DPDPA Sections 14-15: Nominate & Duties

Abhi Anand
14 February 2026

Sections 14 and 15 - Rights and Responsibilities in Balance

The Digital Personal Data Protection Act, 2023, is built on a framework of reciprocal obligations. While Sections 4 through 13 establish extensive rights for Data Principals and duties for Data Fiduciaries, Sections 14 and 15 introduce two complementary dimensions that complete the framework. Section 14 extends the exercise of Data Principal rights beyond the lifetime or capacity of the individual by providing for nomination. Section 15 imposes duties on Data Principals themselves, recognising that a robust data protection regime requires responsible behaviour from all participants - not just the organisations processing data. Together, these sections reflect a mature legislative approach: rights come with responsibilities, and the law protects individuals while also safeguarding the system from abuse. Section 14 addresses a gap that many data protection laws around the world have struggled with - what happens to personal data rights when the Data Principal is no longer able to exercise them. Section 15 addresses the equally important question of what happens when individuals misuse the rights given to them.

Section 14(1): The Right to Nominate

Section 14(1) provides that every Data Principal shall have the right to nominate, in such manner as may be prescribed, any other individual who shall, in the event of death or incapacity of the Data Principal, exercise the rights of the Data Principal in accordance with the provisions of the Act. This is a forward-looking provision that addresses the digital afterlife - the growing body of personal data that persists after an individual's death or when they lose the capacity to manage their own affairs. Without this provision, family members, heirs, or caregivers would have no statutory basis to access, correct, or erase a deceased or incapacitated person's data held by Data Fiduciaries. The nomination right covers all rights available to the Data Principal under the Act, including the right to access information about processing under Section 11, the right to correction and erasure under Section 12, the right to grievance redressal under Section 13, and the right to withdraw consent under Section 6. The nominee steps into the shoes of the Data Principal and can exercise these rights as if they were the Data Principal themselves.

Nominee Registration Process and Practical Considerations

The specific manner of nomination is to be prescribed by rules, but organisations should anticipate the following practical requirements. The nomination process should be simple, secure, and verifiable. Data Principals should be able to register a nominee through the same channels they use to interact with the Data Fiduciary - online portals, mobile apps, or physical forms. The registration should capture the nominee's identity details, the scope of the nomination (all rights or specific rights), any conditions or limitations the Data Principal wishes to impose, and verification of the nominee's identity and consent to act in that capacity. Organisations must build systems to store nominee information securely, verify nominee identity when they seek to exercise rights, and process nominee requests with the same rigour and timeliness as requests from the Data Principal. The nomination should be revocable and modifiable by the Data Principal at any time while they have capacity. Upon the triggering event - death or incapacity - the nominee should be able to present proof of the event (death certificate, medical certificate of incapacity, court order) and proof of their nominee status to exercise rights. Organisations should establish clear verification procedures that balance accessibility with security to prevent fraudulent nominee claims.

  • Provide accessible nomination registration through existing customer channels
  • Capture nominee identity, scope of nomination, and any conditions
  • Verify nominee identity at registration and at the time of exercising rights
  • Allow Data Principals to revoke or modify nominations at any time
  • Establish verification procedures for triggering events (death/incapacity)
  • Process nominee requests with the same standards as Data Principal requests

Section 14(2): Guardian Rights for Children and Persons with Disabilities

Section 14(2) provides that in the case of a child, the rights of the Data Principal under the Act shall be exercised by the lawful guardian. In the case of a person with a disability who has a lawful guardian, that guardian shall exercise the Data Principal's rights. This provision works alongside Section 9's protections for children's data, ensuring that the rights framework accounts for individuals who may lack the legal capacity to exercise rights on their own behalf. For children - defined as individuals under eighteen years of age - the lawful guardian is typically a parent or court-appointed guardian. For persons with disabilities, the lawful guardian may be appointed under the Rights of Persons with Disabilities Act, 2016, or the National Trust for the Welfare of Persons with Autism, Cerebral Palsy, Mental Retardation, and Multiple Disabilities Act, 1999. Organisations processing data of children or persons with disabilities must build systems to identify and verify lawful guardians, process rights requests from guardians with appropriate verification, and ensure that the child's or disabled person's interests are protected even when the guardian is exercising rights on their behalf.

Section 15(1): Duty to Comply with Applicable Laws

Section 15 shifts the lens from rights to responsibilities. Section 15(1) establishes the overarching duty of every Data Principal to comply with the provisions of all applicable laws when exercising rights or performing duties under the Act. This seemingly straightforward provision has important practical implications. It means that Data Principals cannot use DPDPA rights to circumvent other legal obligations. For example, a Data Principal cannot demand erasure of data that a Data Fiduciary is legally required to retain under tax laws, anti-money laundering regulations, or court orders. Similarly, a Data Principal exercising access rights cannot use the obtained information for purposes that violate other laws - such as using another person's data obtained through a shared account to harass or defame them. This provision also interacts with sector-specific regulations. In healthcare, a patient exercising access rights must still comply with confidentiality obligations regarding information about other patients that may be intermingled with their records. In financial services, access requests must be balanced against regulations prohibiting the disclosure of certain regulatory information. Data Fiduciaries can rely on this provision when explaining to Data Principals why certain requests cannot be fulfilled in full due to conflicting legal obligations.

