrawal issues - should target ten to fifteen business days. Low-priority grievances - general inquiries about data practices or policy clarifications - should target fifteen to twenty business days. Each tier should have defined escalation triggers: if a grievance exceeds its SLA, it should automatically escalate to the next management level. Periodic reporting on grievance volumes, resolution rates, SLA compliance, and common themes should inform continuous improvement of data processing practices and the grievance mechanism itself.
Consent Managers and Their Grievance Obligations
Section 13 applies equally to Consent Managers - entities registered under Section 6(8) that serve as a single point of contact for Data Principals to manage consent across multiple Data Fiduciaries. Consent Managers face a unique challenge because grievances directed at them may actually relate to the processing activities of a Data Fiduciary, not the Consent Manager's own actions. For example, a Data Principal might complain to their Consent Manager that a particular Data Fiduciary is not honouring a consent withdrawal. The Consent Manager must determine whether the issue is with its own platform (failure to transmit the withdrawal) or with the Data Fiduciary (failure to act on a properly transmitted withdrawal). This requires clear contractual arrangements between Consent Managers and Data Fiduciaries regarding grievance routing, information sharing, and collaborative resolution. Consent Managers should maintain transparency with Data Principals about the scope of their responsibilities and the limitations of their authority. They must build systems that can track grievances across the Consent Manager-Data Fiduciary boundary and ensure that Data Principals receive a unified, coherent response regardless of where the underlying issue lies.
How Kraver.ai Helps
Kraver.ai's grievance management module is purpose-built for Section 13 compliance, providing an end-to-end solution that transforms grievance redressal from a reactive burden into a proactive compliance advantage. Our platform offers a branded, multi-channel grievance intake portal that you can embed in your website, mobile app, and customer-facing communications - ensuring the 'readily available means' requirement is met across every touchpoint. Upon receipt, our AI-powered classification engine automatically categorises grievances by type, urgency, and the specific DPDPA provision involved, routing them to the appropriate internal team with all relevant context. Built-in SLA management tracks every grievance against configurable internal timelines and the prescribed response period, with automated escalation alerts when deadlines approach. The response management module provides templates aligned with DPDPA requirements while allowing personalisation, ensuring substantive responses that address the specific concern raised. For DPOs and designated grievance officers, Kraver.ai provides a unified dashboard showing real-time grievance status, SLA compliance rates, trend analysis, and Board-ready reporting. Our audit trail captures every action taken on every grievance, creating the documentation needed to demonstrate compliance if a Data Principal escalates to the Board. Start building your Section 13 grievance infrastructure with Kraver.ai today.