Right to Correction & Erasure
DPDPA Section 12: The Twin Control Rights for Data Accuracy and Purpose Limitation
📋 Introduction: Control Over Your Digital Self
If the right to access (§11) allows you to see your digital reflection, Section 12 gives you the power to correct and erase that reflection. These are the twin control rights that transform Data Principals from passive subjects to active participants in their data's lifecycle.
Section 12 recognizes a fundamental truth: data about you can become inaccurate, outdated, or simply unnecessary. When that happens, you deserve the power to fix it or remove it entirely.
⚖️ The Statutory Framework
(a) to correction of inaccurate or misleading personal data, to completion of incomplete personal data and to updation of personal data; and
(b) to erasure of personal data, unless retention of the same is necessary for the specified purpose or for compliance with any law for the time being in force."
This seemingly simple provision contains layers of legal sophistication. Let's unpack each component systematically.
✏️ The Right to Correction: Section 12(a)
Four Triggers for Correction
Section 12(a) identifies four distinct grounds on which a Data Principal can demand correction:
📌 1. Inaccurate Data
Data that is factually wrong. This is the most straightforward ground.
- Wrong date of birth in records
- Incorrect spelling of name
- Wrong educational qualifications
- Outdated employment status
📌 2. Misleading Data
Data that is technically true but creates a false impression due to lack of context.
- Criminal acquittal not showing dismissal
- Medical condition without recovery status
- Loan default without subsequent clearance
- Partial employment history
📌 3. Incomplete Data
Data that lacks material information necessary for a complete picture.
- Education record missing degree
- Employment history with gaps
- Medical record without follow-up
- Address without current updates
📌 4. Outdated Data
Data that was accurate when collected but is no longer current.
- Old address after relocation
- Former marital status
- Previous employer information
- Expired certifications
⚡ Key Insight: "Misleading" is Broader Than "Inaccurate"
The inclusion of "misleading" data is particularly significant. Consider this scenario: A credit bureau records that you defaulted on a loan in 2019. This is factually true. But if you paid off the entire amount with interest by 2020, the mere statement of default without the subsequent clearance is misleading—even though not technically inaccurate.
This expands the correction right beyond mere factual errors to include contextual completeness—a sophisticated recognition that data can lie by omission.
🗑️ The Right to Erasure: Section 12(b)
The Basic Right
Section 12(b) grants Data Principals the right to demand erasure (deletion) of their personal data. However, this right is not absolute—it comes with two important limitations.
The Two Exceptions
🎯 Exception 1: Purpose Not Exhausted
If the data is still required for the specified purpose for which it was collected, erasure can be refused.
- Active loan requiring borrower data
- Ongoing subscription services
- Pending insurance claims
- Incomplete transactions
📜 Exception 2: Legal Retention
If any law mandates retention of the data, the erasure request must be denied.
- Tax records (7-8 years under Income Tax Act)
- KYC documents (5 years under PML Act)
- Employment records (statutory periods)
- Medical records (retention requirements)
⚠️ Critical Understanding: When Does Purpose "Exhaust"?
The phrase "necessary for the specified purpose" creates an important timing question. A Data Fiduciary must determine:
- Has the transaction/service been completed?
- Are there any pending obligations on either side?
- Have all warranty/guarantee periods expired?
- Are there any ongoing legal or regulatory requirements?
Only when all specified purposes are exhausted does the right to erasure crystallize.
🌍 DPDPA vs. GDPR: The Erasure Comparison
The GDPR's "Right to Erasure" (Article 17) is often called the "Right to be Forgotten" (RTBF). How does DPDPA's approach compare?
| Aspect | DPDPA Section 12(b) | GDPR Article 17 |
|---|---|---|
| Grounds for Erasure | Single ground: Purpose exhaustion | Six grounds including consent withdrawal, objection to processing, unlawful processing |
| Exceptions | 2 (purpose necessity, legal retention) | 5 (freedom of expression, legal obligation, public interest, archiving, legal claims) |
| Search Engine Delisting | Not explicitly addressed | Explicitly covered (Google Spain case) |
| Downstream Notification | Not explicitly required | Required under Article 17(2) |
| Scope | Narrower, more practical | Broader, more complex |
💡 Practical Implication
DPDPA's simpler approach may actually benefit both parties. Data Principals have a clear, enforceable right when purpose is exhausted. Data Fiduciaries have predictable compliance requirements without navigating six different grounds and five different exceptions.
📚 Landmark Cases: Right to be Forgotten in India
Google Spain SL v. AEPD (2014) - The Genesis
Before DPDPA, the concept of "right to be forgotten" entered Indian legal consciousness through the landmark European case of Google Spain SL v. Agencia Española de Protección de Datos (C-131/12).
The Facts
Mario Costeja González, a Spanish citizen, discovered that a Google search for his name returned links to 1998 newspaper articles about his social security debts and property auction. Though the debts were long resolved, the articles remained searchable.
The Ruling
The Court of Justice of the European Union held that search engines are "data controllers" and individuals have the right to request delisting of links containing "inadequate, irrelevant or no longer relevant" information—even if the underlying publication is lawful.
Impact: This case established that the passage of time can transform lawful, accurate information into something that warrants removal from search results. It's not about truth or falsity—it's about relevance and proportionality.
Vasunathan v. Registrar General (2017) - Indian Recognition
The Karnataka High Court was among the first Indian courts to recognize elements of the right to be forgotten in Sri Vasunathan v. The Registrar General (2017 SCC OnLine Kar 424).
The Facts
The petitioner's daughter had filed a case against her former in-laws which was later quashed by the High Court. Despite the quashing, the daughter's name continued to appear in search results linked to the case, affecting her reputation and future prospects.
