DPDPA 2023 Section 12: Right to Correction and Erasure of Personal Data

Section 12 of the Digital Personal Data Protection Act, 2023 grants every Data Principal in India the statutory right to obtain correction, completion, updating, and erasure of their personal data held by a Data Fiduciary. This right applies across every industry that handles digital personal data — from wedding photographers and schools to hospitals, hotels, marathon organisers, retail brands, media houses, and HR teams — and obliges the Data Fiduciary to act on a verifiable request unless retention is required by law.

Key facts

Statute: Digital Personal Data Protection Act, 2023
Section: Section 12
Chapter: Chapter III — Rights and Duties of Data Principal
Effective: 2025–2026 phased rollout under DPDP Rules 2025
Penalty ceiling: Up to ₹250 crore per instance (Schedule, read with Section 33)
Applies to: All Data Fiduciaries processing digital personal data in India

What Section 12 says

Section 12 operationalises a core DPDPA promise: the Data Principal controls the accuracy and lifecycle of their personal data. A Data Fiduciary must, on request, correct inaccurate data, complete incomplete data, update outdated data, and erase data no longer necessary for the specified purpose — unless another law mandates retention. The right extends to photographs, video, biometrics, attendance records, guest lists, and patient images. Fiduciaries must publish a request mechanism, verify the requester, action the change within the DPDP Rules timeline, and propagate the correction or erasure to every Data Processor and downstream recipient.

"A Data Principal shall have the right to correction, completion, updating and erasure of her personal data for the processing of which she has previously given consent... The Data Fiduciary shall, upon receipt of a request, correct the inaccurate or misleading personal data; complete the incomplete personal data; update the personal data; and erase the personal data unless retention is necessary for the specified purpose or for compliance with any law for the time being in force." — DPDPA 2023, Section 12

What it means in practice

Who Section 12 applies to

Common violations

Photographer refuses to delete a client's wedding gallery

A wedding photographer ignores a couple's written request to erase their full gallery and RAW files after a dispute, despite no legal retention obligation — a direct breach of Section 12(3).

School retains expelled student's biometric and photo data

A school continues to store an ex-student's facial recognition template and photographs beyond the stated academic purpose, refusing a parent's erasure request submitted under Section 9 read with Section 12.

Hospital fails to correct patient record

A hospital chain ignores a patient's request to correct a wrongly recorded blood group or diagnosis in their digital health record, exposing them to clinical risk and Section 12(2)(a) liability.

Hotel keeps CCTV and ID scans beyond stay

A hotel retains guest ID copies and CCTV footage indefinitely after checkout without a lawful retention basis, and refuses an erasure request from the guest.

HR team will not update employee record

A corporate HR system refuses to update an employee's legal name, gender marker, or address post-transition, violating the right to correction and completion under Section 12(2).

Marathon organiser republishes finisher photos after opt-out

An event organiser continues to display and sell finisher photographs on its portal after the runner formally requested erasure, breaching Section 12(3) and consent rules under Section 6.

Penalty for breach

Non-compliance with Section 12 can be treated as a breach of a Data Fiduciary's duties under the DPDPA 2023. The Data Protection Board of India may, after inquiry under Section 28, impose monetary penalties under the Schedule to the Act, with the general ceiling extending up to ₹250 crore per instance for serious or systemic breaches, and up to ₹50 crore for failure to fulfil additional obligations relating to children's data. Repeat or wilful refusal to honour correction and erasure requests can attract enhanced penalties and corrective orders.


Frequently asked questions

Can a wedding photographer refuse to delete photos citing artistic or portfolio rights?

No. Under DPDPA 2023 Section 12(3), once the specified purpose (delivering the wedding shoot) is fulfilled and the Data Principal requests erasure, the photographer must erase the personal data unless another law requires retention. Portfolio use requires a fresh, specific consent under Section 6.

Does Section 12 apply to CCTV footage in hotels, hospitals and retail stores?

Yes. CCTV footage that identifies a natural person is digital personal data. Guests, patients and customers can request erasure once the retention purpose is complete, subject to any statutory retention requirement.

How quickly must a Data Fiduciary act on a Section 12 request?

The Act requires action within a reasonable period; the DPDP Rules 2025 prescribe specific timelines for Data Fiduciaries to acknowledge and complete correction or erasure requests.

Who can file a Section 12 request at a school for a student under 18?

For children, the parent or lawful guardian exercises the right on behalf of the child, read with Section 9. Schools and ed-tech platforms must verify guardianship before acting on correction or erasure requests.

Can a hospital refuse erasure of medical records?

Healthcare providers may lawfully retain medical records for the period mandated by the Clinical Establishments Act, NMC regulations and state health rules. Section 12 erasure can be refused only to the extent another law requires retention; non-mandatory copies must still be erased on request.

Does an HR team have to delete a former employee's data?

Yes, except for records that must be retained under labour, tax, PF, or contractual law (e.g., Form 16, statutory payroll). Non-statutory data such as CCTV clips, internal photos and application screenshots must be erased on a valid request.

What is the penalty if a Data Fiduciary ignores a Section 12 request?

The Data Protection Board can impose monetary penalties under the Schedule to the DPDPA 2023, with a general ceiling of up to ₹250 crore per instance for serious breaches, in addition to corrective orders.

Verified: DPDPAReady Editorial Desk, 20 JUN 2026

Article reviewed against DPDPA 2023, Schedule, and DPDP Rules 2025.