Section 15(2): Prohibition on False and Frivolous Complaints

Section 15(2)(a) imposes a specific duty on Data Principals not to register a false or frivolous complaint or grievance with a Data Fiduciary or the Data Protection Board. This provision protects the integrity of the grievance and enforcement system. Without it, the Board and Data Fiduciaries could be overwhelmed with baseless complaints, diverting resources from legitimate grievances and genuine enforcement priorities. A 'false' complaint is one where the Data Principal knowingly misrepresents facts - for example, claiming that they never gave consent when they demonstrably did, or alleging a data breach that they know did not occur. A 'frivolous' complaint is one that lacks any reasonable basis or is filed for purposes unrelated to data protection - such as using the complaint mechanism to harass a business competitor or to pressure a company during a commercial dispute. The penalty for violating this duty can extend up to ten thousand rupees under the Schedule to the Act. While this amount may seem modest compared to penalties on Data Fiduciaries, it serves as a deterrent against abuse of the complaint system and ensures that Data Principals approach the grievance mechanism with the seriousness it deserves.

Section 15(2)(b)-(c): Prohibition on False Information and Impersonation

Section 15(2)(b) prohibits Data Principals from furnishing any false particulars or suppressing any material information in connection with the exercise of rights or performance of duties under the Act. This duty applies to all interactions with Data Fiduciaries and the Board. When a Data Principal exercises their right to access under Section 11, they must provide accurate identification. When they request correction under Section 12, the replacement information must be truthful. When they file a grievance under Section 13 or a complaint with the Board under Section 24, the facts stated must be accurate and complete. Section 15(2)(c) prohibits impersonation - no person shall impersonate another person while providing their personal data for a specified purpose. This addresses a growing concern in the digital economy where identity theft and impersonation are increasingly common. If a person provides someone else's personal data while pretending to be that person - whether to open a bank account, obtain services, or evade their own obligations - they violate this duty. The penalty for violating Section 15(2)(b) or (c) can also extend up to ten thousand rupees. However, the consequences may be more severe under other laws - impersonation may also constitute fraud or identity theft under the Indian Penal Code or Information Technology Act, leading to criminal liability in addition to the DPDPA penalty.

  • Do not furnish false particulars when exercising rights or filing complaints
  • Do not suppress material information in interactions with Data Fiduciaries or the Board
  • Do not impersonate another person while providing personal data
  • Violations attract penalties up to ten thousand rupees under the DPDPA Schedule
  • Additional criminal liability may apply under IPC or IT Act for fraud and impersonation

Penalties for Breach of Data Principal Duties

The Schedule to the DPDPA prescribes penalties for breach of Data Principal duties under Section 15. The maximum penalty is ten thousand rupees per instance. While this is significantly lower than the penalties imposed on Data Fiduciaries - which can reach up to two hundred and fifty crore rupees - the inclusion of Data Principal penalties is itself notable. Most data protection laws worldwide impose obligations exclusively on data controllers and processors. The DPDPA's approach of holding Data Principals accountable reflects India's legislative philosophy of balanced rights and duties. The penalty is imposed by the Data Protection Board after giving the Data Principal an opportunity to be heard. The Board must follow the principles of natural justice - the Data Principal must be notified of the alleged violation, given access to the evidence against them, and provided an opportunity to present their defence before any penalty is imposed. In practice, these penalties are likely to be imposed sparingly and in cases of clear, deliberate abuse. The Board's resources are better directed at ensuring Data Fiduciary compliance, and pursuing individual Data Principals for minor infractions would be counterproductive. However, in cases of systematic false complaints, organised impersonation schemes, or deliberate suppression of material information, the Board will have the tools to act.

Impact on Organisational Processes

Sections 14 and 15 together require organisations to update several processes. For Section 14 compliance, organisations must add nominee registration functionality to their customer management systems, build verification workflows for nominee identity and triggering events, train customer-facing teams to handle nominee inquiries sensitively and efficiently, and update privacy notices to inform Data Principals about their right to nominate. For Section 15, organisations should update their complaint intake processes to include an acknowledgment by the complainant that the information provided is true and that filing false complaints may attract penalties. This serves both as a deterrent and as documentation that the Data Principal was aware of their duties. Organisations should also maintain records that can demonstrate the authenticity of consent - timestamps, IP addresses, device information, and consent artifacts - to defend against false claims of non-consent. When responding to access, correction, or erasure requests, organisations should verify the identity of the requestor to guard against impersonation. Section 15(2)(c) gives organisations an additional basis to implement robust identity verification for rights requests.

  • Build nominee registration and management functionality
  • Implement identity verification for all rights requests to prevent impersonation
  • Include acknowledgment of duties in complaint and grievance forms
  • Maintain consent records that can rebut false claims of non-consent
  • Train teams to handle nominee, guardian, and edge-case requests

How Kraver.ai Helps

Kraver.ai's platform provides comprehensive support for both Section 14 and Section 15 compliance. Our nominee management module allows Data Principals to register nominees through your branded portal, capturing all required details with secure identity verification. When a triggering event occurs, the module guides the nominee through a verified activation process, with document upload and verification workflows for death certificates or incapacity documentation. For guardian management under Section 14(2), the platform integrates guardian verification into your consent and rights management workflows, ensuring that children's and disabled persons' data is managed appropriately. On the Section 15 side, Kraver.ai's complaint intake forms include configurable duty acknowledgments, informing Data Principals of their obligations before they file grievances. Our AI-powered complaint analysis module flags potentially false or frivolous complaints based on pattern recognition, helping your team prioritise genuine grievances while documenting evidence for cases that may require Board referral. The identity verification module provides multi-factor authentication for rights requests, protecting against impersonation and creating an audit trail for every interaction. Kraver.ai also maintains comprehensive consent records - with timestamps, device fingerprints, and consent artifacts - that can be presented as evidence if a Data Principal falsely claims they never consented. Build your complete Sections 14 and 15 compliance framework with Kraver.ai today.