The Court's Observation
Justice Anand Byrareddy observed that the petitioner's daughter is entitled to have the reference to criminal proceedings against her in-laws removed from Google search results as part of her right to privacy.
Significance: While not establishing a complete RTBF, this case recognized that in sensitive matters (particularly matrimonial/family disputes), individuals have legitimate interests in preventing perpetual digital association with past proceedings.
Jorawar Singh Mundy v. Union of India (2021)
The Delhi High Court's decision in Jorawar Singh Mundy v. Union of India (W.P.(C) 3918/2021) addressed criminal acquittal and digital records.
The Facts
The petitioner, an American citizen, was acquitted in a narcotics case after a 25-year legal battle. Despite acquittal, Indian Kanoon (a legal database) continued to display the case proceedings, affecting his professional opportunities in the USA.
The Ruling
Justice Pratibha M. Singh directed that the judgment be masked/redacted from search engines while remaining accessible on the official database for legal research. The court balanced the right to be forgotten with legitimate interests in legal scholarship.
⚡ The Balancing Test
The court articulated factors for RTBF claims:
- Sensitivity of the personal data
- Time elapsed since the original publication
- Current relevance of the information
- Impact on the individual's life
- Public interest in maintaining access
🎯 Practical Application: Correction & Erasure Requests
Case Study: The Erroneous Employee Record
Scenario: Priya worked at TechCorp from 2018-2022. In 2023, she discovers that a background verification company has records showing she was "terminated for misconduct"—when in fact, she resigned voluntarily with a clear exit interview and relieving letter.
Step 1: Identify the Right
This is a case for Section 12(a) - Correction because:
- The data is inaccurate (she wasn't terminated for misconduct)
- The data is misleading (termination implies wrongdoing)
Step 2: Gather Evidence
Priya should compile:
- Resignation letter (showing voluntary departure)
- Acceptance of resignation from HR
- Exit interview documentation
- Relieving letter (showing "resignation" not "termination")
- Full & final settlement documents
Step 3: Submit Correction Request
Under Section 12(a), Priya submits a formal correction request to the background verification company, demanding:
- Change status from "Terminated for misconduct" to "Resigned"
- Add positive remarks from relieving letter
- Notify all parties who received the erroneous report
Step 4: Timeline & Escalation
If the Data Fiduciary fails to respond within the prescribed timeline:
- File grievance with the company's Grievance Redressal Officer
- If unresolved, approach the Data Protection Board under Section 13
- Potential penalty: Up to ₹50 Crores under the Schedule for breach
Case Study: The Ex-Customer's Erasure Request
Scenario: Rajesh closed his credit card account with ABC Bank in 2021. In 2024, he requests deletion of all his personal data from the bank's systems.
Bank's Analysis
| Data Type | Retention Requirement | Can Delete? |
|---|---|---|
| Transaction records | 8 years (Income Tax Act) | No (until 2029) |
| KYC documents | 5 years post-closure (PML Act) | No (until 2026) |
| Marketing preferences | None statutory | Yes |
| Communication history | None statutory | Yes |
Appropriate Response
The bank should:
- Delete: Marketing data, preferences, non-regulatory communications
- Retain: Transaction records and KYC documents (citing legal basis)
- Inform: Clearly explain which data is deleted vs. retained and why
- Timeline: Specify when retained data becomes deletable
🔄 Downstream Obligations
When a Data Fiduciary corrects or erases data, what happens to copies shared with third parties?
💡 DPDPA's Silence
Unlike GDPR Article 17(2), which explicitly requires controllers to inform other controllers about erasure requests, DPDPA Section 12 does not address downstream notification. However, this doesn't mean Fiduciaries can ignore the issue.
Best Practice Approach
Even without explicit statutory mandate, Data Fiduciaries should implement downstream notification for these reasons:
📌 Contractual Obligations
- Data sharing agreements should include correction/erasure clauses
- Processor contracts should mandate update compliance
- Business partners should be notified of material changes
📌 Reputational Protection
- Uncorrected data with third parties perpetuates harm
- Data Principal may have grounds for additional claims
- Demonstrates good faith compliance
⚡ Practical Tip for Fiduciaries
Maintain a "Data Sharing Register" that tracks:
- Third parties with whom Data Principal's data was shared
- Categories of data shared
- Contact mechanism for correction/erasure notifications
- Confirmation of downstream action
⚠️ Penalties for Non-Compliance
The Schedule to DPDPA prescribes significant penalties for failure to comply with Section 12 rights:
💰 Maximum Penalty: ₹50 Crores
Schedule Item 4 covers "Breach of any obligation of the Data Fiduciary under this Act or the rules made thereunder". This includes failure to correct or erase personal data upon a valid request, and it can attract penalties up to ₹50 Crores.
Factors Influencing Penalty Quantum
The Data Protection Board will likely consider:
- Nature of data: Sensitive personal data breaches attract higher penalties
- Number of affected individuals: Systemic failures vs. isolated incidents
- Duration of non-compliance: How long the request was pending
- Good faith efforts: Whether the Fiduciary attempted compliance
- Harm caused: Demonstrable damage to the Data Principal
✅ Key Takeaways
- Section 12(a) provides four correction grounds: inaccurate, misleading, incomplete, and outdated data
- "Misleading" is broader than "inaccurate"—context-free true statements can warrant correction
- Section 12(b) grants an erasure right when the purpose is exhausted and no legal retention applies
- Legal retention requirements (tax, KYC, employment laws) override erasure requests
- Indian courts have recognized RTBF elements even before DPDPA (Vasunathan, Jorawar Singh)
- Downstream notification isn't mandated but is best practice for Data Fiduciaries
- Penalties up to ₹50 Crores for failure to honor valid correction/erasure requests
- Documentation is critical—both for Data Principals and Fiduciaries in correction/erasure processes